Copied SRU info to bug description

** Description changed:

+ [Impact]
+ 
  When admin user tries to access project-> compute -> images, if the user
  failed on the identity: get_project policy, user  will get logged out.
  
  code that failed is in
  openstack_dashboard/static/app/core/images/images.module.js
  .tableColumns
  .append(
  
  { id: 'owner', priority: 1, filters:
  [$memoize(keystone.getProjectName)], policies: [
  
  {rules: [['identity', 'identity:get_project']]}
  ]
  })
  
  it didn't happen in default Horizon. In our production cloud
  environment, keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or
  project_id:%(target.project.id)s". If user is not a cloud_admin,  the
  admin user of a project, need to be member of the domain to satisfies
  the rule.
  
  The problem here is the admin user should not get logged out.
  It  is probably caused by horizon/static/framework/framework.module.js
  
    if (error.status === 403) {
       var msg2 = gettext('Forbidden. Redirecting to login');
       handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, 
toastService);
    }
  
  some log info from keystone
  
  19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG 
_cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
  19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy 
_load_policy_file Reloaded policy file: /etc/keystone/policy.json
  19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You 
are not authorized to perform the requested action: identity:get_project.
+ 
+ [Upstream fix description]
+ 
+ Before this change when a 403 error was encountered, such as failure to have 
the permission to perform an operation, the user would get logged out from UI 
pages written in the AngularJS framework. For example, if an admin user lacks 
the get_project permission and tries to access the
+ images page, project->compute->images, the 403 will forcibly log out the user.
+ 
+ This change keeps the user logged in when a 403 error is encountered and
+ displays an error message. The change only affects AngularJS pages.
+ 
+ [Test Case]
+ 
+ * Create a new user without the get_project permission
+ * In the dashboard, access project->compute->images
+ * The user will get logged out
+ 
+ [Regression Potential]
+ 
+ * The patch changes the behavior of the Horizon code in response to a
+ 403 error. The 403 in the original bug report was caused by a missing
+ get_project permission. While unlikely it is possible that this change
+ is incorrect under different error scenarios.
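Review bot: The added [Test Case] section ends at "The user will get logged out", which is only the behaviour before the fix, so it gives a verifier no pass criterion. Add the expected result with the patched package, taken from the [Upstream fix description]: the user stays logged in and an error message is displayed. In [Regression Potential], "different error scenarios" would be more useful if it named what to check, for example that other AngularJS pages returning a 403 now show the error instead of the "Forbidden. Redirecting to login" redirect from framework.module.js.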

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images
