Add support for using service tokens

This patch configures Nova to send a service token along with the
received user token on requests to other services. This can allow those
other services to accept the request even if the user token has been
invalidated since it was received by Nova. Also, with this patch Nova will
accept requests from other services with invalid user tokens but valid
service tokens. Service tokens have existed since OpenStack Queens.

Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
Jorge Merlino 2022-11-29 14:36:57 -03:00
parent d9fc4b69c1
commit 3c53110282
7 changed files with 17 additions and 0 deletions


@ -654,6 +654,7 @@ class CloudComputeContext(context.OSContextGenerator):
'api_version', **rel) or '2.0',
'neutron_plugin': _neutron_plugin(),
'neutron_url': url,
'admin_role': relation_get('admin_role', **rel) or 'Admin',
}
# DNS domain is optional
dns_domain = relation_get('dns_domain', **rel)
@ -772,6 +773,7 @@ class CloudComputeContext(context.OSContextGenerator):
ctxt['admin_user'] = net_manager.get('neutron_admin_username')
ctxt['admin_password'] = net_manager.get(
'neutron_admin_password')
ctxt['admin_role'] = net_manager.get('admin_role')
ctxt['auth_protocol'] = net_manager.get('auth_protocol')
ctxt['auth_host'] = net_manager.get('keystone_host')
ctxt['auth_port'] = net_manager.get('auth_port')
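Review bot: The `or 'Admin'` fallback on the new `'admin_role'` entry in the first hunk silently substitutes a role name when the relation does not publish one, and the second hunk then copies it into the context with no indication of where it came from. If this value ends up as the role a service token must carry (the templates that consume it are not shown in this diff), a Keystone whose admin role is named differently would leave service tokens unrecognised with nothing pointing at the cause. A comment above the entry would record the contract: `# Falls back to 'Admin' when the relation does not set admin_role; must match the role name used in Keystone.` It is also worth stating there that this role decides which callers are treated as services, so a dedicated service role is a narrower choice than a general admin role. Both enclosing methods start and end outside the hunks.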


@ -206,6 +206,8 @@ service_metadata_proxy=True
{% include "section-keystone-authtoken-mitaka" %}
{% include "section-service-user" %}
{% if glance_api_servers -%}
[glance]
api_servers = {{ glance_api_servers }}
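Review bot: `section-service-user` is included unconditionally right after the authtoken include, and its contents are not part of this diff, so it cannot be checked here whether it renders a usable section when the identity credentials are missing from the context. Because this include is presumably what makes Nova attach a service token to outgoing requests, a template comment would help anyone auditing the rendered file, e.g. `{# service user credentials: used to send a service token with requests to other services #}`. The same include is added in the four template sections that follow.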


@ -224,6 +224,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
{% include "section-keystone-authtoken-mitaka" %}
{% include "section-service-user" %}
{% if glance_api_servers -%}
[glance]
api_servers = {{ glance_api_servers }}


@ -237,6 +237,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
{% include "section-keystone-authtoken-mitaka" %}
{% include "section-service-user" %}
{% if glance_api_servers -%}
[glance]
api_servers = {{ glance_api_servers }}


@ -251,6 +251,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
{% include "section-keystone-authtoken-mitaka" %}
{% include "section-service-user" %}
{% if glance_api_servers -%}
[glance]
api_servers = {{ glance_api_servers }}


@ -234,6 +234,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
{% include "section-keystone-authtoken-mitaka" %}
{% include "section-service-user" %}
{% if glance_api_servers -%}
[glance]
api_servers = {{ glance_api_servers }}


@ -232,6 +232,7 @@ class NovaComputeContextTests(CharmTestCase):
'network_manager': 'neutron',
'network_manager_config': {
'api_version': '2.0',
'admin_role': 'Admin',
'auth_protocol': 'https',
'service_protocol': 'http',
'auth_port': '5000',
@ -252,6 +253,7 @@ class NovaComputeContextTests(CharmTestCase):
'admin_tenant_name': 'admin',
'admin_user': 'admin',
'admin_password': 'openstack',
'admin_role': 'Admin',
'admin_domain_name': 'admin_domain',
'auth_port': '5000',
'auth_protocol': 'https',
@ -281,6 +283,7 @@ class NovaComputeContextTests(CharmTestCase):
'network_manager': 'neutron',
'network_manager_config': {
'api_version': '2.0',
'admin_role': 'Admin',
'auth_protocol': 'https',
'service_protocol': 'http',
'auth_port': '5000',
@ -302,6 +305,7 @@ class NovaComputeContextTests(CharmTestCase):
'admin_tenant_name': 'admin',
'admin_user': 'admin',
'admin_password': 'openstack',
'admin_role': 'Admin',
'admin_domain_name': 'admin_domain',
'auth_port': '5000',
'auth_protocol': 'https',
@ -330,6 +334,7 @@ class NovaComputeContextTests(CharmTestCase):
cloud_compute = context.CloudComputeContext()
ex_ctxt = {
'api_version': '2.0',
'admin_role': 'Admin',
'auth_protocol': 'https',
'service_protocol': 'http',
'auth_port': '5000',
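Review bot: Every fixture in these five hunks uses `'admin_role': 'Admin'`, which is the same string the context falls back to when the relation has no value, so these assertions would still pass if the relation value were ignored. The relation data fed to the tests is outside the hunks, so this is inferred from the expected dictionaries only. One case with a non-default name, for example `'admin_role': 'SampleRole'` (constructed value) on both the relation input and the expected context, would pin that the published role is the one that reaches the templates.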