It is a known problem that when talking to services on a user's behalf (such as glance, cinder, neutron) and using a Token, that it could expire when making sub requests on behalf of the user. By default Keystone Token expiration time is 1 hour.
There is no definitive solution at this point for this problem. A number of ideas have been discussed during summit sessions around non expiring token types (would need keystone changes). However we may want to decide that for some class of known long standing operations that Nova will reject them if the token expiration is too close (much like traveling on a passport that is near expiration). That may be able to mitigate this.
It is a known problem that when talking to services on a user's behalf (such as glance, cinder, neutron) and using a Token, that it could expire when making sub requests on behalf of the user. By default Keystone Token expiration time is 1 hour.
There is no definitive solution at this point for this problem. A number of ideas have been discussed during summit sessions around non expiring token types (would need keystone changes). However we may want to decide that for some class of known long standing operations that Nova will reject them if the token expiration is too close (much like traveling on a passport that is near expiration). That may be able to mitigate this.