Service User Tokens

Warning

Configuration of service user tokens is required for every Nova service for security reasons. See https://bugs.launchpad.net/nova/+bug/2004555 for details.

Configure Nova to send service user tokens alongside regular user tokens when making REST API calls to other services. The identity service (Keystone) will authenticate a request using the service user token if the regular user token has expired.

This is important when long-running operations such as live migration or snapshot take long enough to exceed the expiry of the user token. Without the service token, if a long-running operation exceeds the expiry of the user token, post operations such as cleanup after a live migration could fail when Nova calls other service APIs like block-storage (Cinder) or networking (Neutron).

The service token is also used by services to validate whether the API caller is a service. Some service APIs are restricted to service users only.

To set up service tokens, create a nova service user and service role in the identity service (Keystone) and assign the service role to the nova service user.

Then, configure the service_user section of the Nova configuration file, for example:

[service_user]
send_service_user_token = true
auth_url = $AUTH_URL
auth_strategy = keystone
auth_type = password
project_domain_name = $PROJECT_DOMAIN_NAME
project_name = service
user_domain_name = $USER_DOMAIN_NAME
username = nova
password = $SERVICE_USER_PASSWORD
...

And configure the other identity options as necessary for the service user, much like you would configure nova to work with the image service (Glance) or networking service (Neutron).

Note

Please note that the role assigned to the service_user needs to be in the configured keystone_authtoken.service_token_roles of other services such as block-storage (Cinder), image (Glance), and networking (Neutron).