Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock

Please unblock package horizon

[ Reason ]
This upload fixes 2 problems. Let me explain.

1/ Don't load user role assignment or groups tabs for non-admins

OpenStack manages access rights to its API through "roles". A list of roles can be assigned to a user. These operations (ie: role assignments) can be performed by any user with the admin role. It is possible to manage user roles with Horizon. Unfortunately, the role assignment tabs were also displayed for non-admins, which isn't great (a newbie would click and see some error messages, that's not a very nice user experience...). So I added to the Horizon package the patch from upstream, which they are also in the process of backporting:
https://review.opendev.org/c/openstack/horizon/+/783547

2/ Do not do boot-from-volume by default when launching instances

With the current default in Horizon, launching a new VM is done using the "boot from volume" option of OpenStack. In our opinion, this isn't a nice default, which can complicate things for newbies, so it's much nicer to get the default set to False, which is what the 2nd patch is doing.

[ Impact ]
Clearly, these 2 patches are just some last-minute polishing of the package, but I think it's nice to have them.

[ Tests ]
Upstream runs extensive functional testing with Selenium, upstream unit tests are run at build time in the Debian package, and we also are running the modified version of the package in a production public cloud, so we're good regarding tests. :)

[ Risks ]
This is a very minimal risk change, which is only changing defaults and fixing display.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock horizon/18.6.2-5
diff -Nru horizon-18.6.2/debian/changelog horizon-18.6.2/debian/changelog --- horizon-18.6.2/debian/changelog 2021-06-29 14:53:41.000000000 +0200 +++ horizon-18.6.2/debian/changelog 2021-07-14 11:19:22.000000000 +0200 @@ -1,3 +1,11 @@ +horizon (3:18.6.2-5) unstable; urgency=medium + + * Add patches: + - Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch + - do-not-create-volume-by-default-when-launching-instance.patch + + -- Thomas Goirand <z...@debian.org> Wed, 14 Jul 2021 11:19:22 +0200 + horizon (3:18.6.2-4) unstable; urgency=medium * Do not use an enable folder in /etc, as this marks all files from plugins diff -Nru horizon-18.6.2/debian/patches/do-not-create-volume-by-default-when-launching-instance.patch horizon-18.6.2/debian/patches/do-not-create-volume-by-default-when-launching-instance.patch --- horizon-18.6.2/debian/patches/do-not-create-volume-by-default-when-launching-instance.patch 1970-01-01 01:00:00.000000000 +0100 +++ horizon-18.6.2/debian/patches/do-not-create-volume-by-default-when-launching-instance.patch 2021-07-14 11:19:22.000000000 +0200 
@@ -0,0 +1,19 @@ +Description: Do not create volume by default when launching instance + By default, Horizon creates a volume and wants users to boot from it, which is + not what a user should do by default. This patch restors sanity in the default + behavior. +Author: Thomas Goirand <z...@debian.org> +Forwarded: no +Last-Update: 2021-07-14 + +--- horizon-18.6.2.orig/openstack_dashboard/defaults.py ++++ horizon-18.6.2/openstack_dashboard/defaults.py +@@ -251,7 +251,7 @@ LAUNCH_INSTANCE_NG_ENABLED = True + # properties found in the Launch Instance modal. + LAUNCH_INSTANCE_DEFAULTS = { + 'config_drive': False, +- 'create_volume': True, ++ 'create_volume': False, + 'hide_create_volume': False, + 'disable_image': False, + 'disable_instance_snapshot': False, diff -Nru horizon-18.6.2/debian/patches/Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch horizon-18.6.2/debian/patches/Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch --- horizon-18.6.2/debian/patches/Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch 1970-01-01 01:00:00.000000000 +0100 +++ horizon-18.6.2/debian/patches/Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch 2021-07-14 11:19:22.000000000 +0200 
@@ -0,0 +1,45 @@ +Description: Don't load user role assignment or groups tabs for non-admins + As a non admin user, navigate to Identity -> Users. Then click on the + username of your user to go to the detail page. + . + Only the allowed Overview tab is visible. + . + The view shows three tabs: Overview, Role assignments, Groups. Click on + either Role assignments or Groups. An error will appear, showing that + the API call is unauthorised, and the table content will fail to load. + . + This change fixes the issue by conditionally loading the tabs based on + policy. +Author: Mark Goddard <m...@stackhpc.com> +Date: Fri, 19 Mar 2021 15:05:31 +0000 +Closes-Bug: #1920214 +Change-Id: Ic8b723e6fd423b96a4f5eff54f9392cee534ed9e +Origin: upstream, https://review.opendev.org/c/openstack/horizon/+/783547 +Last-Update: 2021-07-14 + +diff --git a/openstack_dashboard/dashboards/identity/users/tabs.py b/openstack_dashboard/dashboards/identity/users/tabs.py +index 30bcd0a..fe8fa3b 100644 +--- a/openstack_dashboard/dashboards/identity/users/tabs.py ++++ b/openstack_dashboard/dashboards/identity/users/tabs.py +@@ -90,6 +90,10 @@ + template_name = "horizon/common/_detail_table.html" + preload = False + ++ def allowed(self, request): ++ return policy.check((("identity", "identity:list_role_assignments"),), ++ self.request) ++ + def get_roleassignmentstable_data(self): + user = self.tab_group.kwargs['user'] + +@@ -136,6 +140,10 @@ + template_name = "horizon/common/_detail_table.html" + preload = False + ++ def allowed(self, request): ++ return policy.check((("identity", "identity:list_groups"),), ++ self.request) ++ + def get_groupstable_data(self): + user_groups = [] + user = self.tab_group.kwargs['user'] diff -Nru horizon-18.6.2/debian/patches/series horizon-18.6.2/debian/patches/series --- horizon-18.6.2/debian/patches/series 2021-06-29 14:53:41.000000000 +0200 +++ horizon-18.6.2/debian/patches/series 2021-07-14 11:19:22.000000000 +0200 
@@ -1,2 +1,4 @@ fixed-horizon-MANIFEST.in.patch fix-manage.py-sheebang.patch +Dont_load_user_role_assignment_or_groups_tabs_for_non-admins.patch +do-not-create-volume-by-default-when-launching-instance.patch
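Review bot: the 'create_volume': False line in LAUNCH_INSTANCE_DEFAULTS (defaults.py, @@ -251) changes a shipped default, so any deployment that relies on the default rather than setting the key will launch instances differently after the upgrade, and the new d/changelog entry only lists the two patch file names. Add a changelog line saying that the Launch Instance default for create_volume goes from True to False, so operators who want the old behaviour know to set it explicitly. The patch header is marked "Forwarded: no"; if the default is considered wrong in general, forwarding it would avoid carrying the delta. The Description also has a typo, "restors".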
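Review bot: in the tabs.py hunk at @@ -90, the new allowed(self, request) never uses its request parameter and passes self.request to policy.check instead. Passing the argument, as in policy.check((("identity", "identity:list_role_assignments"),), request), keeps the method from depending on instance state and makes it clear which request the policy decision is made for. The same applies to the allowed() added at @@ -136.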
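Review bot: the tabs.py hunk at @@ -136 calls policy.check, as does the one at @@ -90, but no hunk in this file adds an import, so the patch only works if tabs.py already imports policy in 18.6.2; please confirm that against the unpatched file. The diff also carries no test change for either allowed() method, so a unit test that asserts the Role assignments and Groups tabs are absent when identity:list_role_assignments and identity:list_groups are denied would guard against regressions. Hiding the tabs is a display fix only: per the patch description the API already rejects the calls, and that server-side check remains the actual access control.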