Now if we run a workflow that runs longer than the lifetime of the authentication token associated with it, then it will fail at some point when the token expires.
Keystone trusts are currently used only for cron triggers to be able to run workflows in a deferred mode. But trusts do not solve the aforementioned problem.
This current behavior was implemented intentionally because we didn't want to stick to version 3 of the Identity API (which provides trusts) too much at that time, since some people may not want to use v3. The assumption was that workflows that users start won't take longer than the token expiration period. But as we become more stable and expand our use cases to more complicated things that require a longer run time, it's becoming an issue for us.
Some thoughts on possible ways to solve it:
* Use trusts not only for cron triggers and get a new token during workflow execution from trust before running every action in the workflow because actions may require a new token (e.g. those that interact with OpenStack services).
* Same as before but we can implement smarter logic that will determine dynamically if the token needs to be renewed (e.g. if it's about to expire).
* Somehow dynamically determine if the next action needs a token and renew it, if needed.
In general, this problem comes down to having to have some token renewal mechanism in Mistral.
If authentication is disabled, this bug is not relevant.
Regarding the solutions:
2) and 3)
- the actions invoked can also time out internally; we have no influence on this.
- E.g. call a heat stack create that takes who knows how much time. How do you decide whether the token needs to be renewed before the action? What if the token expiration is shorter than the expected length of the operation?
- renewing a token without admin credentials is impossible
Due to these reasons, I think 2) and 3) are not valid solutions.
1) yes, I think we should go for using trusts
- maybe the Mistral client could create the trust and Mistral could simply reuse it
- creating trusts does not require admin rights
- Mistral could run without admin credentials which is very important for standalone applications
Finally, IMHO at this point requiring keystone V3 should not be a limitation for deployments.
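
An added example, not part of the original report or its comments: a small simulation of the renewal ideas discussed in this thread (one token for the whole run, a new token from the trust before every action, and renewal only when the token is about to expire). The helper `issue_from_trust`, the lifetimes, the sample durations and the failure model are all assumptions made for illustration; no Keystone or Mistral API is called.

```python
from dataclasses import dataclass

TOKEN_LIFETIME = 3600  # seconds; constructed value
RENEW_MARGIN = 300     # "about to expire" threshold; constructed value


@dataclass
class Token:
    expires_at: float


def issue_from_trust(now):
    """Hypothetical stand-in for requesting a trust-scoped token."""
    return Token(expires_at=now + TOKEN_LIFETIME)


def run_workflow(durations, policy):
    """Run actions back to back; return (per-action outcomes, tokens issued).

    policy: "static" - one token obtained when the workflow starts
            "always" - new token from the trust before every action
            "margin" - new token only if the current one expires
                       within RENEW_MARGIN seconds
    Model assumption: an action fails if the token it was handed
    expires before the action finishes.
    """
    now, token, issued, results = 0.0, None, 0, []
    for duration in durations:
        stale = token is None or policy == "always" or (
            policy == "margin" and token.expires_at - now < RENEW_MARGIN)
        if stale:
            token = issue_from_trust(now)
            issued += 1
        end = now + duration
        results.append("ok" if token.expires_at >= end else "token expired")
        now = end
    return results, issued


# Constructed workflow: three 25-minute actions, then one 2-hour action.
DURATIONS = [1500, 1500, 1500, 7200]

if __name__ == "__main__":
    for policy in ("static", "always", "margin"):
        print(policy, *run_workflow(DURATIONS, policy))
```

In this model the margin check still loses the third action, because a token with 600 seconds left looks healthy to a 300-second threshold but the action runs for 1500 seconds, and no policy covers the 2-hour action, whose duration exceeds the token lifetime.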