Keystone cannot cope with being behind an SSL terminator for version list

Bug #1370022 reported by Andrey Pavlov
Affects                        Status        Importance  Assigned to    Milestone
OpenStack Identity (keystone)  Fix Released  Low         Andrey Pavlov

Bug Description

When keystone is set up behind an SSL terminator, it returns 'http' as the protocol in the URLs returned by the version list command -

user@host:~$ curl https://MYHOST:5000/

{"versions": {"values": [{"status": "stable", "updated": "2013-03-06T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v3+xml"}], "id": "v3.0", "links": [{"href": "http://MYHOST:5000/v3/", "rel": "self"}]}, {"status": "stable", "updated": "2014-04-17T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v2.0+json"}, {"base": "application/xml", "type": "application/vnd.openstack.identity-v2.0+xml"}], "id": "v2.0", "links": [{"href": "http://MYHOST:5000/v2.0/", "rel": "self"}, {"href": "http://docs.openstack.org/api/openstack-identity-service/2.0/content/", "type": "text/html", "rel": "describedby"}, {"href": "http://docs.openstack.org/api/openstack-identity-service/2.0/identity-dev-guide-2.0.pdf", "type": "application/pdf", "rel": "describedby"}]}]}}

my haproxy config -

frontend keystone_main_frontend
    bind 172.31.7.253:5000
    bind 172.31.7.252:5000 ssl crt /etc/haproxy/certs/runtime
    reqadd X-Forwarded-Proto:\ https if { ssl_fc }
    default_backend keystone_main_backend
    option httpclose
    option http-pretend-keepalive
    option forwardfor

backend keystone_main_backend
    server HOST1 172.31.0.10:5000 check
    server HOST2 172.31.0.12:5000 check
    server HOST3 172.31.0.16:5000 check

A similar bug is here: https://bugs.launchpad.net/heat/+bug/1235555

And because of this bug the latest cinder client doesn't work -

user@host:~$ cinder --os-username admin --os-tenant-name admin --os-password password --os-auth-url https://MYHOST:5000/v2.0/ --endpoint-type publicURL --debug list
ERROR: Unable to establish connection to http://MYHOST:5000/v2.0/tokens

Also - if I set public_endpoint and admin_endpoint in keystone.conf to use 'https' proto then all works.

Revision history for this message
Lance Bragstad (lbragstad) wrote :

Andrey, you'll need to set 'https' in your keystone configuration in order to use SSL with Keystone.

Maybe we can look for an opportunity to improve the documentation.

Changed in keystone:
status: New → Invalid
Changed in keystone:
status: Invalid → New
Revision history for this message
Andrey Pavlov (apavlov-e) wrote :

I try to explain -

We have a deployment where an HAProxy server serves SSL connections and then redirects to all services without SSL.
And keystone returns 'host_url' from the request back to the user in the version (discovery) answer.
For example, heat uses 'X-Forwarded-Proto' from the HTTP header to detect 'SSL termination' and it returns https/http according to this header.

I can change `public_endpoint` and `admin_endpoint` in the config file, but I must write the FQDN name of my cloud in addition to the protocol. But I can go to services internally, and I would get https for internal purposes. This is not a convenient way.

David Stanek (dstanek)
Changed in keystone:
status: New → Confirmed
importance: Undecided → Low
assignee: nobody → David Stanek (dstanek)
Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

This would be a nice to have enhancement, not unreasonable to make it more friendly for varying deployment scenarios.

Marking as Low since there is a workaround (setting proto to https) in the bug.

Changed in keystone:
assignee: David Stanek (dstanek) → nobody
Changed in keystone:
assignee: nobody → Andrey Pavlov (apavlov-e)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/132235

Changed in keystone:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/132235
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=340a692de2661e8bf5a710c325dcf0866c2cbfed
Submitter: Jenkins
Branch: master

commit 340a692de2661e8bf5a710c325dcf0866c2cbfed
Author: Andrey Pavlov <email address hidden>
Date: Fri Oct 31 15:25:46 2014 +0300

    Handle SSL termination proxies for version list

    Return correct scheme in version URLs if service
    behind an SSL termination proxy.

    Change-Id: I76462db9c01a130964844207e375bd35359694f7
    Closes-Bug: 1370022

Changed in keystone:
status: In Progress → Fix Committed
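The mechanism Andrey describes above (discovery links derived from the request, with X-Forwarded-Proto marking SSL termination) and the fix the commit message summarises, as an added example that is not keystone's own code: a WSGI-style helper that derives the advertised scheme from the header and falls back to the public_endpoint workaround from the bug. It goes one step beyond the patch by honouring the header only when the peer is one of the HAProxy frontend addresses from the config above (an assumption about which peer addresses keystone sees), since otherwise a client that reaches a backend directly can set X-Forwarded-Proto itself.

```python
# Added example, not keystone's code. Constructed assumption: the HAProxy frontend
# addresses from the bug's config are the peer addresses keystone sees for proxied requests.
TRUSTED_PROXIES = {"172.31.7.253", "172.31.7.252"}


def effective_scheme(environ, trusted_proxies=TRUSTED_PROXIES):
    """Scheme to advertise in version links: X-Forwarded-Proto is honoured only
    when the TCP peer is a known SSL-terminating proxy, so a client that reaches
    the backend directly cannot flip the advertised scheme by sending the header."""
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and environ.get("REMOTE_ADDR") in trusted_proxies:
        # A proxy chain may append values; the first is the client-facing hop.
        scheme = forwarded.split(",")[0].strip().lower()
        if scheme in ("http", "https"):
            return scheme
    return environ.get("wsgi.url_scheme", "http")


def version_self_link(environ, version_path, public_endpoint=None,
                      trusted_proxies=TRUSTED_PROXIES):
    """'self' href for one API version. public_endpoint mirrors the keystone.conf
    workaround from the bug: when set it wins, else the link follows the request."""
    if public_endpoint:
        base = public_endpoint.rstrip("/")
    else:
        host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
        base = f"{effective_scheme(environ, trusted_proxies)}://{host}"
    return f"{base}/{version_path.strip('/')}/"


def version_list(environ, public_endpoint=None):
    """Minimal analogue of the discovery document shown in the bug report."""
    return {"versions": {"values": [
        {"id": vid, "status": "stable",
         "links": [{"href": version_self_link(environ, path, public_endpoint),
                    "rel": "self"}]}
        for vid, path in (("v3.0", "v3"), ("v2.0", "v2.0"))]}}


def _env(remote_addr, forwarded_proto=None, host="MYHOST:5000"):
    """Constructed WSGI environ standing in for a real request."""
    env = {"REMOTE_ADDR": remote_addr, "HTTP_HOST": host, "wsgi.url_scheme": "http"}
    if forwarded_proto is not None:
        env["HTTP_X_FORWARDED_PROTO"] = forwarded_proto
    return env
```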
Thierry Carrez (ttx)
Changed in keystone:
milestone: none → kilo-2
status: Fix Committed → Fix Released
Revision history for this message
Kevin Fox (kevpn) wrote :

Marked as juno-backport-potential. The patch worked for me as is on rdo juno.

tags: added: juno-backport-potential
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-2 → 2015.1.0
Dmitry (dtsapikov)
tags: added: on-verification
Dmitry (dtsapikov)
tags: removed: on-verification