Horizon crashes when removing logged user from project

This bug is also reproducible if the user has two roles in project (admin and member), and one is removed (member).

In Keystone identity controller ( /keystone/keystone/identity :977)

        # Now delete any tokens for this user or, in the case of a group,
        # tokens from all the uses who are members of this group.
        if user_id:
            self._delete_tokens_for_user(user_id)
        else:
            self._delete_tokens_for_group(group_id)

the delete_token_for_user is called without the project_id so, the token is removed for all the projects.
Adding project_id solves the case when removing a role for the current user.

For the reported bug, maybe a force logout should be made.
Thoughts?

Fix proposed to branch: master
Review: https://review.openstack.org/59826

Partial fix for this bug was submitted to review in Keystone.
For Horizon, I need some help deciding how to proceed.

When a role is removed from a project, if the user is logged
in that project we have some issues:
1- the user has two roles in a project (admin and member, not current prj)
 and member role is removed --> solved with keystone fix in patch 1
2- the user has admin role in two projects, remove from admin role from a project (not current project)
 --> solved with keystone patch
3- the user has at least two roles in a project (admin and member, current project)
 and member is removed --> token is removed in keystone.
 Three options here:
 a- force the user to logout (like change password)
  I don't like this option because if the user is changing the grants of various users
  it will be interrupted when the current user is selected to update.
  Changes for other users will be discarded.
 b- Prevent to remove current user's roles and display a warning message.
  Don't seems to be solution, the current admin user can add roles but can't remove.
 c- Regenerate the token after removing the role assignment.
  I think this is the best option. No clue where to start. Not sure if a similar situation
  as solution a can take place.

Option C is the assumed design from keystone's standpoint. We have to revoke your token because it expresses authorization that you no longer have, so we're forcing clients to regenerate tokens to utilize their reduced authorization.

Setting status back to Confirmed since no one is currently assigned.

What I think, even the keystone fix is in, we still need to prevent user remove logged-in user from current project.

NO, Horizon needs to cleanly handle the users tokens getting revoked, regardless of what causes that.

Looks like keystone team is working on it. There are two bugs:

1) "All user tokens are considered revoked on it's group role revocation" https://bugs.launchpad.net/keystone/+bug/1402760
2) @Role revocation invalidates tokens on all user projects" https://bugs.launchpad.net/keystone/+bug/1401926

And there is a fix for them: https://review.openstack.org/#/c/141854/. Right now it is on review.
Despite this, I'm goint to investigate if we can impove mechanism which handles revoked tokens.

Also, possibly these bug is about the same problem: "User is not logged out once his token is revoked by keystone" https://bugs.launchpad.net/horizon/+bug/1086189

Reviewed: https://review.openstack.org/142481
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=878c703fd006569219d3fc5be459f6ab76a48a15
Submitter: Jenkins
Branch: master

commit 878c703fd006569219d3fc5be459f6ab76a48a15
Author: Vlad Okhrimenko <email address hidden>
Date: Wed Dec 17 16:47:16 2014 +0200

    Logout user if he has no valid tokens

    Before this patch, if user's rights were changed
    or revoked - there would be "Unauthorized" errors
    on every page since user had no rights to view them
    because he had no valid tokens in that case.

    Now user will be logged out if he has no valid tokens.
    Set `escalate` to True (for unauthorized-error)
    to always log user out.

    Also, now horizon.exceptions.NotAuthorized is a part of
    UNAUTHORIZED tuple in the exceptions.py, because this type
    of exception is re-raised after handling services unauthorized errors.
    Looks like it was missing. Now the horizon.exceptions.NotAuthorized
    is handled like all NotAuthorized exceptions.

    And horizon_middleware.py in process_exception now generates
    logout_reason for cases if user is not authorized.

    Closes-Bug: #1252341
    Closes-Bug: #1407105
    Co-Authored-By: Paul Karikh <email address hidden>
    Change-Id: I417cad936ea80c0569c2f442fc87cbd58745757e

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/304504

Reviewed: https://review.openstack.org/304504
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=38dfe3d907c35dad82514005f9075c0fb1f57a2e
Submitter: Jenkins
Branch: stable/kilo

commit 38dfe3d907c35dad82514005f9075c0fb1f57a2e
Author: Vlad Okhrimenko <email address hidden>
Date: Wed Dec 17 16:47:16 2014 +0200

    Logout user if he has no valid tokens

    Before this patch, if user's rights were changed
    or revoked - there would be "Unauthorized" errors
    on every page since user had no rights to view them
    because he had no valid tokens in that case.

    Now user will be logged out if he has no valid tokens.
    Set `escalate` to True (for unauthorized-error)
    to always log user out.

    Also, now horizon.exceptions.NotAuthorized is a part of
    UNAUTHORIZED tuple in the exceptions.py, because this type
    of exception is re-raised after handling services unauthorized errors.
    Looks like it was missing. Now the horizon.exceptions.NotAuthorized
    is handled like all NotAuthorized exceptions.

    And horizon_middleware.py in process_exception now generates
    logout_reason for cases if user is not authorized.

    Conflicts:
     openstack_dashboard/dashboards/project/overview/tests.py

    Closes-Bug: #1528967
    Closes-Bug: #1252341
    Closes-Bug: #1407105
    Co-Authored-By: Paul Karikh <email address hidden>
    Change-Id: I417cad936ea80c0569c2f442fc87cbd58745757e
    (cherry picked from commit 878c703fd006569219d3fc5be459f6ab76a48a15)

This issue was fixed in the openstack/horizon 2015.1.4 release.

This issue was fixed in the openstack/horizon 2015.1.4 release.