Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER

By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER
the authentication request between Horizon and Keystone continues
to work in situations where the HTTP_REFERRER is an external keystone
endpoint that Horizon does not have access to.

Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5
Closes-bug: #1874705

doc/source/configuration/settings.rst

@@ -1715,6 +1715,23 @@ identity provider lives. This URL will take precedence over
 ``OPENSTACK_KEYSTONE_URL`` if the login choice is an external
 identity provider (IdP).
 
+WEBSSO_USE_HTTP_REFERER
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 21.0.0(Yoga)
+
+Default: ``True``
+
+For use in cases of web single-sign-on authentication when the control plane
+has no outbound connectivity to the external service endpoints. By default
+the HTTP_REFERER is used to derive the Keystone endpoint to pass requests to.
+As previous requests to an external IdP will be using Keystone's external
+endpoint, this HTTP_REFERER will be Keystone's external endpoint.
+When Horizon is unable to connect to Keystone's external endpoint in this setup
+this leads to a time out. ``WEBSSO_USE_HTTP_REFERER`` can be set to False to
+use the ``OPENSTACK_KEYSTONE_URL`` instead, which should be set to an internal
+Keystone endpoint, so that this request will succeed.
+
 Neutron
 -------
 

openstack_auth/defaults.py

@@ -159,6 +159,12 @@ WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
 # Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
 WEBSSO_KEYSTONE_URL = None
 
+# In the case of web single-sign-on authentication when the control plane
+# has no outbound connectivity to the external service endpoints set this
+# to False. Otherwise the Keystone external endpoint will be used to make
+# a token authentication request from Horizon to Keystone which will timeout.
+WEBSSO_USE_HTTP_REFERER = True
+
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)

openstack_auth/views.py

@@ -189,8 +189,12 @@ def login(request):
 @never_cache
 def websso(request):
     """Logs a user in using a token from Keystone's POST."""
-    referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
-    auth_url = utils.clean_up_auth_url(referer)
+    if settings.WEBSSO_USE_HTTP_REFERER:
+        referer = request.META.get('HTTP_REFERER',
+                                   settings.OPENSTACK_KEYSTONE_URL)
+        auth_url = utils.clean_up_auth_url(referer)
+    else:
+        auth_url = settings.OPENSTACK_KEYSTONE_URL
     token = request.POST.get('token')
     try:
         request.user = auth.authenticate(request, auth_url=auth_url,

releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml

@@ -0,0 +1,15 @@
+---
+fixes:
+  - |
+    [:bug:`1874705`] Add a new variable WEBSSO_USE_HTTP_REFERER to
+    facilitate WEBSSO deployments where network segmentation is used per
+    security requirement. In this case, the controllers cannot reach
+    other services external endpoints. Therefore, using the
+    HTTP_REFERER to derive the Keystone endpoint in the websso view will
+    return a timeout for requests to Keystone in cases where the external
+    Keystone endpoint is the HTTP_REFERER.
+    WEBSSO_USE_HTTP_REFERER defaults to True to keep inline with current
+    functionality. When set to False the OPENSTACK_KEYSTONE_URL is used
+    instead of the HTTP_REFERER. If OPENSTACK_KEYSTONE_URL is set to the
+    internal Keystone endpoint the requests between Horizon and Keystone
+    should be able to connect.