OAuth headers are missing when using Apache

Bug #1392584 reported by Steve Martinelli
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Steve Martinelli | |
| python-keystoneclient | Fix Released | High | Steve Martinelli | |

Bug Description

It seems that deploying Keystone with mod_wsgi and using the OS-OAUTH extension causes some OAuth headers to be missing.

Specifically, there are two sets of headers that are required to be sent to the OAuth APIs.

1) A single `Requested_Project_Id` header, and
2) A single `Authorization: OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog"...` header

It was determined that mod_wsgi was the culprit in this case, and that a different fix is required for each of the missing headers.

For 1) We have to change `Requested_Project_Id` to `Requested-Project-Id`, since if using Apache 2.4 or higher, mod_wsgi blocks any headers that have non-dash or non-alphanumeric characters. See note 1) here: http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#features-changed

For 2) It is required to set WSGIPassAuthorization to On, which is Off by default. See https://code.google.com/p/modwsgi/wiki/ConfigurationDirectives#WSGIPassAuthorization for more details.

Issue 1) Should be fixed by updating the documentation here: http://docs.openstack.org/developer/keystone/extensions/oauth1.html

Issue 2) requires a change to keystoneclient, available here (https://review.openstack.org/#/c/134364/)
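
The two failure modes described in this report, as an added Python model (not code from Keystone, python-keystoneclient or mod_wsgi). `build_environ` and `missing_oauth_inputs` are hypothetical helpers, the `pass_authorization` flag stands in for `WSGIPassAuthorization`, and the project ID value is constructed.

```python
import re

# Model of the behaviour described in this report, not mod_wsgi source code.
_ALLOWED_NAME = re.compile(r"^[A-Za-z0-9-]+$")


def build_environ(headers, pass_authorization=False):
    """Map request headers to CGI-style WSGI keys as the report describes.

    headers: list of (name, value) pairs as sent by the client.
    pass_authorization: stands in for the WSGIPassAuthorization directive.
    """
    environ = {}
    for name, value in headers:
        if not _ALLOWED_NAME.match(name):
            # Names with characters other than alphanumerics or '-' are blocked;
            # '_' and '-' would otherwise collapse into the same HTTP_* key.
            continue
        if name.lower() == "authorization" and not pass_authorization:
            # Off by default: the credentials never reach the application.
            continue
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def missing_oauth_inputs(environ):
    """Return the OAuth inputs the WSGI application would not see."""
    missing = []
    if "HTTP_REQUESTED_PROJECT_ID" not in environ:
        missing.append("Requested-Project-Id")
    if not environ.get("HTTP_AUTHORIZATION", "").startswith("OAuth "):
        missing.append("Authorization")
    return missing


# Constructed sample requests; the Authorization value is the truncated one
# quoted in the report, and the project ID is a placeholder.
AUTH = 'OAuth oauth_consumer_key="xvz1evFS4wEEPTGEFPHBog"'
OLD_CLIENT = [("Requested_Project_Id", "constructed-project-id"), ("Authorization", AUTH)]
NEW_CLIENT = [("Requested-Project-Id", "constructed-project-id"), ("Authorization", AUTH)]

if __name__ == "__main__":
    cases = [
        ("underscore header, default vhost", OLD_CLIENT, False),
        ("dashed header, default vhost", NEW_CLIENT, False),
        ("dashed header, WSGIPassAuthorization On", NEW_CLIENT, True),
    ]
    for label, hdrs, flag in cases:
        print(label, "->", missing_oauth_inputs(build_environ(hdrs, flag)) or "nothing missing")
```

Running the same `missing_oauth_inputs` check against a real `environ` inside a test WSGI application shows which of the two fixes a deployment still lacks.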

Changed in keystone:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Changed in python-keystoneclient:
assignee: nobody → Steve Martinelli (stevemar)
status: New → In Progress
Steve Martinelli (stevemar) wrote :
Changed in keystone:
importance: Undecided → Medium
Changed in python-keystoneclient:
importance: Undecided → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/134388
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=9f8ba171b6943902bc7c2cf5c5c9dd656058a77d
Submitter: Jenkins
Branch: master

commit 9f8ba171b6943902bc7c2cf5c5c9dd656058a77d
Author: Steve Martinelli <email address hidden>
Date: Thu Nov 13 17:36:32 2014 -0500

    Add WSGIPassAuthorization to OAuth docs

    OAuth headers will not be passed in if operating Keystone under
    Apache. Mention this in the docs that are used to enable OAuth,
    so a deployer can know it's a configuration setting in mod_wsgi.

    Partial-Bug: #1392584
    Change-Id: I12e734650d9428460522e6b8f04baf7325bfc778

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (feature/hierarchical-multitenancy)

Fix proposed to branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (feature/hierarchical-multitenancy)

Change abandoned by Morgan Fainberg (<email address hidden>) on branch: feature/hierarchical-multitenancy
Review: https://review.openstack.org/138182

OpenStack Infra (hudson-openstack) wrote : Fix merged to python-keystoneclient (master)

Reviewed: https://review.openstack.org/134364
Committed: https://git.openstack.org/cgit/openstack/python-keystoneclient/commit/?id=a60978ed73227f6087ddad6a024e0a04255e35c5
Submitter: Jenkins
Branch: master

commit a60978ed73227f6087ddad6a024e0a04255e35c5
Author: Steve Martinelli <email address hidden>
Date: Thu Nov 13 16:24:29 2014 -0500

    Project ID in OAuth headers was missing

    If running Keystone under Apache with mod_wsgi, the extra
    headers were not being passed forward. These headers include:
    i) the Requested_Project_Id header, and ii) The Authorization
    headers with the oauth values.

    For i) we have to rename the header to use dashes (-), and not
    underscores (_), since mod_wsgi does not propagate the header
    otherwise. For ii) we need to add `WSGIPassAuthorization On`
    in the keystone vhost file. This should be done on the server
    side.

    For more info see note #2 here:
    http://modwsgi.readthedocs.org/en/latest/release-notes/version-4.3.0.html#bugs-fixed

    Closes-Bug: #1392584
    Change-Id: Id84e883b357408d25797155a72119f4c9898ca76

Changed in python-keystoneclient:
status: In Progress → Fix Committed
Changed in python-keystoneclient:
milestone: none → 1.0.0
Changed in python-keystoneclient:
status: Fix Committed → Fix Released
Steve Martinelli (stevemar) wrote :
Changed in keystone:
milestone: none → kilo-3
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: kilo-3 → 2015.1.0