Horizon password change is throwing Unauthorized error

Bug #1776678 reported by Panneer Selvam
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Fix Released
Importance: Undecided
Assigned to: Radomir Dopieralski

Bug Description

Steps to reproduce:
1. Log into horizon as admin
2. navigate to settings > change password page
3. enter current password and new passwords
4. click on Change button

Expected:
Password should be updated

Actual:
Unauthorized error is thrown

Notes:
- Run against devstack - master
- Screenshot attached.

Panneer Selvam (wondernath) wrote :
summary: - Horizon password change is throwing Unathorized error
+ Horizon password change is throwing Unathorized error on Devstack
Radomir Dopieralski (deshipu) wrote : Re: Horizon password change is throwing Unauthorized error on Devstack

I can see the same problem both with master and stable/rocky.

Changed in horizon:
status: New → Confirmed
summary: - Horizon password change is throwing Unathorized error on Devstack
+ Horizon password change is throwing Unathorized error
Radomir Dopieralski (deshipu) wrote :

The problem is that the user_id is None, and the POST is going to:

http://keystone:5000/v3/users/None/password

Radomir Dopieralski (deshipu) wrote :

The problem is this code in the keystoneclient:

    @property
    def user_id(self):
        """Best effort to retrieve the user_id from the plugin.

        Some managers rely on being able to get the currently authenticated
        user id. This is a problem when we are trying to abstract away the
        details of an auth plugin.

        For example changing a user's password can require access to the
        currently authenticated user_id.

        Perform a best attempt to fetch this data. It will work in the legacy
        case and with identity plugins and be None otherwise which is the same
        as the historical behavior.
        """
        # the identity plugin case
        try:
            return self.session.auth.get_access(self.session).user_id
        except AttributeError: # nosec(cjschaef): attempt legacy retrival, or
            # return None
            pass

        # there is a case that we explicitly allow (tested by our unit tests)
        # that says you should be able to set the user_id on a legacy client
        # and it should overwrite the one retrieved via authentication. If it's
        # a legacy then self.session.auth is a client and we retrieve user_id.
        try:
            return self.session.auth.user_id
        except AttributeError: # nosec(cjschaef): retrivals failed, return
            # None
            pass

        return None

and this code in Horizon:

def user_update_own_password(request, origpassword, password):
    client = keystoneclient(request, admin=False)
    client.user_id = request.user.id
    if VERSIONS.active < 3:
        return client.users.update_own_password(origpassword, password)
    else:
        return client.users.update_password(origpassword, password)

From the description above, this will only work with the legacy client.
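
How an attribute set on a wrapper can miss the client the manager actually reads, producing the `/v3/users/None/password` request reported above. This is an added illustration, not Horizon or keystoneclient code: `Wrapper`, `InnerClient`, `UserManager`, `TokenOnlyAuth` and the sample id are hypothetical, with the wrapper modelled on the description in the fix's commit message, and the checked variant is one possible guard, not the merged fix.

```python
# Added illustration; all classes here are hypothetical stand-ins,
# not keystoneclient or Horizon classes.

class UserManager:
    def __init__(self, client):
        self.client = client  # the manager keeps a reference to the inner client

    def password_url(self):
        # Unchecked form: formats whatever user_id resolves to, including None.
        return "/v3/users/%s/password" % self.client.user_id

    def password_url_checked(self, user_id=None):
        # Guarded form: take an explicit id and refuse to build a URL without one.
        uid = user_id if user_id is not None else self.client.user_id
        if not uid:
            raise ValueError("no user_id available for password change")
        return "/v3/users/%s/password" % uid


class InnerClient:
    def __init__(self, auth):
        self.auth = auth
        self.users = UserManager(self)

    @property
    def user_id(self):
        # Best effort, like the quoted docstring: None when the plugin has no id.
        try:
            return self.auth.user_id
        except AttributeError:
            return None


class Wrapper:
    """Helper class that forwards attribute reads to the wrapped client."""
    def __init__(self, inner):
        self._inner = inner

    def __getattr__(self, name):
        return getattr(self._inner, name)


class TokenOnlyAuth:
    """Constructed auth object that exposes no user_id."""


def demo():
    client = Wrapper(InnerClient(TokenOnlyAuth()))
    client.user_id = "constructed-user-id"  # lands on the wrapper only
    broken = client.users.password_url()
    fixed = client.users.password_url_checked(user_id="constructed-user-id")
    return broken, fixed
```

The assignment succeeds silently, so nothing fails until the identity service rejects the request for the literal user `None`; the guarded form fails locally with a clear error instead.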

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (master)

Fix proposed to branch: master
Review: https://review.openstack.org/609999

Changed in horizon:
assignee: nobody → Radomir Dopieralski (deshipu)
status: Confirmed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (master)

Reviewed: https://review.openstack.org/609999
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=bdb3f9d988afa23619af4d8c013ffa062347aa5f
Submitter: Zuul
Branch: master

commit bdb3f9d988afa23619af4d8c013ffa062347aa5f
Author: Radomir Dopieralski <email address hidden>
Date: Fri Oct 12 12:20:12 2018 +0200

    Fix changing user's own password

    The original code is monkey-patching keystoneclient object to add a
    user_id attribute to it. This no longer works with more recent
    versions of keystoneclient, as they wrap the client in a helper
    class.

    I'm not happy with this solution, it's likely to have side effects
    and to break again. I'm putting it up for discussion for a better
    solution.

    Change-Id: Idb296d1b10fa02a0b4852e96fe8cb2bdd70380e0
    Closes-bug: #1776678

Changed in horizon:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 15.0.0.0b1

This issue was fixed in the openstack/horizon 15.0.0.0b1 development milestone.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to horizon (stable/rocky)

Fix proposed to branch: stable/rocky
Review: https://review.openstack.org/614202

OpenStack Infra (hudson-openstack) wrote : Fix merged to horizon (stable/rocky)

Reviewed: https://review.openstack.org/614202
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=a2326af5c4cb67bf9cee3a1ea14b501cff04a299
Submitter: Zuul
Branch: stable/rocky

commit a2326af5c4cb67bf9cee3a1ea14b501cff04a299
Author: Radomir Dopieralski <email address hidden>
Date: Fri Oct 12 12:20:12 2018 +0200

    Fix changing user's own password

    The original code is monkey-patching keystoneclient object to add a
    user_id attribute to it. This no longer works with more recent
    versions of keystoneclient, as they wrap the client in a helper
    class.

    I'm not happy with this solution, it's likely to have side effects
    and to break again. I'm putting it up for discussion for a better
    solution.

    Change-Id: Idb296d1b10fa02a0b4852e96fe8cb2bdd70380e0
    Closes-bug: #1776678
    (cherry picked from commit bdb3f9d988afa23619af4d8c013ffa062347aa5f)

tags: added: in-stable-rocky
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/horizon 14.0.2

This issue was fixed in the openstack/horizon 14.0.2 release.
