versions resource uses host_url which may be incorrect

Bug #1384379 reported by Vish Ishaya on 2014-10-22
This bug affects 8 people
Affects | Status | Importance | Assigned to | Milestone
Cinder | | Undecided | wanghao |
Glance | | High | Unassigned |
Icehouse | | High | Unassigned |
Juno | | High | Unassigned |
Ironic | Fix Released | Medium | Lucas Alvares Gomes |
Manila | | High | Deliang Fan |
OpenStack Compute (nova) | | High | Radomir Dopieralski |
OpenStack DBaaS (Trove) | | Medium | Zhao Chao |
OpenStack Heat | Triaged | Medium | shihanzhang |

Bug Description

The versions resource constructs the links by using host_url, but the glance api endpoint may be behind a proxy or ssl terminator. This means that host_url may be incorrect. It should have a config option to override host_url like the other services do when constructing versions links.

Jay Pipes (jaypipes) on 2014-10-22
Changed in glance:
status: New → Confirmed

Reviewed: https://review.openstack.org/130311
Committed: https://git.openstack.org/cgit/openstack/glance/commit/?id=fa3b691011b8f24cb447f0ce1c62270b19b18110
Submitter: Jenkins
Branch: master

commit fa3b691011b8f24cb447f0ce1c62270b19b18110
Author: Vishvananda Ishaya <email address hidden>
Date: Wed Oct 22 11:59:32 2014 -0700

    Add config option to override url for versions

    The versions url returns the wrong data when glance api is behind
    a proxy. This adds a new config option so it can be set properly.

    DocImpact

    Change-Id: I5ab53d608a6667435a4b03b0c832870716baaeb8
    Closes-Bug: #1384379

Changed in glance:
status: Confirmed → Fix Committed
Thierry Carrez (ttx) on 2014-12-19
Changed in glance:
milestone: none → kilo-1
status: Fix Committed → Fix Released
Changed in glance:
importance: Undecided → High
Erno Kuvaja (jokke) on 2015-02-12
tags: added: icehouse-backport-potential juno-backport-potential
Changed in trove:
importance: Undecided → Medium
assignee: nobody → Nikhil Manchanda (slicknik)
milestone: none → kilo-3
status: New → Triaged

Fix proposed to branch: master
Review: https://review.openstack.org/155555

Changed in trove:
status: Triaged → In Progress
Changed in nova:
assignee: nobody → shihanzhang (shihanzhang)
Changed in heat:
assignee: nobody → shihanzhang (shihanzhang)
wanghao (wanghao749) on 2015-02-26
Changed in cinder:
assignee: nobody → wanghao (wanghao749)
Changed in nova:
status: New → Confirmed
importance: Undecided → Low
Changed in cinder:
status: New → In Progress

Fix proposed to branch: master
Review: https://review.openstack.org/160266

Changed in nova:
status: Confirmed → In Progress
Changed in heat:
status: New → In Progress
Ian Cordasco (icordasc) wrote :

For anyone looking to pick this up, please read the conversation on the ML first: http://lists.openstack.org/pipermail/openstack-dev/2015-March/058196.html

Reviewed: https://review.openstack.org/159374
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=2eb25ab8803214cb3beb5d8fe3efbf70a462c414
Submitter: Jenkins
Branch: master

commit 2eb25ab8803214cb3beb5d8fe3efbf70a462c414
Author: wanghao <email address hidden>
Date: Thu Feb 26 16:50:31 2015 +0800

    Add config option to override url for versions

    The versions url returns the wrong data when cinder api is behind
    a proxy. This adds a new config option so it can be set properly.

    DocImpact

    Change-Id: I46a90120b21e43bf8dca9e5f0efdf339f0d3e8e6
    Closes-Bug: #1384379

Changed in cinder:
status: In Progress → Fix Committed
Changed in trove:
milestone: kilo-3 → kilo-rc1
Thierry Carrez (ttx) on 2015-03-20
Changed in cinder:
milestone: none → kilo-3
status: Fix Committed → Fix Released
Changed in trove:
importance: Medium → High
Angus Salkeld (asalkeld) on 2015-04-01
Changed in heat:
importance: Undecided → Medium
milestone: none → liberty-1
tags: added: kilo-rc-potential
Changed in trove:
importance: High → Medium
milestone: kilo-rc1 → liberty-1
Changed in nova:
milestone: none → liberty-1
importance: Low → High
Changed in ceilometer:
assignee: nobody → Deliang Fan (vanderliang)
status: New → In Progress
Changed in ironic:
assignee: nobody → Deliang Fan (vanderliang)
status: New → In Progress
Changed in manila:
assignee: nobody → Deliang Fan (vanderliang)
Changed in manila:
status: New → In Progress
Steve Baker (steve-stevebaker) wrote :

I would much prefer solutions which build the versions URL from X-Forwarded-Host and X-Forwarded-Proto header values.

See this bug for a similar issue which was fixed by changing haproxy configuration:
https://bugzilla.redhat.com/show_bug.cgi?id=1201227#c14

Deliang Fan (vanderliang) wrote :

@Steve Baker Hello, Steve, I think it's still a problem for many other components except heat. Because we implement heat.filter_factory = heat.api.openstack:sslmiddleware_filter in heat which is able to get the forwarded seventh level protocol type.
For many other OpenStack components, we still need to choose a method (like heat or glance) to solve this problem.

Deliang Fan (vanderliang) wrote :

After I have read the webob source, I think we should solve this problem like heat https://review.openstack.org/#/c/64142/ rather than nova or glance etc.

Changed in ironic:
assignee: Deliang Fan (vanderliang) → Ramakrishnan G (rameshg87)
devananda (devananda) on 2015-04-28
Changed in ironic:
milestone: none → liberty-1
importance: Undecided → Medium
Thierry Carrez (ttx) on 2015-04-30
Changed in glance:
milestone: kilo-1 → 2015.1.0
Thierry Carrez (ttx) on 2015-04-30
Changed in cinder:
milestone: kilo-3 → 2015.1.0
Thierry Carrez (ttx) on 2015-04-30
tags: removed: kilo-rc-potential

Change abandoned by shihanzhang (<email address hidden>) on branch: master
Review: https://review.openstack.org/160267

Change abandoned by shihanzhang (<email address hidden>) on branch: master
Review: https://review.openstack.org/160266

Changed in trove:
milestone: liberty-1 → liberty-2
John Garbutt (johngarbutt) wrote :

Update nova as patch was abandoned.

Changed in nova:
assignee: shihanzhang (shihanzhang) → nobody
milestone: liberty-1 → liberty-2
status: In Progress → Triaged
Thierry Carrez (ttx) on 2015-06-23
Changed in heat:
milestone: liberty-1 → liberty-2
Yukinori Sagara (sagara) on 2015-07-13
Changed in nova:
assignee: nobody → Yukinori Sagara (sagara177)

Change abandoned by Mike Perez (<email address hidden>) on branch: stable/juno
Review: https://review.openstack.org/194719

Changed in trove:
milestone: liberty-2 → liberty-3
Changed in nova:
milestone: liberty-2 → liberty-3

Fix proposed to branch: master
Review: https://review.openstack.org/206479

Changed in nova:
assignee: Yukinori Sagara (sagara177) → Radomir Dopieralski (thesheep)
status: Triaged → In Progress
Changed in heat:
milestone: liberty-2 → next

Reviewed: https://review.openstack.org/206479
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=ab35779238658ad8595e383618ca28a191c1085d
Submitter: Jenkins
Branch: master

commit ab35779238658ad8595e383618ca28a191c1085d
Author: Radomir Dopieralski <email address hidden>
Date: Tue Jul 28 12:54:20 2015 +0200

    Handle SSL termination proxies for version list

    Return correct scheme in version URLs if service is
    behind an SSL termination proxy.

    This is done by adding a new configuration option,
    secure_proxy_ssl_header, which, when defined, makes
    the wsgi application take the host_url scheme from
    that header. By default, when this option is not
    specified, there is no difference in behavior.

    The intention is to configure any ssl-decrypting
    proxy to set that header, so that nova-api knows
    which protocol to use in the URLs in response.

    This patch is largely based on
    https://review.openstack.org/#/c/132235/18

    DocImpact
    Closes-Bug: #1384379

    Change-Id: I27ba166902ecc19c9b7fff2ee7f3bf733885efe1

Changed in nova:
status: In Progress → Fix Committed
Changed in heat:
status: In Progress → Triaged
Changed in trove:
milestone: liberty-3 → ongoing
Thierry Carrez (ttx) on 2015-09-03
Changed in nova:
status: Fix Committed → Fix Released
Changed in ironic:
assignee: Ramakrishnan G (rameshg87) (rameshg87) → nobody
Changed in manila:
milestone: none → liberty-rc1
importance: Undecided → High
Changed in trove:
milestone: ongoing → liberty-rc1

Reviewed: https://review.openstack.org/180483
Committed: https://git.openstack.org/cgit/openstack/manila/commit/?id=32295b5c3c2f68cced53232ec22e5c31f62c4466
Submitter: Jenkins
Branch: master

commit 32295b5c3c2f68cced53232ec22e5c31f62c4466
Author: Deliang Fan <email address hidden>
Date: Wed May 6 18:37:29 2015 +0800

    Add SSL middleware to fix incorrect version host_url

    The Manila API does not behave properly if it is behind an SSL
    termination proxy. If this is the case, the host_url in version
    resource is built using http protocol instead of https.

    To handle the correct host_url with proxy, first, we should enable
    X-Forwarded-Host in proxy so that Manila can get the right client
    ip. Second, we should enable X-Forwarded-Proto, with the new SSL
    middleware, Manila will get original protocol.

    Change-Id: I2dac983481718e6d639453e3f03f41baf8cea56d
    Closes-Bug: #1384379

Changed in manila:
status: In Progress → Fix Committed
Changed in ironic:
assignee: nobody → Lucas Alvares Gomes (lucasagomes)
Changed in ironic:
assignee: Lucas Alvares Gomes (lucasagomes) → Jim Rollenhagen (jim-rollenhagen)
assignee: Jim Rollenhagen (jim-rollenhagen) → Lucas Alvares Gomes (lucasagomes)
Changed in ironic:
milestone: none → 4.2.0

Reviewed: https://review.openstack.org/223640
Committed: https://git.openstack.org/cgit/openstack/ironic/commit/?id=eec96136be1e8d87d2a07c7d4306de52cbc3e7c8
Submitter: Jenkins
Branch: master

commit eec96136be1e8d87d2a07c7d4306de52cbc3e7c8
Author: Lucas Alvares Gomes <email address hidden>
Date: Tue Sep 15 13:58:30 2015 +0100

    Add config option to override url for links

    The versions url returns the wrong data when Ironic API is behind a
    proxy. This adds a new config option called "public_endpoint" so it can
    be set properly.

    Closes-Bug: #1384379
    Change-Id: I6d1b59db3ce09aba7bca5a71edcf97eb79f0b17b
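
The two fixes discussed in this report, a configured endpoint override and a scheme taken from an operator-named proxy header, side by side with the unpatched behaviour. This is an added example, not part of the bug report or of any OpenStack project's code: `host_url`, `version_links`, `SAMPLE_ENVIRON` and the example hostnames are assumptions, and the option names `public_endpoint` and `secure_proxy_ssl_header` are borrowed from the commit messages above, modelling only the behaviour those messages describe.

```python
from urllib.parse import urlsplit

def host_url(environ, public_endpoint=None, secure_proxy_ssl_header=None):
    """Base URL for version links (illustrative helper, not project code)."""
    if public_endpoint:
        # Operator-configured override: the request is not consulted at all.
        parts = urlsplit(public_endpoint)
        if parts.scheme not in ("http", "https") or not parts.netloc:
            raise ValueError("public_endpoint must be an absolute http(s) URL")
        return public_endpoint.rstrip("/")

    scheme = environ.get("wsgi.url_scheme", "http")
    if secure_proxy_ssl_header:
        # Header is read only when the operator named it; unset means ignored.
        forwarded = environ.get(secure_proxy_ssl_header, "").strip().lower()
        if forwarded in ("http", "https"):  # anything else keeps socket scheme
            scheme = forwarded
    host = environ.get("HTTP_HOST")
    if not host:
        host = f'{environ["SERVER_NAME"]}:{environ["SERVER_PORT"]}'
    return f"{scheme}://{host}"

def version_links(environ, versions=("v1", "v2"), **opts):
    """Build the links a versions resource would return."""
    base = host_url(environ, **opts)
    return [f"{base}/{v}/" for v in versions]

# Constructed request as seen by an API server behind an SSL terminator:
# the proxy connects over plain HTTP and sets X-Forwarded-Proto.
SAMPLE_ENVIRON = {
    "wsgi.url_scheme": "http",
    "HTTP_HOST": "images.example.org",
    "SERVER_NAME": "10.0.0.5",
    "SERVER_PORT": "9292",
    "HTTP_X_FORWARDED_PROTO": "https",
}

if __name__ == "__main__":
    print(version_links(SAMPLE_ENVIRON))  # unpatched behaviour
    print(version_links(SAMPLE_ENVIRON,
                        secure_proxy_ssl_header="HTTP_X_FORWARDED_PROTO"))
    print(version_links(SAMPLE_ENVIRON,
                        public_endpoint="https://api.example.org:9292"))
```

The header path is only as trustworthy as the proxy in front of it: the proxy has to overwrite any client-supplied copy of the header, and the API port should not be reachable except through that proxy.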

Changed in ironic:
status: In Progress → Fix Committed
gordon chung (chungg) on 2015-09-16
Changed in ceilometer:
assignee: Deliang Fan (vanderliang) → nobody
importance: Undecided → Low
status: In Progress → Triaged
Nikhil Manchanda (slicknik) wrote :

This is not a blocker for Liberty-RC1 for Trove.

Changed in trove:
milestone: liberty-rc1 → ongoing
Thierry Carrez (ttx) on 2015-09-22
Changed in manila:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-09-25
Changed in ironic:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2015-10-15
Changed in nova:
milestone: liberty-3 → 12.0.0
Thierry Carrez (ttx) on 2015-10-15
Changed in manila:
milestone: liberty-rc1 → 1.0.0
Alan Pevec (apevec) on 2015-11-24
tags: removed: icehouse-backport-potential juno-backport-potential

Change abandoned by amrith (<email address hidden>) on branch: master
Review: https://review.openstack.org/155555
Reason: abandoning for inactivity.

Change abandoned by Chris Dent (<email address hidden>) on branch: master
Review: https://review.openstack.org/180929
Reason: No activity in over six months. If it still matters feel free to restore.

gordon chung (chungg) on 2016-03-10
no longer affects: ceilometer
Amrith Kumar (amrith) wrote :

Nikhil, any word on this?

Changed in trove:
status: In Progress → New
Zhao Chao (zhaochao1984) on 2018-02-07
Changed in trove:
assignee: Nikhil Manchanda (slicknik) → Zhao Chao (zhaochao1984)
status: New → In Progress

Reviewed: https://review.openstack.org/155555
Committed: https://git.openstack.org/cgit/openstack/trove/commit/?id=1667ad5e80be7d0bf3ac8e02410a18ce3a0ea4cd
Submitter: Zuul
Branch: master

commit 1667ad5e80be7d0bf3ac8e02410a18ce3a0ea4cd
Author: Zhao Chao <email address hidden>
Date: Wed Feb 7 11:07:02 2018 +0800

    Allow host URL for versions to be configurable

    The versions resource constructs the links by using application_url,
    but it's possible that the API endpoint is behind a load balancer
    or SSL terminator. This means that the application_url might be
    incorrect. This fix provides a config option (similar to other
    services) which lets us override the host URL when constructing
    links for the versions API.

    Co-Authored-By: Nikhil Manchanda <email address hidden>
    Change-Id: I23f06c6c2d52ba46c74e0d097c4963d2de731d30
    Closes-bug: 1384379

Changed in trove:
status: In Progress → Fix Released

This issue was fixed in the openstack/trove 10.0.0.0b1 development milestone.
