Open Stack

Hi!

As we're trying to use the InstanceLocalityFilter in cinder, I encountered some strange issues.
I've opened a bug report already:

https://bugs.launchpad.net/cinder/+bug/1686616

But further looking at the novaclient code in Cinder, cinder/nova.py smells a bit more. Seems the latest
modifications are forgot about the case where the user context is used. The problems (some are mentioned in the bug report):
-  It takes great efforts to get the Nova url from the service catalog. Then it passes this url to the constructor of the Keystone
Password plugin (which needs the keystone endpoint). Can be mitigated by setting nova_endpoint_template to the Keystone
endpoint (uhh). The plain nova endpoint is not required anywhere.
- Tries to create a Password plugin, even when the user context is requested. But it doesn't have a password. Creating the Password
plugin like this: password=context.auth_token is very broken.

What I suggest is to: 
- introduce a [nova] section, and use the keystone auth and session loader if a privileged user is requested, like in other components.
- use the Token plugin when the user context is used for the authentication.
- get rid of the service catalog reading code, [nova] should contain auth_url in all cases.
- (get a lightweight novaclient glue code from neutron, or any other components).

What do you think?

Br,
György