Service User Tokens¶
Configuration of service user tokens is required for every Nova service for security reasons. See https://bugs.launchpad.net/nova/+bug/2004555 for details.
Configure Nova to send service user tokens alongside regular user tokens when making REST API calls to other services. The identity service (Keystone) will authenticate a request using the service user token if the regular user token has expired.
This is important when long-running operations such as live migration or snapshot take long enough to exceed the expiry of the user token. Without the service token, if a long-running operation exceeds the expiry of the user token, post operations such as cleanup after a live migration could fail when Nova calls other service APIs like block-storage (Cinder) or networking (Neutron).
The service token is also used by services to validate whether the API caller is a service. Some service APIs are restricted to service users only.
To set up service tokens, create a
nova service user and
in the identity service (Keystone) and assign the
service role to the
nova service user.
Then, configure the
service_user section of the Nova
configuration file, for example:
[service_user] send_service_user_token = true auth_url = https://220.127.116.11/identity auth_strategy = keystone auth_type = password project_domain_name = Default project_name = service user_domain_name = Default username = nova password = secretservice ...
And configure the other identity options as necessary for the service user, much like you would configure nova to work with the image service (Glance) or networking service (Neutron).