[openstack-dev] [keystone] Addressing issue of keystone token expiry during long running operations

Steven Hardy shardy at redhat.com
Fri Dec 18 17:01:15 UTC 2015


On Fri, Dec 18, 2015 at 11:13:37AM +0000, Paul Carlton wrote:
> Jamie
> 
> John Garbutt suggested I follow up this issue with you.  I understand you
> may be leading the effort to address the issue of token expiry during a
> long running operation.  Nova encounters this scenario during image
> snapshots and live migrations.
> 
> Is there a keystone blueprint for this issue?

FWIW we have now worked around this issue via trusts in Heat, as discussed
some time ago here:

http://lists.openstack.org/pipermail/openstack-dev/2014-October/048429.html

In summary, we have an (optional, defaulting to false) config option which
enables switching to a trust-scoped token, where we've created a keystone
trust delegating from the user making the request to heat and a trustee
user (a configurable user owned by the heat service).

We then make use of the keystoneclient auth plugin mechanism, which already
supports reauthentication for password based auth, including when scoped to
a trust:

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/password.py#L70

The heat patch where we introduced this feature is here:

https://review.openstack.org/#/c/226384/

I wrote a blog post a while back which may help if you need some context
around Heat's usage of Trusts:

http://hardysteven.blogspot.co.uk/2014/04/heat-auth-model-updates-part-1-trusts.html

HTH!

Steve
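As an added illustration of the reauthentication path Steve describes above (example code, not Heat's or python-keystoneclient's own): a minimal model of a password auth plugin scoped to a trust, which re-requests a token from keystone when the cached one nears expiry. It assumes a `post` callable standing in for the keystone `/v3/auth/tokens` endpoint and placeholder trustee credentials; the request body follows the Keystone v3 trust-scope format.

```python
import datetime

# Hypothetical minimal model of a trust-scoped password auth plugin
# (added example, not keystoneclient's implementation).
# Reauthenticate when the token expires within this window.
STALE_DURATION = datetime.timedelta(seconds=30)


def trust_scoped_auth_body(username, password, user_domain_id, trust_id):
    """Build the Keystone v3 POST /v3/auth/tokens body for a trust-scoped token.

    The trustee service user authenticates with its own password; the
    OS-TRUST:trust scope makes keystone issue a token carrying the roles
    the trustor delegated, independent of the trustor's (possibly expired) token.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"id": user_domain_id},
                        "password": password,
                    }
                },
            },
            "scope": {"OS-TRUST:trust": {"id": trust_id}},
        }
    }


class TrustScopedAuth:
    """Caches a trust-scoped token and re-authenticates when it nears expiry."""

    def __init__(self, post, **creds):
        # post: callable(body_dict) -> (token_id, expires_at as naive UTC datetime)
        self._post = post
        self._creds = creds  # username, password, user_domain_id, trust_id
        self._token = None
        self._expires = None
        self.auth_count = 0  # number of round trips to keystone, for inspection

    def _will_expire_soon(self, now):
        return self._expires is None or self._expires - now < STALE_DURATION

    def get_token(self, now=None):
        """Return a valid token, transparently re-authenticating if needed."""
        now = now or datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)
        if self._will_expire_soon(now):
            self._token, self._expires = self._post(trust_scoped_auth_body(**self._creds))
            self.auth_count += 1
        return self._token
```

Because the trustee re-authenticates with its own password rather than the original user's token, a long-running operation keeps working after the user's token has expired.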
