Cinder glance client is using a token instead of auth session
Bug #1735444 reported by
Chhavi Agarwal
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Cinder |
New
|
Undecided
|
Unassigned |
Bug Description
https:/
To post a comment you must log in.
This seems to be a classic case of user token getting expired in the middle of a long running operation . User passes a valid token to cinder and makes a REST call but by the time the token reaches glance, it has expired. OpenStack has support for something called service tokens to aid in this. This has been implemented in nova for calls to cinder (for eg. user makes rest api call to nova and nova uses that user token to cinder). As we know, while making REST api call, user token is passed as part of the header named 'X-Auth-Token' . With the service token support, another header named 'X-service-token' gets passed which has service user token passed along with the user token. Within the operation , when the user token expires, the call still continues if the service token is present. This support is enabled in keystoneauth1 library.
https:/ /specs. openstack. org/openstack/ nova-specs/ specs/ocata/ implemented/ use-service- tokens. html /blueprints. launchpad. net/nova/ +spec/use- service- tokens /github. com/openstack/ nova/blob/ master/ nova/service_ auth.py /github. com/openstack/ nova/blob/ master/ nova/conf/ service_ token.py
https:/
https:/
https:/
The other way would be to have the client (for eg. glanceclient) re-authenticate and get a fresh token when the existing user token expires. But the problem with that would be the service user credentials has to be used for generating a new token and thus the second REST api will be made using token corresponding to the service credentials.