Bug 984525 - horizon: unauthorized errors when user admin tries to add itself to projects as Admin
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: Upstream M2
: 4.0
Assignee: Julie Pichon
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2013-07-15 12:43 UTC by Dafna Ron
Modified: 2015-02-15 22:02 UTC (History)

Fixed In Version: python-django-horizon-2013.2-0.12b3.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: Keystone was revoking tokens when assigning a role to a user
Consequence: The user would get authorisation errors in Horizon and need to reauthenticate
Fix: Keystone no longer invalidates unscoped tokens when assigning a new role to a user
Result: No impact on user or admin on-going session when being assigned new roles
Clone Of:
Environment:
Last Closed: 2013-12-19 23:54:48 UTC
Target Upstream Version:
Embargoed:


Attachments
logs (3.98 KB, application/x-gzip)
2013-07-15 12:43 UTC, Dafna Ron


Links
System ID Private Priority Status Summary Last Updated
Launchpad 1170186 0 None None None Never
OpenStack gerrit 34622 0 None None None Never
Red Hat Product Errata RHEA-2013:1859 0 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory 2013-12-21 00:01:48 UTC

Description Dafna Ron 2013-07-15 12:43:25 UTC
Created attachment 773712 [details]
logs

Description of problem:

I created a new project as user admin and tried to add user admin as admin and a member of the project and the following happens: 

1. If I add both admin and member authentications, the first try will only modify the member permission.
2. We get authentication errors on adding the admin permissions and yet we succeed in adding the permissions.
3. In Horizon, we fail to query the project list with authentication errors and have to log out -> in to see it again.

Version-Release number of selected component (if applicable):

python-django-horizon-2013.1.2-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. Log in as user admin and create a new project
2. Try to add user admin as both admin and user for the project

Actual results:

1. If I add both admin and member authentications, the first try will only modify the member permission.
2. We get authentication errors on adding the admin permissions and yet we succeed in adding the permissions.
3. In Horizon, we fail to query the project list with authentication errors and have to log out -> in to see it again.

Expected results:

We should succeed with no errors.

Additional info: logs


Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

Comment 1 Julie Pichon 2013-07-17 11:24:26 UTC
This is due to a Keystone bug, where the tokens were being too eagerly invalidated. This is fixed in Havana. A backport to grizzly is currently in review.
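
Added example, not part of the original comment and not Keystone or Horizon code: a simplified model of the eager token invalidation described in the Doc Text, showing why the admin's dashboard session starts returning 401 after a role grant and why it survives once unscoped tokens are left alone. The class, the function, the project names and the user "demo" are constructed; how scoped tokens are treated is an assumption of this model.

```python
import secrets


class TokenStore:
    """Toy identity-service token table (constructed model, not Keystone code)."""

    def __init__(self, revoke_unscoped_on_grant):
        # True: eager invalidation as reported. False: behaviour after the fix.
        self.revoke_unscoped_on_grant = revoke_unscoped_on_grant
        self.tokens = {}          # token id -> (user, project); None = unscoped
        self.assignments = set()  # (user, project, role)

    def issue(self, user, project=None):
        token = secrets.token_hex(8)
        self.tokens[token] = (user, project)
        return token

    def grant_role(self, user, project, role):
        self.assignments.add((user, project, role))
        for token, (owner, scope) in list(self.tokens.items()):
            if owner != user:
                continue  # other users' tokens are never touched
            if scope is None:
                revoke = self.revoke_unscoped_on_grant
            else:
                # Model assumption: eager mode drops all of the user's scoped
                # tokens; fixed mode drops only those for the changed project.
                revoke = self.revoke_unscoped_on_grant or scope == project
            if revoke:
                del self.tokens[token]

    def status(self, token):
        """HTTP status an API call made with this token would receive."""
        return 200 if token in self.tokens else 401


def replay(revoke_unscoped_on_grant):
    """Replay the reported steps and return the status seen by each token."""
    store = TokenStore(revoke_unscoped_on_grant)
    session = store.issue("admin")                      # unscoped session token
    other = store.issue("admin", "existing-project")    # scoped elsewhere
    bystander = store.issue("demo")                     # a different user
    for role in ("Member", "admin"):
        store.grant_role("admin", "new-project", role)
    return {
        "session": store.status(session),
        "other_project": store.status(other),
        "bystander": store.status(bystander),
        "roles_granted": len(store.assignments),
    }
```

In eager mode both roles are recorded but the session token is gone, which matches the report of permissions being added while the project list fails until the next login.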

Comment 4 Nir Magnezi 2013-11-12 08:26:35 UTC
Verified NVR: python-django-horizon-2013.2-3.el6ost.noarch

Followed the steps to reproduce in Comment #0

Result:
=======
1. The user now acts as a tenant admin
2. There were no errors while setting both member and admin permissions to the user named 'admin'
3. Can see the projects list with no errors
4. There were no errors in httpd logs.

Comment 8 errata-xmlrpc 2013-12-19 23:54:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html

