yahoo-eng-team team mailing list archive

[Bug 1840844] Re: user with admin role gets logged out when trying to list images


Reviewed:  https://review.opendev.org/677580
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Submitter: Zuul
Branch:    master

commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Author: Gloria Gu <gfgu@xxxxxxxx>
Date:   Tue Aug 20 15:45:22 2019 -0700

    Avoid forced logout when 403 error encountered
    
    Before this change when a 403 error was encountered, such as failure to
    have the permission to perform an operation, the user would get logged
    out from UI pages written in the AngularJS framework. For example, if an
    admin user lacks the get_project permission and tries to access the
    images page, project->compute->images, the 403 will forcibly log out
    the user.
    
    This change keeps the user logged in when a 403 error is encountered and
    displays an error message. The change only affects AngularJS pages.
    
    Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
    Closes-bug: #1840844


** Changed in: horizon
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images

Status in OpenStack Dashboard (Horizon):
  Fix Released

Bug description:
  When an admin user tries to access project -> compute -> images, if the
  user failed on the identity:get_project policy, the user will get logged
  out.

  The code that failed is in
  openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [{rules: [['identity', 'identity:get_project']]}]
    })

  It didn't happen in default Horizon. In our production cloud
  environment, the keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
  or project_id:%(target.project.id)s". If the user is not a cloud_admin,
  the admin user of a project needs to be a member of the domain to
  satisfy the rule.

  The problem here is the admin user should not get logged out.
  It is probably caused by horizon/static/framework/framework.module.js:

    if (error.status === 403) {
      var msg2 = gettext('Forbidden. Redirecting to login');
      handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

  Some log info from keystone:

  19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
  19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
  19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1840844/+subscriptions
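
The behaviour change described in the commit message above, as an added example that is not Horizon's code: a 403 (authenticated but not permitted) is reported without ending the session, while a 401 still forces a new login. Assumptions: the session stand-in, the helper names, the request URLs, the 401 branch and the post-fix message text are constructed; only the 'Forbidden. Redirecting to login' string comes from the bug report.

```javascript
// Stand-in for $window and toastService so the handlers run under plain Node.
function makeSession() {
  return { loggedIn: true, toasts: [] };
}

// Hypothetical helper: show a message, then end the session and go to login.
function redirectToLogin(session, msg) {
  session.toasts.push(msg);
  session.loggedIn = false;
}

// Before the fix, as described in the bug: 403 is handled like a dead session.
function handleErrorBefore(error, session) {
  if (error.status === 401) {
    redirectToLogin(session, 'Unauthorized. Redirecting to login'); // assumed branch
  }
  if (error.status === 403) {
    redirectToLogin(session, 'Forbidden. Redirecting to login'); // quoted in the bug
  }
}

// After the fix, as the commit message describes: report 403, keep the session.
function handleErrorAfter(error, session) {
  if (error.status === 401) {
    redirectToLogin(session, 'Unauthorized. Redirecting to login'); // assumed branch
  } else if (error.status === 403) {
    session.toasts.push('Forbidden. You do not have permission for this operation.'); // constructed text
  }
}

// Constructed responses for one load of the images page: the image list succeeds,
// the project-name lookup behind the 'owner' column is denied by keystone policy.
const IMAGES_PAGE_RESPONSES = [
  { url: '/api/glance/images/', status: 200 },
  { url: '/api/keystone/projects/PROJECT_ID', status: 403 }
];

// Replays responses through a handler and reports the resulting session state.
function replay(handler, responses) {
  const session = makeSession();
  for (const r of responses) {
    if (r.status >= 400 && session.loggedIn) handler(r, session);
  }
  return session;
}

console.log('before:', replay(handleErrorBefore, IMAGES_PAGE_RESPONSES));
console.log('after: ', replay(handleErrorAfter, IMAGES_PAGE_RESPONSES));
```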

