Horizon doesn't create new scoped token when user role is removed
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Dashboard (Horizon) | Confirmed | Undecided | Unassigned |
Kilo | Fix Committed | Undecided | Unassigned |
Bug Description
When a user logs into Horizon an unscoped token is created using which a scoped token is obtained. I am logged into Horizon and remove myself from a project which is not the current active project. This results in all my scoped tokens getting invalidated. I have some API calls in the middleware that require authorization which fail because the token is invalid. Horizon will throw an Unauthorized error (see attachment) and the only way to recover from this is to clear cookies, logout and log back in again.
Horizon should immediately obtain a new scoped token if the previous token is invalidated. Alternatively, keystone should not invalidate all tokens (for all projects) when a user is removed from one project.
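To make the failure mode and the first proposed fix concrete, here is a toy model added as an example; it is not Horizon or keystone code, and ToyKeystone, DashboardSession and the user/project names are constructed. remove_member reproduces the revoke-everything behaviour the report describes, and DashboardSession.call_api shows the suggested client-side fix: when a scoped token is rejected, rescope from the still-valid unscoped token instead of surfacing the Unauthorized error.

```python
import secrets

class Unauthorized(Exception): pass

class ToyKeystone:
    """Stand-in for keystone: unscoped tokens, project-scoped tokens, revocation."""
    def __init__(self, members):
        self.members = members  # project -> set of member users (constructed input)
        self.tokens = {}        # token id -> (user, project); project is None when unscoped

    def authenticate(self, user):
        tok = secrets.token_hex(8)
        self.tokens[tok] = (user, None)
        return tok

    def rescope(self, unscoped, project):
        user, scope = self.validate(unscoped)
        if scope is not None or user not in self.members.get(project, set()):
            raise Unauthorized("cannot scope to %s" % project)
        tok = secrets.token_hex(8)
        self.tokens[tok] = (user, project)
        return tok

    def validate(self, tok):
        if tok not in self.tokens:
            raise Unauthorized("token revoked or unknown")
        return self.tokens[tok]

    def remove_member(self, user, project):
        self.members.get(project, set()).discard(user)
        # As the report describes: leaving ONE project revokes ALL of the user's
        # scoped tokens, including those scoped to other projects.
        for tok, (u, scope) in list(self.tokens.items()):
            if u == user and scope is not None:
                del self.tokens[tok]

class DashboardSession:
    """Proposed client-side fix: on Unauthorized, rescope instead of failing."""
    def __init__(self, ks, user, project):
        self.ks, self.project = ks, project
        self.unscoped = ks.authenticate(user)
        self.scoped = ks.rescope(self.unscoped, project)

    def call_api(self):
        try:
            return self.ks.validate(self.scoped)
        except Unauthorized:
            # If this rescope also fails, the unscoped token is gone: a real logout.
            self.scoped = self.ks.rescope(self.unscoped, self.project)
            return self.ks.validate(self.scoped)
```

Removing the user from the active project still raises Unauthorized from the rescope, which is the case where logging out is the correct outcome.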
Changed in horizon: status: New → Confirmed
To reproduce it:
- Create tenant test
- Add your current user to the test tenant
- Remove your user from the test tenant
Expected:
User is removed. User is still logged in.
Actual:
On Kilo: User is removed, tokens are revoked, cookies still valid, user is confronted with an empty dashboard and an error message.
On Liberty/mitaka: User is removed, user is logged out.