Add service_token for nova-glance interaction

Service token will be passed along with user token to communicate with services when dealing with long running tasks like snapshots. Change-Id: Ib61e045742fc98f5ff86f6aaab23ad7505c3ee07 Implements: blueprint use-service-tokens-pike
2017-01-12 15:39:09 -06:00 · 2017-01-12 15:39:09 -06:00 · 6211009e55
commit 6211009e55
parent b277b10df6
4 changed files with 17 additions and 3 deletions
--- a/nova/conf/service_token.py
+++ b/nova/conf/service_token.py
@ -32,7 +32,7 @@ service_user_opts = [
 When True, if sending a user token to an REST API, also send a service token.

 Nova often reuses the user token provided to the nova-api to talk to other
-REST APIs, such as Cinder and Neutron. It is possible that while the
+REST APIs, such as Cinder, Glance and Neutron. It is possible that while the
 user token was valid when the request was made to Nova, the token may expire
 before it reaches the other service. To avoid any failures, and to
 make it clear it is Nova calling the service on the users behalf, we include
--- a/nova/image/glance.py
+++ b/nova/image/glance.py
@ -46,6 +46,7 @@ from nova.i18n import _LE, _LI, _LW
 import nova.image.download as image_xfers
 from nova import objects
 from nova.objects import fields
+from nova import service_auth

 LOG = logging.getLogger(__name__)
 CONF = nova.conf.CONF
@ -60,7 +61,7 @@ def _glanceclient_from_endpoint(context, endpoint, version):
        _SESSION = ks_loading.load_session_from_conf_options(
            CONF, nova.conf.glance.glance_group.name)

-    auth = context.get_auth_plugin()
+    auth = service_auth.get_auth_plugin(context)

    # TODO(johngarbutt) eventually we should default to getting the
    # endpoint URL from the service catalog.
--- a/nova/tests/unit/image/test_glance.py
+++ b/nova/tests/unit/image/test_glance.py
@ -32,6 +32,7 @@ import nova.conf
 from nova import context
 from nova import exception
 from nova.image import glance
+from nova import service_auth
 from nova import test
 from nova.tests import uuidsentinel as uuids

@ -342,7 +343,7 @@ class TestGetImageService(test.NoDBTestCase):

 class TestCreateGlanceClient(test.NoDBTestCase):

-    @mock.patch.object(context.RequestContext, 'get_auth_plugin')
+    @mock.patch.object(service_auth, 'get_auth_plugin')
    @mock.patch.object(ks_loading, 'load_session_from_conf_options')
    @mock.patch('glanceclient.Client')
    def test_glanceclient_with_ks_session(self, mock_client, mock_load,
--- a/releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml
+++ b/releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml
@ -0,0 +1,12 @@
+---
+features:
+  - |
+    Added support for Keystone middleware feature for interaction of Nova with
+    the Glance API. With this support, if service token is sent along with the
+    user token, then the expiration of user token will be ignored. In order to
+    use this functionality a service user needs to be created first.
+    Add the service user configurations in ``nova.conf`` under ``service_user``
+    group and set ``send_service_user_token`` flag to ``True``.
+
+    .. note:: This feature is already implemented for Nova interaction with the
+      Cinder and Neutron APIs in Ocata.