Federation URL is public, but AUTH_URL is private

Bug #1646305 reported by Adam Young
Affects: OpenStack Dashboard (Horizon)
Status: Confirmed
Importance: Medium
Assigned to: Unassigned

Bug Description

Web SSO will be broken in places where the assumption that the AUTH_URL that Horizon uses is publicly accessible does not hold.

Conversation with deployer:

"keystone is open in haproxy to the public world, but the problem is that horizon forming the SSO url based on the region URL, which is also used for normal authentication and the controller node (keystone, apache, horizon, etc) does not have public network access. ha proxy isn't involved because my web browser follows the redirect request, which has a private IP in it"

Issue is
 https://github.com/openstack/django_openstack_auth/blob/a40234be311eae11ca22497a82a82ab404d09a7c/openstack_auth/utils.py#L181

Which uses auth_url to make the Federation urls. A sample solution would be to add

FEDERATION_AUTH_URL=https://public....

in /etc/openstack_dashboard/local_settings

and then in /openstack_auth/utils.py

 federation_auth_url = getattr(settings, 'FEDERATION_AUTH_URL', auth_url)

later

 (auth_url, idp_id, protocol_id, origin)) becomes (federation_auth_url, idp_id, protocol_id, origin))

Tags: keystone
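
The fallback proposed in the description, as an added example that is not code from django_openstack_auth: it builds the WebSSO redirect from an optional FEDERATION_AUTH_URL and flags a redirect whose host is a non-routable IP literal, which is the failure the deployer hit. The function names, the sample addresses and the URL path (modelled on Keystone's OS-FEDERATION WebSSO endpoint) are assumptions.

```python
import ipaddress
from types import SimpleNamespace
from urllib.parse import quote, urlsplit

# Constructed sample values, not taken from the bug report.
PRIVATE_AUTH_URL = "http://192.168.0.10:5000/v3"
PUBLIC_FEDERATION_URL = "https://keystone.example.com:5000/v3"
ORIGIN = "https://horizon.example.com/auth/websso/"


def federation_base_url(settings, auth_url):
    """Use FEDERATION_AUTH_URL when set, otherwise fall back to auth_url."""
    return getattr(settings, "FEDERATION_AUTH_URL", auth_url).rstrip("/")


def websso_url(settings, auth_url, idp_id, protocol_id, origin):
    """Build the URL the browser is redirected to for federated login."""
    base = federation_base_url(settings, auth_url)
    path = "/auth/OS-FEDERATION/identity_providers/%s/protocols/%s/websso" % (
        quote(idp_id, safe=""), quote(protocol_id, safe=""))
    return "%s%s?origin=%s" % (base, path, quote(origin, safe=""))


def browser_unreachable(url):
    """True when the URL host is a private, loopback or link-local IP literal.

    DNS names return False: resolving them is out of scope for an offline check.
    """
    host = urlsplit(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return ip.is_private or ip.is_loopback or ip.is_link_local


def check(settings, auth_url=PRIVATE_AUTH_URL):
    """Return (redirect_url, problem) for one constructed IdP and protocol."""
    url = websso_url(settings, auth_url, "myidp", "saml2", ORIGIN)
    return url, browser_unreachable(url)


if __name__ == "__main__":
    without = SimpleNamespace()  # FEDERATION_AUTH_URL not set
    with_override = SimpleNamespace(FEDERATION_AUTH_URL=PUBLIC_FEDERATION_URL)
    for label, cfg in (("no override", without), ("override", with_override)):
        url, problem = check(cfg)
        print("%-12s unreachable=%s %s" % (label, problem, url))
```

Only the browser-facing redirect changes; normal authentication from Horizon to Keystone still goes through auth_url.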
Changed in horizon:
importance: Undecided → Medium
tags: added: keystone
Ivan Kolodyazhny (e0ne)
Changed in horizon:
status: New → Confirmed