yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1842930] Re: Deleted user still can delete volumes in Horizon

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Morgan Fainberg <morgan.fainberg@xxxxxxxxx>
Date: Mon, 23 Sep 2019 17:26:12 -0000
Reply-to: Bug 1842930 <1842930@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Added Keystonemiddleware and documentation tags. Marked as "medium"
importance as it requires documentation changes but is not
critical/RC/otherwise impacting. Clear communication of expected
behavior is important and should be found in Horizon and
Keystonemiddleware's documentation.

I am marking invalid for Keystone itself as keystone will invalidate
it's internal cache (barring cases such as in-memory [not production
quality] dict-base cache).


** Tags added: documentation

** Also affects: keystonemiddleware
   Importance: Undecided
       Status: New

** Changed in: keystone
       Status: New => Confirmed

** Changed in: keystonemiddleware
       Status: New => Triaged

** Changed in: keystone
       Status: Confirmed => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Changed in: keystonemiddleware
   Importance: Undecided => Medium

** Changed in: keystone
       Status: Triaged => Invalid

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1842930

Title:
  Deleted user still can delete volumes in Horizon

Status in OpenStack Dashboard (Horizon):
  Confirmed
Status in OpenStack Identity (keystone):
  Invalid
Status in keystonemiddleware:
  Triaged
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  ==Problem==
  User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.

  ==Steps to reproduce==
  Install OpenStack following official docs for Stein.
  Login as admin to (Horizon) in one browser.
  Create a user with role 'member' and assign it to a project.
  Open another browser and login as created user.
  As admin user delete created user from "first" browser.
  Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.

  ==Expected result==
  User session in current browser is closed after user is deleted in another browser.
  I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).

  ==Environment==
  OpenStack Stein
  rpm -qa | grep -i stein
  centos-release-openstack-stein-1-1.el7.centos.noarch

  cat /etc/redhat-release
  CentOS Linux release 7.6.1810 (Core)

   rpm -qa | grep -i horizon
  python2-django-horizon-15.1.0-1.el7.noarch

  rpm -qa | grep -i dashboard
  openstack-dashboard-15.1.0-1.el7.noarch
  openstack-dashboard-theme-15.1.0-1.el7.noarch

To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1842930/+subscriptions