
I'm aware of the Unscoped Token and Scoped Token between Horizon and Keystone. But I'd like to know: when the user requests Nova to execute a function, how does Nova request a Scoped Token?

This is the detail of my question based on Nova. I know Horizon, Keystone, Unscoped Token, and Scoped Token. However, I would like to know how Nova requests a Scoped Token when the user requests Nova to execute a function.

  1. When Nova must authenticate after receiving the Scoped token from the user.
     1.1) How does 'Nova' proceed with authentication when the user requests it to 'Nova'?
     1.2) After question 1.1 is done, is the Scoped Token a Manager Token or Unscoped Token?

  2. When 'Nova' sends X-Auth-Token and requests information from 'Glance', it sends X-Subject-Token from 'keystone' to X-Auth-Token, who gets this token?
     Case A: X-Auth-Token authenticated by the user.
     Case B: X-Auth-Token certified using Nova Scoped token and User Scoped token.

Hyeon
  • I don't know what you mean by "certification" and "validator"; can you elaborate? Nova has a user account, usually named *nova*, and is a member of a project named *service* in most cases. Nova has to obtain a token from Keystone, just like any other user, then use a special token validation API to check the user's token. Nova's token will be `x-auth-token`, the user's token `x-subject-token`, as [described in the API](https://docs.openstack.org/api-ref/identity/v3/index.html?expanded=validate-and-show-information-for-token-detail#validate-and-show-information-for-token). – berndbausch Mar 09 '21 at 06:52
  • @berndbausch Sorry about the confusing question :). I just updated my question! Please check and answer if you have any idea. – Hyeon Mar 09 '21 at 10:26
  • I am not sure which token Nova uses with other services like Glance, Neutron or Cinder. In the case of Glance, the user's token would make sense, since the user needs to get granted access to an image. Regarding the scope, I think that Nova requests a scoped token from Keystone when authenticating. If you have a cloud, you could use `tcpdump` to check what precisely happens, or perhaps Keystone, Nova or Glance put enough information in debug log messages. – berndbausch Mar 10 '21 at 02:42
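
The token validation call described in the comments above, as an added example that is not part of the original thread or of Nova's code: it builds (without sending) the Keystone v3 request a service account uses to get a project-scoped token and the validation request carrying both tokens, then classifies a token's scope from the validation body. The endpoint URL, credentials, token strings and sample response are constructed placeholders.

```python
import json
from urllib.request import Request

KEYSTONE = "http://keystone.example:5000/v3"  # assumed endpoint (placeholder)

def service_token_request(user, password, project, domain="Default"):
    """POST /v3/auth/tokens: password auth with an explicit project scope.
    Keystone returns the new token ID in the X-Subject-Token response header."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}},
    }}
    return Request(f"{KEYSTONE}/auth/tokens", data=json.dumps(body).encode(),
                   headers={"Content-Type": "application/json"}, method="POST")

def validate_request(service_token, user_token):
    """GET /v3/auth/tokens: the caller's own token authorizes the call,
    the token under validation travels in X-Subject-Token."""
    return Request(f"{KEYSTONE}/auth/tokens", method="GET", headers={
        "X-Auth-Token": service_token, "X-Subject-Token": user_token})

def token_scope(validation_body):
    """Classify a validated token from the JSON body Keystone returns:
    a scoped token carries a 'project', 'domain' or 'system' section."""
    token = validation_body["token"]
    for kind in ("project", "domain", "system"):
        if kind in token:
            return kind
    return "unscoped"

# Constructed sample of a validation response for a user's project-scoped token.
SAMPLE_VALIDATION = {"token": {
    "user": {"name": "demo", "domain": {"name": "Default"}},
    "project": {"name": "demo-project", "domain": {"name": "Default"}},
    "roles": [{"name": "member"}],
    "expires_at": "2021-03-10T03:42:00.000000Z"}}

if __name__ == "__main__":
    req = validate_request("<nova-service-token>", "<user-token>")
    print(req.get_method(), req.full_url, dict(req.header_items()))
    print("user token scope:", token_scope(SAMPLE_VALIDATION))
```
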

0 Answers