OpenStack Dashboard (Horizon)

User logged out when transitioning to a project with non-admin role

Bug #1678204 reported by Shawn Johnson
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Dashboard (Horizon)
Confirmed
Medium
Ivan Kolodyazhny
OpenStack Dashboard (Horizon) rocky-2

Bug Description

When a user is viewing the admin overview tab of project A: If she switches to project B for which she is not an admin, she is logged out and given an "Unauthorized. Please try logging in again" error. Due to the "next" argument in the url, the user must also modify the browser url before she is able to log back in.

To replicate:

Create project A where the user is a member and admin.
Create project B where the user is a member.
Log into project A and view the Admin->System->Overview tab.
Switch to project B.

Other admin tabs affected differently. For example, switching projects from the Admin->System->Hypervisors tab will show the page template with no data.

I would expect any /admin/ url, for which a user is not an admin, to redirect to Project->Compute->Overview.

Revision history for this message
Akihiro Motoki (amotoki) wrote :

we received a similar feedback several time. I think it is time to revisit the current behavior.
If a log-in form is displayed, many users feel they need to log-in again even though there is a message that you can click the link shown to go back to the project page (or something).

Changed in horizon:
status: New → Confirmed
Revision history for this message
Akihiro Motoki (amotoki) wrote :

I also see more tricky behavior.

Assume user A has admin role for project X and member role for project Y.
When I opened Admin -> Network (for example) with Project X and then switched the project to project Y.
I was kicked out to the login form with a message "Unauthorized. Please try logging in again."
I tried to log-in with user A (of course I used a correct password), but I got the same message again "Unauthorized. Please try logging in again."

According to the horizon log, I got the unauthorized exception from tenant_list().

Unauthorized:
Traceback (most recent call last):
  File "/opt/stack/horizon/openstack_dashboard/dashboards/admin/networks/views.py", line 56, in _get_tenant_list
    tenants, has_more = api.keystone.tenant_list(self.request)
  File "/opt/stack/horizon/openstack_dashboard/api/keystone.py", line 352, in tenant_list
    manager = VERSIONS.get_project_manager(request, admin=admin)
  File "/opt/stack/horizon/openstack_dashboard/api/keystone.py", line 61, in get_project_manager
    manager = keystoneclient(*args, **kwargs).projects
  File "/opt/stack/horizon/openstack_dashboard/api/keystone.py", line 170, in keystoneclient
    raise exceptions.NotAuthorized
NotAuthorized

The URL is http://sheep6:8000/auth/login/?next=/admin/networks/ and I think the dashboard tried to open the admin dashboard again.

I am afraid that the current behavior of horizon potentially has a problem that a user cannot login forever without changing the URL explicitly if the user has both admin for one project and member for another project.

Changed in horizon:
importance: Undecided → High
milestone: none → pike-2
OpenStack Infra (hudson-openstack)
Changed in horizon:
assignee: nobody → xujun (yamajik)
status: Confirmed → In Progress
Rob Cresswell (robcresswell-deactivatedaccount)
Changed in horizon:
milestone: pike-2 → pike-3
Rob Cresswell (robcresswell-deactivatedaccount)
Changed in horizon:
milestone: pike-3 → queens-1
Ying Zuo (yingzuo)
Changed in horizon:
status: In Progress → New
assignee: xujun (yamajik) → nobody
Ying Zuo (yingzuo)
Changed in horizon:
milestone: queens-1 → queens-2
Revision history for this message
Ivan Kolodyazhny (e0ne) wrote :

Is it a duplicate of https://bugs.launchpad.net/horizon/+bug/1709077?

Revision history for this message
Ivan Kolodyazhny (e0ne) wrote :

This
"Other admin tabs affected differently. For example, switching projects from the Admin->System->Hypervisors tab will show the page template with no data.

I would expect any /admin/ url, for which a user is not an admin, to redirect to Project->Compute->Overview."

is not fixed in the scope of #1709077. So it's a bit different issue

Changed in horizon:
assignee: nobody → Ivan Kolodyazhny (e0ne)
status: New → Confirmed
Revision history for this message
Ying Zuo (yingzuo) wrote :

The main issue has been fixed, so I am setting a lower priority for this.

Changed in horizon:
importance: High → Medium
Ying Zuo (yingzuo)
Changed in horizon:
milestone: queens-2 → queens-3
Ying Zuo (yingzuo)
Changed in horizon:
milestone: queens-3 → queens-rc1
Ying Zuo (yingzuo)
Changed in horizon:
milestone: queens-rc1 → queens-rc2
Ying Zuo (yingzuo)
Changed in horizon:
milestone: queens-rc2 → rocky-1
Akihiro Motoki (amotoki)
Changed in horizon:
milestone: rocky-1 → rocky-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on horizon (master)

Change abandoned by Ivan Kolodyazhny (<email address hidden>) on branch: master
Review: https://review.openstack.org/465811
Reason: This review is > 4 months without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.