Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 984525 - horizon: unauthorized errors when user admin tries to add itself to projects as Admin
Summary: horizon: unauthorized errors when user admin tries to add itself to projects ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenStack
Classification: Red Hat
Component: python-django-horizon
Version: unspecified
Hardware: x86_64
OS: Linux
unspecified
high
Target Milestone: Upstream M2
: 4.0
Assignee: Julie Pichon
QA Contact: Nir Magnezi
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-07-15 12:43 UTC by Dafna Ron
Modified: 2015-02-15 22:02 UTC (History)
6 users (show)

Fixed In Version: python-django-horizon-2013.2-0.12b3.el6ost
Doc Type: Bug Fix
Doc Text:
Cause: Keystone was revoking tokens when assigning a role to a user Consequence: The user would get authorisation errors in Horizon and need to reauthenticate Fix: Keystone no longer invalidates unscoped tokens when assigning a new role to a user Result: No impact on user or admin on-going session when being assigned new roles
Clone Of:
Environment:
Last Closed: 2013-12-19 23:54:48 UTC
Target Upstream Version:


Attachments (Terms of Use)
logs (deleted)
2013-07-15 12:43 UTC, Dafna Ron
no flags Details


Links
System ID Priority Status Summary Last Updated
Launchpad 1170186 None None None Never
OpenStack gerrit 34622 None None None Never
Red Hat Product Errata RHEA-2013:1859 normal SHIPPED_LIVE Red Hat Enterprise Linux OpenStack Platform Enhancement Advisory 2013-12-21 00:01:48 UTC

Description Dafna Ron 2013-07-15 12:43:25 UTC
Created attachment 773712 [details]
logs

Description of problem:

I created a new project as user admin and tried to add user admin as admin and a member of the project and the following happens: 

1. if I add two both admin and member authentications, the first try will only modify the member permission. 
2. we get authentication errors on adding the admin permissions and yet we succeed in adding the permissions
3. in horizon, we fail to query the project list with authentication errors and have to logout-> in to see it again. 

Version-Release number of selected component (if applicable):

python-django-horizon-2013.1.2-1.el6ost.noarch

How reproducible:

100%

Steps to Reproduce:
1. login as user admin and create a new project
2. try to add user admin as both admin and user for the project 
3.

Actual results:

1. if I add two both admin and member authentications, the first try will only modify the member permission. 
2. we get authentication errors on adding the admin permissions and yet we succeed in adding the permissions
3. in horizon, we fail to query the project list with authentication errors and have to logout-> in to see it again. 

Expected results:

we should succeed with no errors. 

Additional info: logs


ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)
ESC[31;1mUnauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)ESC[0m
Traceback (most recent call last):
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/dashboards/admin/projects/views.py", line 74, in get_data
    tenants = api.keystone.tenant_list(self.request, admin=True)
  File "/usr/share/openstack-dashboard/openstack_dashboard/wsgi/../../openstack_dashboard/api/keystone.py", line 150, in tenant_list
    return keystoneclient(request, admin=admin).tenants.list()
  File "/usr/lib/python2.6/site-packages/keystoneclient/v2_0/tenants.py", line 116, in list
    tenant_list = self._list("/tenants%s" % query, "tenants")
  File "/usr/lib/python2.6/site-packages/keystoneclient/base.py", line 67, in _list
    resp, body = self.api.get(url)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 408, in get
    return self._cs_request(url, 'GET', **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 404, in _cs_request
    **kwargs)
  File "/usr/lib/python2.6/site-packages/keystoneclient/client.py", line 366, in request
    raise exceptions.from_response(resp, resp.text)
Unauthorized: Unable to communicate with identity service: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Not Authorized"}}. (HTTP 401)

Comment 1 Julie Pichon 2013-07-17 11:24:26 UTC
This is due to a Keystone bug, where the tokens were being too eagerly invalidated. This is fixed in Havana. A backport to grizzly is currently in review.

Comment 4 Nir Magnezi 2013-11-12 08:26:35 UTC
Verified NVR: python-django-horizon-2013.2-3.el6ost.noarch

Followed the steps to reproduce in Comment #0

Result:
=======
1. The user now acts as a tenant admin
2. There were no errors while setting both member and admin permissions to the user named 'admin'
3. Can see the projects list with no errors
4. There were no errors in httpd logs.

Comment 8 errata-xmlrpc 2013-12-19 23:54:48 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHEA-2013-1859.html


Note You need to log in before you can comment on or make changes to this bug.