yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1799332] Re: Apache WSGI config shipping with Keystone is incompatible with Horizon

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Mike Joseph <1799332@xxxxxxxxxxxxxxxxxx>
Date: Wed, 24 Oct 2018 21:37:57 -0000
Reply-to: Bug 1799332 <1799332@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

I believe that this should be reopened, since the issue remains for the
following reasons:

* All installation guide docs refer to Keystone running on port 5000
(OS_AUTH_URL=http://controller:5000/v3).  If that's no longer the
recommended deployment model, then the docs should be updated
accordingly.

* The file in question still contains endpoints on both :5000 and
/identity.  If the Keystone project believes that :5000 is deprecated in
favor of /identity, then the WSGI config should be updated in the file
to remove :5000.  But having both seems broken.

* For some reason that I haven't worked out yet, the /identity endpoint
*is* interfering with the /horizon endpoint.  If /identity will be
remaining, we should try to figure out why that is.

-MJ

** Changed in: keystone
       Status: Invalid => New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1799332

Title:
  Apache WSGI config shipping with Keystone is incompatible with Horizon

Status in OpenStack Identity (keystone):
  New

Bug description:
  In keystone/httpd/wsgi-keystone.conf, the following configuration is
  present:

  Alias /identity /usr/local/bin/keystone-wsgi-public
  <Location /identity>
      SetHandler wsgi-script
      Options +ExecCGI

      WSGIProcessGroup keystone-public
      WSGIApplicationGroup %{GLOBAL}
      WSGIPassAuthorization On
  </Location>

  However, it is both harmful and unnecessary.  The operative WSGI
  configuration for Keystone comes from the <VirtualHost
  *:5000>...</VirtualHost> section.  In fact, the commit which added the
  /identity endpoint described it as an documentation example:

  "Apache Httpd can be configured to accept keystone requests on all
  sorts of interfaces. The sample config file is updated to show
  how to configure Apache Httpd to also send requests on /identity
  and /identity_admin to keystone."

  Leaving it in place, however, causes conflicts when Horizon is
  concurrently installed:

  AH01630: client denied by server configuration: /usr/bin/keystone-
  wsgi-public

  ...in responses to Horizon URL's referencing '/identity'.  Therefore,
  I believe keeping this configuration snippet in the shipped WSGI
  configuration (as opposed to actual documentation) is a defect.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1799332/+subscriptions

References

[Bug 1799332] [NEW] Apache WSGI config shipping with Keystone is incompatible with Horizon
From: Mike Joseph, 2018-10-23