From fa07df1e99eb751a9f9739c0e0851c8f20b30b00 Mon Sep 17 00:00:00 2001 From: "ya.wang" Date: Mon, 11 Mar 2019 17:56:22 +0800 Subject: [PATCH] Update docs: User token times out during long-running operations Keystonemiddleware compares the roles of the service_user with [Keystone_authtoken]/service_token_roles, we need to explain this so that users don't get confused. For example: Nova send request to neutron with both service_user_token and user_token, neutron first sends them to Keystonemiddleware for authenrication, Keystonemiddleware will compare service_user's role with [Keystone_authtoken]/service_token_roles which configured in neutron, then decide whether to fetch user_token based on the result. Change-Id: I024885adad2d14bc2568382c677198132dc88a13 --- doc/source/admin/support-compute.rst | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/doc/source/admin/support-compute.rst b/doc/source/admin/support-compute.rst index 5e3a7ae36747..fc2f513fad8f 100644 --- a/doc/source/admin/support-compute.rst +++ b/doc/source/admin/support-compute.rst @@ -526,3 +526,11 @@ configuration file, for example: And configure the other identity options as necessary for the service user, much like you would configure nova to work with the image service (glance) or networking service. + +.. note:: + + Please note that the role of the :oslo.config:group:`service_user` you + configure needs to be a superset of + :oslo.config:option:`keystone_authtoken.service_token_roles` (The option + :oslo.config:option:`keystone_authtoken.service_token_roles` is configured + in cinder, glance and neutron).