Activity log for bug #1840844

Date Who What changed Old value New value Message
2019-08-20 20:45:19 Gloria Gu bug added bug
2019-08-20 20:45:32 Gloria Gu horizon: assignee Gloria Gu (gloria-gu)
2019-08-20 20:47:06 Gloria Gu description
  Old value:
    When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.

    code that failed is in openstack_dashboard/static/app/core/images/images.module.js

        .tableColumns
        .append(
          {
            id: 'owner',
            priority: 1,
            filters: [$memoize(keystone.getProjectName)],
            policies: [
              {rules: [['identity', 'identity:get_project']]}
            ]
          })

    it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.

    The problem here is the admin user should not get logged out. It is probably caused by horizon/static/framework/framework.module.js

        if (error.status === 403) {
          var msg2 = gettext('Forbidden. Redirecting to login');
          handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
        }

  New value:
    When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.

    code that failed is in openstack_dashboard/static/app/core/images/images.module.js

        .tableColumns
        .append(
          {
            id: 'owner',
            priority: 1,
            filters: [$memoize(keystone.getProjectName)],
            policies: [
              {rules: [['identity', 'identity:get_project']]}
            ]
          })

    it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.

    The problem here is the admin user should not get logged out. It is probably caused by horizon/static/framework/framework.module.js

        if (error.status === 403) {
          var msg2 = gettext('Forbidden. Redirecting to login');
          handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
        }

    some log info from keystone

        19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
        19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
        19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.
2019-08-20 20:47:20 Gloria Gu horizon: status New In Progress
2019-08-20 20:50:37 Gloria Gu summary user with admin role get's logged out when trying to list images user with admin role gets logged out when trying to list images
2019-08-22 20:42:03 Keith Berger bug added subscriber Keith Berger
2019-09-03 17:15:54 OpenStack Infra horizon: assignee Gloria Gu (gloria-gu) Ivan Kolodyazhny (e0ne)
2019-09-03 20:13:54 OpenStack Infra horizon: status In Progress Fix Released
2019-09-12 16:34:44 OpenStack Infra tags in-stable-stein
2019-09-18 18:04:41 Gloria Gu horizon: assignee Ivan Kolodyazhny (e0ne) Gloria Gu (gloria-gu)
2019-10-01 06:57:43 OpenStack Infra tags in-stable-stein in-stable-rocky in-stable-stein
2019-12-16 11:51:00 Andrea Ieri bug added subscriber Canonical Field Medium
2020-04-16 14:58:52 OpenStack Infra tags in-stable-rocky in-stable-stein in-stable-queens in-stable-rocky in-stable-stein
2020-04-27 17:10:34 Jorge Niedbalski bug task added cloud-archive
2020-04-27 17:12:58 Jorge Niedbalski bug task added horizon (Ubuntu)
2020-04-27 17:13:13 Jorge Niedbalski nominated for series Ubuntu Eoan
2020-04-27 17:13:13 Jorge Niedbalski bug task added horizon (Ubuntu Eoan)
2020-04-27 17:13:13 Jorge Niedbalski nominated for series Ubuntu Bionic
2020-04-27 17:13:13 Jorge Niedbalski bug task added horizon (Ubuntu Bionic)
2020-04-27 17:13:13 Jorge Niedbalski nominated for series Ubuntu Groovy
2020-04-27 17:13:13 Jorge Niedbalski bug task added horizon (Ubuntu Groovy)
2020-04-27 17:13:13 Jorge Niedbalski nominated for series Ubuntu Focal
2020-04-27 17:13:13 Jorge Niedbalski bug task added horizon (Ubuntu Focal)
2020-04-27 17:44:32 Nicolas Bock attachment added bionic.debdiff https://bugs.launchpad.net/horizon/+bug/1840844/+attachment/5361828/+files/bionic.debdiff
2020-04-27 18:01:02 Corey Bryant horizon (Ubuntu Groovy): status New Fix Released
2020-04-27 18:01:08 Corey Bryant horizon (Ubuntu Eoan): status New Fix Released
2020-04-27 18:01:14 Corey Bryant horizon (Ubuntu Bionic): status New Triaged
2020-04-27 18:01:21 Corey Bryant horizon (Ubuntu Focal): status New Fix Released
2020-04-27 18:02:30 Corey Bryant nominated for series cloud-archive/queens
2020-04-27 18:02:30 Corey Bryant bug task added cloud-archive/queens
2020-04-27 18:03:02 Corey Bryant cloud-archive/queens: status New Triaged
2020-04-27 18:03:07 Corey Bryant cloud-archive: status New Fix Released
2020-04-27 20:15:04 Nicolas Bock tags in-stable-queens in-stable-rocky in-stable-stein in-stable-queens in-stable-rocky in-stable-stein sts-sponsor
2020-04-27 20:15:35 Nicolas Bock bug added subscriber Ubuntu Sponsors Team
2020-04-27 20:16:15 Nicolas Bock tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed
2020-04-28 15:01:41 Nicolas Bock description
  Old value:
    When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.

    code that failed is in openstack_dashboard/static/app/core/images/images.module.js

        .tableColumns
        .append(
          {
            id: 'owner',
            priority: 1,
            filters: [$memoize(keystone.getProjectName)],
            policies: [
              {rules: [['identity', 'identity:get_project']]}
            ]
          })

    it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.

    The problem here is the admin user should not get logged out. It is probably caused by horizon/static/framework/framework.module.js

        if (error.status === 403) {
          var msg2 = gettext('Forbidden. Redirecting to login');
          handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
        }

    some log info from keystone

        19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
        19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
        19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

  New value:
    [Impact]

    When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.

    code that failed is in openstack_dashboard/static/app/core/images/images.module.js

        .tableColumns
        .append(
          {
            id: 'owner',
            priority: 1,
            filters: [$memoize(keystone.getProjectName)],
            policies: [
              {rules: [['identity', 'identity:get_project']]}
            ]
          })

    it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.

    The problem here is the admin user should not get logged out. It is probably caused by horizon/static/framework/framework.module.js

        if (error.status === 403) {
          var msg2 = gettext('Forbidden. Redirecting to login');
          handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
        }

    some log info from keystone

        19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
        19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
        19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

    [Upstream fix description]

    Before this change when a 403 error was encountered, such as failure to have the permission to perform an operation, the user would get logged out from UI pages written in the AngularJS framework. For example, if an admin user lacks the get_project permission and tries to access the images page, project->compute->images, the 403 will forcibly log out the user. This change keeps the user logged in when a 403 error is encountered and displays an error message. The change only affects AngularJS pages.

    [Test Case]

    * Create a new user without the get_project permission
    * In the dashboard, access project->compute->images
    * The user will get logged out

    [Regression Potential]

    * The patch changes the behavior of the Horizon code in response to a 403 error. The 403 in the original bug report was caused by a missing get_project permission. While unlikely it is possible that this change is incorrect under different error scenarios.
2020-04-29 17:11:05 Mathew Hodson horizon (Ubuntu Bionic): importance Undecided High
2020-04-29 17:11:09 Mathew Hodson horizon (Ubuntu Eoan): importance Undecided High
2020-04-29 17:11:12 Mathew Hodson horizon (Ubuntu Focal): importance Undecided High
2020-04-29 17:11:14 Mathew Hodson horizon (Ubuntu Groovy): importance Undecided High
2020-05-01 20:19:55 Corey Bryant bug added subscriber Ubuntu Stable Release Updates Team
2020-05-26 20:47:38 Brian Murray horizon (Ubuntu Bionic): status Triaged Fix Committed
2020-05-26 20:47:43 Brian Murray bug added subscriber SRU Verification
2020-05-26 20:47:50 Brian Murray tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic
2020-05-26 23:27:02 Brian Murray removed subscriber Ubuntu Sponsors Team
2020-05-27 12:41:05 Corey Bryant cloud-archive/queens: status Triaged Fix Committed
2020-05-27 12:41:08 Corey Bryant tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed
2020-06-25 12:57:04 Nicolas Bock tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-done
2020-06-25 13:01:42 Nicolas Bock bug added subscriber Nicolas Bock
2020-06-25 15:09:59 Nicolas Bock tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-done in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done-bionic verification-needed verification-queens-done
2020-06-29 12:54:23 Edward Hope-Morley tags in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done-bionic verification-needed verification-queens-done in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done verification-done-bionic verification-queens-done
2020-07-02 09:34:45 Łukasz Zemczak removed subscriber Ubuntu Stable Release Updates Team
2020-07-02 09:44:49 Launchpad Janitor horizon (Ubuntu Bionic): status Fix Committed Fix Released
2020-07-02 12:42:51 Corey Bryant cloud-archive/queens: status Fix Committed Fix Released