Remove secure_proxy_ssl_header opt from Glance
Glance uses http-proxy-to-wsgi middleware from oslo.middleware in its pipeline in order to efficiently forward request headers in case of load balancer style deployments. Hence, the configuration option ``secure_proxy_ssl_header`` was marked as deprecated. This patch removes the option and the support for it within Glance to entirely rely on oslo middleware. This will ensure that the related headers set by oslo.middleware:HTTPProxyToWSGI are never modified in Glance. Change-Id: I11d41bb736bbfd90030d88245c11642823e4c400 Closes-Bug: 1673908
parent
7a42b7be1a
commit
8140abe639
@ -794,14 +794,6 @@
|
|||||||
# Minimum value: 1
|
# Minimum value: 1
|
||||||
#tcp_keepidle = 600
|
#tcp_keepidle = 600
|
||||||
|
|
||||||
# DEPRECATED: The HTTP header used to determine the scheme for the original
|
|
||||||
# request, even if it was removed by an SSL terminating proxy. Typical value is
|
|
||||||
# "HTTP_X_FORWARDED_PROTO". (string value)
|
|
||||||
# This option is deprecated for removal.
|
|
||||||
# Its value may be silently ignored in the future.
|
|
||||||
# Reason: Use the http_proxy_to_wsgi middleware instead.
|
|
||||||
#secure_proxy_ssl_header = <None>
|
|
||||||
|
|
||||||
# Key:Value pair of store identifier and store type. In case of multiple
|
# Key:Value pair of store identifier and store type. In case of multiple
|
||||||
# backends should be separated using comma. (dict value)
|
# backends should be separated using comma. (dict value)
|
||||||
#enabled_backends = <None>
|
#enabled_backends = <None>
|
||||||
|
@ -245,17 +245,6 @@ Related options:
|
|||||||
""")),
|
""")),
|
||||||
]
|
]
|
||||||
|
|
||||||
wsgi_opts = [
|
|
||||||
cfg.StrOpt('secure_proxy_ssl_header',
|
|
||||||
deprecated_for_removal=True,
|
|
||||||
deprecated_reason=_('Use the http_proxy_to_wsgi middleware '
|
|
||||||
'instead.'),
|
|
||||||
help=_('The HTTP header used to determine the scheme for the '
|
|
||||||
'original request, even if it was removed by an SSL '
|
|
||||||
'terminating proxy. Typical value is '
|
|
||||||
'"HTTP_X_FORWARDED_PROTO".')),
|
|
||||||
]
|
|
||||||
|
|
||||||
store_opts = [
|
store_opts = [
|
||||||
cfg.DictOpt('enabled_backends',
|
cfg.DictOpt('enabled_backends',
|
||||||
help=_('Key:Value pair of store identifier and store type. '
|
help=_('Key:Value pair of store identifier and store type. '
|
||||||
@ -293,7 +282,6 @@ CONF = cfg.CONF
|
|||||||
CONF.register_opts(bind_opts)
|
CONF.register_opts(bind_opts)
|
||||||
CONF.register_opts(socket_opts)
|
CONF.register_opts(socket_opts)
|
||||||
CONF.register_opts(eventlet_opts)
|
CONF.register_opts(eventlet_opts)
|
||||||
CONF.register_opts(wsgi_opts)
|
|
||||||
CONF.register_opts(store_opts)
|
CONF.register_opts(store_opts)
|
||||||
CONF.register_opts(cache_opts)
|
CONF.register_opts(cache_opts)
|
||||||
profiler_opts.set_defaults(CONF)
|
profiler_opts.set_defaults(CONF)
|
||||||
@ -1084,10 +1072,6 @@ class Request(webob.Request):
|
|||||||
"""Add some OpenStack API-specific logic to the base webob.Request."""
|
"""Add some OpenStack API-specific logic to the base webob.Request."""
|
||||||
|
|
||||||
def __init__(self, environ, *args, **kwargs):
|
def __init__(self, environ, *args, **kwargs):
|
||||||
if CONF.secure_proxy_ssl_header:
|
|
||||||
scheme = environ.get(CONF.secure_proxy_ssl_header)
|
|
||||||
if scheme:
|
|
||||||
environ['wsgi.url_scheme'] = scheme
|
|
||||||
super(Request, self).__init__(environ, *args, **kwargs)
|
super(Request, self).__init__(environ, *args, **kwargs)
|
||||||
|
|
||||||
@property
|
@property
|
||||||
|
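Review bot: With the `CONF.secure_proxy_ssl_header` branch gone from `Request.__init__`, the URL scheme behind an SSL-terminating proxy depends entirely on oslo.middleware's `http_proxy_to_wsgi` filter, and nothing in this change tells an operator who still sets the old option that it no longer has any effect. That filter only honours forwarded headers when `enable_proxy_headers_parsing = True` is set under `[oslo_middleware]`, which is off by default, so the upgrade note should name the setting and add that it should be enabled only where a trusted proxy sets or strips those headers. The deprecations entry in the same release note also carries a sentence about image import that looks copied from another note. As a style point, `__init__` now only forwards to `super(Request, self).__init__(environ, *args, **kwargs)`, so the override could be dropped. The class body continues outside the hunk.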
@ -53,7 +53,6 @@ _api_opts = [
|
|||||||
glance.common.wsgi.bind_opts,
|
glance.common.wsgi.bind_opts,
|
||||||
glance.common.wsgi.eventlet_opts,
|
glance.common.wsgi.eventlet_opts,
|
||||||
glance.common.wsgi.socket_opts,
|
glance.common.wsgi.socket_opts,
|
||||||
glance.common.wsgi.wsgi_opts,
|
|
||||||
glance.common.wsgi.store_opts,
|
glance.common.wsgi.store_opts,
|
||||||
glance.common.wsgi.cache_opts,
|
glance.common.wsgi.cache_opts,
|
||||||
glance.common.wsgi.cli_opts,
|
glance.common.wsgi.cli_opts,
|
||||||
|
@ -22,7 +22,6 @@ from oslo_serialization import jsonutils
|
|||||||
|
|
||||||
from glance.api.middleware import version_negotiation
|
from glance.api.middleware import version_negotiation
|
||||||
from glance.api import versions
|
from glance.api import versions
|
||||||
from glance.common.wsgi import Request as WsgiRequest
|
|
||||||
from glance.tests.unit import base
|
from glance.tests.unit import base
|
||||||
|
|
||||||
|
|
||||||
@ -213,60 +212,6 @@ class VersionsTest(base.IsolatedUnitTest):
|
|||||||
enabled_cache=True)
|
enabled_cache=True)
|
||||||
self.assertEqual(expected, results)
|
self.assertEqual(expected, results)
|
||||||
|
|
||||||
def test_get_version_list_secure_proxy_ssl_header(self):
|
|
||||||
self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO')
|
|
||||||
url = 'http://localhost:9292'
|
|
||||||
environ = webob.request.environ_from_url(url)
|
|
||||||
req = WsgiRequest(environ)
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
self.assertEqual(http.MULTIPLE_CHOICES, res.status_int)
|
|
||||||
self.assertEqual('application/json', res.content_type)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(url)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
self.config(enabled_backends='slow:one,fast:two')
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(url, enabled_backends=True)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
self.config(image_cache_dir='/tmp/cache')
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(url,
|
|
||||||
enabled_backends=True,
|
|
||||||
enabled_cache=True)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
def test_get_version_list_secure_proxy_ssl_header_https(self):
|
|
||||||
self.config(secure_proxy_ssl_header='HTTP_X_FORWARDED_PROTO')
|
|
||||||
url = 'http://localhost:9292'
|
|
||||||
ssl_url = 'https://localhost:9292'
|
|
||||||
environ = webob.request.environ_from_url(url)
|
|
||||||
environ['HTTP_X_FORWARDED_PROTO'] = "https"
|
|
||||||
req = WsgiRequest(environ)
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
self.assertEqual(http.MULTIPLE_CHOICES, res.status_int)
|
|
||||||
self.assertEqual('application/json', res.content_type)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(ssl_url)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
self.config(enabled_backends='slow:one,fast:two')
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(ssl_url, enabled_backends=True)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
self.config(image_cache_dir='/tmp/cache')
|
|
||||||
res = versions.Controller().index(req)
|
|
||||||
results = jsonutils.loads(res.body)['versions']
|
|
||||||
expected = get_versions_list(ssl_url,
|
|
||||||
enabled_backends=True,
|
|
||||||
enabled_cache=True)
|
|
||||||
self.assertEqual(expected, results)
|
|
||||||
|
|
||||||
def test_get_version_list_for_external_app(self):
|
def test_get_version_list_for_external_app(self):
|
||||||
url = 'http://customhost:9292/app/api'
|
url = 'http://customhost:9292/app/api'
|
||||||
req = webob.Request.blank('/', base_url=url)
|
req = webob.Request.blank('/', base_url=url)
|
||||||
|
@ -0,0 +1,9 @@
|
|||||||
|
---
|
||||||
|
deprecations:
|
||||||
|
- |
|
||||||
|
Removed the deprecated 'secure_proxy_ssl_header' config option. Image import
|
||||||
|
will be always enabled from this release onwards as designed.
|
||||||
|
upgrade:
|
||||||
|
- |
|
||||||
|
As Glance relies on oslo.middleware for this feature, care needs to be taken
|
||||||
|
that it is configured properly from this release forward.
|