Public bug reported:
When admin user tries to access project-> compute -> images, if the user
failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters:
[$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud
environment, keystone policy is "identity:get_project":
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or
project_id:%(target.project.id)s". If user is not a cloud_admin, the
admin user of a project, need to be member of the domain to satisfies
the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents,
toastService);
}
some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG
_cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy
_load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You
are not authorized to perform the requested action: identity:get_project.
** Affects: horizon
Importance: Undecided
Assignee: Gloria Gu (gloria-gu)
Status: In Progress
** Changed in: horizon
Assignee: (unassigned) => Gloria Gu (gloria-gu)
** Description changed:
When admin user tries to access project-> compute -> images, if the user
failed on the identity: get_project policy, user will get logged out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters:
[$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud
environment, keystone policy is "identity:get_project":
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id or
project_id:%(target.project.id)s". If user is not a cloud_admin, the
admin user of a project, need to be member of the domain to satisfies
the rule.
- The problem here is the admin user should not get logged out.
- It is probably caused by horizon/static/framework/framework.module.js
+ The problem here is the admin user should not get logged out.
+ It is probably caused by horizon/static/framework/framework.module.js
- if (error.status === 403) {
- var msg2 = gettext('Forbidden. Redirecting to login');
- handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents,
toastService);
- }
+ if (error.status === 403) {
+ var msg2 = gettext('Forbidden. Redirecting to login');
+ handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents,
toastService);
+ }
+
+ some log info from keystone
+
+ 19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG
_cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
+ 19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy
_load_policy_file Reloaded policy file: /etc/keystone/policy.json
+ 19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You
are not authorized to perform the requested action: identity:get_project.
** Changed in: horizon
Status: New => In Progress
** Summary changed:
- user with admin role get's logged out when trying to list images
+ user with admin role gets logged out when trying to list images
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Dashboard (Horizon).
https://bugs.launchpad.net/bugs/1840844
Title:
user with admin role gets logged out when trying to list images
Status in OpenStack Dashboard (Horizon):
In Progress
Bug description:
When admin user tries to access project-> compute -> images, if the
user failed on the identity: get_project policy, user will get logged
out.
code that failed is in
openstack_dashboard/static/app/core/images/images.module.js
.tableColumns
.append(
{ id: 'owner', priority: 1, filters:
[$memoize(keystone.getProjectName)], policies: [
{rules: [['identity', 'identity:get_project']]}
]
})
it didn't happen in default Horizon. In our production cloud
environment, keystone policy is "identity:get_project":
"rule:cloud_admin or rule:admin_and_matching_target_project_domain_id
or project_id:%(target.project.id)s". If user is not a cloud_admin,
the admin user of a project, need to be member of the domain to
satisfies the rule.
The problem here is the admin user should not get logged out.
It is probably caused by horizon/static/framework/framework.module.js
if (error.status === 403) {
var msg2 = gettext('Forbidden. Redirecting to login');
handleRedirectMessage(msg2, $rootScope, $window, frameworkEvents,
toastService);
}
some log info from keystone
19389 (oslo_policy._cache_handler): 2019-08-20 02:07:25,856 DEBUG
_cache_handler read_cached_file Reloading cached file /etc/keystone/policy.json
19389 (oslo_policy.policy): 2019-08-20 02:07:26,010 DEBUG policy
_load_policy_file Reloaded policy file: /etc/keystone/policy.json
19389 (keystone.common.wsgi): 2019-08-20 02:07:26,019 WARNING wsgi _call_ You
are not authorized to perform the requested action: identity:get_project.
To manage notifications about this bug go to:
https://bugs.launchpad.net/horizon/+bug/1840844/+subscriptions
--
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help : https://help.launchpad.net/ListHelp
