When the [service_user] section is configured in nova.conf, nova will
have the ability to send a service user token alongside the user's
token. The service user token is sent when nova calls other services'
REST APIs to authenticate as a service, and service calls can sometimes
have elevated privileges.
Currently, nova does not however have the ability to send a service user
token with an admin context. This means that when nova makes REST API
calls to other services with an anonymous admin RequestContext (such as
in nova-manage or periodic tasks), it will not be authenticated as a
service.
This adds a keyword argument to service_auth.get_auth_plugin() to
enable callers to provide a user_auth object instead of attempting to
extract the user_auth from the RequestContext.
The cinder and neutron client modules are also adjusted to make use of
the new user_auth keyword argument so that nova calls made with
anonymous admin request contexts can authenticate as a service when
configured.
Related-Bug: #2004555
Change-Id: I14df2d55f4b2f0be58f1a6ad3f19e48f7a6bfcb4
If the [service_user]/send_service_user_token option is
set to True but the actual auth options are incomplete,
like missing to set the auth_type option, we eventually
fail to re-auth with keystone due to a NoneType error
in keystoneauth1.
We can detect this issue because load_auth_from_conf_options
will return None and we can just log a warning and continue
as if the service user was never configured in the first place.
Co-Authored-By: Eric Fried <efried@us.ibm.com>
Change-Id: I0a96c835d620307f1ab34736ba42c2deb1321a23
Closes-Bug: #1733642
Service token will be passed along with user token to communicate with
services when dealing with long running tasks like live migration.
This change addresses adding service_token to the request when nova
requests cinder session to interact with cinder.
Change-Id: I51eb0a8937fa39a2e5dafb1ad915e7113ea61f72
Implements: blueprint use-service-tokens