Bug 1250711 - Keystone cannot cope with being behind an SSL terminator for version list
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: openstack-keystone
Version: 6.0 (Juno)
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: async
Target Release: 6.0 (Juno)
Assigned To: Adam Young
QA Contact: Rodrigo Duarte
Keywords: ZStream
Duplicates: 1340527
Depends On:
Blocks:
Reported: 2015-08-05 15:34 EDT by Jack Waterworth
Modified: 2017-03-07 12:04 EST
CC List: 8 users

See Also:
Fixed In Version: openstack-keystone-2014.2.3-3.el7ost
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-06-01 08:29:12 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---




External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1370022 None None None 2016-03-17 22:10 EDT
Description Jack Waterworth 2015-08-05 15:34:44 EDT
Description of problem:

When keystone is set up behind an SSL terminator, it returns 'http' as the protocol in the URLs returned by the version list command:

$ curl -g -i -X GET https://node1.example.com:8776/ -H "Accept: application/json" -H "User-Agent: python-keystoneclient"
{"versions": [{"status": "SUPPORTED", "updated": "2014-06-28T12:20:21Z", "id": "v1.0", "links": [{"href": "http://10.180.58.131:8776/v1/", "rel": "self"}]}, {"status": "CURRENT", "updated": "2012-11-21T11:33:21Z", "id": "v2.0", "links": [{"href": "http://10.180.58.131:8776/v2/", "rel": "self"}]}]}

Version-Release number of selected component (if applicable):
openstack-keystone-2014.2.3-1.el7ost.noarch
python-keystone-2014.2.3-1.el7ost.noarch
python-keystoneclient-0.11.1-1.el7ost.noarch
python-keystonemiddleware-1.2.0-2.el7ost.noarch

How reproducible:
every time
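To make the failure mode and the fix concrete, here is an added Python example; it is not part of this bug report, of Keystone, or of the customer's patch. It models a minimal WSGI version-list app (`version_app`, a constructed stand-in for Keystone's version document) behind an SSL terminator that forwards plain HTTP and sets `X-Forwarded-Proto`, plus a small middleware (`SecureProxySSLHeader`, a constructed name) that restores the original scheme from a configurable environ key such as `HTTP_X_FORWARDED_PROTO`. It goes one step beyond the patch: the header is consulted only when the key is configured, and only `http`/`https` values are accepted. All environ values are constructed sample data; the host and port are taken from the output above.

```python
import json
from wsgiref.util import application_uri

# Only these values may ever replace the scheme the server itself observed.
ALLOWED_SCHEMES = {"http", "https"}


def version_app(environ, start_response):
    """Constructed stand-in for a version document: links are built from
    wsgi.url_scheme, so behind an SSL terminator they come out as http://."""
    base = application_uri(environ)  # scheme://host[:port]/ from the WSGI environ
    doc = {"versions": [{"id": "v2.0", "status": "CURRENT",
                         "links": [{"href": base + "v2/", "rel": "self"}]}]}
    start_response("200 OK", [("Content-Type", "application/json")])
    return [json.dumps(doc).encode("utf-8")]


class SecureProxySSLHeader(object):
    """Constructed middleware: when header_env_key is set (for example
    'HTTP_X_FORWARDED_PROTO'), copy a valid forwarded scheme into
    wsgi.url_scheme before the wrapped app builds its URLs."""

    def __init__(self, app, header_env_key=None):
        self.app = app
        self.header_env_key = header_env_key  # None: feature disabled

    def __call__(self, environ, start_response):
        if self.header_env_key:
            # Only a trusted terminator in front of the app should be setting
            # this key; the value is still validated before it is honoured.
            scheme = environ.get(self.header_env_key, "").strip().lower()
            if scheme in ALLOWED_SCHEMES:
                environ["wsgi.url_scheme"] = scheme
            # Any other value (empty, malformed) is ignored and the scheme the
            # server observed is kept.
        return self.app(environ, start_response)


def make_environ(forwarded_proto=None):
    """Constructed environ: what an SSL terminator hands to the backend over
    plain HTTP. Host and port are sample values."""
    environ = {
        "REQUEST_METHOD": "GET",
        "SCRIPT_NAME": "",
        "PATH_INFO": "/",
        "SERVER_NAME": "10.180.58.131",
        "SERVER_PORT": "8776",
        "SERVER_PROTOCOL": "HTTP/1.1",
        "wsgi.url_scheme": "http",  # the terminator already stripped TLS
    }
    if forwarded_proto is not None:
        environ["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return environ


def version_href(app, environ):
    """Run one request through app and return the v2 'self' link."""
    statuses = []

    def start_response(status, headers, exc_info=None):
        statuses.append(status)

    body = b"".join(app(environ, start_response))
    return json.loads(body.decode("utf-8"))["versions"][0]["links"][0]["href"]


if __name__ == "__main__":
    fixed = SecureProxySSLHeader(version_app, "HTTP_X_FORWARDED_PROTO")
    print("unpatched:", version_href(version_app, make_environ("https")))
    print("patched:  ", version_href(fixed, make_environ("https")))
    print("bad value:", version_href(fixed, make_environ("ftp")))
```

Run stand-alone, the first line reproduces the report (an `http://` link although the client spoke HTTPS), the second shows the corrected `https://` link, and the third shows that a value outside `http`/`https` leaves the observed scheme untouched rather than being copied into the generated URLs.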
Comment 3 Jack Waterworth 2015-08-05 15:35:33 EDT
upstream bug:
https://bugs.launchpad.net/keystone/+bug/1370022

The customer has patched their own environment with the following patch:

diff --git a/keystone/common/config.py b/keystone/common/config.py
index cc59f9d..aa19ac4 100644
--- a/keystone/common/config.py
+++ b/keystone/common/config.py
@@ -140,7 +140,12 @@
                          'exceeds the maximum length, the operation will fail '
                          'with an HTTP 403 Forbidden error. If set to false, '
                          'passwords are automatically truncated to the '
-                         'maximum length.')],
+                         'maximum length.'),
+        cfg.StrOpt('secure_proxy_ssl_header',
+                    help='The HTTP header used to determine the scheme for the '
+                         'original request, even if it was removed by an SSL '
+                         'terminating proxy. Typical value is '
+                         '"HTTP_X_FORWARDED_PROTO".'),],
     'identity': [
         cfg.StrOpt('default_domain_id', default='default',
                    help='This references the domain to use for all '
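Review bot: the help text for `secure_proxy_ssl_header` should say that the option must stay unset unless every request reaches Keystone through a proxy that always sets or overwrites that header; leaving it without a default keeps the feature off, which is the right default, but once enabled the header value decides the scheme in every URL Keystone emits, so a deployment that enables it without such a proxy lets an unfiltered client header choose that scheme. Also, `'"HTTP_X_FORWARDED_PROTO".'),],` leaves a stray comma between the new option and the list's closing bracket; Python accepts it, but `'"HTTP_X_FORWARDED_PROTO".')],` matches how the surrounding option lists are closed.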
diff --git a/keystone/common/wsgi.py b/keystone/common/wsgi.py
index 7d1d06d..60f21bf 100644
--- a/keystone/common/wsgi.py
+++ b/keystone/common/wsgi.py
@@ -196,6 +196,16 @@ def __call__(self, req):
         context['headers'] = dict(six.iteritems(req.headers))
         context['path'] = req.environ['PATH_INFO']
         context['host_url'] = req.host_url
+        scheme = (None if not CONF.secure_proxy_ssl_header
+                  else req.headers.get(CONF.secure_proxy_ssl_header))
+        if scheme:
+            # NOTE(andrey-mp): "wsgi.url_scheme" contains the protocol used
+            # before the proxy removed it ('https' usually). So if
+            # the webob.Request instance is modified in order to use this
+            # scheme instead of the one defined by API, the call to
+            # webob.Request.relative_url() will return a URL with the correct
+            # scheme.
+            req.environ['wsgi.url_scheme'] = scheme
         params = req.environ.get(PARAMS_ENV, {})
         # authentication and authorization attributes are set as environment
         # values by the container and processed by the pipeline.  the complete
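Review bot: the lookup `req.headers.get(CONF.secure_proxy_ssl_header)` does not match the documented value `HTTP_X_FORWARDED_PROTO`: webob's `req.headers` is keyed by HTTP header names and maps them to `HTTP_`-prefixed environ keys, so a configured value of `HTTP_X_FORWARDED_PROTO` would be looked up as environ key `HTTP_HTTP_X_FORWARDED_PROTO` and never match. Either read `req.environ.get(CONF.secure_proxy_ssl_header)`, which is what the environ-style name in the help text implies, or document the option as a header name such as `X-Forwarded-Proto`. The value is also copied into `wsgi.url_scheme` unchanged; restricting it with something like `if scheme in ('http', 'https'):` keeps a malformed or unexpected header value out of every generated URL.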
Comment 18 errata-xmlrpc 2016-06-01 08:29:12 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:1195
Comment 19 Nathan Kinder 2017-03-07 12:04:13 EST
*** Bug 1340527 has been marked as a duplicate of this bug. ***
