Comment 1 for bug 1735444

Divya K Konoor (dikonoor) wrote :

This seems to be a classic case of the user token expiring in the middle of a long-running operation. The user passes a valid token to cinder and makes a REST call, but by the time the token reaches glance, it has expired. OpenStack has support for something called service tokens to aid in this. This has been implemented in nova for calls to cinder (e.g. the user makes a REST API call to nova and nova uses that user token to call cinder). As we know, while making a REST API call, the user token is passed as part of the header named 'X-Auth-Token'. With the service token support, another header named 'X-service-token' gets passed, which has the service user token passed along with the user token. Within the operation, when the user token expires, the call still continues if the service token is present. This support is enabled in the keystoneauth1 library.

https://specs.openstack.org/openstack/nova-specs/specs/ocata/implemented/use-service-tokens.html
https://blueprints.launchpad.net/nova/+spec/use-service-tokens
https://github.com/openstack/nova/blob/master/nova/service_auth.py
https://github.com/openstack/nova/blob/master/nova/conf/service_token.py

The other way would be to have the client (e.g. glanceclient) re-authenticate and get a fresh token when the existing user token expires. But the problem with that would be that the service user credentials have to be used for generating a new token, and thus the second REST API call will be made using the token corresponding to the service credentials.
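
The two-header behaviour described in the comment above, as an added example that is not part of the original comment and is not keystonemiddleware or nova code. It is a simplified model of the receiving service's decision; the token names, the `service` role requirement and the expiry window value are assumptions of this model.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Token:
    expires_at: int      # epoch seconds
    roles: frozenset

# Assumptions of this model (not taken from the comment above).
SERVICE_ROLES = frozenset({"service"})  # roles that mark a service user
ALLOW_EXPIRED_WINDOW = 3600             # seconds an expired user token is still honoured

def validate(headers, token_db, now):
    """Return (http_status, reason) for a request reaching the second service."""
    headers = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    user = token_db.get(headers.get("x-auth-token"))
    if user is None:
        return 401, "unknown user token"
    if now < user.expires_at:
        return 200, "user token valid"
    # User token has expired: only a live service token can keep the call going.
    service = token_db.get(headers.get("x-service-token"))
    if service is None:
        return 401, "user token expired, no service token"
    if now >= service.expires_at:
        return 401, "service token expired"
    # Without this check any user could extend an expired token with their own.
    if not (service.roles & SERVICE_ROLES):
        return 401, "service token lacks a service role"
    if now - user.expires_at > ALLOW_EXPIRED_WINDOW:
        return 401, "user token expired beyond allowed window"
    return 200, "expired user token accepted with service token"

# Constructed sample data: the user token expires at t=1000, the service
# token outlives it, and a second ordinary user token has no service role.
TOKENS = {
    "user-tok": Token(expires_at=1000, roles=frozenset({"member"})),
    "svc-tok": Token(expires_at=9000, roles=frozenset({"service"})),
    "other-user-tok": Token(expires_at=9000, roles=frozenset({"member"})),
}

if __name__ == "__main__":
    for hdrs in (
        {"X-Auth-Token": "user-tok"},
        {"X-Auth-Token": "user-tok", "X-Service-Token": "svc-tok"},
        {"X-Auth-Token": "user-tok", "X-Service-Token": "other-user-tok"},
    ):
        print(validate(hdrs, TOKENS, now=1500))
```

In this model the request still runs with the user's identity and roles; the service token only vouches that the expired user token may be honoured.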