Horizon error- Suggest better handling when non-admin user navigates to Users - Role Assignments (and Groups) tabs
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
StarlingX | Fix Released | Low | Takamasa Takenaka | | |
Bug Description
Brief Description
-----------------
Suggest better handling in Horizon navigation to the Role Assignments or Groups tab when the user does not have the admin role.
Horizon displays the following error:
Error: Unauthorized. Please try logging in again.
Severity
-----------------
Standard
Steps to Reproduce
-----------------
1. Create a new role eg. not-admin (or alternatively use one of the existing roles that is not the admin role)
$ openstack role create not-admin
$ openstack role list
b. openstack user create --password "1001" --project "admin" tenant12
c. openstack role add --user "tenant12" --project "admin" <role eg. member or creator or not-admin>
2. Confirm the new user 'tenant12' is created
openstack user list --long
...
0a35288f59db4c5
e114c82de1b840e
69c1cf10d95d4a6
3. Confirm the role that the user has been assigned eg. tenant12 role is member
$ openstack role assignment list --name
Role | User | Group | Project | Domain | System | Inherited
---|---|---|---|---|---|---
admin | admin@Default | | admin@Default | | | False
... | | | | | |
creator | tenant11@Default | | admin@Default | | | False
member | tenant12@Default | | admin@Default | | | False
4. Log into Horizon as user tenant12 with valid password
5. Navigate to the Identity - Users panel
Click on the User name to see the Overview tab (user details)
Select the "Role assignments" tab to navigate to it. (or alternatively the Groups tab)
Expected Behavior
-----------------
Suggest either the tab should not be visible if the user is unauthorized
(or allow the user to view only but not allow Users actions such as Change Password, Disable User, Delete User)
Actual Behavior
-----------------
The following error pops up
Error: Unauthorized. Please try logging in again.
Horizon.log reports the following horizon.exceptions
2021-11-04 20:33:24,640 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/share/
include_names=True)
File "/usr/share/
manager = keystoneclient(
File "/usr/share/
raise exceptions.
NotAuthorized
2021-11-04 20:33:24,641 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/lib/
tab._data = tab.get_
File "/usr/lib/
self.load_
File "/usr/lib/
table.data = data_func()
File "/usr/share/
_("Unable to display the role assignments of this user."))
File "/usr/lib/
log_method, log_entry, log_level)
File "/usr/lib/
raise NotAuthorized
NotAuthorized
2021-11-04 20:33:24,641 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/lib/
context[
File "/usr/lib/
exceptions.
File "/usr/lib/
log_method, log_entry, log_level)
File "/usr/lib/
raise NotAuthorized
NotAuthorized
2021-11-04 20:34:48,054 [ERROR] openstack_
2021-11-04 20:34:48,055 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/share/
user_groups = api.keystone.
File "/usr/share/
manager = keystoneclient(
File "/usr/share/
raise exceptions.
NotAuthorized
2021-11-04 20:34:48,055 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/lib/
tab._data = tab.get_
File "/usr/lib/
self.load_
File "/usr/lib/
table.data = data_func()
File "/usr/share/
_("Unable to display the groups of this user."))
File "/usr/lib/
log_method, log_entry, log_level)
File "/usr/lib/
raise NotAuthorized
NotAuthorized
2021-11-04 20:34:48,056 [ERROR] horizon.exceptions: Unauthorized:
Traceback (most recent call last):
File "/usr/lib/
context[
File "/usr/lib/
exceptions.
File "/usr/lib/
log_method, log_entry, log_level)
File "/usr/lib/
raise NotAuthorized
NotAuthorized
Reproducibility
-----------------
State if the issue is 100% reproducible, intermittent or seen once. If it is intermittent, state the frequency of occurrence
System Configuration
-----------------
standard (any)
Branch/Pull Time/Commit
-----------------
2021-11-01_00-00-08
Last Pass
-----------------
Did this test scenario pass previously? If so, please indicate the load/pull time info of the last pass.
Use this section to also indicate if this is a new test scenario.
Timestamp/Logs
-----------------
see horizon.log above
Test Activity
-----------------
Feature Testing for story/2009284, but not directly to this feature.
Changed in starlingx:
importance: Undecided → Low
tags: added: stx.gui
Changed in starlingx:
importance: Low → Medium
tags: added: stx.6.0
tags: removed: stx.6.0
Changed in starlingx:
importance: Medium → Low
The Identity-User tab is implemented in: openstack_dashboard/dashboards/identity/users/tabs.py
git/horizon/
RoleAssignmentsTab()
GroupsTab()
These tabs have the parent "TableTab", whose parent is "Tab".
The Tab class has the function "def allowed(self, request):", which makes the tab invisible if it returns "False".
But the current implementation always returns "True".
By using this "allowed" method, we can control tab visibility.
In upstream, it is implemented as policy_rules:
1. Introduce policy_rules
https://review.opendev.org/c/openstack/horizon/+/775014
2. Set policy for identity
https://review.opendev.org/c/openstack/horizon/+/783307
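The tab-visibility check described in the comment above, as an added stand-alone Python model; it is not Horizon's or StarlingX's code and does not import Horizon. The `Request` object, the `SAMPLE_POLICY` table, the `backend_list` helper and the two Keystone rule names attached to the tabs are assumptions made for illustration.

```python
from collections import namedtuple

# Constructed stand-ins (not Horizon code): policy table and request object.
SAMPLE_POLICY = {"identity:list_role_assignments": {"admin"},
                 "identity:list_groups_for_user": {"admin"}}
Request = namedtuple("Request", "roles")  # hypothetical: roles of the viewer

class NotAuthorized(Exception):
    """Raised by the backend stand-in when policy denies the call."""

def policy_check(rules, request):
    """True only if every (service, rule) is granted; unknown rules are denied."""
    return all(request.roles & SAMPLE_POLICY.get(rule, set()) for _svc, rule in rules)

def backend_list(rule, request):
    """Stand-in for the Keystone call, which enforces the policy on its side."""
    if not policy_check((("identity", rule),), request):
        raise NotAuthorized(rule)
    return ["row"]

class Tab:
    name, policy_rules = "", None
    def allowed(self, request):
        return True  # behaviour described in the comment: tab is always shown

class PolicyTab(Tab):
    def allowed(self, request):  # show the tab only if its policy_rules pass
        return not self.policy_rules or policy_check(self.policy_rules, request)

def make_tabs(base):
    """Build overview / role-assignment / group tabs on the given base class."""
    tabs = []
    for name, rule in [("overview", None),
                       ("roleassignments", "identity:list_role_assignments"),
                       ("groups", "identity:list_groups_for_user")]:
        rules = (("identity", rule),) if rule else None
        load = lambda self, req, r=rule: backend_list(r, req) if r else ["details"]
        tabs.append(type(name, (base,), {"name": name, "policy_rules": rules, "load": load}))
    return tabs

def render(tab_classes, request):
    """Return ({tab name: rows}, [error strings]) for one page view."""
    shown, errors = {}, []
    for tab in (cls() for cls in tab_classes):
        if tab.allowed(request):  # a hidden tab makes no backend call at all
            try:
                shown[tab.name] = tab.load(request)
            except NotAuthorized as exc:
                errors.append("Unauthorized: %s" % exc)
    return shown, errors
```

In both variants the backend stand-in still rejects the call, so hiding the tab changes what the user sees, not what the user is permitted to read.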