Add service_token for nova-cinder interaction

Service token will be passed along with user token to communicate with services when dealing with long running tasks like live migration. This change addresses adding service_token to the request when nova requests cinder session to interact with cinder. Change-Id: I51eb0a8937fa39a2e5dafb1ad915e7113ea61f72 Implements: blueprint use-service-tokens
2016-11-14 22:31:58 +00:00
parent 5ab8c110de
commit 9874b9731c
2 changed files with 68 additions and 0 deletions
--- a/nova/conf/init.py
+++ b/nova/conf/init.py
@ -60,6 +60,7 @@ from nova.conf import remote_debug
 from nova.conf import scheduler
 from nova.conf import serial_console
 from nova.conf import service
+from nova.conf import service_token
 from nova.conf import servicegroup
 from nova.conf import spice
 from nova.conf import ssl
@ -114,6 +115,7 @@ rdp.register_opts(CONF)
 scheduler.register_opts(CONF)
 serial_console.register_opts(CONF)
 service.register_opts(CONF)
+service_token.register_opts(CONF)
 servicegroup.register_opts(CONF)
 spice.register_opts(CONF)
 ssl.register_opts(CONF)
--- a/nova/conf/service_token.py
+++ b/nova/conf/service_token.py
@ -0,0 +1,66 @@
+#    Licensed under the Apache License, Version 2.0 (the "License"); you may
+#    not use this file except in compliance with the License. You may obtain
+#    a copy of the License at
+#
+#         http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+#    WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+#    License for the specific language governing permissions and limitations
+#    under the License.
+
+from keystoneauth1 import loading as ks_loading
+from oslo_config import cfg
+
+SERVICE_USER_GROUP = 'service_user'
+
+service_user = cfg.OptGroup(
+    SERVICE_USER_GROUP,
+    title = 'Service token authentication type options',
+    help = """
+Configuration options for service to service authentication using a service
+token. These options allow to send a service token along with the
+user's token when contacting external REST APIs.
+"""
+)
+
+service_user_opts = [
+    cfg.BoolOpt('send_service_user_token',
+                default=False,
+                help="""
+When True, if sending a user token to an REST API, also send a service token.
+
+Nova often reuses the user token provided to the nova-api to talk to other
+REST APIs, such as Cinder. It is possible that while the
+user token was valid when the request was made to Nova, the token may expire
+before it reaches the other service. To avoid any failures, and to
+make it clear it is Nova calling the service on the users behalf, we include
+a server token along with the user token. Should the user's token have
+expired, a valid service token ensures the REST API request will still be
+accepted by the keystone middleware.
+
+This feature is currently experimental, and as such is turned off by default
+while full testing and performance tuning of this feature is completed.
+"""),
+]
+
+
+def register_opts(conf):
+    conf.register_group(service_user)
+    conf.register_opts(service_user_opts, group=service_user)
+
+    ks_loading.register_session_conf_options(conf, SERVICE_USER_GROUP)
+    ks_loading.register_auth_conf_options(conf, SERVICE_USER_GROUP)
+
+
+def list_opts():
+    return {
+        service_user: (
+            service_user_opts +
+            ks_loading.get_session_conf_options() +
+            ks_loading.get_auth_common_conf_options() +
+            ks_loading.get_auth_plugin_conf_options('password') +
+            ks_loading.get_auth_plugin_conf_options('v2password') +
+            ks_loading.get_auth_plugin_conf_options('v3password'))
+    }