Comment 20 for bug 1298135
Tobias Urdin (tobias-urdin) wrote:

Hello, a little update on my part.

This bug is very spread out since it covers multiple issues, so I'll try to update my view on things. You can already today enable the service user for Cinder talking to Glance and Nova by updating the [service_user] config section and enabling send_service_user_token.

Then there is the Swift backup driver in per_user mode (meaning we use the user token to talk from the cinder-backup service to the Swift endpoint). There is a proposed fix [1] that involves creating a Keystone trust and then using that. I consider this a workaround that can be used to solve the issue short term, but it probably has a lot of edge cases that could leave trusts behind if it fails to clean up.

I have proposed a patch [2] that adds support for sending a service user token (X-Service-Token header) from cinder-backup to the Swift endpoint, which would make the Swift endpoint allow the X-Auth-Token (the user token we pass along) even if it's expired (based on the [token]/allow_expired_window that Keystone allows).

The patch [2] should hopefully solve the issue for anybody running OpenStack Swift.

For those of us running Ceph RadosGW as a means of providing a Swift compatible API it's harder because the X-Service-Token support is not there; we are running Ceph RadosGW and I'm working on adding this support in [3].

Our goal is to solve the issue with [2] and [3], but potentially use [1] (if it's merged; I think it could be, but maybe as a workaround the same way Nova has a [workarounds] section) until those two patches have been released in the future.

[1] https://review.opendev.org/c/openstack/cinder/+/785362
[2] https://review.opendev.org/c/openstack/cinder/+/840289
[3] https://github.com/ceph/ceph/pull/45395
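An added illustrative model (not cinder, keystonemiddleware or RadosGW code, and not part of this comment) of the behaviour the X-Service-Token approach relies on: the Swift endpoint accepts an expired X-Auth-Token only when a valid X-Service-Token carrying a service role accompanies it and the user token is still within allow_expired_window. The window length, the role name and the sample tokens are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed deployment settings (not from the comment): Keystone's
# [token]/allow_expired_window and the roles a service token must carry.
ALLOW_EXPIRED_WINDOW = timedelta(days=2)
SERVICE_TOKEN_ROLES = frozenset({"service"})


@dataclass(frozen=True)
class Token:
    token_id: str
    subject: str
    roles: frozenset
    expires_at: datetime


NOW = datetime(2022, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed sample tokens standing in for Keystone's validation results.
TOKENS = {
    "user-fresh": Token("user-fresh", "alice", frozenset({"member"}), NOW + timedelta(hours=1)),
    "user-stale": Token("user-stale", "alice", frozenset({"member"}), NOW - timedelta(hours=3)),
    "user-ancient": Token("user-ancient", "alice", frozenset({"member"}), NOW - timedelta(days=5)),
    "svc-cinder": Token("svc-cinder", "cinder", frozenset({"service"}), NOW + timedelta(hours=1)),
    "svc-norole": Token("svc-norole", "cinder", frozenset({"member"}), NOW + timedelta(hours=1)),
}


def authorize(headers, now=NOW):
    """Decide whether a Swift request may proceed; returns (allowed, reason)."""
    user = TOKENS.get(headers.get("X-Auth-Token", ""))
    if user is None:
        return False, "unknown user token"
    if now < user.expires_at:
        return True, "valid user token"
    # The user token has expired: the long-running cinder-backup case in the bug.
    service = TOKENS.get(headers.get("X-Service-Token", ""))
    if service is None or now >= service.expires_at:
        return False, "expired user token and no valid service token"
    if not service.roles & SERVICE_TOKEN_ROLES:
        return False, "service token lacks a service role"
    if now - user.expires_at > ALLOW_EXPIRED_WINDOW:
        return False, "user token expired outside allow_expired_window"
    return True, "expired user token accepted within allow_expired_window"
```

Without the service token the stale user token is rejected, which is the failure the per_user backup driver hits today; with it the request is accepted only inside the window.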