
yahoo-eng-team team mailing list archive

[Bug 1646305] [NEW] Federation URL is public, but AUTH_URL is private

 

Public bug reported:

Web SSO will be broken in places where the assumption that the AUTH_URL
that Horizon uses is publicly accessible does not hold.

Conversation with deployer:

"keystone is open in haproxy to the public world, but the problem is
that horizon forming the SSO url based on the region URL, which is also
used for normal authentication and the controller node (keystone,
apache, horizon, etc) does not have public network access.  ha proxy
isn't involved because my web browser follows the redirect request,
which has a private IP in it"


Issue is 
 https://github.com/openstack/django_openstack_auth/blob/a40234be311eae11ca22497a82a82ab404d09a7c/openstack_auth/utils.py#L181

Which uses auth_url to make the Federation urls.  A sample solution
would be to add

FEDERATION_AUTH_URL=https://public....

in /etc/openstack_dashboard/local_settings

and then in /openstack_auth/utils.py

 federation_auth_url = getattr(settings, 'FEDERATION_AUTH_URL', auth_url)

later

 (auth_url, idp_id, protocol_id, origin))  becomes
(federation_auth_url, idp_id, protocol_id, origin))

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1646305
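
An added sketch of the fallback proposed in the report, not code from django_openstack_auth: the settings object is a stand-in, the URL template is an assumption modelled on Keystone's IdP-specific WebSSO route, and all hostnames and addresses are constructed. The `browser_reachable` helper is a hypothetical deployment check for the failure the deployer describes, a redirect that carries a private IP.

```python
import ipaddress
from types import SimpleNamespace
from urllib.parse import urlsplit

# Assumed template, modelled on Keystone's IdP-specific WebSSO route.
WEBSSO_PATH = ("%s/auth/OS-FEDERATION/identity_providers/%s"
               "/protocols/%s/websso?origin=%s")


def websso_url(settings, auth_url, idp_id, protocol_id, origin):
    """Build the redirect sent to the browser, preferring FEDERATION_AUTH_URL."""
    # Proposed fallback: deployments without the setting keep current behaviour.
    federation_auth_url = getattr(settings, "FEDERATION_AUTH_URL", auth_url)
    return WEBSSO_PATH % (federation_auth_url.rstrip("/"), idp_id,
                          protocol_id, origin)


def browser_reachable(url):
    """Hypothetical check: False when the redirect host is an IP literal that
    is private, loopback or link-local, so outside browsers cannot reach it."""
    host = urlsplit(url).hostname or ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True  # a DNS name; resolving it is outside this sketch
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)


# Constructed sample values (not taken from the bug report).
PRIVATE_AUTH_URL = "http://10.0.0.5:5000/v3"
ORIGIN = "https://horizon.example.com/auth/websso/"
before = SimpleNamespace()  # no FEDERATION_AUTH_URL configured
after = SimpleNamespace(
    FEDERATION_AUTH_URL="https://keystone.example.com:5000/v3")


def demo():
    """Reachability of the SSO redirect without and with the override."""
    return [browser_reachable(
                websso_url(s, PRIVATE_AUTH_URL, "myidp", "saml2", ORIGIN))
            for s in (before, after)]


if __name__ == "__main__":
    print(demo())
```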
