Comment 3 for bug 1648677

Adding the following to my nova.conf appears to stop Nova from failing when it gets a 401:

[keystone_authtoken]
...
check_revocations_for_cached = True

So, since Nova appears to by-design not automatically check and handle revoked tokens, I think we have the following options to solve the problem:

  1. set the above config in the nova-compute charm

  2. stop the keystone charm from calling update if password has not changed

  3. always restart nova-compute service when password update occurs (i.e. whenever nova-cloud-controller identity-service relation is called)

Personally I think that option 1 is least intrusive and simplest to implement.