
Merge "Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER"

changes/32/824432/1
Zuul 4 months ago committed by Gerrit Code Review
parent
commit
8fe5bbc8da
  1. 17
      doc/source/configuration/settings.rst
  2. 6
      openstack_auth/defaults.py
  3. 8
      openstack_auth/views.py
  4. 15
      releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml

17
doc/source/configuration/settings.rst

@ -1715,6 +1715,23 @@ identity provider lives. This URL will take precedence over
``OPENSTACK_KEYSTONE_URL`` if the login choice is an external
identity provider (IdP).
WEBSSO_USE_HTTP_REFERER
~~~~~~~~~~~~~~~~~~~~~~~
.. versionadded:: 21.0.0(Yoga)
Default: ``True``
For use in cases of web single-sign-on authentication when the control plane
has no outbound connectivity to the external service endpoints. By default
the HTTP_REFERER is used to derive the Keystone endpoint to pass requests to.
As previous requests to an external IdP will be using Keystone's external
endpoint, this HTTP_REFERER will be Keystone's external endpoint.
When Horizon is unable to connect to Keystone's external endpoint in this setup
this leads to a time out. ``WEBSSO_USE_HTTP_REFERER`` can be set to False to
use the ``OPENSTACK_KEYSTONE_URL`` instead, which should be set to an internal
Keystone endpoint, so that this request will succeed.
Neutron
-------
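Review bot: the new paragraph says the HTTP_REFERER is used by default, but the accompanying views change falls back to ``OPENSTACK_KEYSTONE_URL`` whenever the request carries no Referer header, even with ``WEBSSO_USE_HTTP_REFERER`` left at ``True``; documenting that fallback here tells operators which endpoint is actually contacted in each case. It is also worth stating that the Referer is a request header supplied by the browser, so the ``False`` setting makes the token-authentication endpoint come entirely from operator configuration rather than from the incoming request, which is a reason to prefer it wherever Horizon can reach Keystone internally. Minor: a comma is missing after "in this setup" in the last paragraph.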

6
openstack_auth/defaults.py

@ -159,6 +159,12 @@ WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
# Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
WEBSSO_KEYSTONE_URL = None
# In the case of web single-sign-on authentication when the control plane
# has no outbound connectivity to the external service endpoints set this
# to False. Otherwise the Keystone external endpoint will be used to make
# a token authentication request from Horizon to Keystone which will timeout.
WEBSSO_USE_HTTP_REFERER = True
# The Keystone Provider drop down uses Keystone to Keystone federation
# to switch between Keystone service providers.
# Set display name for Identity Provider (dropdown display name)
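Review bot: the comment above ``WEBSSO_USE_HTTP_REFERER`` says what to set and why, but not what is used in its place; unlike the settings.rst text it never mentions ``OPENSTACK_KEYSTONE_URL``. Suggest mirroring the doc wording, e.g. ``# When False, OPENSTACK_KEYSTONE_URL (which should point at an internal Keystone endpoint) is used instead of the HTTP_REFERER.`` The neighbouring settings also carry an ``# Example:`` line; one here (``# Example: WEBSSO_USE_HTTP_REFERER = False``) would keep the block consistent.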

8
openstack_auth/views.py

@ -199,8 +199,12 @@ def login(request):
@never_cache
def websso(request):
"""Logs a user in using a token from Keystone's POST."""
referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
if settings.WEBSSO_USE_HTTP_REFERER:
referer = request.META.get('HTTP_REFERER',
settings.OPENSTACK_KEYSTONE_URL)
auth_url = utils.clean_up_auth_url(referer)
else:
auth_url = settings.OPENSTACK_KEYSTONE_URL
token = request.POST.get('token')
try:
request.user = auth.authenticate(request, auth_url=auth_url,
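Review bot: the two branches do not produce the same shape of URL: the referer branch runs the value through ``utils.clean_up_auth_url`` before it reaches ``auth.authenticate``, while the ``else`` branch passes ``settings.OPENSTACK_KEYSTONE_URL`` through untouched. If ``clean_up_auth_url`` normalises the path or version suffix, a raw setting value may behave differently from the equivalent referer; consider applying the same call in both branches (``auth_url = utils.clean_up_auth_url(settings.OPENSTACK_KEYSTONE_URL)``) or adding a comment explaining why the configured value needs no clean-up. Also note that the ``True`` branch already falls back to ``OPENSTACK_KEYSTONE_URL`` when no Referer header is present, so the new setting only changes behaviour when a Referer is sent; a one-line comment saying so would help the next reader.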

15
releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml

@ -0,0 +1,15 @@
---
fixes:
- |
[:bug:`1874705`] Add a new variable WEBSSO_USE_HTTP_REFERER to
facilitate WEBSSO deployments where network segmentation is used per
security requirement. In this case, the controllers cannot reach
other services external endpoints. Therefore, using the
HTTP_REFERER to derive the Keystone endpoint in the websso view will
return a timeout for requests to Keystone in cases where the external
Keystone endpoint is the HTTP_REFERER.
WEBSSO_USE_HTTP_REFERER defaults to True to keep inline with current
functionality. When set to False the OPENSTACK_KEYSTONE_URL is used
instead of the HTTP_REFERER. If OPENSTACK_KEYSTONE_URL is set to the
internal Keystone endpoint the requests between Horizon and Keystone
should be able to connect.
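Review bot: two wording fixes in the note text: "keep inline with current functionality" should read "keep in line with current functionality", and "other services external endpoints" needs the possessive ("other services' external endpoints"). Since the change introduces a new configuration option rather than only correcting behaviour, consider also listing it under a ``features:`` section (or mentioning it under ``upgrade:``) so operators scanning release notes for new settings find ``WEBSSO_USE_HTTP_REFERER``; the ``fixes:`` entry can keep the bug reference.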