Token is not revoked after logout in Fuel UI

Bug #1375622 reported by Łukasz Oleś
Affects: Fuel for OpenStack
Status: Fix Committed
Importance: Medium
Assigned to: Vitaly Kramskikh

Bug Description

In the 5.1 release, access control was introduced for the Fuel master node. Keystone is used for authentication. When a user is using Fuel UI, he needs to provide a user name and password, and he gets an authorization token which allows him to use Fuel UI.
When the user presses the logout link, his token is cleared from the cache, but it is not deleted.
If the token was somehow stolen, it can be used until it expires.

Proposed solution:
When the user logs out, his token should be revoked. If for some reason Keystone is not accessible at that moment, there shouldn't be any error.

Tags: keystone ui
Łukasz Oleś (loles)
Changed in fuel:
importance: Undecided → Critical
Changed in fuel:
assignee: nobody → Fuel UI Team (fuel-ui)
Changed in fuel:
assignee: Fuel UI Team (fuel-ui) → Przemyslaw Kaminski (pkaminski)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/125933

Changed in fuel:
status: Confirmed → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/125933
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=1b8b0f92448c7d630eed0ff69146e7befc772fc2
Submitter: Jenkins
Branch: master

commit 1b8b0f92448c7d630eed0ff69146e7befc772fc2
Author: Przemyslaw Kaminski <email address hidden>
Date: Fri Oct 3 13:22:35 2014 +0200

    Revoke token from keystone after user logout

    Also, add test_login_logout.js

    Change-Id: Ibf1660624d3441c249b319fa69eb3775c9716b9c
    Closes-Bug: #1375622

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-web (stable/5.1)

Related fix proposed to branch: stable/5.1
Review: https://review.openstack.org/127234

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-web (stable/5.1)

Change abandoned by Przemyslaw Kaminski (<email address hidden>) on branch: stable/5.1
Review: https://review.openstack.org/127234

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (stable/5.1)

Fix proposed to branch: stable/5.1
Review: https://review.openstack.org/127497

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to fuel-web (stable/5.1)

Reviewed: https://review.openstack.org/127497
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=486b94c62792173ced2ade19b8d80c7903dcfceb
Submitter: Jenkins
Branch: stable/5.1

commit 486b94c62792173ced2ade19b8d80c7903dcfceb
Author: Przemyslaw Kaminski <email address hidden>
Date: Fri Oct 3 13:22:35 2014 +0200

    Revoke token from keystone after user logout

    Also, add test_login_logout.js

    Change-Id: Ibf1660624d3441c249b319fa69eb3775c9716b9c
    Closes-Bug: #1375622
    (cherry picked from commit 1b8b0f92448c7d630eed0ff69146e7befc772fc2)

Revision history for this message
Atze de Vries (atze-devries) wrote :

Is there a workaround for this? I can't log in to fuel-web.

Revision history for this message
Przemyslaw Kaminski (pkaminski) wrote :

Could you provide more information on how you can't log in to fuel-web?

Revision history for this message
Atze de Vries (atze-devries) wrote :

Sorry, disregard my question. It seemed like the same issue, but the issue was a full drive.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-web (master)

Reviewed: https://review.openstack.org/131079
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=d8d9d96608f759d765ec0b1016e7363229ffc35a
Submitter: Jenkins
Branch: master

commit d8d9d96608f759d765ec0b1016e7363229ffc35a
Author: Przemyslaw Kaminski <email address hidden>
Date: Tue Oct 28 10:12:37 2014 +0100

    Fix KeystoneClient issue when token was expired

    KeystoneClient should always first try to use username/password and only if
    they are not provided, do a fallback to this.token. Otherwise for expired
    tokens login is not possible.

    Related-Bug: #1375622
    Change-Id: Ia85278402799d7d19e0c0aee975cc986de5879f9
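
The following is an added example, not code from fuel-web or from the commit above. It demonstrates the two behaviours settled in this thread: the logout requested in the bug description (revoke the token server-side, and do not surface an error when Keystone is unreachable) and the credential ordering described in this commit message (try username/password first, fall back to a cached token only when no credentials are given, so an expired cached token cannot block login). `FakeKeystone` and the synchronous `transport` function are constructed stand-ins for the real HTTP service; the `DELETE /v2.0/tokens/<id>` request carrying the user's own token as `X-Auth-Token` is an assumption about how revocation is called, not something verified against Fuel's own client.

```javascript
// Added example (not fuel-web code): a minimal Keystone v2.0 session helper.
// FakeKeystone is a constructed in-memory stand-in for the Keystone service.

class FakeKeystone {
  constructor(now) {
    this.now = now;                   // injectable clock, in seconds
    this.users = { admin: 'secret' }; // constructed credentials
    this.tokens = new Map();          // token id -> expiry timestamp
    this.seq = 0;
  }
  isValid(id) { const e = this.tokens.get(id); return e !== undefined && e > this.now(); }
  issue() { const id = 'tok-' + (++this.seq); this.tokens.set(id, this.now() + 3600); return { id }; }
  // The HTTP surface the client talks to: POST /v2.0/tokens, DELETE /v2.0/tokens/<id>.
  request(method, path, headers = {}, body = {}) {
    if (method === 'POST' && path === '/v2.0/tokens') {
      const auth = body.auth || {};
      if (auth.passwordCredentials) {
        const { username, password } = auth.passwordCredentials;
        return this.users[username] === password ? { status: 200, token: this.issue() } : { status: 401 };
      }
      if (auth.token) return this.isValid(auth.token.id) ? { status: 200, token: this.issue() } : { status: 401 };
      return { status: 400 };
    }
    if (method === 'DELETE' && path.startsWith('/v2.0/tokens/')) {
      // Assumption: the user's own valid token authorises revoking itself.
      if (!this.isValid(headers['X-Auth-Token'])) return { status: 401 };
      this.tokens.delete(path.slice('/v2.0/tokens/'.length));
      return { status: 204 };
    }
    return { status: 404 };
  }
}

class KeystoneSession {
  // transport: (method, path, headers, body) -> { status, ... }. Synchronous here so
  // the example runs offline; a browser client would issue real HTTP requests.
  // preferCachedToken = true reproduces the ordering the "expired token" commit fixed.
  constructor(transport, preferCachedToken = false) {
    this.transport = transport;
    this.preferCachedToken = preferCachedToken;
    this.token = null;   // cached token id (the UI keeps its copy client-side)
  }
  authenticate(username, password) {
    const withPassword = username && password ? { passwordCredentials: { username, password } } : null;
    const withToken = this.token ? { token: { id: this.token } } : null;
    const auth = this.preferCachedToken ? (withToken || withPassword) : (withPassword || withToken);
    if (!auth) return false;
    const res = this.transport('POST', '/v2.0/tokens', {}, { auth });
    if (res.status !== 200) return false;
    this.token = res.token.id;
    return true;
  }
  // Clear the local copy first, then ask Keystone to revoke it so any other copy of
  // the token stops working. A transport failure is reported, never thrown.
  logout() {
    const token = this.token;
    this.token = null;
    if (!token) return { revoked: false, error: null };
    try {
      const res = this.transport('DELETE', '/v2.0/tokens/' + token, { 'X-Auth-Token': token });
      return { revoked: res.status === 204, error: null };
    } catch (err) {
      return { revoked: false, error: err.message };
    }
  }
}

function runScenario() {
  let clock = 1000;
  const keystone = new FakeKeystone(() => clock);
  const live = (m, p, h, b) => keystone.request(m, p, h, b);

  // 1. Logout revokes server-side: a second copy of the token is rejected afterwards.
  const s1 = new KeystoneSession(live);
  const login = s1.authenticate('admin', 'secret');
  const copy = s1.token;
  const validBefore = keystone.isValid(copy);
  const logout = s1.logout();
  const validAfter = keystone.isValid(copy);

  // Keystone unreachable: logout still completes locally without throwing.
  const s2 = new KeystoneSession(live);
  s2.authenticate('admin', 'secret');
  s2.transport = () => { throw new Error('ECONNREFUSED'); };
  const logoutDown = s2.logout();

  // 2. Expired cached token: old ordering blocks login, fixed ordering succeeds.
  const buggy = new KeystoneSession(live, true);
  const fixed = new KeystoneSession(live, false);
  buggy.authenticate('admin', 'secret');
  fixed.authenticate('admin', 'secret');
  clock += 7200;  // both cached tokens are now past their one-hour lifetime
  const buggyLogin = buggy.authenticate('admin', 'secret');
  const fixedLogin = fixed.authenticate('admin', 'secret');

  return { login, validBefore, logout, validAfter, logoutDown, tokenAfterDown: s2.token, buggyLogin, fixedLogin };
}

console.log(runScenario());
```

Running the block prints the scenario results: after logout the retained copy of the token is no longer valid, a logout attempted while Keystone is down still clears the local token and reports the error instead of throwing, and only the session that prefers password credentials over its expired cached token can log in again.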

Changed in fuel:
assignee: Przemyslaw Kaminski (pkaminski) → Vitaly Kramskikh (vkramskikh)
status: Fix Committed → In Progress
Revision history for this message
Vitaly Kramskikh (vkramskikh) wrote :

Reduced priority as a partial fix was merged. Now the UI is not blocked, but it only shows the login page after the first page change.

Changed in fuel:
importance: Critical → Medium
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to fuel-web (master)

Fix proposed to branch: master
Review: https://review.openstack.org/131522

Changed in fuel:
status: In Progress → Fix Committed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-web (stable/5.1)

Related fix proposed to branch: stable/5.1
Review: https://review.openstack.org/132221

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on fuel-web (stable/5.1)

Change abandoned by Przemyslaw Kaminski (<email address hidden>) on branch: stable/5.1
Review: https://review.openstack.org/132221
Reason: Wrong Change-Id, created new review

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to fuel-web (stable/5.1)

Related fix proposed to branch: stable/5.1
Review: https://review.openstack.org/132285

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to fuel-web (stable/5.1)

Reviewed: https://review.openstack.org/132285
Committed: https://git.openstack.org/cgit/stackforge/fuel-web/commit/?id=175bc01373d4ebb9bf88cfb775d0a8230964ec47
Submitter: Jenkins
Branch: stable/5.1

commit 175bc01373d4ebb9bf88cfb775d0a8230964ec47
Author: Przemyslaw Kaminski <email address hidden>
Date: Tue Oct 28 10:12:37 2014 +0100

    Fix KeystoneClient issue when token was expired

    KeystoneClient should always first try to use username/password and only if
    they are not provided, do a fallback to this.token. Otherwise for expired
    tokens login is not possible.

    Related-Bug: #1375622
    (cherry picked from commit d8d9d96608f759d765ec0b1016e7363229ffc35a)

    Change-Id: Ia85278402799d7d19e0c0aee975cc986de5879f9
