yahoo-eng-team team mailing list archive

[Bug 1799332] [NEW] Apache WSGI config shipping with Keystone is incompatible with Horizon

 

Public bug reported:

In keystone/httpd/wsgi-keystone.conf, the following configuration is
present:

Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

However, it is both harmful and unnecessary.  The operative WSGI
configuration for Keystone comes from the <VirtualHost
*:5000>...</VirtualHost> section.  In fact, the commit which added the
/identity endpoint described it as a documentation example:

"Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone."

Leaving it in place, however, causes conflicts when Horizon is
concurrently installed:

AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

...in responses to Horizon URLs referencing '/identity'.  Therefore, I
believe keeping this configuration snippet in the shipped WSGI
configuration (as opposed to actual documentation) is a defect.

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1799332

Title:
  Apache WSGI config shipping with Keystone is incompatible with Horizon

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1799332/+subscriptions
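
An added example, not part of the original report or of the keystone project: a small audit that lists Alias-style directives declared outside any <VirtualHost> and reports which URLs of another application on the same httpd they would capture. The sample config, the function names and the Horizon paths used in the check are constructed for illustration.

```python
import re

# Constructed sample: the /identity block quoted in the report plus a stand-in
# VirtualHost whose contents are assumed, not copied from the project file.
SAMPLE_CONF = """\
<VirtualHost *:5000>
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
</VirtualHost>
Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
"""

ALIAS_RE = re.compile(r"^\s*(Alias|ScriptAlias|WSGIScriptAlias)\s+(\S+)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<\s*VirtualHost\b", re.I)
VHOST_CLOSE = re.compile(r"^\s*</\s*VirtualHost\s*>", re.I)


def global_aliases(conf_text):
    """Return (directive, url_prefix, target) for aliases outside any VirtualHost."""
    found, in_vhost = [], False
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if VHOST_OPEN.match(line):
            in_vhost = True
        elif VHOST_CLOSE.match(line):
            in_vhost = False
        elif not in_vhost and (m := ALIAS_RE.match(line)):
            found.append(m.groups())
    return found


def shadowed_urls(conf_text, app_urls):
    """Map each application URL to the server-scope alias that captures it."""
    hits = {}
    for directive, prefix, target in global_aliases(conf_text):
        # mod_alias matches whole path segments: /identity and /identity/...,
        # but not /identityx.
        seg = prefix if prefix.endswith("/") else prefix + "/"
        for url in app_urls:
            if url == prefix or url.startswith(seg):
                hits[url] = (directive, prefix, target)
    return hits
```

Server-scope aliases are inherited by every virtual host, which is why only directives outside <VirtualHost> are reported.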