yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #26114
[Bug 1392584] Re: OAuth headers are missing when using Apache
** Changed in: python-keystoneclient
Status: Fix Committed => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1392584
Title:
OAuth headers are missing when using Apache
Status in OpenStack Identity (Keystone):
In Progress
Status in Python client library for Keystone:
Fix Released
Bug description:
It seems that when deploying Keystone with mod_wsgi, and using the OS-
OAUTH extension causes some OAuth headers to be missing.
Specifically, there are two sets of headers that are required to be
sent to the OAuth APIs.
1) A single `Requested_Project_Id` header, and
2) A single `Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog"...` header
It was determined that mod_wsgi was the culprit in this case, and
requires a different fix for both missing headers.
For 1) We have to change `Requested_Project_Id` to `Requested-Project-
Id`, since if using Apache 2.4 or higher, mod_wsgi blocks any headers
that have non-dash or non-alpahanumeric headers. See note 1) here:
http://modwsgi.readthedocs.org/en/latest/release-
notes/version-4.3.0.html#features-changed
For 2) It is required to set WSGIPassAuthorization to On, which is Off
by default. See
https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization
for more details.
Issue 1) Should be fixed by updating the documentation here:
http://docs.openstack.org/developer/keystone/extensions/oauth1.html
Issue 2) requires a change to keystoneclient, available here
(https://review.openstack.org/#/c/134364/)
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1392584/+subscriptions
References