Comment 234 for bug 2004555

OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (stable/xena)

Reviewed: https://review.opendev.org/c/openstack/nova/+/882868
Committed: https://opendev.org/openstack/nova/commit/6cc4e7fb9ac49606c598e72fcd3d6cf02efac4f1
Submitter: "Zuul (22348)"
Branch: stable/xena

commit 6cc4e7fb9ac49606c598e72fcd3d6cf02efac4f1
Author: melanie witt <email address hidden>
Date: Tue May 9 03:11:25 2023 +0000

    Enable use of service user token with admin context

    When the [service_user] section is configured in nova.conf, nova will
    have the ability to send a service user token alongside the user's
    token. The service user token is sent when nova calls other services'
    REST APIs to authenticate as a service, and service calls can sometimes
    have elevated privileges.

    Currently, nova does not however have the ability to send a service user
    token with an admin context. This means that when nova makes REST API
    calls to other services with an anonymous admin RequestContext (such as
    in nova-manage or periodic tasks), it will not be authenticated as a
    service.

    This adds a keyword argument to service_auth.get_auth_plugin() to
    enable callers to provide a user_auth object instead of attempting to
    extract the user_auth from the RequestContext.

    The cinder and neutron client modules are also adjusted to make use of
    the new user_auth keyword argument so that nova calls made with
    anonymous admin request contexts can authenticate as a service when
    configured.

    Related-Bug: #2004555

    Change-Id: I14df2d55f4b2f0be58f1a6ad3f19e48f7a6bfcb4
    (cherry picked from commit 41c64b94b0af333845e998f6cc195e72ca5ab6bc)
    (cherry picked from commit 1f781423ee4224c0871ab4aafec191bb2f7ef0e4)
    (cherry picked from commit 0d6dd6c67f56c9d4ed36246d14f119da6bca0a5a)
    (cherry picked from commit 98c3e3707c08a07f7ca5996086b165512f604ad6)
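
A small model of the behaviour the commit message above describes, added here as an illustration and not nova's code: the classes, the `client_auth` helper and the token strings are hypothetical stand-ins, while `X-Auth-Token` and `X-Service-Token` are the Keystone header names. It assumes the caller of an anonymous admin context holds separately loaded admin credentials, and it shows which headers the receiving service sees with and without the `user_auth` keyword.

```python
from dataclasses import dataclass


@dataclass
class TokenAuth:  # hypothetical stand-in for an auth plugin yielding one token
    token: str


@dataclass
class ServiceTokenWrapper:  # hypothetical: pairs a user plugin with a service one
    user_auth: TokenAuth
    service_auth: TokenAuth


@dataclass
class RequestContext:  # hypothetical stand-in for a request context
    auth_token: str = ""
    is_admin: bool = False

    def get_auth_plugin(self):
        return TokenAuth(self.auth_token) if self.auth_token else None


def get_auth_plugin(context, service_auth=None, user_auth=None):
    """Model of the new keyword: an explicit user_auth wins over the context."""
    user_auth = user_auth or context.get_auth_plugin()
    if user_auth is None:
        raise ValueError("no user credentials available for this context")
    if service_auth is not None:  # models [service_user] being configured
        return ServiceTokenWrapper(user_auth, service_auth)
    return user_auth


def client_auth(context, admin_auth, service_auth, pass_user_auth):
    """Model of a client module choosing a plugin for an outgoing REST call."""
    anonymous_admin = context.is_admin and not context.auth_token
    if anonymous_admin and not pass_user_auth:
        return admin_auth  # assumed old path: no service token is attached
    explicit = admin_auth if anonymous_admin else None
    return get_auth_plugin(context, service_auth, user_auth=explicit)


def headers(plugin) -> dict:
    """Headers the receiving service would see for this plugin."""
    if isinstance(plugin, ServiceTokenWrapper):
        return {"X-Auth-Token": plugin.user_auth.token,
                "X-Service-Token": plugin.service_auth.token}
    return {"X-Auth-Token": plugin.token}
```

Calling `headers(client_auth(RequestContext(is_admin=True), admin, service, False))` yields only `X-Auth-Token`, whereas passing `True` as the last argument adds `X-Service-Token`, which is what lets the receiving service apply its service-role policy to calls from nova-manage or periodic tasks.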