[Bug 1840844] Re: user with admin role gets logged out when trying to list images
Brian Murray
1840844 at bugs.launchpad.net
Tue May 26 20:47:52 UTC 2020
Hello Gloria, or anyone else affected,
Accepted horizon into bionic-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/horizon/3:13.0.2-0ubuntu3 in a few
hours, and then in the -proposed repository.
Please help us by testing this new package. See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed. Your feedback will aid us getting this
update out to other Ubuntu users.
If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-bionic to verification-done-bionic. If it does not
fix the bug for you, please add a comment stating that, and change the
tag to verification-failed-bionic. In either case, without details of
your testing we will not be able to proceed.
Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in
advance for helping!
N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.
** Changed in: horizon (Ubuntu Bionic)
Status: Triaged => Fix Committed
** Tags added: verification-needed verification-needed-bionic
--
You received this bug notification because you are a member of Ubuntu
Sponsors Team, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1840844
Title:
user with admin role gets logged out when trying to list images
Status in Ubuntu Cloud Archive:
Fix Released
Status in Ubuntu Cloud Archive queens series:
Triaged
Status in OpenStack Dashboard (Horizon):
Fix Released
Status in horizon package in Ubuntu:
Fix Released
Status in horizon source package in Bionic:
Fix Committed
Status in horizon source package in Eoan:
Fix Released
Status in horizon source package in Focal:
Fix Released
Status in horizon source package in Groovy:
Fix Released
Bug description:
[Impact]
When an admin user tries to access project -> compute -> images, if the
user fails the identity:get_project policy, the user will get logged
out.
The code that failed is in
openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [
        {rules: [['identity', 'identity:get_project']]}
      ]
    })

It didn't happen in default Horizon. In our production cloud
environment, the keystone policy is "identity:get_project":
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
or project_id:%(target.project.id)s". If the user is not a cloud_admin,
the admin user of a project needs to be a member of the domain to
satisfy the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js:

    if (error.status === 403) {
      var msg2 = gettext('Forbidden. Redirecting to login');
      handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.
[Upstream fix description]
Before this change when a 403 error was encountered, such as failure to
have the permission to perform an operation, the user would get logged
out from UI pages written in the AngularJS framework. For example, if an
admin user lacks the get_project permission and tries to access the
images page, project->compute->images, the 403 will forcibly log out
the user.
This change keeps the user logged in when a 403 error is encountered
and displays an error message. The change only affects AngularJS
pages.
[Test Case]
* Create a new user without the get_project permission
* In the dashboard, access project->compute->images
* The user will get logged out
[Regression Potential]
* The patch changes the behavior of the Horizon code in response to a
403 error. The 403 in the original bug report was caused by a missing
get_project permission. While unlikely, it is possible that this change
is incorrect under different error scenarios.
To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1840844/+subscriptions
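
The behaviour change described in the bug's upstream fix description, shown as an added example that is not part of the original message and is not Horizon's code. It is a reduced model of a response-error handler; makeErrorHandler, replay, the session object, LOGIN_URL and the sample responses are assumptions constructed for illustration.

```javascript
// Added example; not Horizon's code. A reduced model of an HTTP
// response-error handler, before and after the change described above.
// makeErrorHandler, the session object and LOGIN_URL are hypothetical.
const LOGIN_URL = '/login-placeholder';

function makeErrorHandler({ logoutOn403 }) {
  const session = { loggedIn: true, location: '/project/images', toasts: [] };

  function redirectToLogin(msg) {
    session.toasts.push(msg);
    session.loggedIn = false;
    session.location = LOGIN_URL;
  }

  function onResponseError(error) {
    if (!session.loggedIn) { return; }  // already redirected, nothing to do
    if (error.status === 401) {
      // No valid credentials: re-authentication is the right response.
      redirectToLogin('Unauthorized. Redirecting to login');
    } else if (error.status === 403) {
      if (logoutOn403) {
        // Old behaviour: a policy denial is treated like a dead session.
        redirectToLogin('Forbidden. Redirecting to login');
      } else {
        // Fixed behaviour: report the denial and keep the session.
        session.toasts.push('Forbidden: ' + error.action);
      }
    }
  }
  return { session, onResponseError };
}

// Constructed responses for the test case: the image list loads, then the
// owner-column lookup is denied by the identity:get_project policy.
const SAMPLE_RESPONSES = [
  { status: 200, action: 'list images (constructed)' },
  { status: 403, action: 'identity:get_project' },
];

function replay(logoutOn403, responses) {
  const handler = makeErrorHandler({ logoutOn403 });
  responses.filter((r) => r.status >= 400).forEach((r) => handler.onResponseError(r));
  return handler.session;
}

console.log('before:', replay(true, SAMPLE_RESPONSES));
console.log('after: ', replay(false, SAMPLE_RESPONSES));
```

When verifying the -proposed package, the same distinction is what to look for in the dashboard: a policy denial should leave the session intact with a visible error, while an expired or invalid token should still send the user to the login page.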