As discussed here: http://lists.openstack.org/pipermail/openstack-dev/2014-May/035264.htm the use of "with_lockmode('update')" can cause a number of issues when run on top of MySQL+Galera because Galera does not support the 'SELECT ... FOR UPDATE' SQL call.
We currently only use with_lockmode('update') for coordinating consuming trusts (limited use trusts).
We should eliminate this and handle the coordination of consumption to ensure only the specified number of tokens can be issued from a trust. Unfortunately, this is not as straightforward as it could be, because we need to handle the following deployment scenarios:
* Eventlet
* Multiple Keystone Processes (same physical server) [same issue as mod_wsgi]
* Multiple Keystone Processes (different physical servers)
The first and second ones could be handled with the lockutils (external file-based) locking decorator. The last scenario will take more thought.
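One way to enforce the use limit between processes that share only the database, without 'SELECT ... FOR UPDATE', is a conditional UPDATE that succeeds only if the counter still holds the value that was read, with a retry on conflict. The sketch below is an added example, not Keystone's code; the `trust` table layout, the `remaining_uses` column, the function names and the `before_write` hook are assumptions, and SQLite stands in for the real backend.

```python
import sqlite3


def make_db(trust_id, remaining_uses):
    """Constructed sample: in-memory table standing in for the trust table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE trust (id TEXT PRIMARY KEY, remaining_uses INTEGER)")
    db.execute("INSERT INTO trust VALUES (?, ?)", (trust_id, remaining_uses))
    db.commit()
    return db


def consume_use(db, trust_id, max_retries=10, before_write=None):
    """Consume one use of a limited-use trust without a row lock.

    Returns True if a use was consumed (or the trust is unlimited), False if
    the trust is exhausted. before_write is a hypothetical hook used only to
    simulate another process writing between our read and our write.
    """
    for _ in range(max_retries):
        row = db.execute(
            "SELECT remaining_uses FROM trust WHERE id = ?", (trust_id,)
        ).fetchone()
        if row is None:
            raise LookupError(trust_id)
        seen = row[0]
        if seen is None:  # assumption: NULL means the trust is not limited
            return True
        if seen <= 0:
            return False
        if before_write:
            before_write()
        # Compare-and-swap: only decrement if nobody changed the counter
        # since we read it. The database applies this atomically per row.
        cur = db.execute(
            "UPDATE trust SET remaining_uses = ? "
            "WHERE id = ? AND remaining_uses = ?",
            (seen - 1, trust_id, seen),
        )
        db.commit()
        if cur.rowcount == 1:
            return True
        # rowcount == 0: another consumer won the race; re-read and retry.
    raise RuntimeError("could not consume trust %s: too much contention" % trust_id)
```

The number of rows matched by the UPDATE decides which consumer wins, so no lock is held between the read and the write and an exhausted trust is never decremented below zero.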