2019-08-20 20:45:19 |
Gloria Gu |
bug |
|
|
added bug |
2019-08-20 20:45:32 |
Gloria Gu |
horizon: assignee |
|
Gloria Gu (gloria-gu) |
|
2019-08-20 20:47:06 |
Gloria Gu |
description |
When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters: [$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
} |
When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters: [$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
}
some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project. |
|
2019-08-20 20:47:20 |
Gloria Gu |
horizon: status |
New |
In Progress |
|
2019-08-20 20:50:37 |
Gloria Gu |
summary |
user with admin role get's logged out when trying to list images |
user with admin role gets logged out when trying to list images |
|
2019-08-22 20:42:03 |
Keith Berger |
bug |
|
|
added subscriber Keith Berger |
2019-09-03 17:15:54 |
OpenStack Infra |
horizon: assignee |
Gloria Gu (gloria-gu) |
Ivan Kolodyazhny (e0ne) |
|
2019-09-03 20:13:54 |
OpenStack Infra |
horizon: status |
In Progress |
Fix Released |
|
2019-09-12 16:34:44 |
OpenStack Infra |
tags |
|
in-stable-stein |
|
2019-09-18 18:04:41 |
Gloria Gu |
horizon: assignee |
Ivan Kolodyazhny (e0ne) |
Gloria Gu (gloria-gu) |
|
2019-10-01 06:57:43 |
OpenStack Infra |
tags |
in-stable-stein |
in-stable-rocky in-stable-stein |
|
2019-12-16 11:51:00 |
Andrea Ieri |
bug |
|
|
added subscriber Canonical Field Medium |
2020-04-16 14:58:52 |
OpenStack Infra |
tags |
in-stable-rocky in-stable-stein |
in-stable-queens in-stable-rocky in-stable-stein |
|
2020-04-27 17:10:34 |
Jorge Niedbalski |
bug task added |
|
cloud-archive |
|
2020-04-27 17:12:58 |
Jorge Niedbalski |
bug task added |
|
horizon (Ubuntu) |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Eoan |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
bug task added |
|
horizon (Ubuntu Eoan) |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Bionic |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
bug task added |
|
horizon (Ubuntu Bionic) |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Groovy |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
bug task added |
|
horizon (Ubuntu Groovy) |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
nominated for series |
|
Ubuntu Focal |
|
2020-04-27 17:13:13 |
Jorge Niedbalski |
bug task added |
|
horizon (Ubuntu Focal) |
|
2020-04-27 17:44:32 |
Nicolas Bock |
attachment added |
|
bionic.debdiff https://bugs.launchpad.net/horizon/+bug/1840844/+attachment/5361828/+files/bionic.debdiff |
|
2020-04-27 18:01:02 |
Corey Bryant |
horizon (Ubuntu Groovy): status |
New |
Fix Released |
|
2020-04-27 18:01:08 |
Corey Bryant |
horizon (Ubuntu Eoan): status |
New |
Fix Released |
|
2020-04-27 18:01:14 |
Corey Bryant |
horizon (Ubuntu Bionic): status |
New |
Triaged |
|
2020-04-27 18:01:21 |
Corey Bryant |
horizon (Ubuntu Focal): status |
New |
Fix Released |
|
2020-04-27 18:02:30 |
Corey Bryant |
nominated for series |
|
cloud-archive/queens |
|
2020-04-27 18:02:30 |
Corey Bryant |
bug task added |
|
cloud-archive/queens |
|
2020-04-27 18:03:02 |
Corey Bryant |
cloud-archive/queens: status |
New |
Triaged |
|
2020-04-27 18:03:07 |
Corey Bryant |
cloud-archive: status |
New |
Fix Released |
|
2020-04-27 20:15:04 |
Nicolas Bock |
tags |
in-stable-queens in-stable-rocky in-stable-stein |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor |
|
2020-04-27 20:15:35 |
Nicolas Bock |
bug |
|
|
added subscriber Ubuntu Sponsors Team |
2020-04-27 20:16:15 |
Nicolas Bock |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed |
|
2020-04-28 15:01:41 |
Nicolas Bock |
description |
When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters: [$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
}
some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project. |
[Impact]
When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters: [$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s". If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
}
some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.
[Upstream fix description]
Before this change when a 403 error was encountered, such as failure to have the permission to perform an operation, the user would get logged out from UI pages written in the AngularJS framework. For example, if an admin user lacks the get_project permission and tries to access the images page, project->compute->images, the 403 will forcibly log out the user.
This change keeps the user logged in when a 403 error is encountered and displays an error message. The change only affects AngularJS pages.
[Test Case]
* Create a new user without the get_project permission
* In the dashboard, access project->compute->images
* The user will get logged out
[Regression Potential]
* The patch changes the behavior of the Horizon code in response to a 403 error. The 403 in the original bug report was caused by a missing get_project permission. While unlikely it is possible that this change is incorrect under different error scenarios. |
|
2020-04-29 17:11:05 |
Mathew Hodson |
horizon (Ubuntu Bionic): importance |
Undecided |
High |
|
2020-04-29 17:11:09 |
Mathew Hodson |
horizon (Ubuntu Eoan): importance |
Undecided |
High |
|
2020-04-29 17:11:12 |
Mathew Hodson |
horizon (Ubuntu Focal): importance |
Undecided |
High |
|
2020-04-29 17:11:14 |
Mathew Hodson |
horizon (Ubuntu Groovy): importance |
Undecided |
High |
|
2020-05-01 20:19:55 |
Corey Bryant |
bug |
|
|
added subscriber Ubuntu Stable Release Updates Team |
2020-05-26 20:47:38 |
Brian Murray |
horizon (Ubuntu Bionic): status |
Triaged |
Fix Committed |
|
2020-05-26 20:47:43 |
Brian Murray |
bug |
|
|
added subscriber SRU Verification |
2020-05-26 20:47:50 |
Brian Murray |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic |
|
2020-05-26 23:27:02 |
Brian Murray |
removed subscriber Ubuntu Sponsors Team |
|
|
|
2020-05-27 12:41:05 |
Corey Bryant |
cloud-archive/queens: status |
Triaged |
Fix Committed |
|
2020-05-27 12:41:08 |
Corey Bryant |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed |
|
2020-06-25 12:57:04 |
Nicolas Bock |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-needed |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-done |
|
2020-06-25 13:01:42 |
Nicolas Bock |
bug |
|
|
added subscriber Nicolas Bock |
2020-06-25 15:09:59 |
Nicolas Bock |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-needed verification-needed-bionic verification-queens-done |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done-bionic verification-needed verification-queens-done |
|
2020-06-29 12:54:23 |
Edward Hope-Morley |
tags |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done-bionic verification-needed verification-queens-done |
in-stable-queens in-stable-rocky in-stable-stein sts-sponsor sts-sru-needed verification-done verification-done-bionic verification-queens-done |
|
2020-07-02 09:34:45 |
Łukasz Zemczak |
removed subscriber Ubuntu Stable Release Updates Team |
|
|
|
2020-07-02 09:44:49 |
Launchpad Janitor |
horizon (Ubuntu Bionic): status |
Fix Committed |
Fix Released |
|
2020-07-02 12:42:51 |
Corey Bryant |
cloud-archive/queens: status |
Fix Committed |
Fix Released |
|