yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1840843] [NEW] user with admin role get's logged out when trying to list images

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Gloria Gu <gfgu@xxxxxxxx>
Date: Tue, 20 Aug 2019 20:45:15 -0000
Reply-to: Bug 1840843 <1840843@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

When admin user tries to access project-> compute -> images, if the user
failed on the identity: get_project policy, user  will get logged out.

code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(

{ id: 'owner', priority: 1, filters:
[$memoize(keystone.getProjectName)], policies: [

{rules: [['identity', 'identity:get_project']]}
]
})

it didn't happen in default Horizon. In our production cloud
environment, keystone policy is "identity:get_project":
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or
project_id:%(target.project.id)s". If user is not a cloud_admin,  the
admin user of a project, need to be member of the domain to satisfies
the rule.

The problem here is the admin user should not get logged out. 
It  is probably caused by horizon/static/framework/framework.module.js 

  if (error.status === 403) {
     var msg2 = gettext('Forbidden. Redirecting to login');
     handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
  }

** Affects: horizon
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840843

Title:
  user with admin role get's logged out when trying to list images

Status in OpenStack Dashboard (Horizon):
  New

Bug description:
  When admin user tries to access project-> compute -> images, if the
  user failed on the identity: get_project policy, user  will get logged
  out.

  code that failed is in
  openstack_dashboard/static/app/core/images/images.module.js
  .tableColumns
  .append(

  { id: 'owner', priority: 1, filters:
  [$memoize(keystone.getProjectName)], policies: [

  {rules: [['identity', 'identity:get_project']]}
  ]
  })

  it didn't happen in default Horizon. In our production cloud
  environment, keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
  or project_id:%(target.project.id)s". If user is not a cloud_admin,
  the admin user of a project, need to be member of the domain to
  satisfies the rule.

  The problem here is the admin user should not get logged out. 
  It  is probably caused by horizon/static/framework/framework.module.js 

    if (error.status === 403) {
       var msg2 = gettext('Forbidden. Redirecting to login');
       handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1840843/+subscriptions

Follow ups

[Bug 1840843] Re: user with admin role get's logged out when trying to list images
From: Vishal Manchanda, 2020-01-31