| 2019-09-05 14:01:49 |
Arthur Nikolayev |
bug |
|
|
added bug |
| 2019-09-05 17:10:03 |
Jeremy Stanley |
bug task added |
|
ossa |
|
| 2019-09-05 17:10:19 |
Jeremy Stanley |
ossa: status |
New |
Incomplete |
|
| 2019-09-05 17:10:35 |
Jeremy Stanley |
description |
==Problem==
User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
==Steps to reproduce==
Install OpenStack following official docs for Stein.
Login as admin to (Horizon) in one browser.
Create a user with role 'member' and assign it to a project.
Open another browser and login as created user.
As admin user delete created user from "first" browser.
Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
==Expected result==
User session in current browser is closed after user is deleted in another browser.
I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
==Environment==
OpenStack Stein
rpm -qa | grep -i stein
centos-release-openstack-stein-1-1.el7.centos.noarch
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
rpm -qa | grep -i horizon
python2-django-horizon-15.1.0-1.el7.noarch
rpm -qa | grep -i dashboard
openstack-dashboard-15.1.0-1.el7.noarch
openstack-dashboard-theme-15.1.0-1.el7.noarch |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
==Problem==
User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
==Steps to reproduce==
Install OpenStack following official docs for Stein.
Login as admin to (Horizon) in one browser.
Create a user with role 'member' and assign it to a project.
Open another browser and login as created user.
As admin user delete created user from "first" browser.
Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
==Expected result==
User session in current browser is closed after user is deleted in another browser.
I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
==Environment==
OpenStack Stein
rpm -qa | grep -i stein
centos-release-openstack-stein-1-1.el7.centos.noarch
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
rpm -qa | grep -i horizon
python2-django-horizon-15.1.0-1.el7.noarch
rpm -qa | grep -i dashboard
openstack-dashboard-15.1.0-1.el7.noarch
openstack-dashboard-theme-15.1.0-1.el7.noarch |
|
| 2019-09-05 17:11:36 |
Jeremy Stanley |
bug |
|
|
added subscriber Horizon Core security contacts |
| 2019-09-18 08:34:56 |
Ivan Kolodyazhny |
horizon: status |
New |
Confirmed |
|
| 2019-09-18 08:34:58 |
Ivan Kolodyazhny |
horizon: importance |
Undecided |
High |
|
| 2019-09-19 14:49:28 |
Jeremy Stanley |
ossa: status |
Incomplete |
Won't Fix |
|
| 2019-09-19 14:49:41 |
Jeremy Stanley |
tags |
|
security |
|
| 2019-09-19 14:49:55 |
Jeremy Stanley |
description |
This issue is being treated as a potential security risk under embargo. Please do not make any public mention of embargoed (private) security vulnerabilities before their coordinated publication by the OpenStack Vulnerability Management Team in the form of an official OpenStack Security Advisory. This includes discussion of the bug or associated fixes in public forums such as mailing lists, code review systems and bug trackers. Please also avoid private disclosure to other individuals not already approved for access to this information, and provide this same reminder to those who are made aware of the issue prior to publication. All discussion should remain confined to this private bug report, and any proposed fixes should be added to the bug as attachments.
==Problem==
User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
==Steps to reproduce==
Install OpenStack following official docs for Stein.
Login as admin to (Horizon) in one browser.
Create a user with role 'member' and assign it to a project.
Open another browser and login as created user.
As admin user delete created user from "first" browser.
Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
==Expected result==
User session in current browser is closed after user is deleted in another browser.
I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
==Environment==
OpenStack Stein
rpm -qa | grep -i stein
centos-release-openstack-stein-1-1.el7.centos.noarch
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
rpm -qa | grep -i horizon
python2-django-horizon-15.1.0-1.el7.noarch
rpm -qa | grep -i dashboard
openstack-dashboard-15.1.0-1.el7.noarch
openstack-dashboard-theme-15.1.0-1.el7.noarch |
==Problem==
User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
==Steps to reproduce==
Install OpenStack following official docs for Stein.
Login as admin to (Horizon) in one browser.
Create a user with role 'member' and assign it to a project.
Open another browser and login as created user.
As admin user delete created user from "first" browser.
Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
==Expected result==
User session in current browser is closed after user is deleted in another browser.
I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
==Environment==
OpenStack Stein
rpm -qa | grep -i stein
centos-release-openstack-stein-1-1.el7.centos.noarch
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
rpm -qa | grep -i horizon
python2-django-horizon-15.1.0-1.el7.noarch
rpm -qa | grep -i dashboard
openstack-dashboard-15.1.0-1.el7.noarch
openstack-dashboard-theme-15.1.0-1.el7.noarch |
|
| 2019-09-19 14:50:02 |
Jeremy Stanley |
information type |
Private Security |
Public |
|
| 2019-09-19 15:14:20 |
Akihiro Motoki |
bug task added |
|
keystone |
|
| 2019-09-19 15:14:31 |
Akihiro Motoki |
horizon: assignee |
|
Akihiro Motoki (amotoki) |
|
| 2019-09-23 17:23:19 |
Morgan Fainberg |
tags |
security |
documentation security |
|
| 2019-09-23 17:23:35 |
Morgan Fainberg |
bug task added |
|
keystonemiddleware |
|
| 2019-09-23 17:23:54 |
Morgan Fainberg |
keystone: status |
New |
Confirmed |
|
| 2019-09-23 17:23:58 |
Morgan Fainberg |
keystonemiddleware: status |
New |
Triaged |
|
| 2019-09-23 17:24:01 |
Morgan Fainberg |
keystone: status |
Confirmed |
Triaged |
|
| 2019-09-23 17:24:04 |
Morgan Fainberg |
keystone: importance |
Undecided |
Medium |
|
| 2019-09-23 17:24:10 |
Morgan Fainberg |
keystonemiddleware: importance |
Undecided |
Medium |
|
| 2019-09-23 17:26:23 |
Morgan Fainberg |
keystone: status |
Triaged |
Invalid |
|
| 2019-09-30 12:57:59 |
Akihiro Motoki |
horizon: importance |
High |
Medium |
|
| 2021-02-28 12:09:29 |
Akihiro Motoki |
horizon: assignee |
Akihiro Motoki (amotoki) |
|
|
