yahoo-eng-team team mailing list archive
Message #83160
[Bug 1885772] [NEW] Keystone doesn't use http_proxy_to_wsgi middleware
Public bug reported:
Since its migration to Flask, Keystone neither imports nor uses the
http_proxy_to_wsgi middleware.

How to reproduce:
1. Start Keystone with uwsgi as the HTTP application
2. Set the [oslo_middleware] option enable_proxy_headers_parsing=true in keystone.conf
3. Set up an SSL-terminating reverse proxy, add the header X-Forwarded-Proto https
4. curl the Keystone API version endpoint:
    curl https://identity.example.com/

What is expected:
    {
      "versions": {
        "values": [
          {
            "id": "v3.13",
            "status": "stable",
            "updated": "2019-07-19T00:00:00Z",
            "links": [
              {
                "rel": "self",
                "href": "https://identity.example.com/v3/"
              }
            ],
            "media-types": [
              {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
              }
            ]
          }
        ]
      }
    }

What is the actual result:
    {
      "versions": {
        "values": [
          {
            "id": "v3.13",
            "status": "stable",
            "updated": "2019-07-19T00:00:00Z",
            "links": [
              {
                "rel": "self",
                "href": "http://identity.example.com/v3/"
              }
            ],
            "media-types": [
              {
                "base": "application/json",
                "type": "application/vnd.openstack.identity-v3+json"
              }
            ]
          }
        ]
      }
    }

If we look at the code, the Keystone Flask application doesn't use oslo_middleware or application_url from the request; it only gets PATH_INFO from the environment, which can't be set in the reverse proxy:
https://github.com/openstack/keystone/blob/master/keystone/server/flask/common.py#L673

** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1885772
Title:
Keystone doesn't use http_proxy_to_wsgi middleware
Status in OpenStack Identity (keystone):
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1885772/+subscriptions
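
The behaviour described in this report, as an added example that is not part of the original message and is not Keystone's or oslo.middleware's code: a toy WSGI version endpoint builds its "self" link from the environ, and a simplified stand-in for proxy-header parsing (X-Forwarded-Proto only) decides whether that link says http or https. The names version_app, ProxyHeaders and self_link are hypothetical, and the request is constructed; the header is only worth honouring when the reverse proxy overwrites any client-supplied X-Forwarded-Proto.

```python
# Added illustration: a simplified stand-in for proxy-header parsing, not
# oslo.middleware's or Keystone's code. All names here are hypothetical.
import json
from wsgiref.util import application_uri, setup_testing_defaults


def version_app(environ, start_response):
    """Toy version endpoint: builds its 'self' link from the WSGI environ."""
    href = application_uri(environ).rstrip("/") + "/v3/"
    body = json.dumps({"links": [{"rel": "self", "href": href}]}).encode()
    start_response("200 OK", [("Content-Type", "application/json")])
    return [body]


class ProxyHeaders:
    """Rewrite wsgi.url_scheme from X-Forwarded-Proto when parsing is enabled."""

    def __init__(self, app, enable_proxy_headers_parsing=False):
        self.app = app
        self.enabled = enable_proxy_headers_parsing

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        # Accept only known schemes; anything else leaves the environ untouched.
        if self.enabled and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def self_link(app, headers):
    """Call app with a constructed request for identity.example.com."""
    environ = {"HTTP_HOST": "identity.example.com"}
    setup_testing_defaults(environ)  # fills the rest; scheme defaults to http
    environ.update(headers)
    body = b"".join(app(environ, lambda status, hdrs: None))
    return json.loads(body)["links"][0]["href"]


if __name__ == "__main__":
    forwarded = {"HTTP_X_FORWARDED_PROTO": "https"}
    # Unwrapped app ignores the header, as in the report's actual result.
    print("unwrapped:", self_link(version_app, forwarded))
    # Wrapped app with parsing enabled yields the expected https link.
    print("wrapped:  ", self_link(ProxyHeaders(version_app, True), forwarded))
```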