webSSO URLs may not be accessible under some network configurations

Bug #1544703 reported by Steve McLellan
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Undecided
Assigned to: Guang Yee
Milestone: (none)

Bug Description

WebSSO uses OPENSTACK_KEYSTONE_URL to generate URLs to point a browser at. Under many configurations this is fine, but in setups where there may be multiple networks, it can be problematic. For instance, if horizon is configured to talk to keystone over a network that is private, OPENSTACK_KEYSTONE_URL will not be reachable from a browser. A fuller explanation is in https://blueprints.launchpad.net/horizon/+spec/configurable-websso-keystone-url but this seems more like a bug than a feature. The upshot is adding a second setting to allow a separate WEBSSO keystone url.

Steve McLellan (sjmc7) wrote :

This will also require adding a public url option to the AVAILABLE_REGIONS which is currently a list of tuples (endpoint, title) representing different keystone installations, and takes precedence over OPENSTACK_KEYSTONE_URL.

Changed in horizon:
assignee: nobody → Roxana Gherle (roxana-gherle)
Dan Nguyen (daniel-a-nguyen) wrote :

Yeah, we can add a public url to the existing AVAILABLE_REGIONS property.

That property currently looks something like this:

https://github.com/openstack/horizon/blob/master/openstack_dashboard/local/local_settings.py.example#L149

# For multiple regions uncomment this configuration, and add (endpoint, title).
AVAILABLE_REGIONS = [
    ('http://cluster1.example.com:5000/v2.0', 'cluster1'),
    ('http://cluster2.example.com:5000/v2.0', 'cluster2'),
]

But I wonder if we should add a single one for Clouds that will be running WebSSO but not have multiple regions.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/279355

Changed in horizon:
status: New → In Progress
Dan Nguyen (daniel-a-nguyen) wrote :

Let's not try to tackle AVAILABLE_REGIONS for now, please ignore my previous comment :)

Changed in horizon:
assignee: Roxana Gherle (roxana-gherle) → Dan Nguyen (daniel-a-nguyen)
Changed in horizon:
status: In Progress → New
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Rob Cresswell (<email address hidden>) on branch: master
Review: https://review.openstack.org/279355
Reason: Abandoned due to inactivity. Please feel free to restore if you wish to work on it.

Changed in horizon:
assignee: Dan Nguyen (daniel-a-nguyen) → nobody
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/607064

Changed in horizon:
assignee: nobody → Guang Yee (guang-yee)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/607064
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=a53f012fa1c0724ee4d532e782e6b2fe88ef8fa8
Submitter: Zuul
Branch: master

commit a53f012fa1c0724ee4d532e782e6b2fe88ef8fa8
Author: Guang Yee <email address hidden>
Date: Mon Oct 1 15:30:16 2018 -0700

    support WEBSSO_KEYSTONE_URL

    Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
    deployments where network segmentation is used per security requirement.
    In this case, the controllers are not reachable from public network.
    Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
    if it is set to the internal endpoint.

    If WEBSSO_KEYSTONE_URL is set, it will be used instead of
    OPENSTACK_KEYSTONE_URL.

    Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
    Closes-bug: #1544703

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/611681

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 15.0.0.0b1

This issue was fixed in the openstack/horizon 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/rocky)

Reviewed: https://review.openstack.org/611681
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ac7f6e4d0de2a8d6cf0ed413b86866b4b29df875
Submitter: Zuul
Branch: stable/rocky

commit ac7f6e4d0de2a8d6cf0ed413b86866b4b29df875
Author: Guang Yee <email address hidden>
Date: Mon Oct 1 15:30:16 2018 -0700

    support WEBSSO_KEYSTONE_URL

    Add a new optional WEBSSO_KEYSTONE_URL property to facilitate WEBSSO
    deployments where network segmentation is used per security requirement.
    In this case, the controllers are not reachable from public network.
    Therefore, user's browser will not be able to reach OPENSTACK_KEYSTONE_URL
    if it is set to the internal endpoint.

    If WEBSSO_KEYSTONE_URL is set, it will be used instead of
    OPENSTACK_KEYSTONE_URL.

    Change-Id: I05ea4227aa4c2cb0a73015ed7fd29cf1a96e696a
    Closes-bug: #1544703
    (cherry picked from commit a53f012fa1c0724ee4d532e782e6b2fe88ef8fa8)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 14.0.2

This issue was fixed in the openstack/horizon 14.0.2 release.
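
The fallback described in the merged commit message, as an added example that is not Horizon's own code: it selects the browser-facing Keystone URL, builds a WebSSO redirect from it, and flags a deployment whose browser-facing URL is a private address or not HTTPS. The function names, host names and the `origin` value are assumptions made for illustration; the two setting names come from this report and the path is Keystone's federation WebSSO route.

```python
import ipaddress
from urllib.parse import quote, urlsplit


def browser_keystone_url(settings):
    """WEBSSO_KEYSTONE_URL if set, otherwise OPENSTACK_KEYSTONE_URL."""
    return settings.get("WEBSSO_KEYSTONE_URL") or settings["OPENSTACK_KEYSTONE_URL"]


def websso_redirect(settings, protocol, origin):
    """URL the user's browser is sent to in order to start WebSSO."""
    base = browser_keystone_url(settings).rstrip("/")
    return "%s/auth/OS-FEDERATION/websso/%s?origin=%s" % (
        base, quote(protocol, safe=""), quote(origin, safe=""))


def audit_browser_url(settings):
    """Static checks on the URL handed to browsers (heuristic: IP literals only)."""
    findings = []
    parts = urlsplit(browser_keystone_url(settings))
    if parts.scheme != "https":
        findings.append("browser-facing Keystone URL is not https")
    try:
        ip = ipaddress.ip_address(parts.hostname or "")
    except ValueError:
        ip = None  # DNS name: reachability cannot be judged offline
    if ip is not None and (ip.is_private or ip.is_loopback or ip.is_link_local):
        findings.append("browser-facing Keystone URL is a non-public address: %s" % ip)
    return findings


# Constructed sample settings (not taken from a real deployment).
INTERNAL_ONLY = {"OPENSTACK_KEYSTONE_URL": "http://10.0.0.5:5000/v3"}
SEGMENTED = {
    "OPENSTACK_KEYSTONE_URL": "http://10.0.0.5:5000/v3",        # Horizon -> Keystone
    "WEBSSO_KEYSTONE_URL": "https://keystone.example.com/v3",   # browser -> Keystone
}
ORIGIN = "https://horizon.example.com/auth/websso/"  # constructed Horizon callback

if __name__ == "__main__":
    for name, cfg in (("internal only", INTERNAL_ONLY), ("segmented", SEGMENTED)):
        print(name, websso_redirect(cfg, "saml2", ORIGIN), audit_browser_url(cfg))
```

Because the public URL is the one users authenticate against, it should be served over TLS even when the internal endpoint is not.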
