yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #82412
[Bug 1874705] [NEW] Websso fails when HTTP_REFERRER that horizon is unable to connect to gets used
Public bug reported:
I am currently having an issue where a request to Horizon's websso
endpoint fails to respond in time as the token validation request fails
to connect between Horizon and Keystone.
(On Openstack Train)
I am trying to login to Horizon using an external identity provider.
I have set the WEBSSO_KEYSTONE_URL to keystones external facing endpoint as the IDP is on an external network.
The POST request to https://horizon_ip/auth/websso/ that includes a keystone token for validation in its params is failing.
This request routes to the horizon view 'websso' (https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/views.py#L165)
The token authentication request to keystone in this view uses the requests HTTP_REFERRER when available as the keystone endpoint to use.
The previous request was to keystone on its external endpoint (as used by the external identity provider) to its route 'auth/OS-FEDERATION/websso/openid', and therefore the HTTP_REFERRER for this POST request is the external keystone endpoint.
Our Openstack services have minimal external connectivity for security reasons.
So in our setup the horizon service is unable to make connections to the external keystone endpoint.
Therefore in the horizon apache logs I see:
Unable to establish connection to https://keystone_external_ip:5000/v3/auth/tokens
Which eventually leads to a time out.
As this is request between Horizon and Keystone ideally for us it should
be using the internal endpoint. I've had a go at setting the auth_url to
be settings.OPENSTACK_KEYSTONE_URL and this lets me login successfully.
I am unsure as to why the HTTP_REFERRER gets used in preference over the
settings.OPENSTACK_KEYSTONE_URL for this request?
I propose either:
1. Removing the use of HTTP_REFERRER in favor of settings.OPENSTACK_KEYSTONE_URL.
2. Providing a setting to toggle between using the HTTP_REFERRER or settings.OPENSTACK_KEYSTONE_URL to build the auth request with.
Original commit in django_openstack_auth for websso view:
https://github.com/openstack/django_openstack_auth/commit/302f422568a32b513ffbb3089ba799a4416df108
** Affects: horizon
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1874705
Title:
Websso fails when HTTP_REFERRER that horizon is unable to connect to
gets used
Status in OpenStack Dashboard (Horizon):
New
Bug description:
I am currently having an issue where a request to Horizon's websso
endpoint fails to respond in time as the token validation request
fails to connect between Horizon and Keystone.
(On Openstack Train)
I am trying to login to Horizon using an external identity provider.
I have set the WEBSSO_KEYSTONE_URL to keystones external facing endpoint as the IDP is on an external network.
The POST request to https://horizon_ip/auth/websso/ that includes a keystone token for validation in its params is failing.
This request routes to the horizon view 'websso' (https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/views.py#L165)
The token authentication request to keystone in this view uses the requests HTTP_REFERRER when available as the keystone endpoint to use.
The previous request was to keystone on its external endpoint (as used by the external identity provider) to its route 'auth/OS-FEDERATION/websso/openid', and therefore the HTTP_REFERRER for this POST request is the external keystone endpoint.
Our Openstack services have minimal external connectivity for security reasons.
So in our setup the horizon service is unable to make connections to the external keystone endpoint.
Therefore in the horizon apache logs I see:
Unable to establish connection to https://keystone_external_ip:5000/v3/auth/tokens
Which eventually leads to a time out.
As this is request between Horizon and Keystone ideally for us it
should be using the internal endpoint. I've had a go at setting the
auth_url to be settings.OPENSTACK_KEYSTONE_URL and this lets me login
successfully.
I am unsure as to why the HTTP_REFERRER gets used in preference over
the settings.OPENSTACK_KEYSTONE_URL for this request?
I propose either:
1. Removing the use of HTTP_REFERRER in favor of settings.OPENSTACK_KEYSTONE_URL.
2. Providing a setting to toggle between using the HTTP_REFERRER or settings.OPENSTACK_KEYSTONE_URL to build the auth request with.
Original commit in django_openstack_auth for websso view:
https://github.com/openstack/django_openstack_auth/commit/302f422568a32b513ffbb3089ba799a4416df108
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1874705/+subscriptions
Follow ups