User is not logged out once his token is revoked by keystone

Bug #1086189 reported by Kieran Spear
This bug affects 1 person
Affects                        | Status      | Importance | Assigned to | Milestone
OpenStack Dashboard (Horizon)  | In Progress | Low        | Paul Karikh |
django-openstack-auth          | Invalid     | Undecided  | Unassigned  |

Bug Description

Once a user's token is revoked (due to, for example, reducing the user's set of roles in the current tenant), on the next request he is not logged out but instead gets a bunch of 'Unauthorized' errors. Not redirecting the user to the login page in that case does not make sense, because he can't do anything useful without a valid token.

Revision history for this message
Gabriel Hurley (gabriel-hurley) wrote :

That's probably a reasonable compromise. There are two things to avoid, though:

  1. Piling up lots of extra API calls on every request,
  2. Adding API calls (which may fail or time out in broken deployments) to routes which must never fail (e.g. logout).

As such, it's important to be careful *where* and *how* the extra checks get added.

Changed in horizon:
importance: Undecided → Low
milestone: none → grizzly-2
status: New → Confirmed
Changed in horizon:
milestone: grizzly-2 → grizzly-3
Changed in horizon:
milestone: grizzly-3 → none
David Lyle (david-lyle)
Changed in django-openstack-auth:
importance: Undecided → Low
status: New → Confirmed
Changed in horizon:
assignee: nobody → Vlad Okhrimenko (vokhrimenko)
Changed in django-openstack-auth:
assignee: nobody → Vlad Okhrimenko (vokhrimenko)
Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

When a role is revoked, Keystone revokes all tokens for that user; the next time the user tries to load another page, the user gets redirected out.

Revision history for this message
Vlad Okhrimenko (vokhrimenko) wrote :

Hi Lin! What you've described is the desired outcome. But we get a Django error (Unauthorized (HTTP 401) (Request-ID: req-fca44549-25b8-4103-8a04-273c7bc40c3e)) instead. I will try to make it redirect out.

Revision history for this message
Vlad Okhrimenko (vokhrimenko) wrote :

To reproduce the problem:
In one browser, log in as user "demo" with "admin" privilege in tenant "demo"; in another browser, log in as user "admin" in tenant "admin". After that, user "admin" removes the "admin" role for user "demo" in tenant "demo". Then user "demo" goes to (for example) /identity, and we get the error message: "Error: Unauthorized: Unable to retrieve project list." (not redirected out).

Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

I've updated Summary/Description to reflect the current problem in Horizon/Keystone interaction.

summary: - openstack_auth caches roles and service catalog until logout
+ User is not logged out once his token is revoked by keystone
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/142481

Changed in horizon:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to django_openstack_auth (master)

Fix proposed to branch: master
Review: https://review.openstack.org/146141

Changed in django-openstack-auth:
status: Confirmed → In Progress
Revision history for this message
Lin Hua Cheng (lin-hua-cheng) wrote :

Adding some notes on what exceptions are raised for expired token and unauthorized access:

401 - unauthorized, this should mean that the user is *not* authenticated and a re-authentication should be sufficient to perform an action (revoked, expired, etc token).
403 - Forbidden, this should mean the current authorization doesn't allow the action to be performed.

In the 401 case redirecting to login should be sane (this may not actually be the case).

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on django_openstack_auth (master)

Change abandoned by Vlad Okhrimenko (<email address hidden>) on branch: master
Review: https://review.openstack.org/146141
Reason: No need to fix it in django_openstack_auth (only in Horizon)

Revision history for this message
Andrey Larionov (anlarionov) wrote :

Are there any plans to make Horizon more consistent in terms of token revocation?

Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

Paul, please investigate this bug in close contact with our Keystone team. According to what Vlad has told me, there is some weirdness in Keystone behavior: the user is being logged out not on the next immediate request after his set of roles has been shrunk, but several minutes later. We need to find out whether we could eliminate this lag.

Changed in django-openstack-auth:
status: In Progress → Invalid
importance: Low → Undecided
assignee: Vlad Okhrimenko (vokhrimenko) → nobody
Changed in horizon:
assignee: Vlad Okhrimenko (vokhrimenko) → Paul Karikh (pkarikh)
Revision history for this message
Andrey Larionov (anlarionov) wrote :

As I see this problem: after a role was revoked and all the tokens were deleted, Horizon does not check the token stored in the session for revocation. All the calls to horizon.exceptions.handle() are made with escalate=False, so no redirect is produced. But setting escalate to True could produce inconsistent behavior too.
I think the best solution would be to perform a token validity check in exceptions.handle(), and if it's invalid (a call to GET /v3/auth/tokens, for example), do the logout or drop the session.
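The decision sketched in the comment above, written out as an added example that is not Horizon's or django_openstack_auth's code. It re-validates the session token against Keystone only when a service call has already failed with 401 (so no extra call is made on ordinary requests, per Gabriel's first point), treats a failure of the validation call itself as "keep the session and show the error" rather than as a logout (his second point), and leaves 403 alone, following Lin's 401/403 distinction. `KeystoneStub`, `ApiError`, `handle()` and the scenario functions are hypothetical names; the stub is a constructed stand-in for GET /v3/auth/tokens so the module runs offline, and the `demo-token` session is constructed to mirror Vlad's reproduction.

```python
class ApiError(Exception):
    """Stand-in for the exception a service client raises on an HTTP error
    (hypothetical; real clients raise their own exception types)."""

    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status = status
        self.message = message


class KeystoneStub:
    """Constructed stand-in for Keystone's GET /v3/auth/tokens so this runs offline.
    Keystone answers 200 when X-Subject-Token is valid, 404 when it is not,
    and 401 when X-Auth-Token itself is no longer valid."""

    def __init__(self):
        self.valid_tokens = set()
        self.down = False  # simulate an unreachable Keystone

    def issue(self, token: str) -> None:
        self.valid_tokens.add(token)

    def revoke_user_tokens(self) -> None:
        # What happens on role removal: every token of that user is revoked.
        self.valid_tokens.clear()

    def get_auth_tokens(self, x_auth_token: str, x_subject_token: str) -> int:
        if self.down:
            raise ConnectionError("keystone unreachable")
        if x_auth_token not in self.valid_tokens:
            return 401
        if x_subject_token not in self.valid_tokens:
            return 404
        return 200


def token_is_valid(keystone: KeystoneStub, token: str) -> bool:
    # The dashboard only holds the user's own token, so it is both the
    # auth token and the subject token of the validation request.
    return keystone.get_auth_tokens(token, token) == 200


def handle(exc: Exception, session: dict, keystone: KeystoneStub,
           escalate: bool = False) -> str:
    """Decision an exceptions.handle()-style hook could make. Returns the action:
    'logout'     -> token is gone: drop the session, send the user to the login page
    'forbidden'  -> authenticated, but not authorized for this action (403)
    'show_error' -> keep the session and render the error as today
    'escalate'   -> re-raise to the caller (the escalate=True path)
    """
    if isinstance(exc, ApiError):
        if exc.status == 401:
            token = session.get("token")
            if token is None:
                session.clear()
                return "logout"
            try:
                valid = token_is_valid(keystone, token)
            except ConnectionError:
                # A failing validation call must not bounce the user:
                # keep the session, show the error, re-check on the next request.
                return "show_error"
            if not valid:
                session.clear()
                return "logout"
            return "show_error"  # token still valid; the 401 came from elsewhere
        if exc.status == 403:
            return "forbidden"
    return "escalate" if escalate else "show_error"


def scenario_role_revoked() -> str:
    """Vlad's reproduction: admin strips demo's role, demo's next page load gets 401."""
    keystone = KeystoneStub()
    keystone.issue("demo-token")
    session = {"token": "demo-token", "user": "demo"}  # constructed session
    keystone.revoke_user_tokens()
    return handle(ApiError(401, "Unable to retrieve project list."), session, keystone)


def scenario_keystone_down() -> str:
    """Same 401, but the validation call itself fails: the user is not logged out."""
    keystone = KeystoneStub()
    keystone.issue("demo-token")
    keystone.down = True
    return handle(ApiError(401, "Unable to retrieve project list."),
                  {"token": "demo-token"}, keystone)


if __name__ == "__main__":
    print("role revoked  ->", scenario_role_revoked())
    print("keystone down ->", scenario_keystone_down())
```

Because the check is triggered only from the error path, a logout view that never calls the API is unaffected, and a user whose token was revoked is sent to the login page on the first failing request rather than being shown a page full of 'Unauthorized' errors.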
