[Bug 1717615] Re: encoded slashes being blocked by Apache

Frode Nordahl frode.nordahl at gmail.com
Mon Nov 27 12:43:05 UTC 2017 

Completed verification for xenial by following the steps in the test
case and verifying that the error is visible before upgrading to the
proposed package and subsequently verifying that the error is no longer
visible after upgrading to the proposed package.

** Description changed:

  [Impact]
  We came across a situation where we were unable to view resources in a stack inside Horizon. We traced it down to a communication problem with the Heat Apache frontend and Heat. After adjusting the log level for Apache, we came across the following error in the logs:
  
  [client 213.173.193.177:33920] AH00026: found %2f (encoded '/') in URI
  (decoded='/v1/c064a39d602d4f42bc49e09057c97683/stacks/heat_test_foo/b5c125a3-d452-49a1-
  a12e-03e098fbb38c/resources/foo_vm-01'), returning 404
  
  As a workaround, we currently added the following line to the
  /etc/apache/sites-enabled/openstack-https_frontend.conf on our Heat
  instance:
  
  AllowEncodedSlashes On
  
  It is worth noting we tried to use the NoDecode option as well and that
  is didn't resolve the problem.
  
  [Test Case]
- See details in impact section. For our testing we deploy OpenStack with the OpenStack charms to deploy Horizon, Heat, etc.
- 
+ 1. Deploy OpenStack with Juju
+ 2. Enable Keystone v3: juju config keystone preferred-api-version=3
+ 3. Enable SSL:         juju config keystone https-service-endpoints=True
+ 4. Add heat:
+    - juju deploy heat
+    - juju add-relation heat keystone
+    - juju add-relation heat percona-cluster
+    - juju add-relation heat rabbitmq-server
+ 5. Deploy a stack: openstack stack create --parameter admin_pass=Ubuntu \
+                                           --parameter image=cirros-0.4.0 \
+                                           --parameter key_name=test \
+                                           --parameter network=network
+ 6. Verify that it deploys: openstack stack list
+ 7. Verify that heat works in OpenStack Dashboard
+ 8. Verify that displaying Heat resources tab in OpenStack Dashboard does
+    NOT work.
  
  [Regression Potential]
  Low. The patch being backported is from the upstream stable/pike branch. There were some minor adjustments required to apply the patch to earlier releases, but the patches are nearly identical.

** Tags removed: verification-needed-xenial
** Tags added: verification-done-xenial

** Description changed:

  [Impact]
  We came across a situation where we were unable to view resources in a stack inside Horizon. We traced it down to a communication problem with the Heat Apache frontend and Heat. After adjusting the log level for Apache, we came across the following error in the logs:
  
  [client 213.173.193.177:33920] AH00026: found %2f (encoded '/') in URI
  (decoded='/v1/c064a39d602d4f42bc49e09057c97683/stacks/heat_test_foo/b5c125a3-d452-49a1-
  a12e-03e098fbb38c/resources/foo_vm-01'), returning 404
  
  As a workaround, we currently added the following line to the
  /etc/apache/sites-enabled/openstack-https_frontend.conf on our Heat
  instance:
  
  AllowEncodedSlashes On
  
  It is worth noting we tried to use the NoDecode option as well and that
  is didn't resolve the problem.
  
  [Test Case]
  1. Deploy OpenStack with Juju
  2. Enable Keystone v3: juju config keystone preferred-api-version=3
  3. Enable SSL:         juju config keystone https-service-endpoints=True
  4. Add heat:
-    - juju deploy heat
-    - juju add-relation heat keystone
-    - juju add-relation heat percona-cluster
-    - juju add-relation heat rabbitmq-server
+    - juju deploy heat
+    - juju add-relation heat keystone
+    - juju add-relation heat percona-cluster
+    - juju add-relation heat rabbitmq-server
+    - juju run-action heat/0 domain-setup
  5. Deploy a stack: openstack stack create --parameter admin_pass=Ubuntu \
-                                           --parameter image=cirros-0.4.0 \
-                                           --parameter key_name=test \
-                                           --parameter network=network
+                                           --parameter image=cirros-0.4.0 \
+                                           --parameter key_name=test \
+                                           --parameter network=network
  6. Verify that it deploys: openstack stack list
  7. Verify that heat works in OpenStack Dashboard
  8. Verify that displaying Heat resources tab in OpenStack Dashboard does
-    NOT work.
+    NOT work.
  
  [Regression Potential]
  Low. The patch being backported is from the upstream stable/pike branch. There were some minor adjustments required to apply the patch to earlier releases, but the patches are nearly identical.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to Ubuntu Cloud Archive.
https://bugs.launchpad.net/bugs/1717615

Title:
  encoded slashes being blocked by Apache

Status in OpenStack heat charm:
  Invalid
Status in Charm Helpers:
  Invalid
Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive mitaka series:
  Fix Committed
Status in Ubuntu Cloud Archive newton series:
  Fix Committed
Status in Ubuntu Cloud Archive ocata series:
  Fix Committed
Status in OpenStack Heat:
  Invalid
Status in python-heatclient package in Ubuntu:
  Fix Released
Status in python-heatclient source package in Xenial:
  Fix Committed
Status in python-heatclient source package in Zesty:
  Fix Committed

Bug description:
  [Impact]
  We came across a situation where we were unable to view resources in a stack inside Horizon. We traced it down to a communication problem with the Heat Apache frontend and Heat. After adjusting the log level for Apache, we came across the following error in the logs:

  [client 213.173.193.177:33920] AH00026: found %2f (encoded '/') in URI
  (decoded='/v1/c064a39d602d4f42bc49e09057c97683/stacks/heat_test_foo/b5c125a3-d452-49a1-
  a12e-03e098fbb38c/resources/foo_vm-01'), returning 404

  As a workaround, we currently added the following line to the
  /etc/apache/sites-enabled/openstack-https_frontend.conf on our Heat
  instance:

  AllowEncodedSlashes On

  It is worth noting we tried to use the NoDecode option as well and
  that is didn't resolve the problem.

  [Test Case]
  1. Deploy OpenStack with Juju
  2. Enable Keystone v3: juju config keystone preferred-api-version=3
  3. Enable SSL:         juju config keystone https-service-endpoints=True
  4. Add heat:
     - juju deploy heat
     - juju add-relation heat keystone
     - juju add-relation heat percona-cluster
     - juju add-relation heat rabbitmq-server
     - juju run-action heat/0 domain-setup
  5. Deploy a stack: openstack stack create --parameter admin_pass=Ubuntu \
                                            --parameter image=cirros-0.4.0 \
                                            --parameter key_name=test \
                                            --parameter network=network
  6. Verify that it deploys: openstack stack list
  7. Verify that heat works in OpenStack Dashboard
  8. Verify that displaying Heat resources tab in OpenStack Dashboard does
     NOT work.

  [Regression Potential]
  Low. The patch being backported is from the upstream stable/pike branch. There were some minor adjustments required to apply the patch to earlier releases, but the patches are nearly identical.

To manage notifications about this bug go to:
https://bugs.launchpad.net/charm-heat/+bug/1717615/+subscriptions

More information about the Ubuntu-openstack-bugs mailing list