authenticate in protection service client
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Karbor |
In Progress
|
High
|
zengchen |
Bug Description
Currently, all openstack clients in protection service use context (including token) passed by API service.
This implementation will introduce 3 issues:
1. protection plugin will check resource status asynchronously in background, which may take hours. The token in the context may expire.
2. protection plugin requires admin authority to check all tenants resource status, while the context from API is per tenant authority;
3. during restore, protection plugin may restore to a separate openstack, which has independent authentication service from smaug API service. We need have protection plugin to authenticate to this openstack's keystone independently.
To address issues above, we'd better have protection service clients to authenticate independently instead of continuing to use context passed by API service
Changed in smaug: | |
status: | New → Triaged |
importance: | Undecided → High |
Changed in karbor: | |
milestone: | none → ocata |
Changed in karbor: | |
assignee: | nobody → zengchen (chenzeng2) |
I will fix the first bug that the token may expire when accessing another openstack service in karbor's protect service.