Update docs: User token times out during long-running operations

Keystonemiddleware compares the roles of the service_user with [Keystone_authtoken]/service_token_roles, we need to explain this so that users don't get confused. For example: Nova send request to neutron with both service_user_token and user_token, neutron first sends them to Keystonemiddleware for authenrication, Keystonemiddleware will compare service_user's role with [Keystone_authtoken]/service_token_roles which configured in neutron, then decide whether to fetch user_token based on the result. Change-Id: I024885adad2d14bc2568382c677198132dc88a13
2019-03-11 17:56:22 +08:00 · 2019-03-11 17:56:22 +08:00 · fa07df1e99
commit fa07df1e99
parent f853e04cd2
1 changed files with 8 additions and 0 deletions
--- a/doc/source/admin/support-compute.rst
+++ b/doc/source/admin/support-compute.rst
@ -526,3 +526,11 @@ configuration file, for example:
 And configure the other identity options as necessary for the service user,
 much like you would configure nova to work with the image service (glance)
 or networking service.
+
+.. note::
+
+  Please note that the role of the :oslo.config:group:`service_user` you
+  configure needs to be a superset of
+  :oslo.config:option:`keystone_authtoken.service_token_roles` (The option
+  :oslo.config:option:`keystone_authtoken.service_token_roles` is configured
+  in cinder, glance and neutron).