)]}'
{"/PATCHSET_LEVEL":[{"author":{"_account_id":16137,"name":"Tobias Urdin","email":"tobias.urdin@binero.com","username":"tobasco"},"change_message_id":"4336c3b84d6b52c037c8d0c9371ac9b1fb01243f","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"9e098a92_a5ef838c","updated":"2022-04-26 08:02:14.000000000","message":"Hello Vishal, please see the other patch in the same topic which is the same kind of update but relating to the authentication requests https://review.opendev.org/c/openstack/horizon/+/839161\n\nTo give a small summary, the RFC 7239 \"Forwarded\" HTTP header is sent when setting the keystoneauth1.Session object\u0027s original_ip parameter. When Horizon sends an request to Keystone using the Session object it, today, sends a header like this:\n\nForwarded: for\u003d192.168.1.10;by\u003dopenstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.8 \n\nWhere 192.168.1.10 in the above example is the IP address of HAProxy load balancer infront of Horizon. But it\u0027s not actually 192.168.1.10 that perform the login, it\u0027s the 100.64.10.10 client that is performing actions against Horizon, as HAProxy sends the X-Forwarded-For with 100.64.10.10 to Horizon, so the header should be:\n\nForwarded: for\u003d100.64.10.10;by\u003dopenstack_auth keystoneauth1/4.4.0 python-requests/2.25.1 CPython/3.6.8\n\nWhen it sends the request to Keystone, this simply uses the get_client_ip in auth utils instead of reading REMOTE_ADDR from the request.\n\nThe other patch I linked above (in the same topic as this) changes so that original_ip parameter is set on keystoneauth1.Session so that the \"Forwarded\" header is sent from Horizon to Keystone when you authenticate in Horizon web interface.\n\nThis is important in the realm of security and especially regarding audit and compliance because today Horizon proxies request to Keystone but we can never trace who actually made them while the support is already there in keystoneauth1.","commit_id":"e4ac4550c9851383f83fa0a0ff693c4e5c439bd1"},{"author":{"_account_id":29313,"name":"Vishal Manchanda","email":"manchandavishal143@gmail.com","username":"vishalmanchanda"},"change_message_id":"033de9347d05a3d3347fff4407c05ea36becb332","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1df7bce1_50a729bb","updated":"2022-04-26 04:30:12.000000000","message":"Hi thanks for the patch, Could you add more details why we need this patch.\nAlso, please add some keystone api-ref or other details links which help us to review\nthis change.","commit_id":"e4ac4550c9851383f83fa0a0ff693c4e5c439bd1"},{"author":{"_account_id":16137,"name":"Tobias Urdin","email":"tobias.urdin@binero.com","username":"tobasco"},"change_message_id":"26c0e23003fd99b413bbb80385a646aea7158f4d","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"1868abaf_b78371d8","updated":"2022-04-26 08:02:42.000000000","message":"I added it to the meeting agenda as well. You can ping me on IRC (@tobias-urdin) if you want me clear anything up. Thanks!","commit_id":"e4ac4550c9851383f83fa0a0ff693c4e5c439bd1"},{"author":{"_account_id":841,"name":"Akihiro Motoki","email":"amotoki@gmail.com","username":"amotoki"},"change_message_id":"45a6bacafd10ad798c23ef7781f5d6dd39634d7e","unresolved":false,"context_lines":[],"source_content_type":"","patch_set":1,"id":"0047398a_e92e7926","updated":"2022-05-24 10:29:03.000000000","message":"This is more consistent to retrieve a client IP address.","commit_id":"e4ac4550c9851383f83fa0a0ff693c4e5c439bd1"}]}
