openstack/glance
Code Issues Proposed changes

Remove secure_proxy_ssl_header opt from Glance

Browse Source 
Glance uses http-proxy-to-wsgi middleware from oslo.middleware in
its pipeline in order to efficiently forward request headers in case
of load balancer style deployments. Hence, the configuration option
``secure_proxy_ssl_header`` was marked as deprecated.

This patch removes the option and the support for it within Glance
to entirely rely on oslo middleware. This will ensure that the related
headers set by oslo.middleware:HTTPProxyToWSGI is never modified in
Glance.

Change-Id: I11d41bb736bbfd90030d88245c11642823e4c400
Closes-Bug: 1673908
This commit is contained in:
Dharini Chandrasekar 2017-03-18 00:34:16 +00:00 committed by Cyril Roelandt
parent 7a42b7be1a
commit 8140abe639
5 changed files with 9 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
etc/glance-api.conf
View File

@ -794,14 +794,6 @@
# Minimum value: 1
#tcp_keepidle = 600
# DEPRECATED: The HTTP header used to determine the scheme for the original
# request, even if it was removed by an SSL terminating proxy. Typical value is
# "HTTP_X_FORWARDED_PROTO". (string value)
# This option is deprecated for removal.
# Its value may be silently ignored in the future.
# Reason: Use the http_proxy_to_wsgi middleware instead.
#secure_proxy_ssl_header = <None>
# Key:Value pair of store identifier and store type. In case of multiple
# backends should be separated using comma. (dict value)
#enabled_backends = <None>

16
glance/common/wsgi.py
View File

@ -245,17 +245,6 @@ Related options:
""")),
]
wsgi_opts = [
cfg.StrOpt('secure_proxy_ssl_header',
deprecated_for_removal=True,
deprecated_reason=_('Use the http_proxy_to_wsgi middleware '
'instead.'),
help=_('The HTTP header used to determine the scheme for the '
'original request, even if it was removed by an SSL '
'terminating proxy. Typical value is '
'"HTTP_X_FORWARDED_PROTO".')),
]
store_opts = [
cfg.DictOpt('enabled_backends',
help=_('Key:Value pair of store identifier and store type. '
@ -293,7 +282,6 @@ CONF = cfg.CONF
CONF.register_opts(bind_opts)
CONF.register_opts(socket_opts)
CONF.register_opts(eventlet_opts)
CONF.register_opts(wsgi_opts)
CONF.register_opts(store_opts)
CONF.register_opts(cache_opts)
profiler_opts.set_defaults(CONF)
@ -1084,10 +1072,6 @@ class Request(webob.Request):
"""Add some OpenStack API-specific logic to the base webob.Request."""
def __init__(self, environ, *args, **kwargs):
if CONF.secure_proxy_ssl_header:
scheme = environ.get(CONF.secure_proxy_ssl_header)
if scheme:
environ['wsgi.url_scheme'] = scheme
super(Request, self).__init__(environ, *args, **kwargs)
@property

1
glance/opts.py
View File

@ -53,7 +53,6 @@ _api_opts = [
glance.common.wsgi.bind_opts,
glance.common.wsgi.eventlet_opts,
glance.common.wsgi.socket_opts,
glance.common.wsgi.wsgi_opts,
glance.common.wsgi.store_opts,
glance.common.wsgi.cache_opts,
glance.common.wsgi.cli_opts,

55
glance/tests/unit/test_versions.py
View File

@ -22,7 +22,6 @@ from oslo_serialization import jsonutils
from glance.api.middleware import version_negotiation
from glance.api import versions
from glance.common.wsgi import Request as WsgiRequest
from glance.tests.unit import base
@ -213,60 +212,6 @@ class VersionsTest(base.IsolatedUnitTest):
enabled_cache=True)
self.assertEqual(expected, results)
def test_get_version_list_secure_proxy_ssl_header(self):
self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO')
url = 'http://localhost:9292'
environ = webob.request.environ_from_url(url)
req = WsgiRequest(environ)
res = versions.Controller().index(req)
self.assertEqual(http.MULTIPLE_CHOICES, res.status_int)
self.assertEqual('application/json', res.content_type)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(url)
self.assertEqual(expected, results)
self.config(enabled_backends='slow:one,fast:two')
res = versions.Controller().index(req)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(url, enabled_backends=True)
self.assertEqual(expected, results)
self.config(image_cache_dir='/tmp/cache')
res = versions.Controller().index(req)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(url,
enabled_backends=True,
enabled_cache=True)
self.assertEqual(expected, results)
def test_get_version_list_secure_proxy_ssl_header_https(self):
self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO')
url = 'http://localhost:9292'
ssl_url = 'https://localhost:9292'
environ = webob.request.environ_from_url(url)
environ['HTTP_X_FORWARDED_PROTO'] = "https"
req = WsgiRequest(environ)
res = versions.Controller().index(req)
self.assertEqual(http.MULTIPLE_CHOICES, res.status_int)
self.assertEqual('application/json', res.content_type)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(ssl_url)
self.assertEqual(expected, results)
self.config(enabled_backends='slow:one,fast:two')
res = versions.Controller().index(req)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(ssl_url, enabled_backends=True)
self.assertEqual(expected, results)
self.config(image_cache_dir='/tmp/cache')
res = versions.Controller().index(req)
results = jsonutils.loads(res.body)['versions']
expected = get_versions_list(ssl_url,
enabled_backends=True,
enabled_cache=True)
self.assertEqual(expected, results)
def test_get_version_list_for_external_app(self):
url = 'http://customhost:9292/app/api'
req = webob.Request.blank('/', base_url=url)

9
releasenotes/notes/remove_secure_proxy_ssl_header-2a95ad48ffa471ad.yaml Normal file
View File

@ -0,0 +1,9 @@
---
deprecations:
- |
Removed the deprecated 'secure_proxy_ssl_header' config option. Image import
will be always enabled from this release onwards as designed.
upgrade:
- |
As Glance relies on oslo.middleware for this feature, care needs to be taken
that it is configured properly from this release forward.