{
  "doc/source/configuration/block-storage/service-token.rst": [
    {
      "author": {"_account_id": 5046, "name": "Lance Bragstad", "email": "lbragstad@redhat.com", "username": "ldbragst"},
      "change_message_id": "d8d07553918028a97539a3ec8e986869398fb5ae",
      "unresolved": false,
      "context_lines": [
        {"line_number": 13, "context_line": "leading to the failure of the user's original request."},
        {"line_number": 14, "context_line": ""},
        {"line_number": 15, "context_line": "One way to deal with this is to set a long token life in Keystone, and this may"},
        {"line_number": 16, "context_line": "be what you are currently doing.  But this can be problematic for installations"},
        {"line_number": 17, "context_line": "whose security policies prefer short user token lives.  Beginning with the"},
        {"line_number": 18, "context_line": "Queens release, an alternative solution is available.  You have the ability to"},
        {"line_number": 19, "context_line": "configure some services (particularly Nova and Cinder) to send a \"service"},
        {"line_number": 20, "context_line": "token\" along with the user's token.  When properly configured, the Identity"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "7faddb67_5ebfd9a9",
      "line": 17,
      "range": {"start_line": 16, "start_character": 50, "end_line": 17, "end_character": 54},
      "updated": "2019-08-23 21:37:45.000000000",
      "message": "++ and is considered a security anti-pattern",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5046, "name": "Lance Bragstad", "email": "lbragstad@redhat.com", "username": "ldbragst"},
      "change_message_id": "d8d07553918028a97539a3ec8e986869398fb5ae",
      "unresolved": false,
      "context_lines": [
        {"line_number": 30, "context_line": "   Identity Service to have specific roles that identify that user as"},
        {"line_number": 31, "context_line": "   a service."},
        {"line_number": 32, "context_line": ""},
        {"line_number": 33, "context_line": "   The key point here is that the \"service token\" doesn't need to have"},
        {"line_number": 34, "context_line": "   an extra long life -- it can have the same short life as all the"},
        {"line_number": 35, "context_line": "   other tokens because it will be a **fresh** (and hence valid) token"},
        {"line_number": 36, "context_line": "   accompanying the (possibly expired) user's token."},
        {"line_number": 37, "context_line": ""},
        {"line_number": 38, "context_line": ".. _service-token-configuration:"},
        {"line_number": 39, "context_line": ""}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "7faddb67_3e4c5dc7",
      "line": 36,
      "range": {"start_line": 33, "start_character": 0, "end_line": 36, "end_character": 52},
      "updated": "2019-08-23 21:37:45.000000000",
      "message": "Nice explanation here.\n\nFor additional context: keystone will validate an expired token if told to do so. Keystonemiddleware leverages this with user tokens by checking to make sure the service user has the service role defined in a service's configuration file (e.g., cinder's [keystone_authtoken] configuration section.) If those roles match, keystonemiddleware will ask keystone to validate a user's token with the ?allow_expired query parameter set (you can find all the nitty gritty details in ksm [0].)\n\n[0] https://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/__init__.py#L373-L404",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5314, "name": "Brian Rosmaita", "email": "rosmaita.fossdev@gmail.com", "username": "brian-rosmaita"},
      "change_message_id": "70f6cc030f069951f21037af9cbd8a0f36b7014b",
      "unresolved": false,
      "context_lines": [
        {"line_number": 30, "context_line": "   Identity Service to have specific roles that identify that user as"},
        {"line_number": 31, "context_line": "   a service."},
        {"line_number": 32, "context_line": ""},
        {"line_number": 33, "context_line": "   The key point here is that the \"service token\" doesn't need to have"},
        {"line_number": 34, "context_line": "   an extra long life -- it can have the same short life as all the"},
        {"line_number": 35, "context_line": "   other tokens because it will be a **fresh** (and hence valid) token"},
        {"line_number": 36, "context_line": "   accompanying the (possibly expired) user's token."},
        {"line_number": 37, "context_line": ""},
        {"line_number": 38, "context_line": ".. _service-token-configuration:"},
        {"line_number": 39, "context_line": ""}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "3fa7e38b_5149752e",
      "line": 36,
      "range": {"start_line": 33, "start_character": 0, "end_line": 36, "end_character": 52},
      "in_reply_to": "7faddb67_3e4c5dc7",
      "updated": "2019-09-26 08:15:36.000000000",
      "message": "Thanks for the explanation, it's helpful to me to have a better understanding of how this is designed.  (This seems to be TMI for the doc, though.)",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5046, "name": "Lance Bragstad", "email": "lbragstad@redhat.com", "username": "ldbragst"},
      "change_message_id": "d8d07553918028a97539a3ec8e986869398fb5ae",
      "unresolved": false,
      "context_lines": [
        {"line_number": 48, "context_line": "    file (usually ``/etc/cinder/cinder.conf``, though it may be in a"},
        {"line_number": 49, "context_line": "    different location in your installation)."},
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "7faddb67_7e5c154c",
      "line": 51,
      "range": {"start_line": 51, "start_character": 4, "end_line": 51, "end_character": 60},
      "updated": "2019-08-23 21:37:45.000000000",
      "message": "Interesting - I had no idea services needed to roll out their own configuration option to get this stuff to work.\n\nI was under the impression services (like cinder) would build clients using the user information from ``cinder.conf [keystone_authtoken]`` which would be the service user.\n\nI built a copy of the cinder.conf today and this option doesn't render, is it included? I'm working from 48f9425d2cdaa2d38f30d77b19115a64ac360c3a",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5314, "name": "Brian Rosmaita", "email": "rosmaita.fossdev@gmail.com", "username": "brian-rosmaita"},
      "change_message_id": "70f6cc030f069951f21037af9cbd8a0f36b7014b",
      "unresolved": false,
      "context_lines": [
        {"line_number": 48, "context_line": "    file (usually ``/etc/cinder/cinder.conf``, though it may be in a"},
        {"line_number": 49, "context_line": "    different location in your installation)."},
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "3fa7e38b_1f02290c",
      "line": 51,
      "range": {"start_line": 51, "start_character": 4, "end_line": 51, "end_character": 60},
      "in_reply_to": "7faddb67_7e5c154c",
      "updated": "2019-09-26 08:15:36.000000000",
      "message": "I don't know that we *have to* roll out our own config, but Cinder has a specific service_auth module to handle this, and it specifically loads the info from the [service_user] group in the config file.",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5046, "name": "Lance Bragstad", "email": "lbragstad@redhat.com", "username": "ldbragst"},
      "change_message_id": "d8d07553918028a97539a3ec8e986869398fb5ae",
      "unresolved": false,
      "context_lines": [
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"},
        {"line_number": 55, "context_line": ""},
        {"line_number": 56, "context_line": ".. note::"},
        {"line_number": 57, "context_line": "   There is no configuration required for a service to *receive*"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "7faddb67_3e2bfd95",
      "line": 54,
      "range": {"start_line": 53, "start_character": 0, "end_line": 54, "end_character": 60},
      "updated": "2019-08-23 21:37:45.000000000",
      "message": "Shouldn't this already be included by using ksm since it uses and loads keystoneauth's configuration options? You might be able to get access to this same information by querying ``cinder.conf [keystone_authtoken]``.\n\nhttps://opendev.org/openstack/keystonemiddleware/src/branch/master/keystonemiddleware/auth_token/_opts.py#L193-L195\nhttps://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/loading/__init__.py#L25\nhttps://opendev.org/openstack/keystoneauth/src/branch/master/keystoneauth1/loading/conf.py#L30-L42",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 5314, "name": "Brian Rosmaita", "email": "rosmaita.fossdev@gmail.com", "username": "brian-rosmaita"},
      "change_message_id": "70f6cc030f069951f21037af9cbd8a0f36b7014b",
      "unresolved": false,
      "context_lines": [
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"},
        {"line_number": 55, "context_line": ""},
        {"line_number": 56, "context_line": ".. note::"},
        {"line_number": 57, "context_line": "   There is no configuration required for a service to *receive*"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 2,
      "id": "3fa7e38b_71c911aa",
      "line": 54,
      "range": {"start_line": 53, "start_character": 0, "end_line": 54, "end_character": 60},
      "in_reply_to": "7faddb67_3e2bfd95",
      "updated": "2019-09-26 08:15:36.000000000",
      "message": "The code could probably be refactored to eliminate the Cinder [service_user] option group (as you suggested in the previous comment), but what I'd like to do is land this doc patch as-is, since it will explain how to get this to work in the stable branches, and then look into making this automatic as a follow-up.",
      "commit_id": "90597ef91c516af5c92ec45f595a8bd75e2edcc9"
    },
    {
      "author": {"_account_id": 4523, "name": "Eric Harney", "email": "eharney@redhat.com", "username": "eharney"},
      "change_message_id": "7e3bbeb820cd3fbf4937298cb400aa6291ddf50f",
      "unresolved": false,
      "context_lines": [
        {"line_number": 48, "context_line": "    file (usually ``/etc/cinder/cinder.conf``, though it may be in a"},
        {"line_number": 49, "context_line": "    different location in your installation)."},
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 3,
      "id": "3fa7e38b_919b6d64",
      "line": 51,
      "range": {"start_line": 51, "start_character": 27, "end_line": 51, "end_character": 50},
      "updated": "2019-09-26 08:23:01.000000000",
      "message": "send_service_user_token",
      "commit_id": "ae405f81fbdebe3b3ee4cf676c8ec4d19fe038e2"
    },
    {
      "author": {"_account_id": 5314, "name": "Brian Rosmaita", "email": "rosmaita.fossdev@gmail.com", "username": "brian-rosmaita"},
      "change_message_id": "20bba757cf4a75f7877c2eb830bddd4febeb65b2",
      "unresolved": false,
      "context_lines": [
        {"line_number": 48, "context_line": "    file (usually ``/etc/cinder/cinder.conf``, though it may be in a"},
        {"line_number": 49, "context_line": "    different location in your installation)."},
        {"line_number": 50, "context_line": ""},
        {"line_number": 51, "context_line": "2.  In that section, set ``send_user_service_token = true``."},
        {"line_number": 52, "context_line": ""},
        {"line_number": 53, "context_line": "3.  Also in that section, fill in the appropriate configuration for"},
        {"line_number": 54, "context_line": "    your service user (``username``, ``project_name``, etc.)"}
      ],
      "source_content_type": "text/x-rst",
      "patch_set": 3,
      "id": "3fa7e38b_91b4cdd2",
      "line": 51,
      "range": {"start_line": 51, "start_character": 27, "end_line": 51, "end_character": 50},
      "in_reply_to": "3fa7e38b_919b6d64",
      "updated": "2019-09-26 08:24:15.000000000",
      "message": "That's a pretty embarrassing typo!",
      "commit_id": "ae405f81fbdebe3b3ee4cf676c8ec4d19fe038e2"
    }
  ]
}
