backup/swift: Add support sending service user token
This adds support to the Swift backup driver to send
a service user token in the X-Service-Token header when
talking to Swift which will support long running processes
to continue functioning when the user token is expired if
the target supports it. [1] [2]
In the patch I'm favoring passing the X-Service-Token from
Cinder as a header instead of passing the service user credentials
down to the python-swiftclient, it makes more sense to not hand
it off. We already have a auth plugin for the service user which
ensures that the token is always valid, an invalid token would
disrupt the process and cause the long running process to fail.
The new config option to enable the service auth in the Swift
driver serves the purpose of not enabling the feature by default
for deployments already enabling service user for Nova and Glance.
I'm working on implementing the X-Service-Token support
in Ceph RadosGW's Swift API implementation [3], OpenStack Swift
already supports service token.
Reviewed: https:/ /review. opendev. org/c/openstack /cinder/ +/840289 /opendev. org/openstack/ cinder/ commit/ 77c886ab18ba241 eaa7418f1e0d095 fe6639ae19
Committed: https:/
Submitter: "Zuul (22348)"
Branch: master
commit 77c886ab18ba241 eaa7418f1e0d095 fe6639ae19
Author: Tobias Urdin <email address hidden>
Date: Tue May 3 13:27:15 2022 +0000
backup/swift: Add support sending service user token
This adds support to the Swift backup driver to send
a service user token in the X-Service-Token header when
talking to Swift which will support long running processes
to continue functioning when the user token is expired if
the target supports it. [1] [2]
In the patch I'm favoring passing the X-Service-Token from
Cinder as a header instead of passing the service user credentials
down to the python-swiftclient, it makes more sense to not hand
it off. We already have a auth plugin for the service user which
ensures that the token is always valid, an invalid token would
disrupt the process and cause the long running process to fail.
The new config option to enable the service auth in the Swift
driver serves the purpose of not enabling the feature by default
for deployments already enabling service user for Nova and Glance.
I'm working on implementing the X-Service-Token support
in Ceph RadosGW's Swift API implementation [3], OpenStack Swift
already supports service token.
[1] https:/ /specs. openstack. org/openstack/ keystone- specs/specs/ keystonemiddlew are/juno/ service- tokens. html /docs.openstack .org/cinder/ latest/ configuration/ block-storage/ service- token.html /github. com/ceph/ ceph/pull/ 45395
[2] https:/
[3] https:/
Related-Bug: #1298135 6d67be83d61c964 3afab72c118
Change-Id: I69a478dc18c18e