user with admin role gets logged out when trying to list images

Bug #1840844 reported by Gloria Gu on 2019-08-20
This bug affects 2 people
Affects                          Importance  Assigned to
OpenStack Dashboard (Horizon)    Undecided   Gloria Gu
Ubuntu Cloud Archive             Undecided   Unassigned
  Queens                         Undecided   Unassigned
horizon (Ubuntu)                 Status tracked in Groovy
  Bionic                         High        Unassigned
  Eoan                           High        Unassigned
  Focal                          High        Unassigned
  Groovy                         High        Unassigned

Bug Description

[Impact]

When an admin user tries to access Project -> Compute -> Images, if the user fails the identity:get_project policy check, the user gets logged out.

The code that failed is in openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [
        {rules: [['identity', 'identity:get_project']]}
      ]
    })

It didn't happen in default Horizon. In our production cloud environment, the keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If the user is not a cloud_admin, the admin user of a project needs to be a member of the domain to satisfy the rule.

The problem here is that the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js:

  if (error.status === 403) {
    var msg2 = gettext('Forbidden. Redirecting to login');
    handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
  }

Some log info from keystone:

19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

[Upstream fix description]

Before this change when a 403 error was encountered, such as failure to have the permission to perform an operation, the user would get logged out from UI pages written in the AngularJS framework. For example, if an admin user lacks the get_project permission and tries to access the images page, project->compute->images, the 403 will forcibly log out the user.

This change keeps the user logged in when a 403 error is encountered and displays an error message. The change only affects AngularJS pages.

[Test Case]

* Create a new user without the get_project permission
* In the dashboard, access project->compute->images
* The user will get logged out

[Regression Potential]

* The patch changes the behavior of the Horizon code in response to a 403 error. The 403 in the original bug report was caused by a missing get_project permission. While unlikely it is possible that this change is incorrect under different error scenarios.
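The handling the report points at, and the change the upstream fix makes to it, as an added example in plain JavaScript that is not Horizon's own code: a $http-style responseError interceptor with the pre-fix behaviour selectable, driven by stand-in $window and toast services so it runs in Node without AngularJS. The login path, the message texts and the fake services are assumptions made for the example; what it shows is the distinction that matters for this bug, a 401 (the session is gone, redirecting is right) versus a 403 (the session is valid, policy denied one action, the user must stay logged in and still see the failure).

```javascript
'use strict';

// Added example, not Horizon's own code. It models the AngularJS $http
// responseError interceptor this bug is about, with the pre-fix
// behaviour (logout on 403) selectable so both can be compared.
// Assumed status semantics (plain HTTP, and what Keystone/Glance send):
//   401  the token or session is no longer valid: redirect to login
//   403  the token is valid but policy denied this action: keep the session
const LOGIN_URL = '/auth/login/'; // assumed login path for the example

// Stand-ins for the services the real interceptor is injected with:
// $window for navigation and the toast service for user-visible messages.
function makeFakeServices() {
  const state = { loggedIn: true, location: '/project/ngimages/', toasts: [] };
  return {
    state,
    $window: { location: { replace(url) { state.loggedIn = false; state.location = url; } } },
    toastService: { add(type, msg) { state.toasts.push({ type, msg }); } },
  };
}

// Build the interceptor. logoutOnForbidden=true reproduces the bug.
function makeInterceptor($window, toastService, { logoutOnForbidden = false } = {}) {
  function redirectToLogin(msg) {
    toastService.add('info', msg);
    $window.location.replace(LOGIN_URL);
  }
  return {
    // Called with the failed response. Whatever the UI does, the promise
    // must still reject so the caller sees the failure (the table shows
    // an error instead of silently rendering nothing).
    responseError(error) {
      const status = error && error.status;
      if (status === 401) {
        redirectToLogin('Unauthorized. Redirecting to login');
      } else if (status === 403) {
        if (logoutOnForbidden) {
          // Pre-fix: a single policy denial ends the whole session.
          redirectToLogin('Forbidden. Redirecting to login');
        } else {
          // Post-fix: surface the denial, keep the user logged in.
          toastService.add('error', 'Forbidden. Insufficient permissions for the requested operation');
        }
      } else if (status >= 500) {
        toastService.add('error', 'Server error (' + status + ')');
      }
      return Promise.reject(error);
    },
  };
}

// Push one failed response through an interceptor and report the outcome.
function simulate(status, opts) {
  const svc = makeFakeServices();
  const interceptor = makeInterceptor(svc.$window, svc.toastService, opts);
  // The rejection is the normal outcome; swallow it here so Node does
  // not report an unhandled rejection in the demo.
  interceptor.responseError({ status: status, data: 'policy does not allow this' }).catch(() => {});
  return svc.state;
}

// Demo: the same 403 before and after the fix, plus a real session loss.
for (const [label, status, opts] of [
  ['403 before fix', 403, { logoutOnForbidden: true }],
  ['403 after fix', 403, {}],
  ['401 (expired token)', 401, {}],
]) {
  const s = simulate(status, opts);
  console.log(label + ': loggedIn=' + s.loggedIn + ' at ' + s.location + ' toasts=' + JSON.stringify(s.toasts));
}
```

Note that only the reaction to a 403 changes; a 401 still sends the user to the login page, because there the session really is gone, and every other failure still rejects so the calling page can render its own error.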

Gloria Gu (gloria-gu) on 2019-08-20
Changed in horizon:
assignee: nobody → Gloria Gu (gloria-gu)
description: updated
Changed in horizon:
status: New → In Progress
Gloria Gu (gloria-gu) on 2019-08-20
summary: - user with admin role get's logged out when trying to list images
+ user with admin role gets logged out when trying to list images
Changed in horizon:
assignee: Gloria Gu (gloria-gu) → Ivan Kolodyazhny (e0ne)

Reviewed: https://review.opendev.org/677580
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Submitter: Zuul
Branch: master

commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Author: Gloria Gu <email address hidden>
Date: Tue Aug 20 15:45:22 2019 -0700

    Avoid forced logout when 403 error encountered

    Before this change when a 403 error was encountered, such as failure to
    have the permission to perform an operation, the user would get logged
    out from UI pages written in the AngularJS framework. For example, if an
    admin user lacks the get_project permission and tries to access the
    images page, project->compute->images, the 403 will forcibly log out
    the user.

    This change keeps the user logged in when a 403 error is encountered and
    displays an error message. The change only affects AngularJS pages.

    Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
    Closes-bug: #1840844

Changed in horizon:
status: In Progress → Fix Released

Reviewed: https://review.opendev.org/679859
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=65a49dd16501b80967315e7d62e9d7a6c66a9ed6
Submitter: Zuul
Branch: stable/stein

commit 65a49dd16501b80967315e7d62e9d7a6c66a9ed6
Author: Gloria Gu <email address hidden>
Date: Tue Aug 20 15:45:22 2019 -0700

    Avoid forced logout when 403 error encountered

    Before this change when a 403 error was encountered, such as failure to
    have the permission to perform an operation, the user would get logged
    out from UI pages written in the AngularJS framework. For example, if an
    admin user lacks the get_project permission and tries to access the
    images page, project->compute->images, the 403 will forcibly log out
    the user.

    This change keeps the user logged in when a 403 error is encountered and
    displays an error message. The change only affects AngularJS pages.

    Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
    Closes-bug: #1840844
    (cherry picked from commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe)

tags: added: in-stable-stein

This issue was fixed in the openstack/horizon 16.0.0.0b2 development milestone.

Gloria Gu (gloria-gu) wrote :
Changed in horizon:
assignee: Ivan Kolodyazhny (e0ne) → Gloria Gu (gloria-gu)

Reviewed: https://review.opendev.org/681868
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=81740d310f7078a10435ecbeb3e7a31bc62c7497
Submitter: Zuul
Branch: stable/rocky

commit 81740d310f7078a10435ecbeb3e7a31bc62c7497
Author: Gloria Gu <email address hidden>
Date: Tue Aug 20 15:45:22 2019 -0700

    Avoid forced logout when 403 error encountered

    Before this change when a 403 error was encountered, such as failure to
    have the permission to perform an operation, the user would get logged
    out from UI pages written in the AngularJS framework. For example, if an
    admin user lacks the get_project permission and tries to access the
    images page, project->compute->images, the 403 will forcibly log out
    the user.

    This change keeps the user logged in when a 403 error is encountered and
    displays an error message. The change only affects AngularJS pages.

    Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
    Closes-bug: #1840844
    (cherry picked from commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe)

tags: added: in-stable-rocky

This issue was fixed in the openstack/horizon 14.0.4 release.

This issue was fixed in the openstack/horizon 15.1.1 release.

Andrea Ieri (aieri) wrote :

Subscribed field-medium as we have a production cloud on xenial queens being affected by this. Would it be possible to have the fix backported?

Akihiro Motoki (amotoki) wrote :

Everyone can propose a backport to stable branches. stable/queens is now in the extended maintenance phase, so it is not a main focus on the upstream development team but anyone interested in it can propose a backport.

Keith Berger (keith-berger) wrote :

It just got approved, teluka (thanks e0ne), based on your request, so you just need to watch to see when it merges.

Reviewed: https://review.opendev.org/703083
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=a2acb3e5c178cd5b18228c42d98129d68226f61c
Submitter: Zuul
Branch: stable/queens

commit a2acb3e5c178cd5b18228c42d98129d68226f61c
Author: Gloria Gu <email address hidden>
Date: Tue Aug 20 15:45:22 2019 -0700

    Avoid forced logout when 403 error encountered

    Before this change when a 403 error was encountered, such as failure to
    have the permission to perform an operation, the user would get logged
    out from UI pages written in the AngularJS framework. For example, if an
    admin user lacks the get_project permission and tries to access the
    images page, project->compute->images, the 403 will forcibly log out
    the user.

    This change keeps the user logged in when a 403 error is encountered and
    displays an error message. The change only affects AngularJS pages.

    Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
    Closes-bug: #1840844
    (cherry picked from commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe)
    (cherry picked from commit 81740d310f7078a10435ecbeb3e7a31bc62c7497)

tags: added: in-stable-queens
Nicolas Bock (nicolasbock) wrote :
Changed in horizon (Ubuntu Groovy):
status: New → Fix Released
Changed in horizon (Ubuntu Eoan):
status: New → Fix Released
Changed in horizon (Ubuntu Bionic):
status: New → Triaged
Changed in horizon (Ubuntu Focal):
status: New → Fix Released
Changed in cloud-archive:
status: New → Fix Released
Nicolas Bock (nicolasbock) wrote :
tags: added: sts-sponsor
tags: added: sts-sru-needed
Nicolas Bock (nicolasbock) wrote :

Copied SRU info to bug description

description: updated
Mathew Hodson (mhodson) on 2020-04-29
Changed in horizon (Ubuntu Bionic):
importance: Undecided → High
Changed in horizon (Ubuntu Eoan):
importance: Undecided → High
Changed in horizon (Ubuntu Focal):
importance: Undecided → High
Changed in horizon (Ubuntu Groovy):
importance: Undecided → High
Corey Bryant (corey.bryant) wrote :

This is already fixed in bionic-rocky horizon 3:14.0.4-0ubuntu1~cloud0.

Corey Bryant (corey.bryant) wrote :

I've uploaded horizon 3:13.0.2-0ubuntu3 to the bionic unapproved queue with Nicolas' debdiff applied.

Hello Gloria, or anyone else affected,

Accepted horizon into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/horizon/3:13.0.2-0ubuntu3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in horizon (Ubuntu Bionic):
status: Triaged → Fix Committed
tags: added: verification-needed verification-needed-bionic
Corey Bryant (corey.bryant) wrote :

Hello Gloria, or anyone else affected,

Accepted horizon into queens-proposed. The package will build now and be available in the Ubuntu Cloud Archive in a few hours, and then in the -proposed repository.

Please help us by testing this new package. To enable the -proposed repository:

  sudo add-apt-repository cloud-archive:queens-proposed
  sudo apt-get update

Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, and change the tag from verification-queens-needed to verification-queens-done. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-queens-failed. In either case, details of your testing will help us make a better decision.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance!

tags: added: verification-queens-needed
Nicolas Bock (nicolasbock) wrote :

I can verify the queens package.

tags: added: verification-queens-done
removed: verification-queens-needed
Nicolas Bock (nicolasbock) wrote :

Verified bionic

tags: added: verification-done-bionic
removed: verification-needed-bionic
Nicolas Bock (nicolasbock) wrote :

Notes on verification:

1. Create domain/project/user:

    openstack domain create sru
    openstack project create --domain sru sru
    openstack user create --domain sru --password pass --project sru --project-domain sru sru
    openstack role add --project sru --user sru --user-domain sru member

2. Modify the Glance policies

    --- /etc/glance/policy.json 2020-06-26 15:38:09.616136115 +0000
    +++ /etc/glance/policy.json.original 2020-06-26 15:37:58.176276003 +0000
    @@ -5,7 +5,7 @@
         "add_image": "",
         "delete_image": "",
         "get_image": "",
    - "get_images": "role:admin",
    + "get_images": "",
         "modify_image": "",
         "publicize_image": "role:admin",
         "communitize_image": "",
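Review bot: the hunk is reversed relative to the step it documents: the `---` side is /etc/glance/policy.json (the edited file) and the `+++` side is policy.json.original, so the `-` line carries the restriction (`"get_images": "role:admin"`) and applying the patch as shown would put `"get_images": ""` back. Generate it as `diff -u /etc/glance/policy.json.original /etc/glance/policy.json` so the `+` line is the change being made. The `-`/`+` lines have also lost the indentation of the surrounding context lines, which would make the hunk fail to apply cleanly; likely a paste artifact, but worth regenerating.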

This will lead to a 403 response from Glance for any non-admin user trying to

    openstack image list

3. Log into the dashboard as the sru user

4. Go to Project/Compute/Images

The UI will throw an error message but then log the user out. The
dashboard will go back to the login screen.

5. Install the SRU in the openstack-dashboard unit

5.a. enable proposed repository
5.b. upgrade python-django-horizon package

6. Repeat steps 3 and 4. This time however, the user will not be
   logged out and only get an error message.

tags: added: verification-done
removed: verification-needed
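Why the project admin in the report fails identity:get_project, and why the member user in the verification notes gets a 403 from Glance, as an added example that is not oslo.policy, Keystone or Glance code: a small evaluator for the oslo.policy rule syntax of the strings quoted on this page. The identity:get_project rule is the one from the report; admin_required, cloud_admin and admin_and_matching_target_project_domain_id are assumed definitions modelled on Keystone's v3 cloud-sample policy and may differ from a real deployment; the credentials and targets are constructed; and %(target.path)s lookups resolve a dotted path into a nested object, which simplifies how Keystone flattens its target dict.

```javascript
'use strict';

// Added example, not Keystone's, Glance's or oslo.policy's code: a small
// evaluator for the oslo.policy rule syntax in the policy strings quoted
// on this page. Supported subset: "" (always allow), "@", "!", rule:NAME,
// role:NAME, attr:literal, attr:%(target.path)s, and/or/not, parentheses.
// Simplification assumed here: %(target.path)s is resolved as a dotted
// path into a nested target object.

function tokenize(rule) {
  // Parentheses are grouping operators unless they belong to %(...)s.
  return rule.match(/\(|\)|[^\s()]+(?:\([^)]*\)s)?/g) || [];
}

function pathLookup(obj, path) {
  return path.split('.').reduce((o, k) => (o == null ? undefined : o[k]), obj);
}

// oslo.policy compares Python str() values, so booleans become True/False.
function pyStr(v) {
  if (typeof v === 'boolean') return v ? 'True' : 'False';
  return v == null ? '' : String(v);
}

function checkAtom(atom, ctx) {
  if (atom === '@') return true;
  if (atom === '!') return false;
  const i = atom.indexOf(':');
  if (i < 0) throw new Error('malformed check: ' + atom);
  const kind = atom.slice(0, i);
  const match = atom.slice(i + 1);
  if (kind === 'rule') return enforce(match, ctx);
  if (kind === 'role') return (ctx.creds.roles || []).includes(match);
  const sub = /^%\((.+)\)s$/.exec(match);
  const wanted = sub ? pyStr(pathLookup(ctx.target, sub[1])) : match;
  return pyStr(ctx.creds[kind]) === wanted;
}

// Recursive descent with or < and < not, as in oslo.policy. Every operand
// is evaluated (no short-circuit) so the token stream is fully consumed.
function evaluate(tokens, ctx) {
  let pos = 0;
  function primary() {
    const t = tokens[pos++];
    if (t === undefined) throw new Error('unexpected end of rule');
    if (t === 'not') return !primary();
    if (t === '(') {
      const v = orExpr();
      if (tokens[pos++] !== ')') throw new Error('missing )');
      return v;
    }
    return checkAtom(t, ctx);
  }
  function andExpr() { let v = primary(); while (tokens[pos] === 'and') { pos++; v = primary() && v; } return v; }
  function orExpr() { let v = andExpr(); while (tokens[pos] === 'or') { pos++; v = andExpr() || v; } return v; }
  const result = orExpr();
  if (pos !== tokens.length) throw new Error('trailing tokens: ' + tokens.slice(pos).join(' '));
  return result;
}

// Named rule lookup: an undefined rule denies, an empty rule allows,
// and a rule that refers back to itself is an error rather than a hang.
function enforce(name, ctx) {
  if (ctx.stack.includes(name)) throw new Error('cyclic rule: ' + name);
  const rule = ctx.rules[name];
  if (rule === undefined) return false;
  if (rule.trim() === '') return true;
  ctx.stack.push(name);
  try { return evaluate(tokenize(rule), ctx); } finally { ctx.stack.pop(); }
}

function isAllowed(rules, name, creds, target) {
  return enforce(name, { rules, creds, target, stack: [] });
}

// identity:get_project is the rule quoted in the report; the three helper
// rules are assumed (modelled on Keystone's v3 cloud-sample policy).
const KEYSTONE_POLICY = {
  'admin_required': 'role:admin',
  'cloud_admin': 'role:admin and (is_admin_project:True or domain_id:admin_domain_id)',
  'admin_and_matching_target_project_domain_id':
    'rule:admin_required and domain_id:%(target.project.domain_id)s',
  'identity:get_project': 'rule:cloud_admin or rule:admin_and_matching_target_project_domain_id'
    + ' or project_id:%(target.project.id)s',
};
// Glance rules as modified in the verification notes above.
const GLANCE_POLICY = { 'get_images': 'role:admin', 'get_image': '' };

// Constructed credentials and targets for the demo.
const PROJECT_ADMIN = { roles: ['admin'], project_id: 'p1', domain_id: 'd1', is_admin_project: false };
const MEMBER = { roles: ['member'], project_id: 'p1', domain_id: 'd1', is_admin_project: false };
const CLOUD_ADMIN = { roles: ['admin'], project_id: 'adm', domain_id: 'admin_domain_id', is_admin_project: false };
const OWN_PROJECT = { target: { project: { id: 'p1', domain_id: 'd1' } } };
const OTHER_PROJECT = { target: { project: { id: 'p2', domain_id: 'd2' } } };

function demo() {
  return {
    // the report's case: the owner column resolves another project's name
    adminOtherProject: isAllowed(KEYSTONE_POLICY, 'identity:get_project', PROJECT_ADMIN, OTHER_PROJECT),
    adminOwnProject: isAllowed(KEYSTONE_POLICY, 'identity:get_project', PROJECT_ADMIN, OWN_PROJECT),
    cloudAdminOther: isAllowed(KEYSTONE_POLICY, 'identity:get_project', CLOUD_ADMIN, OTHER_PROJECT),
    memberListImages: isAllowed(GLANCE_POLICY, 'get_images', MEMBER, {}),
    memberGetImage: isAllowed(GLANCE_POLICY, 'get_image', MEMBER, {}),
  };
}

console.log(demo());
```

The project admin is denied on the foreign project because none of the three alternatives hold: not a cloud admin, not an admin in the target project's domain, and not a member of that project. That denial is exactly the 403 that, before the fix, ended the Horizon session.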

The verification of the Stable Release Update for horizon has completed successfully and the package is now being released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package horizon - 3:13.0.2-0ubuntu3

---------------
horizon (3:13.0.2-0ubuntu3) bionic; urgency=medium

  * d/p/Avoid_forced_logout_when_403_error_encountered.patch:
    Cherry-picked from upstream stable/queens to prevent forced logout when
    403 forbidden encountered, such as when access not allowed by policy
    (LP: #1840844).

 -- Nicolas Bock <email address hidden> Mon, 27 Apr 2020 17:29:24 +0000

Changed in horizon (Ubuntu Bionic):
status: Fix Committed → Fix Released
Corey Bryant (corey.bryant) wrote :

The verification of the Stable Release Update for horizon has completed successfully and the package has now been released to -updates. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Corey Bryant (corey.bryant) wrote :

This bug was fixed in the package horizon - 3:13.0.2-0ubuntu3~cloud0
---------------

 horizon (3:13.0.2-0ubuntu3~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 horizon (3:13.0.2-0ubuntu3) bionic; urgency=medium
 .
   * d/p/Avoid_forced_logout_when_403_error_encountered.patch:
     Cherry-picked from upstream stable/queens to prevent forced logout when
     403 forbidden encountered, such as when access not allowed by policy
     (LP: #1840844).
