Merge "support WEBSSO_KEYSTONE_URL"
683bc7ecba
|
@ -1565,6 +1565,20 @@ Default: ``None``
|
|||
Allows to specify a callback to the IdP to cleanup the SSO resources.
|
||||
Once the user logs out it will redirect to the IdP log out method.
|
||||
|
||||
WEBSSO_KEYSTONE_URL
|
||||
-----------------------
|
||||
|
||||
.. versionadded:: 15.0.0(Stein)
|
||||
|
||||
Default: None
|
||||
|
||||
The full auth URL for the Keystone endpoint used for web single-sign-on
|
||||
authentication. Use this when ``OPENSTACK_KEYSTONE_URL`` is set to an internal
|
||||
Keystone endpoint and is not reachable from the external network where the
|
||||
identity provider lives. This URL will take precedence over
|
||||
``OPENSTACK_KEYSTONE_URL`` if the login choice is an external
|
||||
identity provider (IdP).
|
||||
|
||||
Neutron
|
||||
-------
|
||||
|
||||
|
|
|
@ -16,6 +16,7 @@ import uuid
|
|||
from django.conf import settings
|
||||
from django.contrib import auth
|
||||
from django import test
|
||||
from django.test.utils import override_settings
|
||||
from django.urls import reverse
|
||||
from keystoneauth1 import exceptions as keystone_exceptions
|
||||
from keystoneauth1.identity import v2 as v2_auth
|
||||
|
@ -1195,6 +1196,25 @@ class OpenStackAuthTestsWebSSO(OpenStackAuthTestsMixin,
|
|||
self.assertRedirects(response, redirect_url, status_code=302,
|
||||
target_status_code=404)
|
||||
|
||||
@override_settings(WEBSSO_KEYSTONE_URL='http://keystone-public:5000/v3')
|
||||
def test_websso_redirect_using_websso_keystone_url(self):
|
||||
origin = 'http://testserver/auth/websso/'
|
||||
protocol = 'oidc'
|
||||
redirect_url = ('%s/auth/OS-FEDERATION/identity_providers/%s'
|
||||
'/protocols/%s/websso?origin=%s' %
|
||||
(settings.WEBSSO_KEYSTONE_URL, self.idp_id,
|
||||
protocol, origin))
|
||||
|
||||
form_data = {'auth_type': self.idp_oidc_id,
|
||||
'region': settings.OPENSTACK_KEYSTONE_URL}
|
||||
url = reverse('login')
|
||||
|
||||
# POST to the page and redirect to keystone.
|
||||
response = self.client.post(url, form_data)
|
||||
# verify that the request was sent back to WEBSSO_KEYSTONE_URL
|
||||
self.assertRedirects(response, redirect_url, status_code=302,
|
||||
target_status_code=404)
|
||||
|
||||
def test_websso_login(self):
|
||||
projects = [self.data.project_one, self.data.project_two]
|
||||
domains = []
|
||||
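Review bot: The new test only exercises WEBSSO_KEYSTONE_URL set to a real URL; nothing pins the documented default, and a settings module that defines `WEBSSO_KEYSTONE_URL = None` explicitly would make the view's `getattr(settings, 'WEBSSO_KEYSTONE_URL', request.POST.get('region'))` return None instead of falling back to the region. A companion test decorated `@override_settings(WEBSSO_KEYSTONE_URL=None)` that expects the redirect to target `settings.OPENSTACK_KEYSTONE_URL` would catch that. It would also be worth posting a region other than the configured one here (e.g. `'region': 'http://attacker.example/v3'`) so the test demonstrates that a caller-supplied region cannot override WEBSSO_KEYSTONE_URL rather than merely that the two values differ. The enclosing test class continues outside this hunk.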
|
|
|
@ -191,7 +191,8 @@ def get_websso_url(request, auth_url, websso_auth):
|
|||
:param request: Django http request object.
|
||||
:type request: django.http.HttpRequest
|
||||
:param auth_url: Keystone endpoint configured in the horizon setting.
|
||||
The value is derived from:
|
||||
If WEBSSO_KEYSTONE_URL is defined, its value will be
|
||||
used. Otherwise, the value is derived from:
|
||||
- OPENSTACK_KEYSTONE_URL
|
||||
- AVAILABLE_REGIONS
|
||||
:type auth_url: string
|
||||
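Review bot: The docstring now says `auth_url` is taken from WEBSSO_KEYSTONE_URL when defined, but `get_websso_url` receives whatever its caller passes and the selection is made in `views.login`, so describe the contract rather than caller logic, e.g. `:param auth_url: Keystone endpoint to redirect the browser to. views.login passes WEBSSO_KEYSTONE_URL when it is set, otherwise the selected region's endpoint (OPENSTACK_KEYSTONE_URL / AVAILABLE_REGIONS).` The function's body lies outside this hunk.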
|
|
|
@ -71,7 +71,8 @@ def login(request, template_name=None, extra_context=None, **kwargs):
|
|||
if request.method == 'POST':
|
||||
auth_type = request.POST.get('auth_type', 'credentials')
|
||||
if utils.is_websso_enabled() and auth_type != 'credentials':
|
||||
auth_url = request.POST.get('region')
|
||||
auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL',
|
||||
request.POST.get('region'))
|
||||
url = utils.get_websso_url(request, auth_url, auth_type)
|
||||
return shortcuts.redirect(url)
|
||||
|
||||
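Review bot: `getattr(settings, 'WEBSSO_KEYSTONE_URL', request.POST.get('region'))` falls back to the POSTed region only when the attribute is absent; a settings module that defines `WEBSSO_KEYSTONE_URL = None` (the default this same change documents) makes `auth_url` None and `get_websso_url` is then called with no endpoint at all. Resolve it as `auth_url = getattr(settings, 'WEBSSO_KEYSTONE_URL', None) or request.POST.get('region')` so an explicit None behaves like unset. Separately, the fallback still passes the user-supplied `region` value straight into the redirect URL; unless `get_websso_url` (not visible here) checks it against the configured endpoints, a crafted POST can send the browser to an arbitrary host with Horizon's `origin` callback attached, so it is worth validating the region before building the URL. The enclosing `login` view starts before and ends after this hunk.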
|
|
|
@ -247,6 +247,14 @@ OPENSTACK_KEYSTONE_DEFAULT_ROLE = "_member_"
|
|||
# variable.
|
||||
#WEBSSO_DEFAULT_REDIRECT_LOGOUT = None
|
||||
|
||||
# If set this URL will be used for web single-sign-on authentication
|
||||
# instead of OPENSTACK_KEYSTONE_URL. This is needed in the deployment
|
||||
# scenarios where network segmentation is used per security requirement.
|
||||
# In this case, the controllers are not reachable from public network.
|
||||
# Therefore, user's browser will not be able to access OPENSTACK_KEYSTONE_URL
|
||||
# if it is set to the internal endpoint.
|
||||
#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"
|
||||
|
||||
# The Keystone Provider drop down uses Keystone to Keystone federation
|
||||
# to switch between Keystone service providers.
|
||||
# Set display name for Identity Provider (dropdown display name)
|
||||
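Review bot: The example `#WEBSSO_KEYSTONE_URL = "http://keystone-public.example.com/v3"` shows a plaintext scheme for an endpoint that, per its own comment, is reached from the public network; the browser is redirected to it with Horizon's `origin` callback attached and the SSO flow continues from there, so the example should read `https://keystone-public.example.com/v3` and the comment should note that this must be a TLS endpoint. A plaintext URL here exposes the federation redirect chain to on-path tampering in exactly the segmented deployment this setting targets.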
|
|
|
@ -0,0 +1,8 @@
|
|||
---
|
||||
fixes:
|
||||
- |
|
||||
[:bug:`1544703`] Add a new optional WEBSSO_KEYSTONE_URL property to
|
||||
facilitate WEBSSO deployments where network segmentation is used per
|
||||
security requirement. In this case, the controllers are not reachable
|
||||
from public network. Therefore, user's browser will not be able to access
|
||||
OPENSTACK_KEYSTONE_URL if it is set to the internal endpoint.
|