Apache WSGI config shipping with Keystone is incompatible with Horizon
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) | Triaged | Low | Unassigned | | |
Bug Description
The documentation needs to be changed to cover that we do not recommend running keystone on a high port but instead on its own host or under a sub-url.
This is not something we need to fix in the example WSGI file.
We should also change documentation to recommend uwsgi over mod_wsgi in all cases.
---- Below this point is kept for historical reasons ----
In keystone/
Alias /identity /usr/local/
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcess
WSGIApplica
WSGIPassAut
</Location>
However, it is both harmful and unnecessary. The operative WSGI configuration for Keystone comes from the <VirtualHost *:5000>
"Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone."
Leaving it in place, however, causes conflicts when Horizon is concurrently installed:
AH01630: client denied by server configuration: /usr/bin/
...in responses to Horizon URLs referencing '/identity'. Therefore, I believe keeping this configuration snippet in the shipped WSGI configuration (as opposed to actual documentation) is a defect.
tags: | added: documentation |
It is recommended keystone NOT be deployed on non-http/https (80/443) ports. If you would like to use a Vhost on a different port it is up to the deployer/installation tools to make that decision. The provided wsgi file is intended to be opinionated on the best way to deploy keystone, port 80/443 (standard ports) under the identity-prefix.
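A check for the URL-path collision reported in the bug description, as an added example that is not part of the original report or of Keystone's or Horizon's code. The two config snippets are constructed, the `/PLACEHOLDER/...` filesystem paths are placeholders, and mounting Horizon at `/` is an assumption made for illustration.

```python
import re
from itertools import combinations

# Directives that bind a URL path to a handler or a filesystem target.
CLAIM = re.compile(
    r'^\s*<?(Alias|ScriptAlias|WSGIScriptAlias|Location)\s+"?(/[^\s">]*)',
    re.IGNORECASE | re.MULTILINE,
)

# Constructed sample configs; /PLACEHOLDER paths are not real install paths.
SAMPLE = {
    "keystone.conf": """
Alias /identity /PLACEHOLDER/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
</Location>
""",
    # Assumption: Horizon is mounted at the site root.
    "horizon.conf": """
WSGIScriptAlias / /PLACEHOLDER/horizon.wsgi
Alias /static /PLACEHOLDER/static
""",
}

def url_claims(name, text):
    """Return (file, directive, normalized URL path) for each claiming directive."""
    return [(name, d, "/" + p.strip("/")) for d, p in CLAIM.findall(text)]

def shadows(outer, inner):
    """True if URL path `inner` falls under `outer` on a path-segment boundary."""
    return outer == "/" or inner == outer or inner.startswith(outer + "/")

def find_conflicts(configs):
    """Pairs of directives from different files whose URL paths overlap."""
    claims = [c for name, text in configs.items() for c in url_claims(name, text)]
    return [
        (a, b)
        for a, b in combinations(claims, 2)
        if a[0] != b[0] and (shadows(a[2], b[2]) or shadows(b[2], a[2]))
    ]

if __name__ == "__main__":
    for a, b in find_conflicts(SAMPLE):
        print(f"{a[0]}: {a[1]} {a[2]}  overlaps  {b[0]}: {b[1]} {b[2]}")
```

Each reported pair is a URL prefix claimed by two applications in the same Apache scope, which is the condition under which requests meant for one application are answered, or denied, by the other's configuration.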