From 33292ca0a467637971c73f420166b4077e941e20 Mon Sep 17 00:00:00 2001 From: Georgina Shippey Date: Fri, 24 Apr 2020 13:52:42 +0100 Subject: [PATCH] Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER the authentication request between Horizon and Keystone continues to work in situations where the HTTP_REFERRER is an external keystone endpoint that Horizon does not have access to. Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5 Closes-bug: #1874705 --- doc/source/configuration/settings.rst | 17 +++++++++++++++++ openstack_auth/defaults.py | 6 ++++++ openstack_auth/views.py | 8 ++++++-- ...ebsso_use_http_referer-6fb2dc0d292b54d4.yaml | 15 +++++++++++++++ 4 files changed, 44 insertions(+), 2 deletions(-) create mode 100644 releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 166c76db86..ebad4967de 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst 
@@ -1715,6 +1715,23 @@ identity provider lives. This URL will take precedence over ``OPENSTACK_KEYSTONE_URL`` if the login choice is an external identity provider (IdP).
+WEBSSO_USE_HTTP_REFERER
+~~~~~~~~~~~~~~~~~~~~~~~
+
+.. versionadded:: 21.0.0(Yoga)
+
+Default: ``True``
+
+For use in cases of web single-sign-on authentication when the control plane
+has no outbound connectivity to the external service endpoints. By default
+the HTTP_REFERER is used to derive the Keystone endpoint to pass requests to.
+As previous requests to an external IdP will be using Keystone's external
+endpoint, this HTTP_REFERER will be Keystone's external endpoint.
+When Horizon is unable to connect to Keystone's external endpoint in this setup
+this leads to a time out. ``WEBSSO_USE_HTTP_REFERER`` can be set to False to
+use the ``OPENSTACK_KEYSTONE_URL`` instead, which should be set to an internal
+Keystone endpoint, so that this request will succeed.
+
 Neutron
 -------
diff --git a/openstack_auth/defaults.py b/openstack_auth/defaults.py
index 060390f865..aeec944cc0 100644
--- a/openstack_auth/defaults.py
+++ b/openstack_auth/defaults.py
@@ -159,6 +159,12 @@ WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
 # Example: WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
 WEBSSO_KEYSTONE_URL = None
+# In the case of web single-sign-on authentication when the control plane
+# has no outbound connectivity to the external service endpoints set this
+# to False. Otherwise the Keystone external endpoint will be used to make
+# a token authentication request from Horizon to Keystone which will timeout.
+WEBSSO_USE_HTTP_REFERER = True
+
 # The Keystone Provider drop down uses Keystone to Keystone federation
 # to switch between Keystone service providers.
 # Set display name for Identity Provider (dropdown display name)
diff --git a/openstack_auth/views.py b/openstack_auth/views.py
index 353dc99157..ac9afcd89e 100644
--- a/openstack_auth/views.py
+++ b/openstack_auth/views.py
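Review bot: The comment added above `WEBSSO_USE_HTTP_REFERER = True` in the defaults.py hunk explains only the False case and the connectivity motivation, not what the flag actually selects, so a reader of defaults.py cannot tell which request header is involved or what replaces it. Suggest leading with the mechanism: `# When True (default) the websso view derives the Keystone auth URL from the request's HTTP_REFERER header; when False it uses OPENSTACK_KEYSTONE_URL instead.` and keeping the existing connectivity rationale after it. The settings.rst hunk above already spells this out and the defaults comment should agree with it.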
@@ -189,8 +189,12 @@ def login(request):
 @never_cache
 def websso(request):
 """Logs a user in using a token from Keystone's POST."""
- referer = request.META.get('HTTP_REFERER', settings.OPENSTACK_KEYSTONE_URL)
- auth_url = utils.clean_up_auth_url(referer)
+ if settings.WEBSSO_USE_HTTP_REFERER:
+ referer = request.META.get('HTTP_REFERER',
+ settings.OPENSTACK_KEYSTONE_URL)
+ auth_url = utils.clean_up_auth_url(referer)
+ else:
+ auth_url = settings.OPENSTACK_KEYSTONE_URL
 token = request.POST.get('token')
 try:
 request.user = auth.authenticate(request, auth_url=auth_url,
diff --git a/releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml b/releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml
new file mode 100644
index 0000000000..c5a5663b77
--- /dev/null
+++ b/releasenotes/notes/support-websso_use_http_referer-6fb2dc0d292b54d4.yaml
@@ -0,0 +1,15 @@
+---
+fixes:
+ - |
+ [:bug:`1874705`] Add a new variable WEBSSO_USE_HTTP_REFERER to
+ facilitate WEBSSO deployments where network segmentation is used per
+ security requirement. In this case, the controllers cannot reach
+ other services external endpoints. Therefore, using the
+ HTTP_REFERER to derive the Keystone endpoint in the websso view will
+ return a timeout for requests to Keystone in cases where the external
+ Keystone endpoint is the HTTP_REFERER.
+ WEBSSO_USE_HTTP_REFERER defaults to True to keep inline with current
+ functionality. When set to False the OPENSTACK_KEYSTONE_URL is used
+ instead of the HTTP_REFERER. If OPENSTACK_KEYSTONE_URL is set to the
+ internal Keystone endpoint the requests between Horizon and Keystone
+ should be able to connect.
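Review bot: The new `else` branch in the views.py hunk hands `settings.OPENSTACK_KEYSTONE_URL` straight to `auth.authenticate`, while the referer branch, which falls back to the very same setting when the header is absent, first passes it through `utils.clean_up_auth_url()`; unless that helper is a no-op on an already-canonical URL (not visible here), the two configurations can present Keystone with differently shaped URLs. `auth_url = utils.clean_up_auth_url(settings.OPENSTACK_KEYSTONE_URL)` would keep both paths consistent. Separately, with the default `WEBSSO_USE_HTTP_REFERER = True` the view continues to let a client-supplied Referer header choose the endpoint the POSTed token is validated against, so the docstring should state where the auth URL comes from in each configuration, e.g. `"""Logs a user in using a token from Keystone's POST. The auth URL is derived from the Referer header (via clean_up_auth_url) unless WEBSSO_USE_HTTP_REFERER is False, in which case OPENSTACK_KEYSTONE_URL is used."""`. The remainder of websso, including the authenticate call and its error handling, continues outside the hunk.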