I'm aware of the Unscoped Token and Scoped Token flow between Horizon and Keystone, but I'd like to know: when the user requests Nova to execute a function, how does Nova request a Scoped Token?

These are the details of my question, based on Nova. I know Horizon, Keystone, Unscoped Token, and Scoped Token. However, I would like to know how Nova requests a Scoped Token when the user requests Nova to execute a function.

  1. When Nova must authenticate after receiving the Scoped Token from the user:
     1.1) How does 'Nova' proceed with authentication when the user makes the request to 'Nova'?
     1.2) After question 1.1 is done, is the Scoped Token a Manager Token or an Unscoped Token?

  2. When 'Nova' sends X-Auth-Token and requests information from 'Glance', it sends X-Subject-Token from 'Keystone' to X-Auth-Token. Who gets this token?
     Case A: X-Auth-Token authenticated by the user.
     Case B: X-Auth-Token certified using the Nova Scoped Token and the User Scoped Token.


https://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/ This article explains what happens under the hood.

Simply put, Keystone is treated as a CA (Certificate Authority): it signs the token and encrypts it with its private key. Endpoints use the CA's public key to verify the token's validity; the verification process within endpoints can be done locally, without calling Keystone remotely.
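
As an added illustration of the answer above (not code from the post or from Keystone itself), this script signs a constructed token body and verifies it locally with OpenSSL's CMS commands. The throwaway key pairs, the CNs, the directory names and the token JSON are assumptions made for the demo; the first pair stands in for Keystone's signing pair.

```shell
#!/usr/bin/env bash
# Added example: local verification of a signed token with OpenSSL CMS.
# Key pairs, CNs and the token body are constructed for the demo.

make_pair() {    # $1 = directory, $2 = CN; creates a throwaway self-signed signing pair
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/signing_key.pem" -out "$1/signing_cert.pem" 2>/dev/null
}

sign_token() {   # issuer side: $1 = pair directory; token body on stdin, PEM CMS on stdout
  openssl cms -sign -signer "$1/signing_cert.pem" -inkey "$1/signing_key.pem" \
    -outform PEM -nosmimecap -nodetach -nocerts -noattr 2>/dev/null
}

verify_token() { # service side: $1 = trusted signing cert, $2 = token file
  # Prints the token body and returns 0 only if the signature checks out.
  openssl cms -verify -certfile "$1" -CAfile "$1" \
    -inform PEM -nosmimecap -nodetach -nocerts -noattr -in "$2" 2>/dev/null
}

demo() {
  work=$(mktemp -d)
  token='{"token":{"project":{"name":"demo"},"roles":[{"name":"member"}]}}'
  make_pair "$work/keystone" demo-keystone
  make_pair "$work/other" demo-other      # a key the service does not trust
  printf '%s' "$token" | sign_token "$work/keystone" > "$work/good.pem"
  printf '%s' "$token" | sign_token "$work/other" > "$work/untrusted.pem"

  # The service holds only the trusted certificate; no network call is made.
  if verify_token "$work/keystone/signing_cert.pem" "$work/good.pem" >/dev/null; then
    echo "keystone-signed token: accepted"
  fi
  if ! verify_token "$work/keystone/signing_cert.pem" "$work/untrusted.pem" >/dev/null; then
    echo "token signed by another key: rejected"
  fi
  rm -rf "$work"
}

demo
```

Local verification proves only who signed the token; expiry and revocation still have to be checked separately by the service.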