77c886ab18
This adds support to the Swift backup driver to send a service user token in the X-Service-Token header when talking to Swift which will support long running processes to continue functioning when the user token is expired if the target supports it. [1] [2]

In the patch I'm favoring passing the X-Service-Token from Cinder as a header instead of passing the service user credentials down to the python-swiftclient, it makes more sense to not hand it off. We already have an auth plugin for the service user which ensures that the token is always valid, an invalid token would disrupt the process and cause the long running process to fail.

The new config option to enable the service auth in the Swift driver serves the purpose of not enabling the feature by default for deployments already enabling service user for Nova and Glance.

I'm working on implementing the X-Service-Token support in Ceph RadosGW's Swift API implementation [3], OpenStack Swift already supports service token.

[1] https://specs.openstack.org/openstack/keystone-specs/specs/keystonemiddleware/juno/service-tokens.html
[2] https://docs.openstack.org/cinder/latest/configuration/block-storage/service-token.html
[3] https://github.com/ceph/ceph/pull/45395

Related-Bug: #1298135
Change-Id: I69a478dc18c18e6d67be83d61c9643afab72c118
10 lines
497 B
YAML
---
features:
  - |
    The Swift backup driver now supports sending a X-Service-Token header with
    a service token when the new ``backup_swift_service_auth`` config option is
    enabled. Please note that you still need to configure the ``[service_user]``
    group and also set ``send_service_user_token`` to enable the behavior and not
    only the Swift backup driver option. Note ``send_service_user_token`` enables
    it globally and will also affect communication with Nova and Glance.
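The release note above describes settings that must all be in place before the header is sent. The following configuration check is an added example, not code from the Cinder project. It assumes ``backup_swift_service_auth`` lives in ``[DEFAULT]`` and that a configured ``[service_user]`` group sets ``auth_type``; the finding codes and sample values are constructed for illustration.

```python
import configparser

# Constructed cinder.conf fragments; every value is a placeholder.
DRIVER_ONLY = """
[DEFAULT]
backup_swift_service_auth = True
"""
COMPLETE = """
[DEFAULT]
backup_swift_service_auth = True
[service_user]
send_service_user_token = True
auth_type = password
auth_url = https://keystone.example.test/v3
username = cinder
password = PLACEHOLDER
"""


def audit_swift_service_token(conf_text):
    """Return sorted finding codes for the Swift backup service-token settings."""
    # Treat [DEFAULT] as an ordinary section so its keys do not leak into others.
    cp = configparser.ConfigParser(default_section="__unused__",
                                   interpolation=None)
    cp.read_string(conf_text)
    # Assumption: the driver option is read from [DEFAULT].
    driver_on = cp.getboolean("DEFAULT", "backup_swift_service_auth",
                              fallback=False)
    send_on = cp.getboolean("service_user", "send_service_user_token",
                            fallback=False)
    # Assumption: a configured [service_user] group names its auth plugin.
    creds = bool(cp.get("service_user", "auth_type", fallback="").strip())
    findings = set()
    if driver_on and not send_on:
        # Driver option alone does not enable the behavior.
        findings.add("DRIVER_ON_BUT_SEND_OFF")
    if (driver_on or send_on) and not creds:
        findings.add("SERVICE_USER_NOT_CONFIGURED")
    if send_on and not driver_on:
        # Service token is enabled, but the Swift backup driver has not opted in.
        findings.add("SWIFT_BACKUP_NOT_OPTED_IN")
    if send_on:
        # Global switch: also affects communication with Nova and Glance.
        findings.add("INFO_GLOBAL_AFFECTS_NOVA_GLANCE")
    return sorted(findings)


if __name__ == "__main__":
    for name, text in (("driver only", DRIVER_ONLY), ("complete", COMPLETE)):
        print(name, audit_swift_service_token(text))
```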