Changes in openstack_dashboard/conf/*policy.json won't take effect for Panel visibility until User re-logins

Bug #1379358 reported by Timur Sufiev
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Low
Unassigned

Bug Description

The Panel class is a subclass of HorizonComponent class, which should check `self.policy_rules` while determining whether the entity is visible or not. Unfortunately the actual values `self.policy_rules` relies upon are being loaded during first request to Horizon, also the final result of checking whether Panel is visible or not will be cached in user session.

Speaking of concrete example, for Identity -> Users panel https://github.com/openstack/horizon/blob/2014.2.rc1/openstack_dashboard/dashboards/identity/users/panel.py#L29 you can check it yourself by changing both rules in https://github.com/openstack/horizon/blob/2014.2.rc1/openstack_dashboard/conf/keystone_policy.json#L43 to "!" and see that the panel is still visible - until you _both_ reload Horizon and re-login to clear session. After that it will be hidden.

While reloading Horizon is fine - because changing kind of server settings is involved, the need to sign-out and the sign-in for the visibility changes to take effect is not.

Timur Sufiev (tsufiev-x)
Changed in horizon:
assignee: nobody → Timur Sufiev (tsufiev-x)
Revision history for this message
Thiago Paiva Brito (outbrito) wrote :

@Timur: I tested it and happened that my panel has been disabled. But I had to log out and restart Horizon so it can update the policy that was already in memory. There is a double problem here:

1) Horizon isn't considering policy changes until restart

2) Permissions are persistent while the session is opened

Changed in horizon:
status: New → Opinion
Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

@Thiago, yes, you're right - I've just checked that Panel is actually hidden only after I _both_ reload Horizon and recreate the session. While reloading browser seems okay to me (after all, files inside Horizon source code were changed!), the need to manually log-out and log-in doesn't, because it prevents, say, cloud admin to change panels visibility for the users immediately - changes won't take an effect until users' sessions expire.

Timur Sufiev (tsufiev-x)
summary: - Attribute `policy_rules` of a Panel instance is not considered while
- determining the Panel visibility
+ Changes in openstack_dashboard/conf/*policy.json won't take effect for
+ Panel visibility until User re-logins
Timur Sufiev (tsufiev-x)
description: updated
description: updated
Revision history for this message
Thiago Paiva Brito (outbrito) wrote :

@Timur agreed. Will you take a look at it? If you want some help, I'm on IRC (tpborion).

Revision history for this message
Timur Sufiev (tsufiev-x) wrote :

@Thiago, sure, the fix should be pretty simple, will upload it in a while.

Changed in horizon:
status: Opinion → Confirmed
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/127531

Changed in horizon:
status: Confirmed → In Progress
Timur Sufiev (tsufiev-x)
Changed in horizon:
importance: Undecided → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Timur Sufiev (<email address hidden>) on branch: master
Review: https://review.openstack.org/127531

Timur Sufiev (tsufiev-x)
Changed in horizon:
assignee: Timur Sufiev (tsufiev-x) → nobody
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers