Ask Your Question
0

how services token buffer work

asked 2013-06-25 03:39:40 -0500

chen-li gravatar image

updated 2013-06-28 10:38:03 -0500

smaffulli gravatar image

I'm working under Grizzly and using UUID for keystone.

When I first start nova-api and run "nova list" for the first time, I can get three keystone accesses:

2013-06-24 13:25:56     INFO [access] 192.168.11.12 - - [24/Jun/2013:05:25:56 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 2047
2013-06-24 13:25:56     INFO [access] 192.168.11.11 - - [24/Jun/2013:05:25:56 +0000] "POST http://keystone:35357/v2.0/tokens HTTP/1.0" 200 2045
2013-06-24 13:25:56     INFO [access] 192.168.11.11 - - [24/Jun/2013:05:25:56 +0000] "GET http://keystone:35357/v2.0/tokens/7de2c612f62441e3a1378c6584921f44 HTTP/1.0" 200 2089

Then, I re-run "nova list", only two accesses left:

2013-06-24 13:25:56     INFO [access] 192.168.11.12 - - [24/Jun/2013:05:25:56 +0000] "POST http://keystone:5000/v2.0/tokens HTTP/1.0" 200 2047
2013-06-24 13:25:56     INFO [access] 192.168.11.11 - - [24/Jun/2013:05:25:56 +0000] "GET http://keystone:35357/v2.0/tokens/7de2c612f62441e3a1378c6584921f44 HTTP/1.0" 200 2089

Obviously, the new token request for nova-api itself will not happen every time, nova-api will re-use previous token.

I question is how this achieved in code? Nova has a buffer for token ? When nova know it's time to get a token ?

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted
0

answered 2014-02-28 19:26:47 -0500

That call is most probably coming from middleware

POST is used to get the token and GET is used to validte the token. GET is restricted call. In order to validate the token you need service token or admin token. If you look at auth middleware, it will have configuration for admin token or admin user /admin pwd. The second POST is for admin user/admin pwd.

1) You cal nova list will username/pwd. -- This will lead to POST v20/tokens 2) This token is then passed to nova, which calls keystone to validate the token. Token validation happens via middleware. To validate the token first the middlware will get the admin or service token. So the second POST is for the admin token from the middleware. Middleware caches the admin token 3) Third call is GET to validate the token

During second run the same sequence of steps happen, except the middleware uses the cached admin token, So you don't see second post

Also look at the port number. 5000 is from nova cli and 35357 is from middleware

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

Stats

Asked: 2013-06-25 03:39:40 -0500

Seen: 151 times

Last updated: Feb 28 '14