authorJenkins <jenkins@review.openstack.org>2017-06-12 22:54:10 +0000
committerGerrit Code Review <review@openstack.org>2017-06-12 22:54:10 +0000
commit3a5d592e607176f4159ff65b6df0e2b552156aaf (patch)
tree5124014dea3c353e99bb432c201111c6913fd818
parenta35b067588a4958ade81bb350d68c554ae656b06 (diff)
parent6211009e557cf1c0addaf81e75e03939f8640a8a (diff)
Merge "Add service_token for nova-glance interaction"
-rw-r--r--nova/conf/service_token.py2
-rw-r--r--nova/image/glance.py3
-rw-r--r--nova/tests/unit/image/test_glance.py3
-rw-r--r--releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml12
4 files changed, 17 insertions, 3 deletions
diff --git a/nova/conf/service_token.py b/nova/conf/service_token.py
index 482c0581f0..29d6bd1b20 100644
--- a/nova/conf/service_token.py
+++ b/nova/conf/service_token.py
@@ -32,7 +32,7 @@ service_user_opts = [
When True, if sending a user token to an REST API, also send a service token.
Nova often reuses the user token provided to the nova-api to talk to other
-REST APIs, such as Cinder and Neutron. It is possible that while the
+REST APIs, such as Cinder, Glance and Neutron. It is possible that while the
user token was valid when the request was made to Nova, the token may expire
before it reaches the other service. To avoid any failures, and to
make it clear it is Nova calling the service on the users behalf, we include
diff --git a/nova/image/glance.py b/nova/image/glance.py
index 0f598416ab..360f1bc8e6 100644
--- a/nova/image/glance.py
+++ b/nova/image/glance.py
@@ -46,6 +46,7 @@ from nova.i18n import _LE, _LI, _LW
import nova.image.download as image_xfers
from nova import objects
from nova.objects import fields
+from nova import service_auth
LOG = logging.getLogger(__name__)
CONF = nova.conf.CONF
@@ -60,7 +61,7 @@ def _glanceclient_from_endpoint(context, endpoint, version):
_SESSION = ks_loading.load_session_from_conf_options(
CONF, nova.conf.glance.glance_group.name)
- auth = context.get_auth_plugin()
+ auth = service_auth.get_auth_plugin(context)
# TODO(johngarbutt) eventually we should default to getting the
# endpoint URL from the service catalog.
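Review bot: The new line `auth = service_auth.get_auth_plugin(context)` carries no comment saying that the plugin it returns may now hold Nova's service token in addition to the user's token, and the TODO directly below it says the endpoint URL is not yet taken from the service catalog. Presumably (the helper is not shown in this diff) the service token is attached only when `send_service_user_token` in the `service_user` group is True; in that case it is sent to whatever Glance URL the deployment has configured, so that URL needs to be a trusted, TLS-protected Glance server. I would add above the line: `# NOTE: may wrap the user auth with Nova's service token (service_user/send_service_user_token); it is sent to the given endpoint, which must be a trusted Glance server.` `_glanceclient_from_endpoint` starts before this hunk and continues after it.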
diff --git a/nova/tests/unit/image/test_glance.py b/nova/tests/unit/image/test_glance.py
index 84b85c8d0b..bf4251ae7f 100644
--- a/nova/tests/unit/image/test_glance.py
+++ b/nova/tests/unit/image/test_glance.py
@@ -32,6 +32,7 @@ import nova.conf
from nova import context
from nova import exception
from nova.image import glance
+from nova import service_auth
from nova import test
from nova.tests import uuidsentinel as uuids
@@ -342,7 +343,7 @@ class TestGetImageService(test.NoDBTestCase):
class TestCreateGlanceClient(test.NoDBTestCase):
- @mock.patch.object(context.RequestContext, 'get_auth_plugin')
+ @mock.patch.object(service_auth, 'get_auth_plugin')
@mock.patch.object(ks_loading, 'load_session_from_conf_options')
@mock.patch('glanceclient.Client')
def test_glanceclient_with_ks_session(self, mock_client, mock_load,
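Review bot: Patching `service_auth.get_auth_plugin` as a whole means this test cannot tell whether a service token is attached when `send_service_user_token` is enabled; at most it shows that the Glance client uses whatever the helper returns. The test body lies outside the hunk, so this may already be covered, but if it is not, the test should assert that the patched helper was called once with the request context and that its return value is the `auth` handed to the client. The wrapping itself is presumably tested alongside the `service_auth` module, and a one-line comment here pointing to that test would help the next reader.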
diff --git a/releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml b/releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml
new file mode 100644
index 0000000000..8d769b7f15
--- /dev/null
+++ b/releasenotes/notes/validate-expired-user-tokens-glance-440c36887286b52f.yaml
@@ -0,0 +1,12 @@
+---
+features:
+ - |
+ Added support for Keystone middleware feature for interaction of Nova with
+ the Glance API. With this support, if service token is sent along with the
+ user token, then the expiration of user token will be ignored. In order to
+ use this functionality a service user needs to be created first.
+ Add the service user configurations in ``nova.conf`` under ``service_user``
+ group and set ``send_service_user_token`` flag to ``True``.
+
+ .. note:: This feature is already implemented for Nova interaction with the
+ Cinder and Neutron APIs in Ocata.