이 콘텐츠는 선택한 언어로 제공되지 않습니다.
10.4. Configure the Dashboard
10.4.1. Configure Connections and Logging
Before users connect to the dashboard for the first time, the following parameters must be configured in the
/etc/openstack-dashboard/local_settings
file (sample files are available in the Configuration Reference Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform):
Procedure 10.2. Configuring Connections and Logging for the Dashboard
- Set the
ALLOWED_HOSTS
parameter with a comma-separated list of host/domain names that the application can serve. For example:ALLOWED_HOSTS = ['horizon.example.com', 'localhost', '192.168.20.254', ]
- Update the
CACHES
settings with thememcached
values:SESSION_ENGINE = 'django.contrib.sessions.backends.cache' CACHES = { 'default': { 'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache', 'LOCATION' : 'memcacheURL:port', } }
Replace the following values:- Replace memcacheURL with IP address of the host on which
memcached
was installed. - Replace port with the value from the
PORT
parameter in the/etc/sysconfig/memcached
file.
- Specify the host URL for the Identity service endpoint. For example:
OPENSTACK_KEYSTONE_URL="127.0.0.1"
- Update the dashboard's time zone:
TIME_ZONE="UTC"
The time zone can also be updated using the dashboard GUI. - To ensure the configuration changes take effect, restart the Apache service:
#
systemctl restart httpd.service
Note
The
HORIZON_CONFIG
dictionary contains all the settings for the dashboard. Whether or not a service is in the dashboard depends on the Service Catalog configuration in the Identity service.
Note
It is recommended that you use the
django-secure
module to ensure that most of the recommended practices and modern browser protection mechanisms are enabled. For more information http://django-secure.readthedocs.org/en/latest/ (django-secure).
10.4.2. Configure the Dashboard to Use HTTPS
Although the default installation uses a non-encrypted channel (HTTP), it is possible to enable SSL support for the dashboard.
Procedure 10.3. Configuring the Dashboard to use HTTPS
- Open the
/etc/openstack-dashboard/local_settings
file in a text editor, and uncomment the following parameters:SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https') CSRF_COOKIE_SECURE = True SESSION_COOKIE_SECURE = True
The latter two settings instruct the browser to only send dashboard cookies over HTTPS connections, ensuring that sessions will not work over HTTP. - Open the
/etc/httpd/conf/httpd.conf
file in a text editor, and add the following line:NameVirtualHost *:443
- Open the
/etc/httpd/conf.d/openstack-dashboard.conf
file in a text editor.- Delete the following lines:
WSGIDaemonProcess dashboard WSGIProcessGroup dashboard WSGISocketPrefix run/wsgi WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi Alias /static /usr/share/openstack-dashboard/static/ <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi> <IfModule mod_deflate.c> SetOutputFilter DEFLATE <IfModule mod_headers.c> # Make sure proxies donât deliver the wrong content Header append Vary User-Agent env=!dont-vary </IfModule> </IfModule> Order allow,deny Allow from all </Directory> <Directory /usr/share/openstack-dashboard/static> <IfModule mod_expires.c> ExpiresActive On ExpiresDefault "access 6 month" </IfModule> <IfModule mod_deflate.c> SetOutputFilter DEFLATE </IfModule> Order allow,deny Allow from all </Directory> RedirectMatch permanent ^/$ https://xxx.xxx.xxx.xxx:443/dashboard
- Add the following lines:
WSGIDaemonProcess dashboard WSGIProcessGroup dashboard WSGISocketPrefix run/wsgi LoadModule ssl_module modules/mod_ssl.so <VirtualHost *:80> ServerName openstack.example.com RedirectPermanent / https://openstack.example.com/ </VirtualHost> <VirtualHost *:443> ServerName openstack.example.com SSLEngine On SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10 RedirectPermanent /dashboard https://openstack.example.com Alias /static /usr/share/openstack-dashboard/static/ <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi> Order allow,deny Allow from all </Directory> </VirtualHost> <Directory /usr/share/openstack-dashboard/static> <IfModule mod_expires.c> ExpiresActive On ExpiresDefault "access 6 month" </IfModule> <IfModule mod_deflate.c> SetOutputFilter DEFLATE </IfModule> Order allow,deny Allow from all </Directory> RedirectMatch permanent ^/$ /dashboard/
In the new configuration, Apache listens on port 443 and redirects all non-secured requests to the HTTPS protocol. The<VirtualHost *:443>
section defines the required options for this protocol, including private key, public key, and certificates. - Restart the Apache service and the
memcached
service:#
systemctl restart httpd.service
#
systemctl restart memcached.service
When using the HTTP version of the dashboard (through the browser), the user is redirected to the HTTPS version of the page.
10.4.3. Change the Default Role for the Dashboard
By default, the dashboard service uses the Identity role,
_member_
, which is created automatically by the Identity service. This is adequate for regular users. If you choose to create a different role and set the dashboard to use this role, you must create this role in the Identity service prior to using the dashboard, then configure the dashboard to use it.
Perform this procedure on the Identity service server, or on any machine onto which you have copied the
keystonerc_admin
file and on which the keystone command-line utility is installed.
Procedure 10.4. Changing the Default Role for the Dashboard
- Set up the shell to access keystone as the administrative user:
#
source ~/keystonerc_admin
- Create the new role:
[(keystone_admin)]#
keystone role-create --name NEW_ROLE
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 8261ac4eabcc4da4b01610dbad6c038a | | name | NEW_ROLE | +----------+----------------------------------+Replace NEW_ROLE with a name for the role. - Open the
/etc/openstack-dashboard/local_settings
file in a text editor, and change the value of the following parameter:OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'NEW_ROLE'
Replace NEW_ROLE with the name of the role you created in the previous step. - Restart the Apache service for the change to take effect:
#
systemctl restart httpd.service
10.4.4. Configure SELinux
SELinux is a security feature of Red Hat Enterprise Linux that provides access control. SELinux status values are 'Enforcing', 'Permissive', and 'Disabled'. If SELinux is in 'Enforcing' mode, you must modify the SELinux policy to allow connections from the
httpd
service to the Identity server. This is also recommended if SELinux is configured in 'Permissive' mode.
Procedure 10.5. Configuring SELinux to Allow Connections from the Apache Service
- Check the status of SELinux on the system:
#
getenforce
- If the resulting value is 'Enforcing' or 'Permissive', allow connections between the
httpd
service and the Identity service:#
setsebool -P httpd_can_network_connect on
10.4.5. Configure the Dashboard Firewall
To allow users to connect to the dashboard, you must configure the system firewall to allow connections. The
httpd
service and the dashboard support both HTTP and HTTPS connections. All steps in this procedure must be performed on the server hosting the httpd
service, while logged in as the root
user.
Note
To protect authentication credentials and other data, it is highly recommended that you enable only HTTPS connections.
Procedure 10.6. Configuring the Firewall to Allow Dashboard Traffic
- Open the
/etc/sysconfig/iptables
configuration file in a text editor:- To allow incoming connections using only HTTPS, add the following firewall rule:
-A INPUT -p tcp --dport 443 -j ACCEPT
- To allow incoming connections using both HTTP and HTTPS, add the following firewall rule:
-A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
- Restart the
iptables
service for the changes to take effect:#
systemctl restart iptables.service
Important
These rules allow communication on ports 80 and 443 from all remote hosts to the server running the dashboard service. For information regarding the creation of more restrictive firewall rules, see the Red Hat Enterprise Linux Security Guide at the following link: