Public bug reported:

When an admin user tries to access project -> compute -> images, if the user fails the identity:get_project policy, the user gets logged out.

The code that failed is in openstack_dashboard/static/app/core/images/images.module.js:

    .tableColumns
    .append({
      id: 'owner',
      priority: 1,
      filters: [$memoize(keystone.getProjectName)],
      policies: [
        {rules: [['identity', 'identity:get_project']]}
      ]
    })

It didn't happen in default Horizon. In our production cloud environment, the keystone policy is

    "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s"

If the user is not a cloud_admin, the admin user of a project needs to be a member of the domain to satisfy the rule.

The problem here is that the admin user should not get logged out. It is probably caused by horizon/static/framework/framework.module.js:

    if (error.status === 403) {
      var msg2 = gettext('Forbidden. Redirecting to login');
      handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
    }

Some log info from keystone:

    19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
    19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
    19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

** Affects: horizon
     Importance: Undecided
     Assignee: Gloria Gu (gloria-gu)
     Status: In Progress

** Changed in: horizon
     Assignee: (unassigned) => Gloria Gu (gloria-gu)

** Description changed:

  When admin user tries to access project-> compute -> images, if the user failed on the identity: get_project policy, user will get logged out.
  code that failed is in openstack_dashboard/static/app/core/images/images.module.js
  .tableColumns
  .append( {
  id: 'owner',
  priority: 1,
  filters: [$memoize(keystone.getProjectName)],
  policies: [
  {rules: [['identity', 'identity:get_project']]}
  ]
  })
  it didn't happen in default Horizon.
  In our production cloud environment, keystone policy is "identity:get_project": "rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or project_id:%(target.project.id)s".
  If user is not a cloud_admin, the admin user of a project, need to be member of the domain to satisfies the rule.
- The problem here is the admin user should not get logged out.
- It is probably caused by horizon/static/framework/framework.module.js
+ The problem here is the admin user should not get logged out.
+ It is probably caused by horizon/static/framework/framework.module.js
- if (error.status === 403) {
- var msg2 = gettext('Forbidden. Redirecting to login');
- handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
- }
+ if (error.status === 403) {
+ var msg2 = gettext('Forbidden. Redirecting to login');
+ handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents, toastService);
+ }
+
+ some log info from keystone
+
+ 19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG _cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
+ 19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy _load_policy_file Reloaded policy file: /etc/keystone/policy.json
+ 19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You are not authorized to perform the requested action: identity:get_project.

** Changed in: horizon
     Status: New => In Progress

** Summary changed:

- user with admin role get's logged out when trying to list images
+ user with admin role gets logged out when trying to list images

--
You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840844

Title:
  user with admin role gets logged out when trying to list images

Status in OpenStack Dashboard (Horizon):
  In Progress
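
Added example, not part of the bug report and not Horizon's code or its fix: a response-error handler that separates 401 (session invalid, re-authenticate) from 403 (policy denied one request, session stays), which is the distinction the report turns on. All function names, the ui facade and the sample URL are assumptions made for the illustration.

```javascript
// Added illustration, not Horizon code. classifyHttpError, makeErrorHandler,
// simulate and the ui object are hypothetical names.

// 401: the session or token is no longer valid, re-authentication is needed.
// 403: the session is valid, but a policy check denied this one request.
function classifyHttpError(status) {
  if (status === 401) { return 'reauthenticate'; }
  if (status === 403) { return 'deny'; }
  return 'passthrough';
}

// Build a response-error handler around a small UI facade.
function makeErrorHandler(ui) {
  const alreadyReported = new Set(); // one toast per denied URL
  return function onResponseError(error) {
    const action = classifyHttpError(error.status);
    const url = (error.config && error.config.url) || '(unknown URL)';
    if (action === 'reauthenticate') {
      ui.toast('error', 'Unauthorized. Redirecting to login');
      ui.redirectToLogin();
    } else if (action === 'deny' && !alreadyReported.has(url)) {
      // A per-row lookup (such as the owner column) can fail once per row;
      // report it once and leave the session alone.
      alreadyReported.add(url);
      ui.toast('warning', 'Forbidden: ' + url);
    }
    return action;
  };
}

// Feed constructed error responses through the handler and record the effects.
function simulate(errors) {
  const seen = { toasts: [], redirects: 0, actions: [] };
  const handle = makeErrorHandler({
    toast: (level, msg) => seen.toasts.push(level + ': ' + msg),
    redirectToLogin: () => { seen.redirects += 1; }
  });
  seen.actions = errors.map(handle);
  return seen;
}

// Constructed sample: two rows owned by the same project, both denied by policy.
const sample = [
  { status: 403, config: { url: '/api/keystone/projects/PROJECT_ID' } },
  { status: 403, config: { url: '/api/keystone/projects/PROJECT_ID' } }
];
console.log(simulate(sample));
```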