Enable use of service user token with admin context
When the [service_user] section is configured in nova.conf, nova will
have the ability to send a service user token alongside the user's
token. The service user token is sent when nova calls other services'
REST APIs to authenticate as a service, and service calls can sometimes
have elevated privileges.
Currently, nova does not however have the ability to send a service user
token with an admin context. This means that when nova makes REST API
calls to other services with an anonymous admin RequestContext (such as
in nova-manage or periodic tasks), it will not be authenticated as a
service.
This adds a keyword argument to service_auth.get_auth_plugin() to
enable callers to provide a user_auth object instead of attempting to
extract the user_auth from the RequestContext.
The cinder and neutron client modules are also adjusted to make use of
the new user_auth keyword argument so that nova calls made with
anonymous admin request contexts can authenticate as a service when
configured.
Related-Bug: #2004555
Change-Id: I14df2d55f4b2f0be58f1a6ad3f19e48f7a6bfcb4
(cherry picked from commit 41c64b94b0af333845e998f6cc195e72ca5ab6bc)
(cherry picked from commit 1f781423ee4224c0871ab4aafec191bb2f7ef0e4)
(cherry picked from commit 0d6dd6c67f56c9d4ed36246d14f119da6bca0a5a)
(cherry picked from commit 98c3e3707c08a07f7ca5996086b165512f604ad6)
Reviewed: https:/ /review. opendev. org/c/openstack /nova/+ /882868 /opendev. org/openstack/ nova/commit/ 6cc4e7fb9ac4960 6c598e72fcd3d6c f02efac4f1
Committed: https:/
Submitter: "Zuul (22348)"
Branch: stable/xena
commit 6cc4e7fb9ac4960 6c598e72fcd3d6c f02efac4f1
Author: melanie witt <email address hidden>
Date: Tue May 9 03:11:25 2023 +0000
Enable use of service user token with admin context
When the [service_user] section is configured in nova.conf, nova will
have the ability to send a service user token alongside the user's
token. The service user token is sent when nova calls other services'
REST APIs to authenticate as a service, and service calls can sometimes
have elevated privileges.
Currently, nova does not however have the ability to send a service user
token with an admin context. This means that when nova makes REST API
calls to other services with an anonymous admin RequestContext (such as
in nova-manage or periodic tasks), it will not be authenticated as a
service.
This adds a keyword argument to service_ auth.get_ auth_plugin( ) to
enable callers to provide a user_auth object instead of attempting to
extract the user_auth from the RequestContext.
The cinder and neutron client modules are also adjusted to make use of
the new user_auth keyword argument so that nova calls made with
anonymous admin request contexts can authenticate as a service when
configured.
Related-Bug: #2004555
Change-Id: I14df2d55f4b2f0 be58f1a6ad3f19e 48f7a6bfcb4 845e998f6cc195e 72ca5ab6bc) 0871ab4aafec191 bb2f7ef0e4) 4ed36246d14f119 da6bca0a5a) f7ca5996086b165 512f604ad6)
(cherry picked from commit 41c64b94b0af333
(cherry picked from commit 1f781423ee4224c
(cherry picked from commit 0d6dd6c67f56c9d
(cherry picked from commit 98c3e3707c08a07