Description of problem:
In Horizon, SSL related options are not configured properly.
After deployment, some parameters in horizon required for SSL deployment are not configured properly.

/var/lib/config-data/puppet-generated/horizon/etc/openstack-dashboard/local_settings
------
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
-----

HorizonSecureCookies is set as True in my template file, and I expect that these parameters should be configured, but something is wrong.

-----
$ grep HorizonSecureCookies -B 1 templates/enable-tls.yaml
parameter_defaults:
  HorizonSecureCookies: True
------

If the configuration is set by ExtraConfig, it works well.
~~~
ControllerExtraConfig:
  horizon::secure_cookies: True
~~~

Version-Release number of selected component (if applicable):
current openstack-tripleo-heat-templates.

How reproducible:
Every time

Steps to Reproduce:
1. Add the configuration to the environment file.
~~~
parameter_defaults:
  HorizonSecureCookies: True
~~~
2. Deploy Overcloud.
3. Check local_settings of horizon in Controller nodes.

Actual results:
Expected values are not set to the parameters by 'HorizonSecureCookies: True'.

Expected results:
Required parameters are configured.

Additional info:
In puppet/services/horizon.yaml, the parameter is passed to 'horizon::secure_cookies:'.
~~~
horizon::secure_cookies: {get_param: [HorizonSecureCookies]}
~~~

But the way to pass it looks strange. The parameter, HorizonSecureCookies, is defined as boolean. However, it is passed as a list to secure_cookies in the line.
The following modification might resolve the issue.
~~~
horizon::secure_cookies: {get_param: HorizonSecureCookies}
~~~
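A check for step 3 of the reproduction, added here as an example and not part of the original report or of the TripleO or Horizon code: it parses a local_settings file without executing it and reports whether the two cookie flags are live assignments set to True. The function name `cookie_flag_status` and the sample strings are assumptions constructed for illustration.

```python
import ast

REQUIRED = ("CSRF_COOKIE_SECURE", "SESSION_COOKIE_SECURE")

def cookie_flag_status(settings_text):
    """Return {name: 'enabled' | 'disabled' | 'commented' | 'missing'}.

    The file is parsed, never executed; the last top-level assignment wins,
    as it would when Django imports the module.
    """
    status = {name: "missing" for name in REQUIRED}
    # Commented-out assignments are invisible to the parser, so look for
    # them textually first; a live assignment found below overrides this.
    for line in settings_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("#"):
            body = stripped.lstrip("#").strip()
            for name in REQUIRED:
                if body.replace(" ", "").startswith(name + "="):
                    status[name] = "commented"
    for node in ast.parse(settings_text).body:
        if not isinstance(node, ast.Assign):
            continue
        for target in node.targets:
            if isinstance(target, ast.Name) and target.id in REQUIRED:
                value = node.value
                is_true = isinstance(value, ast.Constant) and value.value is True
                status[target.id] = "enabled" if is_true else "disabled"
    return status

# Constructed sample reproducing the fragment quoted in the report.
SAMPLE_BROKEN = """\
# If Horizon is being served through SSL, then uncomment the following two
# settings to better secure the cookies from security exploits
#CSRF_COOKIE_SECURE = True
#SESSION_COOKIE_SECURE = True
"""
# Constructed sample of the expected result after deployment.
SAMPLE_FIXED = "CSRF_COOKIE_SECURE = True\nSESSION_COOKIE_SECURE = True\n"

if __name__ == "__main__":
    import sys
    # With no argument the constructed broken sample is checked.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    result = cookie_flag_status(text)
    for name, state in result.items():
        print(f"{name}: {state}")
    sys.exit(0 if all(s == "enabled" for s in result.values()) else 1)
```

Run against the generated local_settings path on a Controller node, the script exits non-zero unless both flags are enabled, so it can serve as a post-deployment check.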
I think that the reason for this setting having no effect is that it is being overridden here: https://github.com/openstack/tripleo-heat-templates/blob/master/docker/services/horizon.yaml#L70 Looking at the history, it has always been there, since the file was created.
Hello Radomir, Do we have a launchpad or gerrit in upstream for this issue?
I don't think we do. I will create one: https://storyboard.openstack.org/#!/story/2004254
Hello Radomir, Could you ask upstream to look at the story board to move it forward? Best Regards, Keigo Noha
I will ask at today's tripleo meeting.
We are not sure why this was introduced in the first place, probably to work around some transient problems we had initially at the time. I'm going to remove it and test if everything still works, and then backport it.
Hello Radomir, Thank you for your work on this bugzilla. In the upstream gerrit, the gerrit is blocked by 'Blocked on Workflow Label' status. Do you need a launchpad for this issue? Or could you proceed with the gerrit if you can? Best Regards, Keigo Noha
It looks like removing that line makes Horizon stop working in the containerized environment — the CSRF token cookie is no longer created and that makes it impossible to log in. I suspect this is some problem with haproxy configuration, I will investigate this further.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:0448