From b54f6701d6cc408990add5fdb81bac1c74aa20db Mon Sep 17 00:00:00 2001
From: Jorge Merlino
Date: Tue, 29 Nov 2022 14:36:57 -0300
Subject: [PATCH] Add support for using service tokens

This patch configures Nova to send a service token along with the received user token on requests to other services. This can allow those other services to accept the request even if the user token has been invalidated since received by Nova. Also with this patch Nova will accept request from other services with invalid user tokens but valid service tokens. Service tokens exist since Openstack Queens.

Closes-Bug: #1992840
Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1
(cherry picked from commit 3c53110282b97c42a00cee9ee344f32dc8cf29c5)
---
 hooks/nova_compute_context.py            | 2 ++
 templates/queens/nova.conf               | 2 ++
 templates/rocky/nova.conf                | 2 ++
 templates/stein/nova.conf                | 2 ++
 templates/train/nova.conf                | 2 ++
 templates/yoga/nova.conf                 | 2 ++
 unit_tests/test_nova_compute_contexts.py | 5 +++++
 7 files changed, 17 insertions(+)

diff --git a/hooks/nova_compute_context.py b/hooks/nova_compute_context.py
index 2c7db29d..fd46cb54 100644
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@@ -645,6 +645,7 @@ class CloudComputeContext(context.OSContextGenerator):
                 'api_version', **rel) or '2.0',
             'neutron_plugin': _neutron_plugin(),
             'neutron_url': url,
+            'admin_role': relation_get('admin_role', **rel) or 'Admin',
         }
         # DNS domain is optional
         dns_domain = relation_get('dns_domain', **rel)
@@ -763,6 +764,7 @@ class CloudComputeContext(context.OSContextGenerator):
         ctxt['admin_user'] = net_manager.get('neutron_admin_username')
         ctxt['admin_password'] = net_manager.get(
             'neutron_admin_password')
+        ctxt['admin_role'] = net_manager.get('admin_role')
         ctxt['auth_protocol'] = net_manager.get('auth_protocol')
         ctxt['auth_host'] = net_manager.get('keystone_host')
         ctxt['auth_port'] = net_manager.get('auth_port')
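Review bot: The two hunks disagree on the fallback for admin_role: the added line in the first hunk uses `relation_get('admin_role', **rel) or 'Admin'`, while the added line in the second hunk copies `net_manager.get('admin_role')` with no default, so if net_manager is ever populated from a source other than the dict built in the first hunk the key is None and renders into nova.conf as the literal string None. Mirroring the default, `ctxt['admin_role'] = net_manager.get('admin_role') or 'Admin'`, keeps both paths consistent. Since admin_role presumably feeds the service-token configuration rendered by the new template include, a silently chosen role is a security-relevant default and deserves a named module constant plus a comment such as `# Fallback when the relation publishes no role; matches keystone's default admin role name.` rather than a bare literal at two sites. Both hunks sit inside methods of CloudComputeContext whose signatures lie outside the hunks.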
diff --git a/templates/queens/nova.conf b/templates/queens/nova.conf
index 7393c655..97220550 100644
--- a/templates/queens/nova.conf
+++ b/templates/queens/nova.conf
@@ -206,6 +206,8 @@ service_metadata_proxy=True
 
 {% include "section-keystone-authtoken-mitaka" %}
 
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/rocky/nova.conf b/templates/rocky/nova.conf
index d074cfe7..385a7fa8 100644
--- a/templates/rocky/nova.conf
+++ b/templates/rocky/nova.conf
@@ -224,6 +224,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 
 {% include "section-keystone-authtoken-mitaka" %}
 
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/stein/nova.conf b/templates/stein/nova.conf
index 5add5bc8..46a30eb1 100644
--- a/templates/stein/nova.conf
+++ b/templates/stein/nova.conf
@@ -237,6 +237,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 
 {% include "section-keystone-authtoken-mitaka" %}
 
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/train/nova.conf b/templates/train/nova.conf
index 54e3dacf..9f07d1b3 100644
--- a/templates/train/nova.conf
+++ b/templates/train/nova.conf
@@ -251,6 +251,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 
 {% include "section-keystone-authtoken-mitaka" %}
 
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/templates/yoga/nova.conf b/templates/yoga/nova.conf
index a94f4f7e..c9a76913 100644
--- a/templates/yoga/nova.conf
+++ b/templates/yoga/nova.conf
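Review bot: The added `{% include "section-service-user" %}` wires in only the [service_user] fragment, i.e. the token-sending side described in the commit message; nothing in this hunk changes how incoming tokens are validated, so the message's claim that Nova will now accept requests carrying an invalid user token but a valid service token appears to rest on keystonemiddleware's service_token_roles / service_token_roles_required settings, which this patch does not touch. Either the shared fragment (its contents are not visible here) or the existing section-keystone-authtoken-mitaka include must set them for that claim to hold, and the commit message should say which. The fragment is also included unconditionally, so a deployment whose context lacks the service-user credentials renders whatever the fragment emits for missing variables; a one-line template comment naming the context keys the fragment expects would help the next maintainer. The same include is added identically in the rocky, stein, train and yoga templates.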
@@ -232,6 +232,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}
 
 {% include "section-keystone-authtoken-mitaka" %}
 
+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
diff --git a/unit_tests/test_nova_compute_contexts.py b/unit_tests/test_nova_compute_contexts.py
index ac587b3b..4895a126 100644
--- a/unit_tests/test_nova_compute_contexts.py
+++ b/unit_tests/test_nova_compute_contexts.py
@@ -232,6 +232,7 @@ class NovaComputeContextTests(CharmTestCase):
             'network_manager': 'neutron',
             'network_manager_config': {
                 'api_version': '2.0',
+                'admin_role': 'Admin',
                 'auth_protocol': 'https',
                 'service_protocol': 'http',
                 'auth_port': '5000',
@@ -252,6 +253,7 @@ class NovaComputeContextTests(CharmTestCase):
             'admin_tenant_name': 'admin',
             'admin_user': 'admin',
             'admin_password': 'openstack',
+            'admin_role': 'Admin',
             'admin_domain_name': 'admin_domain',
             'auth_port': '5000',
             'auth_protocol': 'https',
@@ -281,6 +283,7 @@ class NovaComputeContextTests(CharmTestCase):
             'network_manager': 'neutron',
             'network_manager_config': {
                 'api_version': '2.0',
+                'admin_role': 'Admin',
                 'auth_protocol': 'https',
                 'service_protocol': 'http',
                 'auth_port': '5000',
@@ -302,6 +305,7 @@ class NovaComputeContextTests(CharmTestCase):
             'admin_tenant_name': 'admin',
             'admin_user': 'admin',
             'admin_password': 'openstack',
+            'admin_role': 'Admin',
             'admin_domain_name': 'admin_domain',
             'auth_port': '5000',
             'auth_protocol': 'https',
@@ -330,6 +334,7 @@ class NovaComputeContextTests(CharmTestCase):
         cloud_compute = context.CloudComputeContext()
         ex_ctxt = {
             'api_version': '2.0',
+            'admin_role': 'Admin',
             'auth_protocol': 'https',
             'service_protocol': 'http',
             'auth_port': '5000',
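Review bot: All five hunks only add `'admin_role': 'Admin'` to expected-context dicts, so the tests pin a single value and can exercise at most one branch of the new context code; the relation fixture that feeds these expectations lies outside the hunks, so if it publishes no admin_role only the `or 'Admin'` fallback is covered and a relation-supplied role is never asserted, and if it does publish one the fallback itself is untested. One extra case where the mocked `relation_get` returns a non-default role (a constructed value such as `'admin_role': 'member'`) and asserts it reaches both `network_manager_config['admin_role']` and the flattened `ctxt['admin_role']` would cover both paths. The enclosing test methods start outside the hunks.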