User with admin role gets logged out when trying to list images

Bug #1840843 reported by Gloria Gu
This bug affects 1 person
Affects: OpenStack Dashboard (Horizon)
Status: Confirmed
Importance: High
Assigned to: Unassigned
Milestone:

Bug Description

When an admin user tries to access Project -> Compute -> Images, if the user fails the identity:get_project policy check, the user gets logged out.

The code that failed is in
openstack_dashboard/static/app/core/images/images.module.js:

  .tableColumns
  .append({
    id: 'owner',
    priority: 1,
    filters: [$memoize(keystone.getProjectName)],
    policies: [{rules: [['identity', 'identity:get_project']]}]
  })

It didn't happen in default Horizon. In our production cloud environment, the keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If the user is not a cloud_admin, the admin user of a project needs to be a member of the domain to satisfy the rule.

The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js

  if (error.status === 403) {
    var msg2 = gettext('Forbidden. Redirecting to login');
    handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
  }
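
The distinction the report turns on, as an added example (not Horizon code and not the fix released for this bug): a 401 means the session is no longer valid, while a 403 means the session is valid but policy denied one request, so only the former should end the session. The function names, the fake keystone lookup and the project IDs are constructed for illustration.

```javascript
// Added example: hypothetical names, not Horizon's API.

// Map an HTTP error status to a UI decision.
// 401 = credentials missing/expired; 403 = authenticated but denied by policy.
function classifyHttpError(status) {
  if (status === 401) {
    return { action: 'redirect_to_login', endSession: true };
  }
  if (status === 403) {
    return { action: 'notify_forbidden', endSession: false };
  }
  return { action: 'notify_error', endSession: false };
}

// Constructed stand-in for GET /api/keystone/projects/<id>: the caller may
// read only its own project (a simplification of the policy quoted above).
function makeFakeKeystone(ownProjectId, sessionValid) {
  return function lookupProject(id) {
    if (!sessionValid) { return { status: 401 }; }
    if (id !== ownProjectId) { return { status: 403 }; }
    return { status: 200, body: { id: id, name: 'demo' } };
  };
}

// Build the "owner" column for a list of images. A denied name lookup
// degrades to the raw project ID instead of ending the session.
function renderOwnerColumn(ownerIds, lookupProject) {
  const labels = [];
  const actions = new Set();
  let endSession = false;
  for (const id of ownerIds) {
    const res = lookupProject(id);
    if (res.status === 200) {
      labels.push(res.body.name);
      continue;
    }
    const decision = classifyHttpError(res.status);
    labels.push(id);
    actions.add(decision.action);
    endSession = endSession || decision.endSession;
  }
  return { labels: labels, actions: Array.from(actions), endSession: endSession };
}

// Constructed sample: one image owned by the caller's project, one public
// image owned by another project.
const owners = ['proj-own', 'proj-other'];
console.log(renderOwnerColumn(owners, makeFakeKeystone('proj-own', true)));
console.log(renderOwnerColumn(owners, makeFakeKeystone('proj-own', false)));
```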

Ivan Kolodyazhny (e0ne)
Changed in horizon:
status: New → Confirmed
importance: Undecided → High
Gloria Gu (gloria-gu)
Changed in horizon:
assignee: nobody → Gloria Gu (gloria-gu)
Gloria Gu (gloria-gu) wrote :

@Ivan, it is odd, I am not sure why this was duplicated. It looks like Launchpad created exactly the same 2 bugs, this one and https://bugs.launchpad.net/horizon/+bug/1840844, on 8/20. I didn't realize this existed until today. Can you mark https://bugs.launchpad.net/horizon/+bug/1840844 high? All our commits are associated with 1840844. Thanks.

Changed in horizon:
assignee: Gloria Gu (gloria-gu) → nobody
Daniel 'f0o' Preussker (dpreussker) wrote :

This seems to happen to non-admin users too.

A request to `/api/keystone/projects/ba64922913be4f7ead058b00b25d39d7`, where ba64922913be4f7ead058b00b25d39d7 is any other tenant than the one currently logged in, results in the current user being logged out.

This seems unnecessary; the image in question is `--public`.

Due to this behavior, the image list is essentially unusable, and subsequently so is image upload from Horizon.

Versions:
Ubuntu Bionic using cloud-archive:stein
openstack-dashboard 3:15.0.0-0ubuntu1~cloud0

Daniel 'f0o' Preussker (dpreussker) wrote :

Scrap my comment - it turns out it was a faulty policy.json that made itself into the deployment and nuked it

Vishal Manchanda (vishalmanchanda) wrote :

This bug is a duplicate of https://bugs.launchpad.net/horizon/+bug/1840844 and the fix for it is already released.
