From 596e8de5ebd261b2b6610830641d23728b006f53 Mon Sep 17 00:00:00 2001
From: Sarafraj Singh
Date: Tue, 13 Dec 2016 15:04:33 -0600
Subject: [PATCH] Add service_token for nova-neutron interaction

Service token will be passed along with user token to communicate with services when dealing with long running tasks like live migration. This change addresses adding service_token to the request when nova requests neutron session.

Implements: blueprint use-service-tokens
Change-Id: I5e6d6dfeda3673d38bab0bc692c50ca74eb90fc1
---
 nova/conf/service_token.py | 2 +-
 nova/network/neutronv2/api.py | 4 +++-
 nova/tests/unit/network/test_neutronv2.py | 12 ++++++++++++
 ...alidate-expired-user-tokens-57a265cb4ee4ba6f.yaml | 10 +++++-----
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/nova/conf/service_token.py b/nova/conf/service_token.py
index 9c4d75959375..482c0581f001 100644
--- a/nova/conf/service_token.py
+++ b/nova/conf/service_token.py
@@ -32,7 +32,7 @@ service_user_opts = [
 When True, if sending a user token to an REST API, also send a service token.
 
 Nova often reuses the user token provided to the nova-api to talk to other
-REST APIs, such as Cinder. It is possible that while the
+REST APIs, such as Cinder and Neutron. It is possible that while the
 user token was valid when the request was made to Nova, the token may
 expire before it reaches the other service. To avoid any failures, and to make
 it clear it is Nova calling the service on the users behalf, we include
diff --git a/nova/network/neutronv2/api.py b/nova/network/neutronv2/api.py
index ee832f1f9b36..0810cce87743 100644
--- a/nova/network/neutronv2/api.py
+++ b/nova/network/neutronv2/api.py
@@ -39,6 +39,8 @@ from nova.pci import request as pci_request
 from nova.pci import utils as pci_utils
 from nova.pci import whitelist as pci_whitelist
 from nova.policies import base as base_policies
+from nova import service_auth
+
 
 CONF = nova.conf.CONF
 
@@ -136,7 +138,7 @@ def get_client(context, admin=False):
         auth_plugin = _ADMIN_AUTH
 
     elif context.auth_token:
-        auth_plugin = context.get_auth_plugin()
+        auth_plugin = service_auth.get_auth_plugin(context)
 
     if not auth_plugin:
         # We did not get a user token and we should not be using
diff --git a/nova/tests/unit/network/test_neutronv2.py b/nova/tests/unit/network/test_neutronv2.py
index 04792ed62d51..fc0560520e6a 100644
--- a/nova/tests/unit/network/test_neutronv2.py
+++ b/nova/tests/unit/network/test_neutronv2.py
@@ -20,6 +20,7 @@ import uuid
 
 from keystoneauth1.fixture import V2Token
 from keystoneauth1 import loading as ks_loading
+from keystoneauth1 import service_token
 import mock
 from mox3 import mox
 import netaddr
@@ -140,6 +141,17 @@ class TestNeutronClient(test.NoDBTestCase):
                           neutronapi.get_client,
                           my_context)
 
+    def test_non_admin_with_service_token(self):
+        self.flags(send_service_user_token=True, group='service_user')
+
+        my_context = context.RequestContext('userid',
+                                            uuids.my_tenant,
+                                            auth_token='token')
+
+        cl = neutronapi.get_client(my_context)
+        self.assertIsInstance(cl.httpclient.auth,
+                              service_token.ServiceTokenAuthWrapper)
+
     @mock.patch.object(client.Client, "list_networks",
                        side_effect=exceptions.Unauthorized())
     def test_Unauthorized_user(self, mock_list_networks):
diff --git a/releasenotes/notes/validate-expired-user-tokens-57a265cb4ee4ba6f.yaml b/releasenotes/notes/validate-expired-user-tokens-57a265cb4ee4ba6f.yaml
index 10ccb6983f26..4701dd201e74 100644
--- a/releasenotes/notes/validate-expired-user-tokens-57a265cb4ee4ba6f.yaml
+++ b/releasenotes/notes/validate-expired-user-tokens-57a265cb4ee4ba6f.yaml
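Review bot: The switch to `service_auth.get_auth_plugin(context)` on the `elif context.auth_token:` branch silently changes the trust model of every non-admin Neutron call and deserves a comment at the call site: per the release note in this same patch, once `send_service_user_token` is enabled the user token is wrapped with Nova's service token and the receiving keystonemiddleware will accept the user token even after it has expired, which presumably also requires Neutron's middleware to be configured to trust the service user's role. I would add `# Wraps the user token with Nova's service token when send_service_user_token is set, so Neutron still accepts the request after the user token expires; see nova.service_auth.` above the assignment. The `if not auth_plugin:` guard visible below still depends on this helper returning a falsy value when the context cannot yield a plugin; worth confirming `service_auth.get_auth_plugin` preserves that rather than wrapping `None`, otherwise the explicit Unauthorized path turns into a failure at request time. `get_client` begins and ends outside the hunk.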
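Review bot: `test_non_admin_with_service_token` only pins the enabled case; nothing in the test file asserts that with `send_service_user_token` left at its default the non-admin path still hands Neutron the plain user auth plugin, so a default flip or a bug in the helper that always wraps would go unnoticed. Add the negative counterpart as `test_non_admin_without_service_token` that builds the same `RequestContext` without calling `self.flags`, then `cl = neutronapi.get_client(my_context)` followed by `self.assertNotIsInstance(cl.httpclient.auth, service_token.ServiceTokenAuthWrapper)`. The new test also does not check that the wrapper's inner user auth is the one `context.get_auth_plugin()` produces, though that is arguably better covered in the `nova.service_auth` unit tests. `TestNeutronClient` continues outside the hunk.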
@@ -4,11 +4,11 @@ features:
     sent along with the user token, then it will ignore the expiration of
     user token. This helps deal with issues of user tokens expiring during
     long running operations, such as live-migration where nova tries to access
-    Cinder at the end of the operation using the user token that has expired.
-    In order to use this functionality a service user needs to be created.
-    Add service user configurations in ``nova.conf`` under
+    Cinder and Neutron at the end of the operation using the user token that
+    has expired. In order to use this functionality a service user needs to
+    be created. Add service user configurations in ``nova.conf`` under
     ``service_user`` group and set ``send_service_user_token`` flag to ``True``.
     The minimum Keytone API version 3.8 and Keystone middleware version 4.12.0
     is required to use this functionality.
-    This only currently works with nova - cinder API interactions.
-
+    This only currently works with Nova - Cinder and Nova - Neutron API
+    interactions.