Web servers that are exposed to the Internet eventually gain a
security feature of limiting the amount of data in the request
body. In Apache Httpd, this is provided by the LimitRequestBody
directive. This is added to the sample Httpd config file.
The limit is set for only the keystone services so it won't
affect other services running in Httpd.
The value of 114688 was picked because it's the current limit
on request body that oslo.middleware's sizelimit function puts
on requests to keystone.
Use of oslo.middleware's sizelimit re-implementation can be
deprecated.
Docs:
- http://httpd.apache.org/docs/2.4/mod/core.html#limitrequestbody
ReleaseNotesImpact
Closes-Bug: 1481048
Change-Id: I5509e4b65900c15dd0b5fda43b1d5bb4dc3ff5ff
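An added example, not part of the commit above or of keystone's own code: a small audit that reads an Apache httpd config and reports whether each VirtualHost serving a keystone WSGI script has a LimitRequestBody at or below 114688. The function names, the sample config, its ports and the /usr/local/bin paths are assumptions; only server-level and VirtualHost-level directives are modelled, so a directive inside a nested section such as Location is counted for the enclosing VirtualHost.

```python
import re

KEYSTONE_LIMIT = 114688  # bytes, the value named in the commit message

# Constructed sample, not the project's sample file; ports and paths are assumptions.
SAMPLE_CONF = """\
<VirtualHost *:5000>
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
    LimitRequestBody 114688
</VirtualHost>
<VirtualHost *:35357>
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
</VirtualHost>
<VirtualHost *:8080>
    LimitRequestBody 0
</VirtualHost>
"""

def keystone_body_limits(conf_text):
    """Map each keystone VirtualHost to its effective LimitRequestBody (None if unset)."""
    server_limit, found, vhost = None, {}, None
    for line in (raw.strip() for raw in conf_text.splitlines()):
        opened = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        limit = re.match(r"LimitRequestBody\s+(\d+)\s*$", line, re.I)
        if opened:
            vhost = {"name": opened.group(1).strip(), "limit": None, "keystone": False}
        elif vhost and line.lower().startswith("</virtualhost"):
            if vhost["keystone"]:
                found[vhost["name"]] = vhost["limit"]
            vhost = None
        elif vhost and re.match(r"WSGIScriptAlias\s.*keystone-wsgi-(admin|public)\b", line, re.I):
            vhost["keystone"] = True
        elif limit and vhost:
            vhost["limit"] = int(limit.group(1))
        elif limit:
            server_limit = int(limit.group(1))
    # A vhost without its own directive inherits the server-level value, if any.
    return {n: server_limit if v is None else v for n, v in found.items()}

def audit(conf_text, max_bytes=KEYSTONE_LIMIT):
    """Classify each keystone vhost as 'unset', 'unlimited', 'too large' or 'ok'."""
    verdicts = {}
    for name, limit in keystone_body_limits(conf_text).items():
        if limit is None:
            verdicts[name] = "unset"
        elif limit == 0:  # 0 disables the body limit in Apache httpd
            verdicts[name] = "unlimited"
        else:
            verdicts[name] = "ok" if limit <= max_bytes else "too large"
    return verdicts
```

Calling `audit(SAMPLE_CONF)` flags the admin VirtualHost as unset and leaves the non-keystone VirtualHost on port 8080 out of the report.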

Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone.
Closes-Bug: 1496041
Change-Id: Ie7b829eff16c0e839f8dd1e4ecef7fdc06c3f561

The httpd/keystone.py file needed to be copied and then
symlinked when used by web servers to "admin" and "main".
pbr 1.4.0 added support for wsgi_scripts that creates scripts
for wsgi servers on install. Keystone will now specify
wsgi_scripts so that the admin (keystone-wsgi-admin) and
main (keystone-wsgi-public) scripts will be created on install.
See http://httpd.apache.org/docs/2.4/upgrading.html#access for
the Apache docs with examples for the Allow/Deny/Require
directives.
DocImpact
Related-Bug: #1441733
Change-Id: Ic9c03e6c00408f3698c10012ca98cfc6ea9b6ace

The sample httpd config file was not using best practices for
Apache configuration. The file is now a copy of the file that
devstack uses for keystone Apache config
(files/apache-keystone.template), with the replacement strings
updated to the keystone defaults.
Also, the "Firewall" section is removed from the httpd config
docs because the sample config file isn't using port 443.
Change-Id: I1d10925b33ec7e70793e61db1cb99186f112ef3e

PasteDeploy configuration contains class names which might change
between releases. Keeping it separate from user-configurable
parameters allows deployers to move the paste-deploy ini file out of
the configuration directory to a place where it can be safely overwritten
on updates, e.g. under /usr/share/
DocImpact
Change-Id: I9292ca6226c8430b93565dedd45cc842742a23e2