Add support for using service tokens

This patch configures Nova to send a service token along with the received user token on requests to other services. This can allow those other services to accept the request even if the user token has been invalidated since received by Nova. Also with this patch Nova will accept request from other services with invalid user tokens but valid service tokens. Service tokens exist since Openstack Queens. Closes-Bug: #1992840 Change-Id: I78b43ef77dc1d7b5976ec81ecddf63c9e6c8b6c1 (cherry picked from commit 3c53110282)
2022-11-29 14:36:57 -03:00 · 2022-11-29 14:36:57 -03:00 · d9dc048a51
parent 8df5e9356f
commit d9dc048a51
7 changed files with 17 additions and 0 deletions
--- a/hooks/nova_compute_context.py
+++ b/hooks/nova_compute_context.py
@ -647,6 +647,7 @@ class CloudComputeContext(context.OSContextGenerator):
                        'api_version', **rel) or '2.0',
                    'neutron_plugin': _neutron_plugin(),
                    'neutron_url': url,
+                    'admin_role': relation_get('admin_role', **rel) or 'Admin',
                }
                # DNS domain is optional
                dns_domain = relation_get('dns_domain', **rel)
@ -765,6 +766,7 @@ class CloudComputeContext(context.OSContextGenerator):
                ctxt['admin_user'] = net_manager.get('neutron_admin_username')
                ctxt['admin_password'] = net_manager.get(
                    'neutron_admin_password')
+                ctxt['admin_role'] = net_manager.get('admin_role')
                ctxt['auth_protocol'] = net_manager.get('auth_protocol')
                ctxt['auth_host'] = net_manager.get('keystone_host')
                ctxt['auth_port'] = net_manager.get('auth_port')
--- a/templates/queens/nova.conf
+++ b/templates/queens/nova.conf
@ -206,6 +206,8 @@ service_metadata_proxy=True

 {% include "section-keystone-authtoken-mitaka" %}

+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
--- a/templates/rocky/nova.conf
+++ b/templates/rocky/nova.conf
@ -224,6 +224,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}

 {% include "section-keystone-authtoken-mitaka" %}

+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
--- a/templates/stein/nova.conf
+++ b/templates/stein/nova.conf
@ -237,6 +237,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}

 {% include "section-keystone-authtoken-mitaka" %}

+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
--- a/templates/train/nova.conf
+++ b/templates/train/nova.conf
@ -251,6 +251,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}

 {% include "section-keystone-authtoken-mitaka" %}

+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
--- a/templates/yoga/nova.conf
+++ b/templates/yoga/nova.conf
@ -234,6 +234,8 @@ numa_nodes = {{ network_manager_config.neutron_tunnel }}

 {% include "section-keystone-authtoken-mitaka" %}

+{% include "section-service-user" %}
+
 {% if glance_api_servers -%}
 [glance]
 api_servers = {{ glance_api_servers }}
--- a/unit_tests/test_nova_compute_contexts.py
+++ b/unit_tests/test_nova_compute_contexts.py
@ -232,6 +232,7 @@ class NovaComputeContextTests(CharmTestCase):
            'network_manager': 'neutron',
            'network_manager_config': {
                'api_version': '2.0',
+                'admin_role': 'Admin',
                'auth_protocol': 'https',
                'service_protocol': 'http',
                'auth_port': '5000',
@ -252,6 +253,7 @@ class NovaComputeContextTests(CharmTestCase):
            'admin_tenant_name': 'admin',
            'admin_user': 'admin',
            'admin_password': 'openstack',
+            'admin_role': 'Admin',
            'admin_domain_name': 'admin_domain',
            'auth_port': '5000',
            'auth_protocol': 'https',
@ -281,6 +283,7 @@ class NovaComputeContextTests(CharmTestCase):
            'network_manager': 'neutron',
            'network_manager_config': {
                'api_version': '2.0',
+                'admin_role': 'Admin',
                'auth_protocol': 'https',
                'service_protocol': 'http',
                'auth_port': '5000',
@ -302,6 +305,7 @@ class NovaComputeContextTests(CharmTestCase):
            'admin_tenant_name': 'admin',
            'admin_user': 'admin',
            'admin_password': 'openstack',
+            'admin_role': 'Admin',
            'admin_domain_name': 'admin_domain',
            'auth_port': '5000',
            'auth_protocol': 'https',
@ -330,6 +334,7 @@ class NovaComputeContextTests(CharmTestCase):
        cloud_compute = context.CloudComputeContext()
        ex_ctxt = {
            'api_version': '2.0',
+            'admin_role': 'Admin',
            'auth_protocol': 'https',
            'service_protocol': 'http',
            'auth_port': '5000',