From 3c53110282b97c42a00cee9ee344f32dc8cf29c5 Mon Sep 17 00:00:00 2001
From: Jorge Merlino
Date: Tue, 29 Nov 2022 14:36:57 -0300
Subject: [PATCH] Add support for using service tokens

This patch configures Nova to send a service token along with the received user token on requests to other services. This can allow those other services to accept the request even if the user token has been invalidated since received by Nova. Also with this patch Nova will accept request from other services with invalid user tokens but valid service tokens. Service tokens exist since Openstack Queens.

Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
---
 hooks/nova_compute_context.py | 2 ++
 templates/queens/nova.conf | 2 ++
 templates/rocky/nova.conf | 2 ++
 templates/stein/nova.conf | 2 ++
 templates/train/nova.conf | 2 ++
 templates/yoga/nova.conf | 2 ++
 unit_tests/test_nova_compute_contexts.py | 5 +++++
 7 files changed, 17 insertions(+)

diff --git a/hooks/nova_compute_context.py b/hooks/nova_compute_context.py
index 7bce97d6..8a4231b4 100644
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@@ -654,6 +654,7 @@ class CloudComputeContext(context.OSContextGenerator):
 'api_version', **rel) or '2.0',
 'neutron_plugin': _neutron_plugin(),
 'neutron_url': url,
+ 'admin_role': relation_get('admin_role', **rel) or 'Admin',
 }
 # DNS domain is optional
 dns_domain = relation_get('dns_domain', **rel)
@@ -772,6 +773,7 @@ class CloudComputeContext(context.OSContextGenerator):
 ctxt['admin_user'] = net_manager.get('neutron_admin_username')
 ctxt['admin_password'] = net_manager.get(
 'neutron_admin_password')
+ ctxt['admin_role'] = net_manager.get('admin_role')
 ctxt['auth_protocol'] = net_manager.get('auth_protocol')
 ctxt['auth_host'] = net_manager.get('keystone_host')
 ctxt['auth_port'] = net_manager.get('auth_port')
diff --git a/templates/queens/nova.conf b/templates/queens/nova.conf
index 7393c655..97220550 100644
--- a/templates/queens/nova.conf
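Review bot: The fallback `or 'Admin'` on the added `'admin_role'` line in the first hunk silently assumes the cloud's admin role is literally named `Admin` whenever the relation does not publish `admin_role`; if that value is what the rendered config later uses as the role a service token must carry (that appears to be its purpose, but the consuming template is outside this patch), a deployment with a differently named admin role would have service tokens rejected with nothing in the charm logs pointing at the cause. Consider logging when the fallback is taken, and documenting the line with `# 'Admin' is only a fallback; the real role name should come from the relation`. The second hunk copies the value with `net_manager.get('admin_role')` and no default, so a `net_manager` built anywhere other than the dict in the first hunk would leave `ctxt['admin_role']` as `None`, which presumably disables whatever the template does with it rather than failing loudly — worth mirroring the default there or pinning the behaviour in a test. Both enclosing methods start and end outside these hunks.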
+++ b/templates/queens/nova.conf
@@ -206,6 +206,8 @@ service_metadata_proxy=True
 {% include "section-keystone-authtoken-mitaka" %}
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/rocky/nova.conf b/templates/rocky/nova.conf
index d074cfe7..385a7fa8 100644
--- a/templates/rocky/nova.conf
+++ b/templates/rocky/nova.conf
@@ -224,6 +224,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 {% include "section-keystone-authtoken-mitaka" %}
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/stein/nova.conf b/templates/stein/nova.conf
index 5add5bc8..46a30eb1 100644
--- a/templates/stein/nova.conf
+++ b/templates/stein/nova.conf
@@ -237,6 +237,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 {% include "section-keystone-authtoken-mitaka" %}
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/train/nova.conf b/templates/train/nova.conf
index 54e3dacf..9f07d1b3 100644
--- a/templates/train/nova.conf
+++ b/templates/train/nova.conf
@@ -251,6 +251,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 {% include "section-keystone-authtoken-mitaka" %}
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/yoga/nova.conf b/templates/yoga/nova.conf
index 173798ab..4824972e 100644
--- a/templates/yoga/nova.conf
+++ b/templates/yoga/nova.conf
@@ -234,6 +234,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 {% include "section-keystone-authtoken-mitaka" %}
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
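Review bot: The `{% include "section-service-user" %}` is added unguarded in queens/nova.conf, and identically in the rocky, stein, train and yoga templates, while the neighbouring `[glance]` block in the same hunk is wrapped in `{% if glance_api_servers -%}`; unless the included section guards on the auth credentials itself (not visible in this patch), a unit whose relation data is not yet complete would render a service-user block with empty credentials. Sending a service token also means every outbound Nova request now presents the service's own identity in addition to the user token, so the receiving services must validate the service-token role for the "invalid user token but valid service token" path described in the commit message to stay restricted to trusted services; a template comment such as `{# service_user: requires the peer service to validate service_token_roles, otherwise any service credential suffices #}` next to the include would make that dependency visible to operators. A rendering unit test asserting the section appears from queens onward would also help, since the test hunks only check the context dict.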
diff --git a/unit_tests/test_nova_compute_contexts.py b/unit_tests/test_nova_compute_contexts.py
index 34af2c36..09f3be7f 100644
--- a/unit_tests/test_nova_compute_contexts.py
+++ b/unit_tests/test_nova_compute_contexts.py
@@ -232,6 +232,7 @@ class NovaComputeContextTests(CharmTestCase):
 'network_manager': 'neutron',
 'network_manager_config': {
 'api_version': '2.0',
+ 'admin_role': 'Admin',
 'auth_protocol': 'https',
 'service_protocol': 'http',
 'auth_port': '5000',
@@ -252,6 +253,7 @@ class NovaComputeContextTests(CharmTestCase):
 'admin_tenant_name': 'admin',
 'admin_user': 'admin',
 'admin_password': 'openstack',
+ 'admin_role': 'Admin',
 'admin_domain_name': 'admin_domain',
 'auth_port': '5000',
 'auth_protocol': 'https',
@@ -281,6 +283,7 @@ class NovaComputeContextTests(CharmTestCase):
 'network_manager': 'neutron',
 'network_manager_config': {
 'api_version': '2.0',
+ 'admin_role': 'Admin',
 'auth_protocol': 'https',
 'service_protocol': 'http',
 'auth_port': '5000',
@@ -302,6 +305,7 @@ class NovaComputeContextTests(CharmTestCase):
 'admin_tenant_name': 'admin',
 'admin_user': 'admin',
 'admin_password': 'openstack',
+ 'admin_role': 'Admin',
 'admin_domain_name': 'admin_domain',
 'auth_port': '5000',
 'auth_protocol': 'https',
@@ -330,6 +334,7 @@ class NovaComputeContextTests(CharmTestCase):
 cloud_compute = context.CloudComputeContext()
 ex_ctxt = {
 'api_version': '2.0',
+ 'admin_role': 'Admin',
 'auth_protocol': 'https',
 'service_protocol': 'http',
 'auth_port': '5000',
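Review bot: All five hunks add only the expectation `'admin_role': 'Admin'`, which is exactly the value the `or 'Admin'` fallback in hooks/nova_compute_context.py produces, so it is not visible whether the fixtures publish `admin_role` on the relation or the tests merely pass through the default — either way one of the two branches (relation-provided value vs. fallback) is left unexercised, and a non-default role name is never checked. A test that publishes a constructed role name such as `'CloudAdmin'` (made up for the test) and asserts it is passed through unchanged, plus one that omits the key and asserts `'Admin'`, would pin both. The enclosing test methods start and end outside these hunks.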