
yahoo-eng-team team mailing list archive

[Bug 1612518] [NEW] Auth failed for Neutron when behind haproxy

 

Public bug reported:

I have Mitaka installed with all service passwords enabled. The Neutron
Server Container is put behind HAProxy, but the auth for Neutron fails
from all compute nodes and Neutron CLIs. Keystone assumes the auth
request originated from the HAProxy IP. Below is the error log from
Keystone.

2016-08-12 12:04:02.080 3104 INFO keystone.common.wsgi [req-01943395-752e-4e3c-b1b6-5b288d3320e4 - - - - -] POST http://10.42.249.10:35357/v3/auth/tokens
2016-08-12 12:04:02.105 3104 WARNING keystone.common.wsgi [req-01943395-752e-4e3c-b1b6-5b288d3320e4 - - - - -] Authorization failed. The request you have made requires authentication. from 10.42.249.10

I have enabled "option forwardfor header X-Forwarded-For" in HAProxy,
the remoteip module, and "RemoteIPHeader X-Forwarded-For" and
"RemoteIPTrustedProxy 10.42.249.10" in the Apache conf.

But the issue remains the same. I think keystone needs to understand
"X-Forwarded-For".

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1612518

Title:
  Auth failed for Neutron when behind haproxy

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1612518/+subscriptions
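
The report pairs HAProxy's "option forwardfor" with a trusted-proxy setting on the backend. The following is an added example, not part of the original report and not keystone or Apache code: a simplified model of trusted-proxy client address resolution. The function names and the client addresses are constructed for illustration; only the proxy address 10.42.249.10 comes from the report.

```python
import ipaddress

# Proxy address taken from the report; everything else below is constructed.
TRUSTED_PROXIES = [ipaddress.ip_network("10.42.249.10/32")]


def _is_trusted(addr):
    """True if addr parses as an IP and falls inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client_ip(remote_addr, xff_header):
    """Pick the address to log or apply policy to for one request.

    remote_addr is the TCP peer; xff_header is the raw X-Forwarded-For value
    (or None). The header is honoured only when the peer is a trusted proxy,
    and it is read right to left, because each proxy appends the address it
    saw and anything further left may have been supplied by the client.
    """
    if not _is_trusted(remote_addr):
        # Direct connection from an unknown host: the header is untrusted input.
        return remote_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    client = remote_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could vouch for
        client = hop
        if not _is_trusted(hop):
            break  # first non-proxy address from the right is the client
    return client


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For)
    for peer, xff in [("10.42.249.10", "192.0.2.7"),
                      ("10.42.249.10", "198.51.100.9, 192.0.2.7"),
                      ("203.0.113.5", "192.0.2.7")]:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

In the second constructed request the leftmost entry is ignored because it could have been sent by the client itself; in the third the header is ignored entirely because the peer is not a listed proxy.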

