Horizon error - Suggest better handling when non-admin user navigates to Users - Role Assignments (and Groups) tabs

Bug #1951302 reported by Takamasa Takenaka
This bug affects 1 person
Affects: StarlingX
Status: Fix Released
Importance: Low
Assigned to: Takamasa Takenaka

Bug Description

Brief Description
-----------------
Suggest better handling in Horizon navigation to the Role Assignments or Groups tab when the user is not an admin role

Horizon displays the following error

Error: Unauthorized. Please try logging in again.

Severity
-----------------
Standard

Steps to Reproduce
-----------------
1. Create a new role eg. not-admin (or alternatively use one of the existing roles that is not the admin role)
$ openstack role create not-admin
$ openstack role list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 1da72d5fc57d4ec29fd6c9c839603dfd | reader    |
| 1e0310e9da3b4024bb51fccd621ce267 | member    |
| 3223a57d98b841489fb2035328187a3c | admin     |
| f6ea521114d54f5aa6078e0aa24c58e1 | member    |
| 72bfe75f8a134ac6a6723dfbae8b0ab3 | creator   |
| 293fc64bf449415594b41d8c9d246b8a | not-admin |
+----------------------------------+-----------+
b. openstack user create --password "1001" --project "admin" tenant12
c. openstack role add --user "tenant12" --project "admin" <role eg. member or creator or not-admin>

2. Confirm the new user 'tenant12' is created

$ openstack user list --long
...

0a35288f59db4c51a2932d88587152a3 admin default admin@localhost True
e114c82de1b840e996260a091f032fb8 tenant11 11ca5c899c05469183c1db3004d517a4 default <email address hidden> True
69c1cf10d95d4a6a8bda88e5fa3aae37 tenant12 11ca5c899c05469183c1db3004d517a4 default True

3. Confirm the role that the user has been assigned eg. tenant12 role is member

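$ openstack role assignment list --name
+---------+------------------+-------+---------------+--------+--------+-----------+
| Role    | User             | Group | Project       | Domain | System | Inherited |
+---------+------------------+-------+---------------+--------+--------+-----------+
| admin   | admin@Default    |       | admin@Default |        |        | False     |
...
| creator | tenant11@Default |       | admin@Default |        |        | False     |
| member  | tenant12@Default |       | admin@Default |        |        | False     |
+---------+------------------+-------+---------------+--------+--------+-----------+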

4. Log into Horizon as user tenant12 with valid password

5. Navigate to the Identity - Users panel
Click on the User name to see the Overview tab (user details)
Select the "Role assignments" tab to navigate to it. (or alternatively the Groups tab)

Expected Behavior
-----------------
Suggest either the tab should not be visible if the user is unauthorized
(or allow the user to view only but not allow Users actions such as Change Password, Disable User, Delete User)

Actual Behavior
-----------------
The following error pops up

Error: Unauthorized. Please try logging in again.

Horizon.log reports the following horizon.exceptions

2021-11-04 20:33:24,640 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/identity/users/tabs.py", line 104, in get_roleassignmentstable_data
    include_names=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 612, in role_assignments_list
    manager = keystoneclient(request, admin=True).role_assignments
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 165, in keystoneclient
    raise exceptions.NotAuthorized
NotAuthorized
2021-11-04 20:33:24,641 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 175, in load_tab_data
    tab._data = tab.get_context_data(self.request)
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 533, in get_context_data
    self.load_table_data()
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 515, in load_table_data
    table.data = data_func()
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/identity/users/tabs.py", line 109, in get_roleassignmentstable_data
    _("Unable to display the role assignments of this user."))
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 330, in handle
    log_method, log_entry, log_level)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 226, in handle_unauthorized
    raise NotAuthorized
NotAuthorized
2021-11-04 20:33:24,641 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/horizon/tabs/views.py", line 53, in get_context_data
    context["tab_group"].load_tab_data()
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 178, in load_tab_data
    exceptions.handle(self.request)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 330, in handle
    log_method, log_entry, log_level)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 226, in handle_unauthorized
    raise NotAuthorized
NotAuthorized

2021-11-04 20:34:48,054 [ERROR] openstack_dashboard.dashboards.identity.users.tabs: Failed to get tenant 11ca5c899c05469183c1db3004d517a4:
2021-11-04 20:34:48,055 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/identity/users/tabs.py", line 146, in get_groupstable_data
    user_groups = api.keystone.group_list(self.request, user=user.id)
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 527, in group_list
    manager = keystoneclient(request, admin=True).groups
  File "/usr/share/openstack-dashboard/openstack_dashboard/api/keystone.py", line 165, in keystoneclient
    raise exceptions.NotAuthorized
NotAuthorized
2021-11-04 20:34:48,055 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 175, in load_tab_data
    tab._data = tab.get_context_data(self.request)
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 533, in get_context_data
    self.load_table_data()
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 515, in load_table_data
    table.data = data_func()
  File "/usr/share/openstack-dashboard/openstack_dashboard/dashboards/identity/users/tabs.py", line 149, in get_groupstable_data
    _("Unable to display the groups of this user."))
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 330, in handle
    log_method, log_entry, log_level)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 226, in handle_unauthorized
    raise NotAuthorized
NotAuthorized
2021-11-04 20:34:48,056 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
  File "/usr/lib/python2.7/site-packages/horizon/tabs/views.py", line 53, in get_context_data
    context["tab_group"].load_tab_data()
  File "/usr/lib/python2.7/site-packages/horizon/tabs/base.py", line 178, in load_tab_data
    exceptions.handle(self.request)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 330, in handle
    log_method, log_entry, log_level)
  File "/usr/lib/python2.7/site-packages/horizon/exceptions.py", line 226, in handle_unauthorized
    raise NotAuthorized
NotAuthorized

Reproducibility
-----------------
State if the issue is 100% reproducible, intermittent or seen once. If it is intermittent, state the frequency of occurrence

System Configuration
-----------------
standard (any)

Branch/Pull Time/Commit
-----------------
2021-11-01_00-00-08

Last Pass
-----------------
Did this test scenario pass previously? If so, please indicate the load/pull time info of the last pass.

Use this section to also indicate if this is a new test scenario.

Timestamp/Logs
-----------------
see horizon.log above

Test Activity
-----------------
Feature Testing for story/2009284, but not directly to this feature.

Takamasa Takenaka (ttakenak) wrote :

Identity-User tab is implemented in:
git/horizon/openstack_dashboard/dashboards/identity/users/tabs.py

RoleAssignmentsTab()
GroupsTab()
These tabs have the parent "TableTab", whose parent is "Tab".

The Tab class has a function "def allowed(self, request):" that makes the tab invisible if this method returns "False".
But the current implementation always returns "True".

By using this method "allowed", we can control tab visibility.

In upstream, it is implemented as policy_rules:

1. Introduce policy_rules
    https://review.opendev.org/c/openstack/horizon/+/775014
2. Set policy for identity
    https://review.opendev.org/c/openstack/horizon/+/783307

Changed in starlingx:
assignee: nobody → Takamasa Takenaka (ttakenak)
status: New → In Progress
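
The mechanism described in the comment above, as an added example that is not Horizon's or StarlingX's code: a simplified tab model in which `allowed()` consults `policy_rules`, so a tab is dropped before its admin-only data loader runs. The `POLICY` table, the `policy_check` helper, the request dict and the rule names are assumptions made for illustration.

```python
# Simplified model of a dashboard tab framework (illustrative, not Horizon source).
class NotAuthorized(Exception):
    pass

# Constructed policy table for this example: rule name -> roles that satisfy it.
POLICY = {
    "identity:list_role_assignments": {"admin"},
    "identity:list_groups": {"admin"},
}

def policy_check(rules, request):
    """True only if every (scope, rule) pair is satisfied; unknown rules deny."""
    roles = set(request["roles"])
    return all(bool(POLICY.get(rule, set()) & roles) for _scope, rule in rules)

class Tab:
    name = ""
    policy_rules = None  # no rules: always visible (the behaviour before the fix)

    def allowed(self, request):
        if not self.policy_rules:
            return True
        return policy_check(self.policy_rules, request)

    def load(self, request):
        # Stands in for the admin-only API call seen in the traceback.
        if "admin" not in request["roles"]:
            raise NotAuthorized(self.name)
        return []

class OverviewTab(Tab):
    name = "Overview"

    def load(self, request):
        return ["user details"]

class RoleAssignmentsTab(Tab):
    name = "Role assignments"
    policy_rules = (("identity", "identity:list_role_assignments"),)

class GroupsTab(Tab):
    name = "Groups"
    policy_rules = (("identity", "identity:list_groups"),)

def visible_tabs(request, tabs=(OverviewTab, RoleAssignmentsTab, GroupsTab)):
    """Names of the tabs to render; tabs failing allowed() are never loaded."""
    return [t.name for t in (cls() for cls in tabs) if t.allowed(request)]
```

Hiding the tab only removes the navigation path; the check inside `load()` models the server-side enforcement that raised NotAuthorized in the log, and it stays in place as the actual access control.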
OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/818259

OpenStack Infra (hudson-openstack) wrote : Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/818259
Committed: https://opendev.org/starlingx/upstream/commit/39a1828ddfd67f23d32f176d043274d6561677c3
Submitter: "Zuul (22348)"
Branch: master

commit 39a1828ddfd67f23d32f176d043274d6561677c3
Author: Takamasa Takenaka <email address hidden>
Date: Wed Nov 17 15:10:17 2021 -0300

    Use policy_rules for user role assignment and group tabs

    This patch is ported from upstream:
    https://review.opendev.org/c/openstack/horizon/+/775014
    https://review.opendev.org/c/openstack/horizon/+/783307

    Test Plan:
    PASS: Confirm tabs "Role assignments" and "Groups"
          are invisible for non admin user.
    PASS: Confirm tabs "Role assignments" and "Groups"
          are visible for admin user
    PASS: All pass horizon.test.unit.tabs.test_tabs
          unit test

    Partial-Bug: 1951302

    Signed-off-by: Takamasa Takenaka <email address hidden>
    Change-Id: I073f526ad08017ef6f23b738a1da6d5e2fcf757a

Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.gui
Changed in starlingx:
importance: Low → Medium
tags: added: stx.6.0
Ghada Khalil (gkhalil)
tags: removed: stx.6.0
Changed in starlingx:
importance: Medium → Low
Ghada Khalil (gkhalil) wrote :

LP is left open to port the changes to Debian as well

OpenStack Infra (hudson-openstack) wrote : Fix proposed to upstream (master)

Fix proposed to branch: master
Review: https://review.opendev.org/c/starlingx/upstream/+/820596

OpenStack Infra (hudson-openstack) wrote : Fix merged to upstream (master)

Reviewed: https://review.opendev.org/c/starlingx/upstream/+/820596
Committed: https://opendev.org/starlingx/upstream/commit/3bd6a9daa6df4bcb3705da96509b65276c16cfa6
Submitter: "Zuul (22348)"
Branch: master

commit 3bd6a9daa6df4bcb3705da96509b65276c16cfa6
Author: Takamasa Takenaka <email address hidden>
Date: Mon Dec 6 18:41:55 2021 -0300

    Use policy_rules for user role assignment and group tabs

    This is ported for debian from:
    https://review.opendev.org/c/starlingx/upstream/+/818259

    This patch is ported from upstream:
    https://review.opendev.org/c/openstack/horizon/+/775014
    https://review.opendev.org/c/openstack/horizon/+/783307

    Test Plan:
    PASS: Create debian package for python-horizon
          Confirm change is applied when package is
          extracted
    PASS: All pass horizon.test.unit.tabs.test_tabs
          unit test

    Closes-Bug: 1951302

    Signed-off-by: Takamasa Takenaka <email address hidden>
    Change-Id: I2ada74d4bce28651f15617d11103252bbf94b65e

Changed in starlingx:
status: In Progress → Fix Released
Ghada Khalil (gkhalil) wrote :

The fix for CentOS is included in stx.6.0 as it was merged before the r/stx.6.0 branch creation.
The fix for Debian is included in stx master only, but is not required in the r/stx.6.0 branch

tags: added: stx.6.0