Add service_token for nova-neutron interaction

Service token will be passed along with user token to communicate with
services when dealing with long running tasks like live migration.

This change addresses adding service_token to the request when nova
requests neutron session.

Implements: blueprint use-service-tokens
Change-Id: I5e6d6dfeda3673d38bab0bc692c50ca74eb90fc1

nova/conf/service_token.py

@@ -32,7 +32,7 @@ service_user_opts = [
 When True, if sending a user token to an REST API, also send a service token.
 
 Nova often reuses the user token provided to the nova-api to talk to other
-REST APIs, such as Cinder. It is possible that while the
+REST APIs, such as Cinder and Neutron. It is possible that while the
 user token was valid when the request was made to Nova, the token may expire
 before it reaches the other service. To avoid any failures, and to
 make it clear it is Nova calling the service on the users behalf, we include

nova/network/neutronv2/api.py

@@ -39,6 +39,8 @@ from nova.pci import request as pci_request
 from nova.pci import utils as pci_utils
 from nova.pci import whitelist as pci_whitelist
 from nova.policies import base as base_policies
+from nova import service_auth
+
 
 CONF = nova.conf.CONF
 
@@ -136,7 +138,7 @@ def get_client(context, admin=False):
         auth_plugin = _ADMIN_AUTH
 
     elif context.auth_token:
-        auth_plugin = context.get_auth_plugin()
+        auth_plugin = service_auth.get_auth_plugin(context)
 
     if not auth_plugin:
         # We did not get a user token and we should not be using

nova/tests/unit/network/test_neutronv2.py

@@ -20,6 +20,7 @@ import uuid
 
 from keystoneauth1.fixture import V2Token
 from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import service_token
 import mock
 from mox3 import mox
 import netaddr
@@ -140,6 +141,17 @@ class TestNeutronClient(test.NoDBTestCase):
                           neutronapi.get_client,
                           my_context)
 
+    def test_non_admin_with_service_token(self):
+        self.flags(send_service_user_token=True, group='service_user')
+
+        my_context = context.RequestContext('userid',
+                                            uuids.my_tenant,
+                                            auth_token='token')
+
+        cl = neutronapi.get_client(my_context)
+        self.assertIsInstance(cl.httpclient.auth,
+                              service_token.ServiceTokenAuthWrapper)
+
     @mock.patch.object(client.Client, "list_networks",
                        side_effect=exceptions.Unauthorized())
     def test_Unauthorized_user(self, mock_list_networks):

releasenotes/notes/validate-expired-user-tokens-57a265cb4ee4ba6f.yaml

@@ -4,11 +4,11 @@ features:
     sent along with the user token, then it will ignore the expiration of user
     token. This helps deal with issues of user tokens expiring during long
     running operations, such as live-migration where nova tries to access
-    Cinder at the end of the operation using the user token that has expired.
-    In order to use this functionality a service user needs to be created.
-    Add service user configurations in ``nova.conf`` under
+    Cinder and Neutron at the end of the operation using the user token that
+    has expired. In order to use this functionality a service user needs to
+    be created. Add service user configurations in ``nova.conf`` under
     ``service_user`` group and set ``send_service_user_token`` flag to
     ``True``. The minimum Keytone API version 3.8 and Keystone middleware
     version 4.12.0 is required to use this functionality.
-    This only currently works with nova - cinder API interactions.
-
+    This only currently works with Nova - Cinder and Nova - Neutron API
+    interactions.