
yahoo-eng-team team mailing list archive

[Bug 1370022] [NEW] Keystone cannot cope with being behind an SSL terminator for version list

 

Public bug reported:

When keystone is set up behind an SSL terminator, it returns 'http' as
the protocol in the URLs returned by the version list command -

user@host:~$ curl https://MYHOST:5000/

{"versions": {"values": [{"status": "stable", "updated":
"2013-03-06T00:00:00Z", "media-types": [{"base": "application/json",
"type": "application/vnd.openstack.identity-v3+json"}, {"base":
"application/xml", "type":
"application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links":
[{"href": "http://MYHOST:5000/v3/";, "rel": "self"}]}, {"status":
"stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base":
"application/json", "type":
"application/vnd.openstack.identity-v2.0+json"}, {"base":
"application/xml", "type":
"application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links":
[{"href": "http://MYHOST:5000/v2.0/";, "rel": "self"}, {"href":
"http://docs.openstack.org/api/openstack-identity-service/2.0/content/";,
"type": "text/html", "rel": "describedby"}, {"href":
"http://docs.openstack.org/api/openstack-identity-service/2.0/identity-
dev-guide-2.0.pdf", "type": "application/pdf", "rel":
"describedby"}]}]}}

My haproxy config -

frontend keystone_main_frontend
    bind 172.31.7.253:5000
    bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend keystone_main_backend
    option httpclose
    option http-pretend-keepalive
    option forwardfor

backend keystone_main_backend
    server HOST1 172.31.0.10:5000 check
    server HOST2 172.31.0.12:5000 check
    server HOST3 172.31.0.16:5000 check

A similar bug is here: https://bugs.launchpad.net/heat/+bug/1235555

And because of this bug the latest cinder client doesn't work -

user@host:~$ cinder --os-username admin --os-tenant-name admin --os-password password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL --debug list
ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens


Also - if I set public_endpoint and admin_endpoint in keystone.conf to use the 'https' proto, then everything works.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022

Title:
  Keystone cannot cope with being behind an SSL terminator for version
  list

Status in OpenStack Identity (Keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions
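
The behaviour the report asks for, sketched as an added example (not Keystone's code and not part of the original report): version-list links take their scheme from X-Forwarded-Proto only when the request arrives from the SSL terminator, and a configured public endpoint overrides everything. The function names and the proxy source address 172.31.0.2 are assumptions made for illustration.

```python
import ipaddress

# Assumption: the address the SSL terminator connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.31.0.2/32")]


def request_scheme(environ, trusted=TRUSTED_PROXIES):
    """Scheme the client used; X-Forwarded-Proto counts only from the proxy."""
    scheme = environ.get("wsgi.url_scheme", "http")
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return scheme
    if not any(peer in net for net in trusted):
        return scheme  # on a direct connection the header is client-controlled
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
    return forwarded if forwarded in ("http", "https") else scheme


def base_url(environ, public_endpoint=None):
    """Base URL for version links; a configured endpoint always wins."""
    if public_endpoint:
        return public_endpoint.rstrip("/")
    # The Host header is client-supplied too; public_endpoint avoids relying on it.
    host = environ.get("HTTP_HOST") or "%s:%s" % (
        environ["SERVER_NAME"], environ["SERVER_PORT"])
    return "%s://%s" % (request_scheme(environ), host)


def version_links(environ, public_endpoint=None):
    """'self' hrefs for the two API versions shown in the report."""
    base = base_url(environ, public_endpoint)
    return {v: "%s/%s/" % (base, v) for v in ("v3", "v2.0")}


if __name__ == "__main__":
    # Constructed WSGI environs: via the terminator, then direct with the header forged.
    via_proxy = {"wsgi.url_scheme": "http", "REMOTE_ADDR": "172.31.0.2",
                 "HTTP_HOST": "MYHOST:5000", "HTTP_X_FORWARDED_PROTO": "https"}
    direct = dict(via_proxy, REMOTE_ADDR="203.0.113.9")
    print(version_links(via_proxy))
    print(version_links(direct))
    print(version_links(direct, "https://MYHOST:5000/"))
```
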

