
yahoo-eng-team team mailing list archive

[Bug 1370022] Re: Keystone cannot cope with being behind an SSL terminator for version list

 

Andrey, you'll need to set 'https' in your keystone configuration in
order to use SSL with Keystone.

Maybe we can look for an opportunity to improve the documentation.

** Changed in: keystone
       Status: New => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1370022

Title:
  Keystone cannot cope with being behind an SSL terminator for version
  list

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  When keystone is set up behind an SSL terminator, it returns 'http' as
  the protocol in URLs returned by the version list command -

  user@host:~$ curl https://MYHOST:5000/

  {"versions": {"values": [{"status": "stable", "updated":
  "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json",
  "type": "application/vnd.openstack.identity-v3+json"}, {"base":
  "application/xml", "type":
  "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links":
  [{"href": "http://MYHOST:5000/v3/", "rel": "self"}]}, {"status":
  "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base":
  "application/json", "type":
  "application/vnd.openstack.identity-v2.0+json"}, {"base":
  "application/xml", "type":
  "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0",
  "links": [{"href": "http://MYHOST:5000/v2.0/", "rel": "self"},
  {"href": "http://docs.openstack.org/api/openstack-identity-
  service/2.0/content/", "type": "text/html", "rel": "describedby"},
  {"href": "http://docs.openstack.org/api/openstack-identity-service/2.0
  /identity-dev-guide-2.0.pdf", "type": "application/pdf", "rel":
  "describedby"}]}]}}

  My haproxy config -

  frontend keystone_main_frontend
      bind 172.31.7.253:5000
      bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
      reqadd X-Forwarded-Proto:\ https if { ssl_fc }
      default_backend keystone_main_backend
      option httpclose
      option http-pretend-keepalive
      option forwardfor

  backend keystone_main_backend
      server HOST1 172.31.0.10:5000 check
      server HOST2 172.31.0.12:5000 check
      server HOST3 172.31.0.16:5000 check

  A similar bug is here: https://bugs.launchpad.net/heat/+bug/1235555

  And because of this bug, the latest cinder client doesn't work -

  user@host:~$ cinder --os-username admin --os-tenant-name admin --os-password password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL --debug list
  ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens

  
  Also - if I set public_endpoint and admin_endpoint in keystone.conf to use 'https' proto then all works.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1370022/+subscriptions
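
An added example, not part of the bug report or of Keystone's code: a check that flags version-list 'self' links advertised over plain http for the host that was queried over https, the mismatch that led the cinder client above to try http://MYHOST:5000/v2.0/tokens. The function name `downgraded_links` and the trimmed sample document are constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample: a trimmed version document in the shape shown in the report.
SAMPLE = json.dumps({"versions": {"values": [
    {"id": "v3.0", "links": [{"href": "http://MYHOST:5000/v3/", "rel": "self"}]},
    {"id": "v2.0", "links": [
        {"href": "http://MYHOST:5000/v2.0/", "rel": "self"},
        {"href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/",
         "type": "text/html", "rel": "describedby"}]},
]}})


def downgraded_links(requested_url, body):
    """Return (version id, href) for 'self' links that point at the requested
    host over plain http although the request itself was made over https."""
    req = urlsplit(requested_url)
    if req.scheme != "https":
        return []  # nothing to downgrade from
    findings = []
    for version in json.loads(body)["versions"]["values"]:
        for link in version.get("links", []):
            if link.get("rel") != "self":
                continue  # documentation links are not API endpoints
            href = urlsplit(link["href"])
            # urlsplit lower-cases hostname, so the comparison is case-insensitive
            same_host = href.hostname is not None and href.hostname == req.hostname
            if same_host and href.scheme == "http":
                findings.append((version["id"], link["href"]))
    return findings


if __name__ == "__main__":
    for vid, href in downgraded_links("https://MYHOST:5000/", SAMPLE):
        print(f"{vid}: advertised over plain http: {href}")
```
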

