We have had lots of ideas on how to improve cross-service communication. There are two key areas of concern: auth token issues and request ID issues. OSIC wants to invest time and energy in making real progress here.
Consider the following use cases:
* Nova does a long live-migrate and eventually needs to call cinder and neutron using the user's token, but it has expired
* Nova snapshot takes a long time, so the token can time out by the end when the final bits are done; ideally we need to avoid that
* Nova wants to talk to port binding as both the user and as Nova, using a service token and a user token
* Folks want to have very short-lived user tokens; ideally the timeout can be independent of how long a live-migrate may take
Possible solution:
* send service token along with user token
* keystone middleware trusts that the service got the user token when it was valid, and doesn't check the expiry date of the cert
* limitation: only works on the "cert" based token and not uuid based tokens?
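A sketch of the check the possible solution implies, as an added example and not keystonemiddleware's own code: an expired user token is accepted only when a valid, unexpired token carrying a service role accompanies it. The HMAC-signed token format, the key, the `service` role name and all function names are assumptions made for illustration; the HMAC stands in for the signature on a "cert" based token that can be verified offline.

```python
import base64, hashlib, hmac, json

# Constructed demo key; stands in for the signing cert of a "cert" based token.
SIGNING_KEY = b"constructed-demo-key"
SERVICE_ROLE = "service"  # assumed role name that marks a service token


def issue(subject, roles, expires_at):
    """Build a signed token: base64(JSON claims) + "." + hex HMAC."""
    claims = {"sub": subject, "roles": roles, "exp": expires_at}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, body, hashlib.sha256).hexdigest()
    return body.decode() + "." + sig


def decode(token):
    """Return the claims if the signature verifies, else None (expiry not checked)."""
    body, _, sig = token.partition(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def authorize(user_token, service_token, now):
    """Return (allowed, reason) for a request carrying a user and a service token."""
    user = decode(user_token)
    if user is None:
        return False, "user token signature invalid"
    if now < user["exp"]:
        return True, "user token valid"
    # User token has expired: only a valid, unexpired service token can vouch
    # that the service received it while it was still valid.
    service = decode(service_token) if service_token else None
    if service is None:
        return False, "user token expired, no valid service token"
    if now >= service["exp"]:
        return False, "service token expired"
    # Without this role check, any second user token would unlock expired tokens.
    if SERVICE_ROLE not in service["roles"]:
        return False, "second token lacks service role"
    return True, "expired user token accepted on service token"
```

The signature on the user token is still verified in every path; only its expiry is waived, and only on the strength of the service token.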
References: keystone-specs: Allow retrieving an expired token https://review.openstack.org/#/c/381361/
Session Leader(s): John Garbutt (johnthetubaguy), Dolph Mathews (dolphm)