Public bug reported:

Web SSO will be broken in places where the assumption that the AUTH_URL that Horizon uses is publicly accessible.

Conversation with deployer:

"keystone is open in haproxy to the public world, but the problem is that horizon forming the SSO url based on the region URL, which is also used for normal authentication and the controller node (keystone, apache, horizon, etc) does not have public network access. ha proxy isn't involved because my web browser follows the redirect request, which has a private IP in it"

Issue is https://github.com/openstack/django_openstack_auth/blob/a40234be311eae11ca22497a82a82ab404d09a7c/openstack_auth/utils.py#L181
which uses auth_url to make the Federation urls.

A sample solution would be to add

    FEDERATION_AUTH_URL=https://public....

in /etc/openstack_dashboard/local_settings and then in /openstack_auth/utils.py

    federation_auth_url = getattr(settings, 'FEDERATION_AUTH_URL', auth_url)

later

    (auth_url, idp_id, protocol_id, origin))

becomes

    (federation_auth_url, idp_id, protocol_id, origin))

** Affects: horizon
     Importance: Undecided
         Status: New

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1646305

Title:
  Federation URL is public, but AUTH_URL is private

Status in OpenStack Dashboard (Horizon):
  New
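
The fallback proposed in the report, as an added example (not code from django_openstack_auth or from the reporter): a stand-alone sketch that builds the WebSSO redirect with the FEDERATION_AUTH_URL override and checks whether the resulting host is a private IP literal that a browser outside the deployment could not reach. The function names, the settings stand-ins, the Keystone path layout and all URLs and identifiers below are assumptions constructed for illustration.

```python
import ipaddress
from types import SimpleNamespace
from urllib.parse import urlsplit

# Constructed sample values (hypothetical deployment, not from the report).
PRIVATE_AUTH_URL = "http://10.0.0.5:5000/v3"
ORIGIN = "https://horizon.example.com/auth/websso/"
# Stand-ins for the Django settings object: one without the proposed
# FEDERATION_AUTH_URL setting, one with it.
NO_OVERRIDE = SimpleNamespace()
WITH_OVERRIDE = SimpleNamespace(
    FEDERATION_AUTH_URL="https://keystone.example.com:5000/v3")


def build_websso_url(settings, auth_url, idp_id, protocol_id, origin):
    """Build the browser-facing WebSSO redirect URL."""
    # Fall back to auth_url so deployments without the setting are unchanged.
    federation_auth_url = getattr(settings, "FEDERATION_AUTH_URL", auth_url)
    return ("%s/auth/OS-FEDERATION/identity_providers/%s"
            "/protocols/%s/websso?origin=%s" %
            (federation_auth_url, idp_id, protocol_id, origin))


def has_private_ip_host(url):
    """True when the URL host is a literal private, loopback or link-local IP."""
    host = urlsplit(url).hostname or ""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        # Host is a DNS name; whether it resolves publicly is not checked here.
        return False


if __name__ == "__main__":
    for label, settings in (("no override", NO_OVERRIDE),
                            ("with override", WITH_OVERRIDE)):
        url = build_websso_url(settings, PRIVATE_AUTH_URL,
                               "myidp", "saml2", ORIGIN)
        verdict = "private host" if has_private_ip_host(url) else "ok"
        print("%-14s %s -> %s" % (label, url, verdict))
```
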