Federation cannot be configured in HA mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Mirantis OpenStack | Fix Released | Medium | Max Yatsenko | |
Bug Description
Because of our haproxy configuration, it is not possible to use mod-shib to enable federation.
This happens because shibboleth stores some information in a local database between requests.
This can be fixed with one of the changes:
1. Make shibboleth use mysql. My opinion is that it is overkill. It is also not deployer-friendly: one would have to create a database, tables, schema, etc., which is a terrible thing to figure out.
2. Use sticky sessions in haproxy. We need a small window to let the user make a request to keystone, authenticate at his IdP and get back to keystone. The window should be 2 minutes. We can try to lower this value in the future.
Although we don't officially support federation in 8.0 release, our deployers already want it.
information type: Public → Public Security
Changed in mos:
  assignee: nobody → MOS Keystone (mos-keystone)
  status: New → Confirmed
  importance: Undecided → Medium
Changed in mos:
  assignee: MOS Keystone (mos-keystone) → MOS Puppet Team (mos-puppet)
Changed in mos:
  assignee: MOS Puppet Team (mos-puppet) → Max Yatsenko (myatsenko)
Changed in mos:
  milestone: 8.0 → 9.0
I suggest adding these values to the haproxy configuration:

```
stick on src
stick-table type ip size 200k expire 2m
```
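As an added illustration, not taken from the bug report or from the MOS puppet manifests, here is how those two directives sit inside a complete haproxy section for the Keystone public endpoint; the section name, bind address, server names and addresses are assumed for the example:

```haproxy
# Assumed section name, VIP and backend addresses; constructed for illustration.
listen keystone-public
    bind 10.0.0.10:5000
    balance roundrobin
    # Sticky sessions keyed on the client IP. mod_shib keeps the state of an
    # in-progress SAML exchange on the node that started it, so the browser must
    # land on the same backend after it returns from the IdP. The table holds up
    # to 200k source addresses and forgets an entry 2 minutes after its last hit,
    # which is the window proposed above (user -> keystone -> IdP -> keystone).
    stick-table type ip size 200k expire 2m
    stick on src
    server node-1 10.0.0.11:5000 check inter 10s
    server node-2 10.0.0.12:5000 check inter 10s
    server node-3 10.0.0.13:5000 check inter 10s
```

Because the key is the source address, every client behind one NAT shares a single entry and is pinned to the same node, and the table does not help if haproxy itself receives connections from an upstream proxy that hides the real client address.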