Project creation fails if the current user is added to it

Bug #1166794 reported by Victoria Martinez de la Cruz
This bug affects 2 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: High
Assigned to: Lin Hua Cheng

Bug Description

This is happening in a fresh Devstack deployment on Ubuntu 12.04 LTS.

Steps to reproduce:
1. Log in as admin
2. Go to projects tab
3. Create a new project; click on the Users tab within the modal for the project creation and add the current user as a member of the new project.

Actual behavior: An error notification pops up ("There was an error submitting the form. Please try again.") and after a refresh I get an unauthorized error for every menu in the dashboard.

Expected behavior: create a new project and add current user to its users list with the selected role.

## Traceback ##

Environment:
Request Method: GET
Request URL: http://127.0.0.1/admin/projects/

Django Version: 1.4.5
Python Version: 2.7.3
Installed Applications:
['openstack_dashboard',
 'django.contrib.contenttypes',
 'django.contrib.auth',
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
 'django.contrib.humanize',
 'compressor',
 'horizon',
 'openstack_dashboard.dashboards.project',
 'openstack_dashboard.dashboards.admin',
 'openstack_dashboard.dashboards.settings',
 'openstack_auth']
Installed Middleware:
('django.middleware.common.CommonMiddleware',
 'django.middleware.csrf.CsrfViewMiddleware',
 'django.contrib.sessions.middleware.SessionMiddleware',
 'django.contrib.auth.middleware.AuthenticationMiddleware',
 'django.contrib.messages.middleware.MessageMiddleware',
 'horizon.middleware.HorizonMiddleware',
 'django.middleware.doc.XViewMiddleware',
 'django.middleware.locale.LocaleMiddleware',
 'django.middleware.clickjacking.XFrameOptionsMiddleware')

Traceback:
File "/usr/local/lib/python2.7/dist-packages/django/core/handlers/base.py" in get_response
  111. response = callback(request, *callback_args, **callback_kwargs)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/decorators.py" in dec
  38. return view_func(request, *args, **kwargs)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/decorators.py" in dec
  86. return view_func(request, *args, **kwargs)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/decorators.py" in dec
  54. return view_func(request, *args, **kwargs)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/decorators.py" in dec
  38. return view_func(request, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/views/generic/base.py" in view
  48. return self.dispatch(request, *args, **kwargs)
File "/usr/local/lib/python2.7/dist-packages/django/views/generic/base.py" in dispatch
  69. return handler(request, *args, **kwargs)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/tables/views.py" in get
  155. handled = self.construct_tables()
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/tables/views.py" in construct_tables
  146. handled = self.handle_table(table)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/tables/views.py" in handle_table
  118. data = self._get_data_dict()
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../horizon/tables/views.py" in _get_data_dict
  182. self._data = {self.table_class._meta.name: self.get_data()}
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py" in get_data
  77. _("Unable to retrieve project list."))
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py" in get_data
  74. tenants = api.keystone.tenant_list(self.request, admin=True)
File "/opt/stack/horizon/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py" in tenant_list
  150. return keystoneclient(request, admin=admin).tenants.list()
File "/opt/stack/python-keystoneclient/keystoneclient/v2_0/tenants.py" in list
  116. tenant_list = self._list("/tenants%s" % query, "tenants")
File "/opt/stack/python-keystoneclient/keystoneclient/base.py" in _list
  67. resp, body = self.api.get(url)
File "/opt/stack/python-keystoneclient/keystoneclient/client.py" in get
  408. return self._cs_request(url, 'GET', **kwargs)
File "/opt/stack/python-keystoneclient/keystoneclient/client.py" in _cs_request
  404. **kwargs)
File "/opt/stack/python-keystoneclient/keystoneclient/client.py" in request
  366. raise exceptions.from_response(resp, resp.text)

Exception Type: Unauthorized at /admin/projects/
Exception Value: Unable to communicate with identity service: {"error": {"message": "Could not find token: 0258edbd0b1378bfbc9f1c54d2830ae4", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

##

Julie Pichon (jpichon)
Changed in horizon:
status: New → Confirmed
Julie Pichon (jpichon) wrote :

This is likely due to the fix for bug 1060426. It would appear we need to log out the user after updating their tenant information, or better deal with invalid tokens. This also applies to other users: if user demo is logged in and as an admin I add them to a new project, errors start popping up for the demo user.

Kieran Spear (kspear) wrote :

Does the project creation fail or just anything that happens after? I seem to remember coming across this before (being logged out when adding myself to a project). The quota update failed for me iirc, because it came after the role assignment.

It feels like Keystone is too eager to invalidate tokens, particularly in cases where authorizations are only added for a user.

Julie Pichon (jpichon) wrote :

The project creation/modification succeeds, but everything that happens afterward fails.

Success: Modified project "test".
Error: Unauthorized: Unable to retrieve project list. (and etc on any other page visited, with the 401 keystone error in the logs).

Mark Maglana (mmaglana) wrote :

It looks like Keystone is, in fact, invalidating all of the current user's tokens (scoped and unscoped). I tried testing this with Horizon and curl side by side and this is what I found:

1. Log in as admin in Horizon
2. Go to projects
3. I can see ALL projects in the system (demo, admin, invisible_to_admin, alt_demo, service)
4. Used curl to get an unscoped token
5. Used curl with an unscoped token to get list of projects from http://X.X.X.X:5000/v2.0/tenants. I can only see the projects 'admin' and 'demo', which are the only projects where I'm explicitly a member
6. Create a project, 'demo too' with no members
7. At this point I can still see the full list of projects in Horizon even after refreshing
8. With curl I can still only see the 'admin' and 'demo' projects
9. Add myself to 'demo too'
10. Operation succeeded, however I got an error after that. Horizon could no longer retrieve the project list.
11. Used curl with the same unscoped token above to get list of projects. I get a response saying my unscoped token was no longer valid.
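
The sequence in the steps above can be replayed against a small in-memory model. This is an added example, not part of the original thread and not Keystone's code; `TokenStore`, `replay` and the `revoke_policy` names are hypothetical, with "all" modelling the behaviour observed here and "tenant" and "none" modelling the narrower and removed revocation discussed elsewhere in this thread.

```python
import secrets


class TokenStore:
    """Toy in-memory model of an identity service's token table (constructed)."""

    def __init__(self, revoke_policy):
        # "all":    a role add revokes every token the user holds
        # "tenant": a role add revokes only tokens scoped to the affected project
        # "none":   a role add revokes nothing
        self.revoke_policy = revoke_policy
        self.tokens = {}   # token id -> (user, project or None when unscoped)
        self.members = {}  # project -> set of member users

    def issue(self, user, tenant=None):
        if tenant is not None and user not in self.members.get(tenant, set()):
            raise PermissionError("user is not a member of %s" % tenant)
        token = secrets.token_hex(16)
        self.tokens[token] = (user, tenant)
        return token

    def add_role(self, user, tenant):
        self.members.setdefault(tenant, set()).add(user)
        if self.revoke_policy == "none":
            return
        for token, (owner, scope) in list(self.tokens.items()):
            if owner == user and (self.revoke_policy == "all" or scope == tenant):
                del self.tokens[token]

    def list_tenants(self, token):
        if token not in self.tokens:
            raise LookupError("401 Could not find token")  # constructed message
        user, _ = self.tokens[token]
        return sorted(t for t, users in self.members.items() if user in users)


def replay(policy):
    """Replay steps 4-11; return what the old unscoped token sees, or '401'."""
    store = TokenStore(policy)
    store.members = {"admin": {"admin"}, "demo": {"admin"}}
    unscoped = store.issue("admin")        # step 4: unscoped token via curl
    store.issue("admin", "admin")          # the dashboard session's scoped token
    store.add_role("admin", "demo too")    # step 9: add myself to the new project
    try:
        return store.list_tenants(unscoped)  # step 11: reuse the same token
    except LookupError:
        return "401"
```

Under "all" the unscoped token issued before the role change is rejected, which matches step 11; under "tenant" and "none" it keeps working and now lists the new project.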

Mark Maglana (mmaglana) wrote :

Here's the related Keystone bug: https://bugs.launchpad.net/keystone/+bug/1170186

Philip Mark M. Deazeta (pdeazeta) wrote :

I've added a patch that could probably solve this problem
https://bugs.launchpad.net/keystone/+bug/1170186

diff --git a/keystone/identity/controllers.py b/keystone/identity/controllers.py
index e82b81f..7676195 100644
--- a/keystone/identity/controllers.py
+++ b/keystone/identity/controllers.py
@@ -299,7 +299,7 @@ class Role(controller.V2Controller):

         self.identity_api.add_role_to_user_and_project(
             context, user_id, tenant_id, role_id)
- self._delete_tokens_for_user(context, user_id)
+ self._delete_tokens_for_user(context, user_id, tenant_id)

         role_ref = self.identity_api.get_role(context, role_id)
         return {'role': role_ref}
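
Review bot: the `+` line in `Role` now calls `self._delete_tokens_for_user(context, user_id, tenant_id)`, but nothing in this hunk shows `_delete_tokens_for_user` accepting a third argument, so the call cannot be checked against the helper's signature as posted. Include the helper's change in the same patch and pass the new argument by keyword (`tenant_id=tenant_id`) so the narrower scope is explicit at the call site. The `-`/`+` lines have also lost their indentation relative to the surrounding context lines and need it restored before the patch applies cleanly, and a test asserting that a token scoped to a different project still validates after `add_role_to_user_and_project` would document the intended behaviour.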

Changed in horizon:
importance: Undecided → Critical
importance: Critical → High
milestone: none → havana-1
Changed in horizon:
milestone: havana-1 → havana-2
Changed in horizon:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Lin Hua Cheng (lin-hua-cheng) wrote :

There was a keystone patch (https://review.openstack.org/31548) that removed the code that revokes all the user's tokens whenever a new role or grant is assigned to the user.

Verified that with the latest keystone code, this is no longer an issue.

Changed in horizon:
status: Confirmed → Fix Committed
Thierry Carrez (ttx)
Changed in horizon:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in horizon:
milestone: havana-2 → 2013.2