Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

10.4. Configure the Dashboard

10.4.1. Configure Connections and Logging

Before users connect to the dashboard for the first time, the following parameters must be configured in the /etc/openstack-dashboard/local_settings file (sample files are available in the Configuration Reference Guide at https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux_OpenStack_Platform):

Procedure 10.2. Configuring Connections and Logging for the Dashboard

  1. Set the ALLOWED_HOSTS parameter with a comma-separated list of host/domain names that the application can serve. For example: 
    ALLOWED_HOSTS = ['horizon.example.com', 'localhost', '192.168.20.254', ]
  2. Update the CACHES settings with the memcached values: 
    SESSION_ENGINE = 'django.contrib.sessions.backends.cache'
CACHES = {
	'default': {
		'BACKEND' : 'django.core.cache.backends.memcached.MemcachedCache',
		'LOCATION' : 'memcacheURL:port',
	}
}
    Replace the following values:
    • Replace memcacheURL with IP address of the host on which memcached was installed.
    • Replace port with the value from the PORT parameter in the /etc/sysconfig/memcached file.
  3. Specify the host URL for the Identity service endpoint. For example: 
    OPENSTACK_KEYSTONE_URL="127.0.0.1"
  4. Update the dashboard's time zone: 
    TIME_ZONE="UTC"
    The time zone can also be updated using the dashboard GUI.
  5. To ensure the configuration changes take effect, restart the Apache service: 
    # systemctl restart httpd.service

Note

The HORIZON_CONFIG dictionary contains all the settings for the dashboard. Whether or not a service is in the dashboard depends on the Service Catalog configuration in the Identity service.

Note

It is recommended that you use the django-secure module to ensure that most of the recommended practices and modern browser protection mechanisms are enabled. For more information http://django-secure.readthedocs.org/en/latest/ (django-secure).

10.4.2. Configure the Dashboard to Use HTTPS

Although the default installation uses a non-encrypted channel (HTTP), it is possible to enable SSL support for the dashboard.

Procedure 10.3. Configuring the Dashboard to use HTTPS

  1. Open the /etc/openstack-dashboard/local_settings file in a text editor, and uncomment the following parameters: 
    SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTOCOL', 'https')
CSRF_COOKIE_SECURE = True
SESSION_COOKIE_SECURE = True
    The latter two settings instruct the browser to only send dashboard cookies over HTTPS connections, ensuring that sessions will not work over HTTP.
  2. Open the /etc/httpd/conf/httpd.conf file in a text editor, and add the following line: 
    NameVirtualHost *:443
  3. Open the /etc/httpd/conf.d/openstack-dashboard.conf file in a text editor.
    1. Delete the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi

WSGIScriptAlias /dashboard /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
Alias /static /usr/share/openstack-dashboard/static/

<Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
    <IfModule mod_deflate.c>
      SetOutputFilter DEFLATE
      <IfModule mod_headers.c>
        # Make sure proxies don’t deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
      </IfModule>
    </IfModule>

  Order allow,deny
  Allow from all
</Directory>
<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

  Order allow,deny
  Allow from all
</Directory>

  RedirectMatch permanent ^/$ https://xxx.xxx.xxx.xxx:443/dashboard
    2. Add the following lines: 
      WSGIDaemonProcess dashboard
WSGIProcessGroup dashboard
WSGISocketPrefix run/wsgi
LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:80>
  ServerName openstack.example.com
  RedirectPermanent / https://openstack.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName openstack.example.com
    SSLEngine On
    SSLCertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCACertificateFile /etc/httpd/SSL/openstack.example.com.crt
    SSLCertificateKeyFile /etc/httpd/SSL/openstack.example.com.key
    SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
    WSGIScriptAlias / /usr/share/openstack-dashboard/openstack_dashboard/wsgi/django.wsgi
    WSGIDaemonProcess horizon user=apache group=apache processes=3 threads=10
    RedirectPermanent /dashboard https://openstack.example.com
    Alias /static /usr/share/openstack-dashboard/static/
    <Directory /usr/share/openstack-dashboard/openstack_dashboard/wsgi>
      Order allow,deny
      Allow from all
    </Directory>
</VirtualHost>

<Directory /usr/share/openstack-dashboard/static>
  <IfModule mod_expires.c>
    ExpiresActive On
    ExpiresDefault "access 6 month"
  </IfModule>
  <IfModule mod_deflate.c>
    SetOutputFilter DEFLATE
  </IfModule>

Order allow,deny
Allow from all
</Directory>

RedirectMatch permanent ^/$ /dashboard/
    In the new configuration, Apache listens on port 443 and redirects all non-secured requests to the HTTPS protocol. The <VirtualHost *:443> section defines the required options for this protocol, including private key, public key, and certificates.
  4. Restart the Apache service and the memcached service: 
    # systemctl restart httpd.service
# systemctl restart memcached.service
When using the HTTP version of the dashboard (through the browser), the user is redirected to the HTTPS version of the page.

10.4.3. Change the Default Role for the Dashboard

By default, the dashboard service uses the Identity role, _member_, which is created automatically by the Identity service. This is adequate for regular users. If you choose to create a different role and set the dashboard to use this role, you must create this role in the Identity service prior to using the dashboard, then configure the dashboard to use it.
Perform this procedure on the Identity service server, or on any machine onto which you have copied the keystonerc_admin file and on which the keystone command-line utility is installed.

Procedure 10.4. Changing the Default Role for the Dashboard

  1. Set up the shell to access keystone as the administrative user: 
    # source ~/keystonerc_admin
  2. Create the new role: 
    [(keystone_admin)]# keystone role-create --name NEW_ROLE
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 8261ac4eabcc4da4b01610dbad6c038a |
| name     |              NEW_ROLE            |
+----------+----------------------------------+
    Replace NEW_ROLE with a name for the role.
  3. Open the /etc/openstack-dashboard/local_settings file in a text editor, and change the value of the following parameter: 
    OPENSTACK_KEYSTONE_DEFAULT_ROLE = 'NEW_ROLE'
    Replace NEW_ROLE with the name of the role you created in the previous step.
  4. Restart the Apache service for the change to take effect: 
    # systemctl restart httpd.service

10.4.4. Configure SELinux

SELinux is a security feature of Red Hat Enterprise Linux that provides access control. SELinux status values are 'Enforcing', 'Permissive', and 'Disabled'. If SELinux is in 'Enforcing' mode, you must modify the SELinux policy to allow connections from the httpd service to the Identity server. This is also recommended if SELinux is configured in 'Permissive' mode.

Procedure 10.5. Configuring SELinux to Allow Connections from the Apache Service

  1. Check the status of SELinux on the system: 
    # getenforce
  2. If the resulting value is 'Enforcing' or 'Permissive', allow connections between the httpd service and the Identity service: 
    # setsebool -P httpd_can_network_connect on

10.4.5. Configure the Dashboard Firewall

To allow users to connect to the dashboard, you must configure the system firewall to allow connections. The httpd service and the dashboard support both HTTP and HTTPS connections. All steps in this procedure must be performed on the server hosting the httpd service, while logged in as the root user.

Note

To protect authentication credentials and other data, it is highly recommended that you enable only HTTPS connections.

Procedure 10.6. Configuring the Firewall to Allow Dashboard Traffic

  1. Open the /etc/sysconfig/iptables configuration file in a text editor:
    • To allow incoming connections using only HTTPS, add the following firewall rule: 
      -A INPUT -p tcp --dport 443 -j ACCEPT
    • To allow incoming connections using both HTTP and HTTPS, add the following firewall rule: 
      -A INPUT -p tcp -m multiport --dports 80,443 -j ACCEPT
  2. Restart the iptables service for the changes to take effect: 
    # systemctl restart iptables.service

Important

These rules allow communication on ports 80 and 443 from all remote hosts to the server running the dashboard service. For information regarding the creation of more restrictive firewall rules, see the Red Hat Enterprise Linux Security Guide at the following link:
https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/