cinder/releasenotes/notes/cinder-backup-swift-service-token-9b86e8e73ebd2a22.yaml
Tobias Urdin 77c886ab18 backup/swift: Add support sending service user token
This adds support to the Swift backup driver to send
a service user token in the X-Service-Token header when
talking to Swift which will support long running processes
to continue functioning when the user token is expired if
the target supports it. [1] [2]

In the patch I'm favoring passing the X-Service-Token from
Cinder as a header instead of passing the service user credentials
down to the python-swiftclient, it makes more sense to not hand
it off. We already have an auth plugin for the service user which
ensures that the token is always valid, an invalid token would
disrupt the process and cause the long running process to fail.

The new config option to enable the service auth in the Swift
driver serves the purpose of not enabling the feature by default
for deployments already enabling service user for Nova and Glance.

I'm working on implementing the X-Service-Token support
in Ceph RadosGW's Swift API implementation [3], OpenStack Swift
already supports service token.

[1] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/juno/service-tokens.html
[2] https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html
[3] https://github.com/ceph/ceph/pull/45395

Related-Bug: #1298135
Change-Id: I69a478dc18c18e6d67be83d61c9643afab72c118
2022-05-04 07:29:54 +00:00


---
features:
  - |
    The Swift backup driver now supports sending a X-Service-Token header with
    a service token when the new ``backup_swift_service_auth`` config option is
    enabled. Please note that you still need to configure the ``[service_user]``
    group and also set ``send_service_user_token`` to enable the behavior and not
    only the Swift backup driver option. Note ``send_service_user_token`` enables
    it globally and will also affect communication with Nova and Glance.
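
A `cinder.conf` sketch of the three settings the release note says must be set together, added here as an illustration and not taken from the Cinder tree. Placing `backup_swift_service_auth` under `[DEFAULT]` is an assumption, and the URL, user name and password are constructed placeholders.

```ini
# Added example, not part of the Cinder repository.

[DEFAULT]
# Per-driver switch from this release note. On its own it has no effect;
# the [service_user] settings below are also required.
# Assumption: registered in [DEFAULT] alongside the other backup_swift_* options.
backup_swift_service_auth = True

[service_user]
# Global switch: once enabled, the service token is also sent on Cinder's
# calls to Nova and Glance, not only on Swift backup requests.
send_service_user_token = True

# Credentials of the service user (keystoneauth password plugin options).
# All values below are constructed placeholders.
auth_type = password
auth_url = https://keystone.example.com/identity
username = cinder
password = <SERVICE_USER_PASSWORD>
user_domain_name = Default
project_name = service
project_domain_name = Default
```

Because `send_service_user_token` is global, confirm that Nova and Glance are set up to accept service tokens before enabling it. Keep the file readable only by the Cinder service account, since it holds the service user's password.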