OpenStack Identity (keystone)

  1. Bug #1799332
  2. Comment #0

Comment 0 for bug 1799332

Revision history for this message
Mike Joseph (mj-mode) wrote :

In keystone/httpd/wsgi-keystone.conf, the following configuration is present:

Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

However, it is both harmful and unnecessary. The operative WSGI configuration for Keystone comes from the <VirtualHost *:5000>...</VirtualHost> section. In fact, the commit which added the /identity endpoint described it as an documentation example:

"Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone."

Leaving it in place, however, causes conflicts when Horizon is concurrently installed:

AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-public

...in responses to Horizon URL's referencing '/identity'. Therefore, I believe keeping this configuration snippet in the shipped WSGI configuration (as opposed to actual documentation) is a defect.