[Bug 1840844] Re: user with admin role gets logged out when trying to list images

Nicolas Bock 1840844 at bugs.launchpad.net
Fri Jun 26 15:52:04 UTC 2020


Notes on verification:

1. Create domain/project/user:

    openstack domain create sru
    openstack project create --domain sru sru
    openstack user create --domain sru --password pass --project sru --project-domain sru sru
    openstack role add --project sru --user sru --user-domain sru member

2. Modify the Glance policies

    --- /etc/glance/policy.json     2020-06-26 15:38:09.616136115 +0000
    +++ /etc/glance/policy.json.original    2020-06-26 15:37:58.176276003 +0000
    @@ -5,7 +5,7 @@
         "add_image": "",
         "delete_image": "",
         "get_image": "",
    -    "get_images": "role:admin",
    +    "get_images": "",
         "modify_image": "",
         "publicize_image": "role:admin",
         "communitize_image": "",
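Review bot: the hunk reads backwards relative to what step 2 describes: `---` is the edited /etc/glance/policy.json and `+++` is policy.json.original, so the lines `-    "get_images": "role:admin",` / `+    "get_images": "",` show the admin requirement being removed, while the surrounding text says the edit adds it so that non-admin users get a 403. Swap the operands (`diff -u /etc/glance/policy.json.original /etc/glance/policy.json`) so the `+` line carries the new `"role:admin"` value, or say explicitly that the hunk is to be read in reverse.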

This will lead to a 403 response from Glance for any non-admin user
trying to

    openstack image list
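As an added example that is not part of the verification notes above, here is a small shell helper that makes the step 2 edit with a JSON-aware tool instead of by hand, keeps a pristine copy next to the file as policy.json.original (the naming the diff above uses), and prints the resulting diff with the original file first so that `+` lines are the new values. The function names are this example's own, and it assumes python3 is on PATH.

```shell
# Added example, not part of the verification notes: set one rule in an
# oslo.policy JSON file without hand-editing it, keeping a pristine copy
# next to it as <file>.original (the naming the diff above uses).
# Assumes python3 is on PATH; the function names are this example's own.

# Usage: set_policy_rule /etc/glance/policy.json get_images "role:admin"
set_policy_rule() {
  file="$1"; rule="$2"; value="$3"
  # Keep the first pristine copy; never overwrite an existing .original
  [ -e "$file.original" ] || cp "$file" "$file.original"
  # Rewrite the JSON with python3 so a stray comma cannot leave the file
  # unparseable; json.load fails before anything is written.
  python3 - "$file" "$rule" "$value" <<'EOF'
import json, sys
path, rule, value = sys.argv[1:4]
with open(path) as f:
    policy = json.load(f)          # raises on broken JSON before any write
policy[rule] = value
with open(path, "w") as f:
    json.dump(policy, f, indent=4)
    f.write("\n")
EOF
}

# Usage: get_policy_rule /etc/glance/policy.json get_images
get_policy_rule() {
  python3 -c 'import json, sys; print(json.load(open(sys.argv[1]))[sys.argv[2]])' "$1" "$2"
}

# Show what changed relative to the pristine copy, like the hunk in step 2
# but with the original file first, so '+' lines are the new values.
show_policy_diff() {
  diff -u "$1.original" "$1"
}
```

Running `set_policy_rule /etc/glance/policy.json get_images "role:admin"` followed by `show_policy_diff /etc/glance/policy.json` reproduces step 2; `set_policy_rule /etc/glance/policy.json get_images ""` reverts it while leaving the `.original` copy untouched.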

3. Log into the dashboard as the sru user

4. Go to Project/Compute/Images

The UI will throw an error message but then log the user out. The
dashboard will go back to the login screen.

5. Install the SRU in the openstack-dashboard unit

5.a. enable proposed repository
5.b. upgrade python-django-horizon package

6. Repeat steps 3 and 4. This time, however, the user will not be
   logged out and will only get an error message.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to horizon in Ubuntu.
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Bionic:
  Fix Committed
Status in horizon source package in Eoan:
  Fix Released
Status in horizon source package in Focal:
  Fix Released
Status in horizon source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  When an admin user tries to access project -> compute -> images, if the
  user fails the identity:get_project policy, the user will get logged
  out.

  The code that fails is in
  openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [
        {rules: [['identity', 'identity:get_project']]}
      ]
    })

  It doesn't happen in default Horizon. In our production cloud
  environment, the keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
  or project_id:%(target.project.id)s". If the user is not a cloud_admin,
  the admin user of a project needs to be a member of the domain to
  satisfy the rule.

  The problem here is that the admin user should not get logged out.
  It is probably caused by horizon/static/framework/framework.module.js:

    if (error.status === 403) {
      var msg2 = gettext('Forbidden. Redirecting to login');
      handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

  Some log info from keystone:

  19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
  19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
  19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

  [Upstream fix description]

  Before this change, when a 403 error was encountered, such as failure
  to have the permission to perform an operation, the user would get
  logged out from UI pages written in the AngularJS framework. For
  example, if an admin user lacks the get_project permission and tries
  to access the images page, project->compute->images, the 403 will
  forcibly log out the user.

  This change keeps the user logged in when a 403 error is encountered
  and displays an error message. The change only affects AngularJS
  pages.

  [Test Case]

  * Create a new user without the get_project permission
  * In the dashboard, access project->compute->images
  * The user will get logged out

  [Regression Potential]

  * The patch changes the behavior of the Horizon code in response to a
  403 error. The 403 in the original bug report was caused by a missing
  get_project permission. While unlikely, it is possible that this change
  is incorrect under different error scenarios.
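As an added example, not Horizon's own code, here is a plain-JavaScript model of the 403 handling quoted from framework.module.js above, with the pre-fix branch (403 redirects to login and drops the session) beside the fixed branch (403 shows an error message and keeps the session), both replayed on the 403 from the keystone project lookup that the images table triggers for its owner column. SessionUi, makeResponseErrorHandler, replay and the message text are this example's own assumptions; the real code is an AngularJS $http interceptor that talks to $window and toastService, which the SessionUi stand-in models.

```javascript
// Added example (not Horizon's own code): a plain-JavaScript model of the
// AngularJS $http responseError behaviour described in the bug.
// The real handler lives in horizon/static/framework/framework.module.js;
// the names below (SessionUi, makeResponseErrorHandler, replay, message
// strings) are assumptions chosen for this illustration.

// Constructed stand-in for the pieces the real interceptor talks to:
// $window.location (redirect to login) and toastService (error banner).
class SessionUi {
  constructor() {
    this.loggedIn = true;     // the user holds a valid dashboard session
    this.messages = [];       // what the user would see as toast messages
    this.redirectedTo = null; // where the browser was sent, if anywhere
  }
  redirectToLogin(msg) {
    this.messages.push(msg);
    this.loggedIn = false;    // landing on the login page drops the session
    this.redirectedTo = '/auth/login/';
  }
  showError(msg) {
    this.messages.push(msg);  // message only; the session is untouched
  }
}

// Build a handler. logoutOn403 === true reproduces the pre-fix behaviour
// ("Forbidden. Redirecting to login"); false reproduces the fix, where a
// 403 only reports the denied API call and the session is kept.
function makeResponseErrorHandler(options) {
  const logoutOn403 = Boolean(options && options.logoutOn403);
  return function onResponseError(error, ui) {
    const where = error.config && error.config.url ? ' (' + error.config.url + ')' : '';
    switch (error.status) {
      case 401:
        // Session expired or token invalid: the one case where logging out is right.
        ui.redirectToLogin('Unauthorized. Redirecting to login');
        return 'redirect';
      case 403:
        if (logoutOn403) {
          ui.redirectToLogin('Forbidden. Redirecting to login');
          return 'redirect';
        }
        // Policy denied a single call; the session itself is still valid.
        ui.showError('Forbidden. You are not allowed to perform this action' + where);
        return 'error';
      case 0:
      case -1:
        // Network failure or aborted request: report, do not log out.
        ui.showError('Unable to reach the server' + where);
        return 'error';
      default:
        ui.showError('Error ' + error.status + where);
        return 'error';
    }
  };
}

// Replay a sequence of failed responses through a handler and return the
// resulting UI state so the two behaviours can be compared side by side.
function replay(handler, errors) {
  const ui = new SessionUi();
  const outcomes = errors.map((e) => handler(e, ui));
  return {
    loggedIn: ui.loggedIn,
    messages: ui.messages,
    outcomes: outcomes,
    redirectedTo: ui.redirectedTo,
  };
}

// Constructed sample: the situation from the bug, a 403 from the keystone
// project lookup made for the owner column (placeholder project id).
const sampleErrors = [
  { status: 403, config: { url: '/api/keystone/projects/<project-id>/' } },
];

const beforeFix = replay(makeResponseErrorHandler({ logoutOn403: true }), sampleErrors);
const afterFix = replay(makeResponseErrorHandler({ logoutOn403: false }), sampleErrors);

console.log('before fix:', beforeFix);
console.log('after fix: ', afterFix);
```

The 401 branch is kept separate on purpose: an expired or revoked token is the only response that says the session itself is gone, whereas a 403 says that one policy rule (here identity:get_project) denied one call, which is exactly the distinction the upstream fix restores. Including the failing URL in the 403 message lets an operator map the banner back to the policy rule that produced it in the keystone log.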

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1840844/+subscriptions
