yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1874705] Re: Websso fails when HTTP_REFERRER that horizon is unable to connect to gets used

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Vishal Manchanda <1874705@xxxxxxxxxxxxxxxxxx>
Date: Wed, 07 Jul 2021 15:48:39 -0000
Reply-to: Bug 1874705 <1874705@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

** Also affects: keystone
Importance: Undecided
Status: New

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1874705

Title:
Websso fails when HTTP_REFERRER that horizon is unable to connect to
gets used

Status in OpenStack Dashboard (Horizon):
In Progress
Status in OpenStack Identity (keystone):
New

Bug description:
I am currently having an issue where a request to Horizon's websso
endpoint fails to respond in time as the token validation request
fails to connect between Horizon and Keystone.

(On Openstack Train)
I am trying to login to Horizon using an external identity provider.
I have set the WEBSSO_KEYSTONE_URL to keystones external facing endpoint as the IDP is on an external network.

The POST request to https://horizon_ip/auth/websso/ that includes a keystone token for validation in its params is failing.
This request routes to the horizon view 'websso' (https://opendev.org/openstack/horizon/src/branch/master/openstack_auth/views.py#L165)
The token authentication request to keystone in this view uses the requests HTTP_REFERRER when available as the keystone endpoint to use.
The previous request was to keystone on its external endpoint (as used by the external identity provider) to its route 'auth/OS-FEDERATION/websso/openid', and therefore the HTTP_REFERRER for this POST request is the external keystone endpoint.

Our Openstack services have minimal external connectivity for security reasons.
So in our setup the horizon service is unable to make connections to the external keystone endpoint.
Therefore in the horizon apache logs I see:
Unable to establish connection to https://keystone_external_ip:5000/v3/auth/tokens
Which eventually leads to a time out.

As this is request between Horizon and Keystone ideally for us it
should be using the internal endpoint. I've had a go at setting the
auth_url to be settings.OPENSTACK_KEYSTONE_URL and this lets me login
successfully.

I am unsure as to why the HTTP_REFERRER gets used in preference over
the settings.OPENSTACK_KEYSTONE_URL for this request?

I propose either:
1. Removing the use of HTTP_REFERRER in favor of settings.OPENSTACK_KEYSTONE_URL.
2. Providing a setting to toggle between using the HTTP_REFERRER or settings.OPENSTACK_KEYSTONE_URL to build the auth request with.

Original commit in django_openstack_auth for websso view:
https://github.com/openstack/django_openstack_auth/commit/302f422568a32b513ffbb3089ba799a4416df108

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1874705/+subscriptions

References

[Bug 1874705] [NEW] Websso fails when HTTP_REFERRER that horizon is unable to connect to gets used
From: Georgina Shippey, 2020-04-24