[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

Mon, 27 Apr 2020 10:21:41 -0700 

** Also affects: cloud-archive
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu Eoan)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu Bionic)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu Groovy)
   Importance: Undecided
       Status: New

** Also affects: horizon (Ubuntu Focal)
   Importance: Undecided
       Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  New
Status in horizon source package in Bionic:
  New
Status in horizon source package in Eoan:
  New
Status in horizon source package in Focal:
  New
Status in horizon source package in Groovy:
  New

Bug description:
  When admin user tries to access project-> compute -> images, if the
  user failed on the identity: get_project policy, user  will get logged
  out.

  code that failed is in
  openstack_dashboard/static/app/core/images/images.module.js
  .tableColumns
  .append(

  { id: 'owner', priority: 1, filters:
  [$memoize(keystone.getProjectName)], policies: [

  {rules: [['identity', 'identity:get_project']]}
  ]
  })

  it didn't happen in default Horizon. In our production cloud
  environment, keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
  or project_id:%(target.project.id)s". If user is not a cloud_admin,
  the admin user of a project, need to be member of the domain to
  satisfies the rule.

  The problem here is the admin user should not get logged out.
  It  is probably caused by horizon/static/framework/framework.module.js

    if (error.status === 403) {
       var msg2 = gettext('Forbidden. Redirecting to login');
       handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, 
toastService);
    }

  some log info from keystone

  19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG 
_cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
  19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy 
_load_policy_file Reloaded policy file: /etc/keystone/policy.json
  19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You 
are not authorized to perform the requested action: identity:get_project.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1840844/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp

Reply via email to