[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

2020-07-02 Thread Corey Bryant
This bug was fixed in the package horizon - 3:13.0.2-0ubuntu3~cloud0
---

 horizon (3:13.0.2-0ubuntu3~cloud0) xenial-queens; urgency=medium
 .
   * New update for the Ubuntu Cloud Archive.
 .
 horizon (3:13.0.2-0ubuntu3) bionic; urgency=medium
 .
   * d/p/Avoid_forced_logout_when_403_error_encountered.patch:
 Cherry-picked from upstream stable/queens to prevent forced logout when
 403 forbidden encountered, such as when access not allowed by policy
 (LP: #1840844).


** Changed in: cloud-archive/queens
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive queens series:
  Fix Released
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Bionic:
  Fix Released
Status in horizon source package in Eoan:
  Fix Released
Status in horizon source package in Focal:
  Fix Released
Status in horizon source package in Groovy:
  Fix Released

Bug description:
  [Impact]

  When an admin user tries to access project -> compute -> images, if the
  user fails the identity:get_project policy, the user will get logged
  out.

  The code that failed is in
  openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [{rules: [['identity', 'identity:get_project']]}]
    })

  It didn't happen in default Horizon. In our production cloud
  environment, the keystone policy is "identity:get_project":
  "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
  or project_id:%(target.project.id)s". If the user is not a cloud_admin,
  the admin user of a project needs to be a member of the domain to
  satisfy the rule.

  The problem here is the admin user should not get logged out.
  It is probably caused by horizon/static/framework/framework.module.js:

    if (error.status === 403) {
      var msg2 = gettext('Forbidden. Redirecting to login');
      handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

  some log info from keystone

  19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
  19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
  19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

  [Upstream fix description]

  Before this change when a 403 error was encountered, such as failure
  to have the permission to perform an operation, the user would get
  logged out from UI pages written in the AngularJS framework. For
  example, if an admin user lacks the get_project permission and tries
  to access the images page, project->compute->images, the 403 will
  forcibly log out the user.

  This change keeps the user logged in when a 403 error is encountered
  and displays an error message. The change only affects AngularJS
  pages.

  [Test Case]

  * Create a new user without the get_project permission
  * In the dashboard, access project->compute->images
  * The user will get logged out

  [Regression Potential]

  * The patch changes the behavior of the Horizon code in response to a
  403 error. The 403 in the original bug report was caused by a missing
  get_project permission. While unlikely it is possible that this change
  is incorrect under different error scenarios.

To manage notifications about this bug go to:
https://bugs.launchpad.net/cloud-archive/+bug/1840844/+subscriptions

-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
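
The behaviour reported above next to the behaviour the fix describes, as an added example that is not Horizon's code and not part of the original messages. All function names, the session object, the URLs, the `/login` path and the toast messages other than the quoted 'Forbidden. Redirecting to login' are constructed for illustration; the 401 branch assumes only the general HTTP meaning of 401 (request not authenticated).

```javascript
// Added illustration, not Horizon's code; every name here is hypothetical.

// Stand-in for browser session state plus the toast service.
function newSession() {
  return { loggedIn: true, path: '/project/images', toasts: [] };
}

function redirectToLogin(session, msg) {
  session.toasts.push(msg);
  session.loggedIn = false;
  session.path = '/login';
}

// Behaviour described in the bug report: a 403 is handled like a dead session.
function handleErrorBefore(session, error) {
  if (error.status === 401) {
    redirectToLogin(session, 'Not authenticated. Redirecting to login');
  } else if (error.status === 403) {
    redirectToLogin(session, 'Forbidden. Redirecting to login');
  }
}

// Behaviour described for the fix: a 403 shows an error and the session is kept.
// A 401 still ends the session, because the credentials are no longer valid.
function handleErrorAfter(session, error) {
  if (error.status === 401) {
    redirectToLogin(session, 'Not authenticated. Redirecting to login');
  } else if (error.status === 403) {
    session.toasts.push('Forbidden: ' + (error.action || 'denied by policy'));
  }
}

// Constructed responses for one load of project->compute->images:
// the image list succeeds, the owner-name lookup is denied by policy.
const SAMPLE_RESPONSES = [
  { url: '/example/images', status: 200 },
  { url: '/example/projects/p1', status: 403, action: 'identity:get_project' },
];

// Replay the responses through a handler and return the final session.
function replay(handler, responses) {
  const session = newSession();
  for (const r of responses) {
    if (!session.loggedIn) break; // the page is gone after a redirect
    if (r.status >= 400) handler(session, r);
  }
  return session;
}

const before = replay(handleErrorBefore, SAMPLE_RESPONSES);
const after = replay(handleErrorAfter, SAMPLE_RESPONSES);
console.log('before fix:', before.loggedIn, before.path);
console.log('after fix: ', after.loggedIn, after.path, after.toasts);
```
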


[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

2020-07-02 Thread Launchpad Bug Tracker
This bug was fixed in the package horizon - 3:13.0.2-0ubuntu3

---
horizon (3:13.0.2-0ubuntu3) bionic; urgency=medium

  * d/p/Avoid_forced_logout_when_403_error_encountered.patch:
Cherry-picked from upstream stable/queens to prevent forced logout when
403 forbidden encountered, such as when access not allowed by policy
(LP: #1840844).

 -- Nicolas Bock   Mon, 27 Apr 2020 17:29:24
+

** Changed in: horizon (Ubuntu Bionic)
   Status: Fix Committed => Fix Released

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive queens series:
  Fix Committed
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Bionic:
  Fix Released
Status in horizon source package in Eoan:
  Fix Released
Status in horizon source package in Focal:
  Fix Released
Status in horizon source package in Groovy:
  Fix Released



[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

2020-04-27 Thread Corey Bryant
** Changed in: horizon (Ubuntu Groovy)
   Status: New => Fix Released

** Changed in: horizon (Ubuntu Eoan)
   Status: New => Fix Released

** Changed in: horizon (Ubuntu Bionic)
   Status: New => Triaged

** Changed in: horizon (Ubuntu Focal)
   Status: New => Fix Released

** Also affects: cloud-archive/queens
   Importance: Undecided
   Status: New

** Changed in: cloud-archive/queens
   Status: New => Triaged

** Changed in: cloud-archive
   Status: New => Fix Released

Status in Ubuntu Cloud Archive:
  Fix Released
Status in Ubuntu Cloud Archive queens series:
  Triaged
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  Fix Released
Status in horizon source package in Bionic:
  Triaged
Status in horizon source package in Eoan:
  Fix Released
Status in horizon source package in Focal:
  Fix Released
Status in horizon source package in Groovy:
  Fix Released



[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

2020-04-27 Thread Jorge Niedbalski
** Also affects: cloud-archive
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu)
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu Eoan)
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu Bionic)
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu Groovy)
   Importance: Undecided
   Status: New

** Also affects: horizon (Ubuntu Focal)
   Importance: Undecided
   Status: New

Status in Ubuntu Cloud Archive:
  New
Status in OpenStack Dashboard (Horizon):
  Fix Released
Status in horizon package in Ubuntu:
  New
Status in horizon source package in Bionic:
  New
Status in horizon source package in Eoan:
  New
Status in horizon source package in Focal:
  New
Status in horizon source package in Groovy:
  New



[Yahoo-eng-team] [Bug 1840844] Re: user with admin role gets logged out when trying to list images

2019-09-03 Thread OpenStack Infra
Reviewed:  https://review.opendev.org/677580
Committed: https://git.openstack.org/cgit/openstack/horizon/commit/?id=ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Submitter: Zuul
Branch:    master

commit ab0e96df9506fb6f1783e0ee79b63934dabe0cbe
Author: Gloria Gu 
Date:   Tue Aug 20 15:45:22 2019 -0700

Avoid forced logout when 403 error encountered

Before this change when a 403 error was encountered, such as failure to
have the permission to perform an operation, the user would get logged
out from UI pages written in the AngularJS framework. For example, if an
admin user lacks the get_project permission and tries to access the
images page, project->compute->images, the 403 will forcibly log out
the user.

This change keeps the user logged in when a 403 error is encountered and
displays an error message. The change only affects AngularJS pages.

Change-Id: I10a6eeb96dd1418449e1d15b1a3869cd4de9cafa
Closes-bug: #1840844


** Changed in: horizon
   Status: In Progress => Fix Released

Status in OpenStack Dashboard (Horizon):
  Fix Released
