Bug 984525 - horizon: unauthorized errors when user admin tries to add itself to projects as Admin
horizon: unauthorized errors when user admin tries to add itself to projects ...
Status: CLOSED ERRATA
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon (Show other bugs)
unspecified
x86_64 Linux
unspecified Severity high
: Upstream M2
: 4.0
Assigned To: Julie Pichon
Nir Magnezi
: Triaged
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2013-07-15 08:43 EDT by Dafna Ron
Modified: 2015-02-15 17:02 EST (History)
6 users (show)

See Also:
Fixed In Version: python-django-horizon-2013.2-0.12b3.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: Keystone was revoking tokens when assigning a role to a user Consequence: The user would get authorisation errors in Horizon and need to reauthenticate Fix: Keystone no longer invalidates unscoped tokens when assigning a new role to a user Result: No impact on user or admin on-going session when being assigned new roles
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-12-19 18:54:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
logs (3.98 KB, application/x-gzip)
2013-07-15 08:43 EDT, Dafna Ron
no flags Details


External Trackers
Tracker ID Priority Status Summary Last Updated
Launchpad 1170186 None None None Never
OpenStack gerrit 34622 None None None Never
Red Hat Product Errata RHEA-2013:1859 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory 2013-12-20 19:01:48 EST

  None (edit)
Description Dafna Ron 2013-07-15 08:43:25 EDT
Created attachment 773712 [details]
logs

Description of problem:

I created a new project as user admin and tried to add user admin as admin and a member of the project and the following happens: 

1. if I add two both admin and member authentications, the first try will only modify the member permission. 
2. we get authentication errors on adding the admin permissions and yet we succeed in adding the permissions
3. in horizon, we fail to query the project list with authentication errors and have to logout-> in to see it again. 

Version-Release number of selected component (if applicable):

python-django-horizon-2013.1.2-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. login as user admin and create a new project
2. try to add user admin as both admin and user for the project 
3.

Actual results:

1. if I add two both admin and member authentications, the first try will only modify the member permission. 
2. we get authentication errors on adding the admin permissions and yet we succeed in adding the permissions
3. in horizon, we fail to query the project list with authentication errors and have to logout-> in to see it again. 

Expected results:

we should succeed with no errors. 

Additional info: logs


ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Comment 1 Julie Pichon 2013-07-17 07:24:26 EDT
This is due to a Keystone bug, where the tokens were being too eagerly invalidated. This is fixed in Havana. A backport to grizzly is currently in review.
Comment 4 Nir Magnezi 2013-11-12 03:26:35 EST
Verified NVR: python-django-horizon-2013.2-3.el6ost.noarch

Followed the steps to reproduce in Comment #0

Result:
=======
1. The user now acts as a tenant admin
2. There were no errors while setting both member and admin permissions to the user named 'admin'
3. Can see the projects list with no errors
4. There were no errors in httpd logs.
Comment 8 errata-xmlrpc 2013-12-19 18:54:48 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

Note You need to log in before you can comment on or make changes to this bug.