User with member role could see the admin tab

Bug #1634968 reported by Hao Chen
This bug affects 12 people
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: High
Assigned to: Satyanarayana Patibandla

Bug Description

We have deployed an OpenStack cloud with Newton release code. In Horizon we found that even a member user could see the Admin tab.

The Admin tab should only be seen by the admin user in the cloud. And in Mitaka we even have the limit that only the cloud admin could see the Admin tab. But this change https://github.com/openstack/horizon/commit/ce5fb26bf5f431f0cdaa6860a732338db868a8fb#diff-aff3bed89850c87f3629774f5a4599bcL23 breaks the previous behavior.

We should revert this change to give users the right privilege.

Tags: horizon-core
Richard Jones (r1chardj0n3s) wrote :

I need more information about your configuration. I can't see this with Horizon logging into a devstack as the "demo" user.

Changed in horizon:
status: New → Incomplete
importance: Undecided → High
Itxaka Serrano (itxaka) wrote :

Also can't see this.

Kenji Ishii (ken-ishii) wrote :

Me too.
And if the cloud admin you mentioned expresses '("identity", "cloud_admin"),', I think it's natural.
Because that right has a meaning in Identity. It means that right is not all of systems administrator.
Other components' behavior should not depend on Keystone policy. From this point of view, Paul's change is reasonable to me.

Martins Jakubovics (martins-k) wrote :

Can confirm this bug when building Horizon from the latest Newton source code. If I revert the patch mentioned above, then all works as it should.

Changed in horizon:
status: Incomplete → Confirmed
Changed in horizon:
assignee: nobody → Satyanarayana Patibandla (satya-patibandla)
Alejandro Comisario (alejandro-f) wrote :

Is this fixed already?

Tadas Ustinavičius (tadas-u) wrote :

Having the same issue here. Freshly installed OpenStack Newton via openstack-ansible.
A newly created user with the _member_ role is able to see the administration tab.
If any of the links inside the administration tab is pressed, an error is displayed and the user is logged out.

Alejandro Comisario (alejandro-f) wrote :

This makes Horizon unusable, among other things.

andrew_shi (ashishenko) wrote :

I have the same issue: a user with role 'Member' or '_member_' can see the 'Admin' tab. When a 'member' clicks any item in the 'Admin' tab, it'll become 'log out'.
I have a fresh installation of release Newton (installed via openstack-ansible).

HT (h5t4) wrote :

A quick hack is to remove ALL panels under Admin like this (you must do the same for routers, volumes, metering etc.):

cat site-packages/openstack_dashboard/local/enabled/_70_admin_remove_defaults.py
PANEL = 'defaults'
PANEL_DASHBOARD = 'admin'
PANEL_GROUP = 'admin'
REMOVE_PANEL = True
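
The workaround above, repeated for several panels, as an added example that is not part of the original comment or of Horizon's own code. It assumes every listed panel sits in the 'admin' panel group, as in the snippet above, and takes the panel slugs from that comment; check both against your release. Note that REMOVE_PANEL hides a panel from every user, administrators included.

```python
import re
from pathlib import Path

# Panel slugs named in the comment above; the slugs in your release may differ.
PANELS = ["defaults", "routers", "volumes", "metering"]

SLUG = re.compile(r"[a-z][a-z0-9_]*")  # keeps names safe for use in file paths

TEMPLATE = (
    "PANEL = {panel!r}\n"
    "PANEL_DASHBOARD = {dashboard!r}\n"
    "PANEL_GROUP = {group!r}\n"
    "REMOVE_PANEL = True\n"
)


def render_override(panel, dashboard="admin", group="admin"):
    """Return the text of one enabled/ file that removes `panel`."""
    for value in (panel, dashboard, group):
        if not SLUG.fullmatch(value):
            raise ValueError("unexpected slug: %r" % (value,))
    return TEMPLATE.format(panel=panel, dashboard=dashboard, group=group)


def build_overrides(panels, prefix=70, dashboard="admin", group="admin"):
    """Map file name -> file content, one file per panel, duplicates dropped."""
    files = {}
    for panel in dict.fromkeys(panels):
        name = "_%d_%s_remove_%s.py" % (prefix, dashboard, panel)
        files[name] = render_override(panel, dashboard, group)
    return files


def write_overrides(enabled_dir, panels, **kwargs):
    """Write the files into `enabled_dir`, refusing to overwrite existing ones."""
    target = Path(enabled_dir)
    written = []
    for name, text in build_overrides(panels, **kwargs).items():
        path = target / name
        with open(path, "x") as handle:  # mode "x" fails if the file exists
            handle.write(text)
        written.append(path)
    return written


if __name__ == "__main__":
    # Dry run: print what would be written instead of touching the install.
    for name, text in build_overrides(PANELS).items():
        print("# %s\n%s" % (name, text))
```

The web server serving Horizon has to be restarted for the new files to take effect, and the files should be deleted again once the fixed release is installed.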

David Lyle (david-lyle) wrote :

I believe this was addressed by https://github.com/openstack/horizon/commit/43e9df85ab286ddee96e9cff97f551781baf70d1 but it may not have been backported to your release.

David Lyle (david-lyle) wrote :

Actually, it was backported to newton: https://review.openstack.org/#/c/407121/

Changed in horizon:
status: Confirmed → Fix Released