Use service tokens (partially complete)
Some operations in Nova could take a long time to complete. During this
time user token associated with this request could expire. When Nova tries
to communicate with other services using the same user token, Keystone fails
to validate the request due to expired token.
Service token will be passed along with user token to communicate with
services when dealing with long running tasks like live migration.
Keystone middlewere trusts that the service got the user token when
it was valid, don't check the expiry date of cert.
Blueprint information
- Status:
- Complete
- Approver:
- Matt Riedemann
- Priority:
- Medium
- Drafter:
- Sarafraj Singh
- Direction:
- Approved
- Assignee:
- Sarafraj Singh
- Definition:
- Approved
- Series goal:
- Accepted for ocata
- Implementation:
- Implemented
- Milestone target:
- ocata-3
- Started by
- Sarafraj Singh
- Completed by
- Matt Riedemann
Related branches
Related bugs
Sprints
Whiteboard
Gerrit topic: https:/
Addressed by: https:/
Add service_token for nova-cinder interaction
Addressed by: https:/
Add service_token for nova-neutron interaction
Addressed by: https:/
Adopts keystoneauth with glance client.
Addressed by: https:/
DNM: Test service token
Addressed by: https:/
Add service_token for nova-glance interaction
Addressed by: https:/
DNM: Test service token in Glance
The cinder and neutron client patches merged, but the glanceclient changes haven't yet and those are going to be deferred to Pike. Let's resume there with a use-service-
Addressed by: https:/
Bump python-glanceclient minimum to 2.7.0
Work Items
Dependency tree
* Blueprints in grey have been implemented.