Horizon doesn't create new scoped token when user role is removed

Bug #1528967 reported by Mitali Parthasarathy
This bug affects 1 person
Affects                        Status         Importance  Assigned to  Milestone
OpenStack Dashboard (Horizon)  Confirmed      Undecided   Unassigned
Kilo                           Fix Committed  Undecided   Unassigned

Bug Description

When a user logs into Horizon an unscoped token is created using which a scoped token is obtained. I am logged into Horizon and remove myself from a project which is not the current active project. This results in all my scoped tokens getting invalidated. I have some API calls in the middleware that require authorization which fail because the token is invalid. Horizon will throw an Unauthorized error (see attachment) and the only way to recover from this is to clear cookies, logout and log back in again.

Horizon should immediately obtain a new scoped token if the previous token is invalidated. Alternatively, Keystone should not invalidate all tokens (for all projects) when a user is removed from one project.

Mitali Parthasarathy (mnparthasarathy) wrote :
affects: django-openstack-auth → horizon
Itxaka Serrano (itxaka)
Changed in horizon:
status: New → Confirmed
Itxaka Serrano (itxaka) wrote :

To reproduce it:

 - Create tenant test
 - Add your current user to the test tenant
 - Remove your user from the test tenant

Expected:

User is removed. User is still logged in.

Actual:

On Kilo: User is removed, tokens are revoked, cookies still valid, user is confronted with an empty dashboard and an error message.

On Liberty/Mitaka: User is removed, user is logged out.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/kilo)

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/304504

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/kilo)

Reviewed: https://review.openstack.org/304504
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=38dfe3d907c35dad82514005f9075c0fb1f57a2e
Submitter: Jenkins
Branch: stable/kilo

commit 38dfe3d907c35dad82514005f9075c0fb1f57a2e
Author: Vlad Okhrimenko <email address hidden>
Date: Wed Dec 17 16:47:16 2014 +0200

    Logout user if he has no valid tokens

    Before this patch, if user's rights were changed
    or revoked - there would be "Unauthorized" errors
    on every page since user had no rights to view them
    because he had no valid tokens in that case.

    Now user will be logged out if he has no valid tokens.
    Set `escalate` to True (for unauthorized-error)
    to always log user out.

    Also, now horizon.exceptions.NotAuthorized is a part of
    UNAUTHORIZED tuple in the exceptions.py, because this type
    of exception is re-raised after handling services unauthorized errors.
    Looks like it was missing. Now the horizon.exceptions.NotAuthorized
    is handled like all NotAuthorized exceptions.

    And horizon_middleware.py in process_exception now generates
    logout_reason for cases if user is not authorized.

    Conflicts:
     openstack_dashboard/dashboards/project/overview/tests.py

    Closes-Bug: #1528967
    Closes-Bug: #1252341
    Closes-Bug: #1407105
    Co-Authored-By: Paul Karikh <email address hidden>
    Change-Id: I417cad936ea80c0569c2f442fc87cbd58745757e
    (cherry picked from commit 878c703fd006569219d3fc5be459f6ab76a48a15)

tags: added: in-stable-kilo
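Added example (constructed for this page; not Horizon or Keystone code) modelling the behaviour the report and the commit message above describe: an identity service that revokes all of a user's scoped tokens when a role assignment is removed, and a dashboard request path that, as in the merged fix, escalates any exception in an UNAUTHORIZED tuple into a logout with a recorded reason instead of leaving the cookies valid and rendering an error on every page. Names such as FakeKeystone, Session, handle_request and list_servers are hypothetical; the choice to leave the unscoped token valid after revocation is an assumption made so the reporter's alternative (rescoping) stays visible, not a statement about what Keystone actually does.

```python
# Constructed example, not Horizon or Keystone code. Models token revocation on
# role removal and the dashboard-side "log out with a reason" handling.
import secrets
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised by the fake identity service for a missing or revoked token."""


# Mirrors the idea of the UNAUTHORIZED tuple the fix extends: every exception
# type listed here escalates to a logout rather than a per-page error.
UNAUTHORIZED = (Unauthorized,)


@dataclass
class FakeKeystone:
    assignments: dict = field(default_factory=dict)  # user -> {project, ...}
    tokens: dict = field(default_factory=dict)       # token id -> (user, project or None)

    def grant(self, user, project):
        self.assignments.setdefault(user, set()).add(project)

    def issue_unscoped(self, user):
        token_id = secrets.token_hex(8)
        self.tokens[token_id] = (user, None)
        return token_id

    def rescope(self, unscoped_id, project):
        """Exchange an unscoped token for one scoped to a project the user has a role on."""
        user, scope = self.validate(unscoped_id)
        if scope is not None or project not in self.assignments.get(user, set()):
            raise Unauthorized("cannot scope token to project %r" % project)
        token_id = secrets.token_hex(8)
        self.tokens[token_id] = (user, project)
        return token_id

    def validate(self, token_id):
        try:
            return self.tokens[token_id]
        except KeyError:
            raise Unauthorized("token %s is invalid or revoked" % token_id) from None

    def revoke_role(self, user, project):
        """Remove a role assignment and, as in the report, revoke all of the
        user's scoped tokens, including those scoped to other projects.
        (Assumption: the unscoped token is left valid.)"""
        self.assignments.get(user, set()).discard(project)
        for token_id, (owner, scope) in list(self.tokens.items()):
            if owner == user and scope is not None:
                del self.tokens[token_id]


@dataclass
class Session:
    user: str
    project: str
    scoped_token: str
    authenticated: bool = True
    logout_reason: str = ""


def login(keystone, user, project):
    unscoped = keystone.issue_unscoped(user)
    return Session(user, project, keystone.rescope(unscoped, project))


def list_servers(keystone, session):
    """Stand-in for a service call made while rendering a dashboard page."""
    keystone.validate(session.scoped_token)
    return ["vm-1", "vm-2"]


def handle_request(keystone, session, view):
    """Dashboard request path after the fix: an UNAUTHORIZED exception from any
    view ends the session and records why, so the user is sent to the login
    page instead of being left with valid cookies and an unusable dashboard."""
    try:
        return {"status": 200, "body": view(keystone, session)}
    except UNAUTHORIZED as exc:
        session.authenticated = False
        session.scoped_token = ""
        session.logout_reason = "Unauthorized: %s" % exc
        return {"status": 302, "location": "/auth/logout"}


if __name__ == "__main__":
    ks = FakeKeystone()
    ks.grant("alice", "prod")
    ks.grant("alice", "test")
    sess = login(ks, "alice", "prod")
    print(handle_request(ks, sess, list_servers))   # 200 with server list
    ks.revoke_role("alice", "test")                  # not the active project
    print(handle_request(ks, sess, list_servers))   # 302 to logout, reason set
    print(sess.logout_reason)
```

The Kilo behaviour in the comment above corresponds to catching the exception per page and rendering an error while leaving the session untouched; the fixed path shown here clears the session so the next request starts a fresh login, which is the "user is logged out" outcome reported for Liberty/Mitaka.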
Doug Hellmann (doug-hellmann) wrote : Fix included in openstack/horizon 2015.1.4

This issue was fixed in the openstack/horizon 2015.1.4 release.

OpenStack Infra (hudson-openstack) wrote :

This issue was fixed in the openstack/horizon 2015.1.4 release.
