The OpenStack services communicate with each other by
passing the user token and service token wrapped in
keystoneauth's ServiceTokenAuthWrapper. The purpose
of passing the service token is for long-running
operations and in case the user token gets expired.
For RBAC, services need to check if a user token has the
'service'
role or not. For that calling service needs to load the
configured user auth plugin (where the user should have
the 'service' role) from keystoneauth and pass that to
the other services and called service (glance in this case)
will use that user role to verify the policy permission.
Cinder register and load user auth plugin from keystonauth
for nova communication case
- 644b6362a6/cinder/compute/nova.py (L100)
But it is missing for glance case which is fixed in this change.
Closes-Bug: #2121622
Needed-By: https://review.opendev.org/c/openstack/glance/+/958715
Change-Id: Ia3fe15517cdbeb8295725b99b526dd70ce290562
Signed-off-by: Ghanshyam Maan <gmaan@ghanshyammann.com>
9dfb500d5b