From 33292ca0a467637971c73f420166b4077e941e20 Mon Sep 17 00:00:00 2001 From: Georgina Shippey Date: Fri, 24 Apr 2020 13:52:42 +0100 Subject: Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER By using OPENSTACK_KEYSTONE_URL instead of the HTTP_REFERRER the authentication request between Horizon and Keystone continues to work in situations where the HTTP_REFERRER is an external keystone endpoint that Horizon does not have access to. Change-Id: I9c5c8d59c5f5a8570dbb563ae224d45406a73ba5 Closes-bug: #1874705 --- doc/source/configuration/settings.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) (limited to 'doc') diff --git a/doc/source/configuration/settings.rst b/doc/source/configuration/settings.rst index 166c76db8..ebad4967d 100644 --- a/doc/source/configuration/settings.rst +++ b/doc/source/configuration/settings.rst @@ -1715,6 +1715,23 @@ identity provider lives. This URL will take precedence over ``OPENSTACK_KEYSTONE_URL`` if the login choice is an external identity provider (IdP). +WEBSSO_USE_HTTP_REFERER +~~~~~~~~~~~~~~~~~~~~~~~ + +.. versionadded:: 21.0.0(Yoga) + +Default: ``True`` + +For use in cases of web single-sign-on authentication when the control plane +has no outbound connectivity to the external service endpoints. By default +the HTTP_REFERER is used to derive the Keystone endpoint to pass requests to. +As previous requests to an external IdP will be using Keystone's external +endpoint, this HTTP_REFERER will be Keystone's external endpoint. +When Horizon is unable to connect to Keystone's external endpoint in this setup +this leads to a time out. ``WEBSSO_USE_HTTP_REFERER`` can be set to False to +use the ``OPENSTACK_KEYSTONE_URL`` instead, which should be set to an internal +Keystone endpoint, so that this request will succeed. + Neutron ------- -- cgit v1.2.1
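Review bot: In the new ``WEBSSO_USE_HTTP_REFERER`` section, the sentence "By default the HTTP_REFERER is used to derive the Keystone endpoint to pass requests to" does not say that this value comes from a request header sent by the browser, nor whether the derived endpoint is checked against the configured Keystone URLs. Please state both, and note that setting the option to ``False`` makes Horizon use the operator-configured ``OPENSTACK_KEYSTONE_URL`` rather than a value taken from the request. The section should also explain how ``False`` interacts with the setting documented just above it, whose URL "will take precedence over ``OPENSTACK_KEYSTONE_URL``" for external IdP logins, because a reader cannot tell from these lines which endpoint wins when both are set. With the default of ``True`` the referer is still used, so the subject line "Use OPENSTACK_KEYSTONE_URL instead of HTTP_REFERRER" describes only the opt-in case; consider saying so in the commit message and aligning its "HTTP_REFERRER" spelling with the "HTTP_REFERER" used in the setting name. Smaller points in the added text: write "set to ``False``" as a literal to match "Default: ``True``", use "timeout" for "time out", and put a space in "21.0.0(Yoga)".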