Public bug reported: In keystone/httpd/wsgi-keystone.conf, the following configuration is present:
Alias /identity /usr/local/bin/keystone-wsgi-public <Location /identity> SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup keystone-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On </Location> However, it is both harmful and unnecessary. The operative WSGI configuration for Keystone comes from the <VirtualHost *:5000>...</VirtualHost> section. In fact, the commit which added the /identity endpoint described it as an documentation example: "Apache Httpd can be configured to accept keystone requests on all sorts of interfaces. The sample config file is updated to show how to configure Apache Httpd to also send requests on /identity and /identity_admin to keystone." Leaving it in place, however, causes conflicts when Horizon is concurrently installed: AH01630: client denied by server configuration: /usr/bin/keystone-wsgi- public ...in responses to Horizon URL's referencing '/identity'. Therefore, I believe keeping this configuration snippet in the shipped WSGI configuration (as opposed to actual documentation) is a defect. ** Affects: keystone Importance: Undecided Status: New -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1799332 Title: Apache WSGI config shipping with Keystone is incompatible with Horizon Status in OpenStack Identity (keystone): New Bug description: In keystone/httpd/wsgi-keystone.conf, the following configuration is present: Alias /identity /usr/local/bin/keystone-wsgi-public <Location /identity> SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup keystone-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On </Location> However, it is both harmful and unnecessary. The operative WSGI configuration for Keystone comes from the <VirtualHost *:5000>...</VirtualHost> section. In fact, the commit which added the /identity endpoint described it as an documentation example: "Apache Httpd can be configured to accept keystone requests on all sorts of interfaces. The sample config file is updated to show how to configure Apache Httpd to also send requests on /identity and /identity_admin to keystone." Leaving it in place, however, causes conflicts when Horizon is concurrently installed: AH01630: client denied by server configuration: /usr/bin/keystone- wsgi-public ...in responses to Horizon URL's referencing '/identity'. Therefore, I believe keeping this configuration snippet in the shipped WSGI configuration (as opposed to actual documentation) is a defect. To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1799332/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp