yahoo-eng-team team mailing list archive

[Thierry Carrez <thierry.carrez+lp@xxxxxxxxx>]

** Changed in: keystone
       Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1392584

Title:
  OAuth headers are missing when using Apache

Status in OpenStack Identity (Keystone):
  Fix Released
Status in Python client library for Keystone:
  Fix Released

Bug description:
  It seems that when deploying Keystone with mod_wsgi, and using the OS-
  OAUTH extension causes some OAuth headers to be missing.

  Specifically, there are two sets of headers that are required to be
  sent to the OAuth APIs.

  1) A single `Requested_Project_Id` header, and 
  2) A single `Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog"...` header

  It was determined that mod_wsgi was the culprit in this case, and
  requires a different fix for both missing headers.

  For 1) We have to change `Requested_Project_Id` to `Requested-Project-
  Id`, since if using Apache 2.4 or higher, mod_wsgi blocks any headers
  that have non-dash or non-alpahanumeric headers. See note 1) here:
  http://modwsgi.readthedocs.org/en/latest/release-
  notes/version-4.3.0.html#features-changed

  For 2) It is required to set WSGIPassAuthorization to On, which is Off
  by default. See
  https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization
  for more details.

  Issue 1) Should be fixed by updating the documentation here:
  http://docs.openstack.org/developer/keystone/extensions/oauth1.html

  Issue 2) requires a change to keystoneclient, available here
  (https://review.openstack.org/#/c/134364/)

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1392584/+subscriptions