Public bug reported:
In keystone/httpd/wsgi-keystone.conf, the following configuration is
present:
Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
However, it is both harmful and unnecessary. The operative WSGI
configuration for Keystone comes from the <VirtualHost
*:5000>...</VirtualHost> section. In fact, the commit which added the
/identity endpoint described it as an documentation example:
"Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone."
Leaving it in place, however, causes conflicts when Horizon is
concurrently installed:
AH01630: client denied by server configuration: /usr/bin/keystone-wsgi-
public
...in responses to Horizon URL's referencing '/identity'. Therefore, I
believe keeping this configuration snippet in the shipped WSGI
configuration (as opposed to actual documentation) is a defect.
** Affects: keystone
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1799332
Title:
Apache WSGI config shipping with Keystone is incompatible with Horizon
Status in OpenStack Identity (keystone):
New
Bug description:
In keystone/httpd/wsgi-keystone.conf, the following configuration is
present:
Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
However, it is both harmful and unnecessary. The operative WSGI
configuration for Keystone comes from the <VirtualHost
*:5000>...</VirtualHost> section. In fact, the commit which added the
/identity endpoint described it as an documentation example:
"Apache Httpd can be configured to accept keystone requests on all
sorts of interfaces. The sample config file is updated to show
how to configure Apache Httpd to also send requests on /identity
and /identity_admin to keystone."
Leaving it in place, however, causes conflicts when Horizon is
concurrently installed:
AH01630: client denied by server configuration: /usr/bin/keystone-
wsgi-public
...in responses to Horizon URL's referencing '/identity'. Therefore,
I believe keeping this configuration snippet in the shipped WSGI
configuration (as opposed to actual documentation) is a defect.
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1799332/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
