On Fri, Dec 18, 2015 at 11:13:37AM +0000, Paul Carlton wrote:
> Jamie
>
> John Garbutt suggested I follow up this issue with you. I understand you
> may be leading the effort to address the issue of token expiry during a
> long running operation. Nova encounters this scenario during image
> snapshots and live migrations.
>
> Is there a keystone blueprint for this issue?

FWIW we have now worked around this issue via trusts in Heat, as discussed
some time ago here:

http://lists.openstack.org/pipermail/openstack-dev/2014-October/048429.html

In summary, we have an (optional, defaulted to false) config option which
enables switching to a trust-scoped token, where we've created a keystone
trust delegating from the user making the request to heat and a trustee user
(a configurable user owned by the heat service).

We then make use of the keystoneclient auth plugin mechanism, which already
supports reauthentication for password based auth, including when scoped to
a trust:

https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/auth/identity/v3/password.py#L70

The heat patch where we introduced this feature is here:

https://review.openstack.org/#/c/226384/

I wrote a blog post a while back which may help if you need some context
around Heat's usage of Trusts:

http://hardysteven.blogspot.co.uk/2014/04/heat-auth-model-updates-part-1-trusts.html

HTH!

Steve
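The behaviour described in the message above, modelled with the standard library only. This is an added example, not code from Heat, keystoneclient or the original post. `FakeKeystone`, `TokenAuth`, `TrustPasswordAuth`, the 60-second lifetime and the `service-secret` password are constructed for illustration and are not real keystoneclient APIs.

```python
TOKEN_LIFETIME = 60  # seconds; constructed value for the demo

class FakeKeystone:
    """Constructed stand-in for the identity service, with a manual clock."""
    def __init__(self):
        self.now = 0
        self.trusts = {}  # trust_id -> (trustor, trustee)

    def _token(self, acts_as):
        return {"acts_as": acts_as, "expires_at": self.now + TOKEN_LIFETIME}

    def user_token(self, user):
        return self._token(user)

    def create_trust(self, trustor, trustee):
        trust_id = "trust-%d" % (len(self.trusts) + 1)
        self.trusts[trust_id] = (trustor, trustee)
        return trust_id

    def trust_token(self, user, password, trust_id):
        trustor, trustee = self.trusts[trust_id]
        if (user, password) != (trustee, "service-secret"):
            raise PermissionError("not the trustee for this trust")
        return self._token(trustor)  # trustee acts on the trustor's behalf

class TokenAuth:
    """Holds only the request's token, so it has nothing to renew with."""
    def __init__(self, token):
        self.token = token
    def get_token(self, ks):
        if ks.now >= self.token["expires_at"]:
            raise RuntimeError("token expired mid-operation")
        return self.token

class TrustPasswordAuth:
    """Holds trustee credentials and a trust id, so it can reauthenticate."""
    def __init__(self, user, password, trust_id):
        self.creds, self.token, self.auth_count = (user, password, trust_id), None, 0
    def get_token(self, ks):
        if self.token is None or ks.now >= self.token["expires_at"]:
            self.token = ks.trust_token(*self.creds)
            self.auth_count += 1
        return self.token

def long_operation(ks, auth, steps=5, step_seconds=25):
    """Each step needs a valid token; returns the set of users acted as."""
    users = set()
    for _ in range(steps):
        users.add(auth.get_token(ks)["acts_as"])
        ks.now += step_seconds
    return users
```

The trade-off the model makes visible is that the service now holds a long-lived credential that can mint tokens acting as the trustor, so the roles delegated by the trust and the protection of the trustee password bound what that credential can do.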