yahoo-eng-team team mailing list archive

[Bug 1885772] [NEW] Keystone doesn't use http_proxy_to_wsgi middleware

Public bug reported:

Since the migration to Flask, Keystone neither imports nor uses the
http_proxy_to_wsgi middleware.

How to reproduce:
1. Start Keystone with uwsgi as http application
2. Set [oslo_middleware] option enable_proxy_headers_parsing=true in keystone.conf
3. Set up an SSL-terminating reverse proxy, add headers X-Forwarded-Proto https
4. curl the Keystone API version endpoint:
curl https://identity.example.com/

What is expected:
{
  "versions": {
    "values": [
      {
        "id": "v3.13",
        "status": "stable",
        "updated": "2019-07-19T00:00:00Z",
        "links": [
          {
            "rel": "self",
            "href": "https://identity.example.com/v3/"
          }
        ],
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v3+json"
          }
        ]
      }
    ]
  }
}

What is an actual result:
{
  "versions": {
    "values": [
      {
        "id": "v3.13",
        "status": "stable",
        "updated": "2019-07-19T00:00:00Z",
        "links": [
          {
            "rel": "self",
            "href": "http://identity.example.com/v3/"
          }
        ],
        "media-types": [
          {
            "base": "application/json",
            "type": "application/vnd.openstack.identity-v3+json"
          }
        ]
      }
    ]
  }
}

If we look at the code, the Keystone Flask application doesn't use oslo_middleware and application_url from the request; it only gets PATH_INFO from the environment, which can't be set in the reverse proxy:
https://github.com/openstack/keystone/blob/master/keystone/server/flask/common.py#L673

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1885772

Title:
  Keystone doesn't use http_proxy_to_wsgi middleware

Status in OpenStack Identity (keystone):
  New

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1885772/+subscriptions
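
The behaviour reported above, as an added example that is not part of the original report and not Keystone or oslo.middleware code: a toy WSGI app that builds its "self" link from the environ, with and without a simplified proxy-header middleware. The names version_app, ForwardedProto and self_link, the trusted-proxy address check and the sample addresses are assumptions made for this sketch.

```python
from wsgiref.util import application_uri, setup_testing_defaults


def version_app(environ, start_response):
    """Toy app: builds its 'self' link from the WSGI environ only."""
    body = (application_uri(environ).rstrip("/") + "/v3/").encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


class ForwardedProto:
    """Simplified stand-in for proxy-header parsing (hypothetical, not oslo's code)."""

    def __init__(self, app, enabled, trusted_proxies):
        self.app = app
        self.enabled = enabled                # plays the role of the config switch
        self.trusted = set(trusted_proxies)   # assumption: peer check added here

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").lower()
        # Honour the header only when parsing is enabled, the direct peer is a
        # known reverse proxy, and the value is a scheme we expect.
        trusted_peer = environ.get("REMOTE_ADDR") in self.trusted
        if self.enabled and trusted_peer and proto in ("http", "https"):
            environ["wsgi.url_scheme"] = proto
        return self.app(environ, start_response)


def self_link(app, remote_addr, forwarded_proto=None):
    """Send one constructed request to `app` and return the link it generates."""
    environ = {}
    setup_testing_defaults(environ)
    # Constructed request: TLS is terminated at the proxy, so the backend sees http.
    environ.update({"HTTP_HOST": "identity.example.com",
                    "REMOTE_ADDR": remote_addr,
                    "wsgi.url_scheme": "http"})
    if forwarded_proto:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return b"".join(app(environ, lambda status, headers: None)).decode()
```

Calling self_link(version_app, ...) reproduces the http:// link from the report; wrapping the app in ForwardedProto with the proxy's address trusted yields the https:// link. X-Forwarded-Proto is client-controlled unless the reverse proxy overwrites it, so the header is ignored here for any peer outside the trusted set.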