Federation cannot be configured in HA mode

Bug #1527717 reported by Boris Bobrov
Affects: Mirantis OpenStack
Status: Fix Released
Importance: Medium
Assigned to: Max Yatsenko

Bug Description

Because of our haproxy configuration, it is not possible to use mod-shib to enable federation.

This happens because shibboleth stores some information in a local database between requests.

This can be fixed with one of the changes:

1. Make shibboleth use mysql. My opinion is that it is overkill. It is also not deployer-friendly: one would have to create a database, tables, schema etc., which is a terrible thing to figure out.

2. Use sticky sessions in haproxy. We need a small window to let the user make a request to keystone, authenticate at his IdP and get back to keystone. The window should be 2 minutes. We can try to lower this value in future.

Although we don't officially support federation in 8.0 release, our deployers already want it.

Revision history for this message
Boris Bobrov (bbobrov) wrote :

I suggest adding this value to the haproxy configuration:

  stick on src
  stick-table type ip size 200k expire 2m

tags: added: ha
removed: haproxy
Revision history for this message
Boris Bobrov (bbobrov) wrote :

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPClustering -- for more information about shibboleth behind HA.

information type: Public → Public Security
Revision history for this message
Boris Bobrov (bbobrov) wrote :

No, this is not public security.

information type: Public Security → Public
Changed in mos:
assignee: nobody → MOS Keystone (mos-keystone)
status: New → Confirmed
importance: Undecided → Medium
Boris Bobrov (bbobrov)
Changed in mos:
assignee: MOS Keystone (mos-keystone) → MOS Puppet Team (mos-puppet)
Changed in mos:
assignee: MOS Puppet Team (mos-puppet) → Max Yatsenko (myatsenko)
Changed in mos:
milestone: 8.0 → 9.0
Revision history for this message
Max Yatsenko (myatsenko) wrote :

The patch for solving the issue:
https://review.openstack.org/#/c/261762

Changed in mos:
status: Confirmed → In Progress
Revision history for this message
Max Yatsenko (myatsenko) wrote :
Changed in mos:
status: In Progress → Fix Committed
Revision history for this message
Alexander Petrov (apetrov-n) wrote :

Verified on MOS 9.0 build 106
haproxy configuration is done correctly

/etc/haproxy/conf.d/020-keystone-1.cfg

listen keystone-2
  bind 192.168.0.2:35357
  http-request set-header X-Forwarded-Proto https if { ssl_fc }
  option httpchk GET /v3
  option httplog
  option httpclose
  option forwardfor
  stick on src
  stick-table type ip size 200k expire 2m
  server node-1 192.168.0.3:35357 check inter 10s fastinter 2s downinter 2s rise 30 fall 3
  server node-2 192.168.0.7:35357 check inter 10s fastinter 2s downinter 2s rise 30 fall 3
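
The sticky-session lines suggested above and the verified keystone block can be checked mechanically. The following audit script is an added example, not part of the bug report or of the MOS puppet patch: it parses a haproxy config, finds every `listen keystone*` section and reports any that lacks `stick on src` or a `stick-table` whose `expire` covers the two-minute federation window. The sample config is constructed; `keystone-1` is a hypothetical block that still lacks the fix.

```python
import re
# Constructed sample: keystone-2 is the fixed block from the bug report,
# keystone-1 is a hypothetical block still missing the sticky-session lines.
SAMPLE_CFG = """\
listen keystone-2
  stick on src
  stick-table type ip size 200k expire 2m
  server node-1 192.168.0.3:35357 check
  server node-2 192.168.0.7:35357 check

listen keystone-1
  server node-1 192.168.0.3:5000 check
"""
_UNITS = {"us": 1e-6, "ms": 1e-3, "s": 1, "m": 60, "h": 3600, "d": 86400}

def parse_time(value):
    """Convert a haproxy time ('2m', '30s', bare number = milliseconds) to seconds."""
    number, unit = re.fullmatch(r"(\d+)([a-z]*)", value).groups()
    return int(number) * _UNITS[unit or "ms"]

def parse_sections(cfg):
    """Split a config into {'listen keystone-2': [[word, ...], ...]}."""
    sections, current = {}, None
    for words in (line.split() for line in cfg.splitlines()):
        if words and words[0] in ("global", "defaults", "frontend", "backend", "listen"):
            current = sections.setdefault(" ".join(words[:2]), [])
        elif words and current is not None and not words[0].startswith("#"):
            current.append(words)
    return sections

def check_sticky(lines, min_window=120):
    """Problems with one proxy section's sticky-session setup ([] means OK)."""
    problems = []
    if not any(w[:3] == ["stick", "on", "src"] for w in lines):
        problems.append("missing 'stick on src'")
    tables = [w for w in lines if w[0] == "stick-table"]
    if not tables:
        problems.append("missing 'stick-table'")
    for t in tables:  # without 'expire', entries only leave once the table is full
        expire = parse_time(t[t.index("expire") + 1]) if "expire" in t else float("inf")
        if expire < min_window:
            problems.append("stick-table expire %gs is below the %ds window" % (expire, min_window))
    return problems

def audit(cfg, prefix="listen keystone", min_window=120):
    """Audit every keystone proxy section; returns {section: [problems]}."""
    return {name: check_sticky(lines, min_window)
            for name, lines in parse_sections(cfg).items() if name.startswith(prefix)}
```

Source-address stickiness assumes clients arrive with distinct addresses: users behind one NAT share a single table entry and therefore a single backend, which keeps the SAML round trip consistent but concentrates their load on one node.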

Changed in mos:
status: Fix Committed → Fix Released