20:04:18 <robcresswell> #startmeeting horizon
20:04:19 <openstack> Meeting started Wed Aug  9 20:04:18 2017 UTC and is due to finish in 60 minutes.  The chair is robcresswell. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:04:20 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:04:22 <openstack> The meeting name has been set to 'horizon'
20:04:28 <robcresswell> ohai
20:04:34 <jeremy_moffitt> o/
20:04:37 <gary-smith> o/
20:04:39 <lucasxu> o/
20:04:41 <ying_zuo> o/
20:04:42 <rdopiera> o/
20:04:48 <robcresswell> These 9PM meetings -.- Sorry again for lateness.
20:04:53 <jgravel> o/
20:04:57 <e0ne> hi
20:05:05 <e0ne> robcresswell: 11 pm:)
20:05:13 <robcresswell> e0ne: You win
20:05:22 <robcresswell> Right, so, lets get started
20:05:32 <robcresswell> #topic Notices
20:05:44 <robcresswell> #info RC1 tagging day is tomorrow
20:06:09 <e0ne> do we have a list what should be merged before RC1?
20:06:25 <robcresswell> there's a handful of bugs targeted at RC1
20:06:26 <e0ne> or do we want to have merged
20:06:42 * robcresswell gets link
20:07:02 <robcresswell> #link https://launchpad.net/horizon/+milestone/pike-rc1
20:07:13 <e0ne> robcresswell: thanks
20:08:03 <robcresswell> If anyone has any last minute items, please ping me so we can get things merged
20:08:15 <robcresswell> We've an empty agenda again, so can move to open discussion
20:08:22 <robcresswell> #topic Open Discussion
20:08:38 <e0ne> I've got one bug  to discuss
20:08:49 <e0ne> #link https://bugs.launchpad.net/horizon/+bug/1709077
20:08:50 <openstack> Launchpad bug 1709077 in OpenStack Dashboard (Horizon) "Login bug when changing from admin project to private project" [Undecided,In progress] - Assigned to Ivan Kolodyazhny (e0ne)
20:09:15 <robcresswell> e0ne: ah yes, I'll dig out the relevant IRC log too
20:09:29 <e0ne> robcresswell: oh, thanks
20:09:37 <e0ne> I forgot to prepare that link:(
20:09:59 <robcresswell> e0ne: Feel free to explain the bug to others while I'm looking :)
20:10:16 <e0ne> #link https://review.openstack.org/#/c/491479/
20:10:54 <robcresswell> #link http://eavesdrop.openstack.org/irclogs/%23openstack-horizon/%23openstack-horizon.2017-08-07.log.html#t2017-08-07T12:45:06
20:10:55 <e0ne> so the issue is: we can't always redirect  to 'next_url' if NotAuthorized exception is raised
20:11:29 <e0ne> e.g. you're switching from tenantA with admin role to tenantB with member role only
20:11:49 <e0ne> in such case, you'll be always redirected to the login page:(
20:12:14 <e0ne> as a workaroind - you can remove 'next_url' param from the browser URL line
20:13:02 <e0ne> my proposal is to redirect to WEBROOT page  if user was asked to re-login after NotAuthorized is raised
20:13:10 <e0ne> but it's not an ideal UX :(
20:13:35 <rdopiera> can't we somehow distinguish between "logged out" and "no access"?
20:13:58 <e0ne> rdopiera: we already do it
20:14:21 <e0ne> no access means NotAuthorized is rised
20:14:35 <ying_zuo> I thought the login panel will show something like you are not authorized to access that page?
20:14:36 <e0ne> logged out - NotAuthenticeded
20:14:38 <robcresswell> If you look at my comment at 13:01 in that log, that explains the two cases where this happens
20:14:52 <e0ne> ying_zuo: you're right
20:15:03 <rdopiera> in that case, why are we sending the user to the login page on NotAuthorized in the first place?
20:15:43 <robcresswell> rdopiera: Because it's more useful than a blank page, making them log out and back in
20:16:02 <e0ne> rdopiera: good question. I thinks we're suggesting to re-login with a different user/role in a such way
20:16:13 <e0ne> robcresswell: +1
20:16:14 <rdopiera> how about we have a generic "not authorized" page that has a link to the login page and a link back?
20:16:55 <rdopiera> that's one more click for case 1), sure
20:17:05 <rdopiera> but at least avoids confusion
20:17:25 <rdopiera> and we can have a cute horizon project mascot image on it
20:17:33 <e0ne> :)
20:18:38 <ying_zuo> I think we can just redirect the user. it's little weird to show a link on log in page..
20:19:00 <rdopiera> but more seriously it would have an explicit message, something like "You are currently logged in as XXX and don't have the access to this page. You can either navigate away or login as a different user _here_."
20:19:31 <rdopiera> basically an error handler page
20:19:46 <e0ne> the current message is: "Unauthorized. Please try logging in again."
20:20:01 <e0ne> rdopiera: did you see my patch?
20:20:12 <ying_zuo> maybe just provide more information?
20:20:28 <rdopiera> e0ne: I did not
20:20:42 <e0ne> rdopiera: here is it https://review.openstack.org/#/c/491479/
20:20:45 <rdopiera> e0ne: I have now
20:21:01 <ying_zuo> indicating the user doesn't have permission to access the panel
20:21:41 <rdopiera> I think that web servers have solved this problem years ago with error pages, and that we should do something similar
20:21:42 <e0ne> ying_zuo, rdopiera: the issue is not only in 'explicit error message'
20:21:48 <robcresswell> ying_zuo: The problem is just how much "automatic" action you want to have. At the moment, we assume if they don't have auth, they want to login as a correct user
20:22:13 <robcresswell> The problem is, in some cases, you get a double login
20:22:17 <e0ne> ying_zuo, rdopiera: what if you re-login with the same user?
20:22:27 <rdopiera> e0ne: I think it is -- the whole confusion comes from the fact that you are redirecting the user, instead of making him stay on that page, but display an error message
20:23:00 <rdopiera> e0ne: then you still see the error page with the link to the login screen, and you can still navigate away from it (all the menus are visible, etc.)
20:23:38 <e0ne> rdopiera: it will show user some admin-only links and menus. I don't think that's acceptable
20:23:49 <rdopiera> e0ne: why would it?
20:24:21 <robcresswell> Maybe its more a problem with missing policy
20:24:25 <rdopiera> e0ne: the menus don't show you links to which you don't have access
20:24:28 <e0ne> rdopiera: you switched from admin to user on a /admin/ page
20:24:59 <rdopiera> e0ne: the menus are rendered by the same code on all pages
20:25:12 <rdopiera> e0ne: you see the same thing no matter on what page you are
20:25:18 <e0ne> rdopiera: ok, so it shouldn't be an issue
20:26:03 <rdopiera> just the content of the page would be replaced with the message
20:26:58 <e0ne> rdopiera: I like this idea
20:27:13 <e0ne> rdopiera: it could be done early in Queens only
20:29:17 <robcresswell> So...
20:30:43 <robcresswell> okay... I think this should work
20:30:57 <robcresswell> People might complain about the missing redirect though
20:31:21 <robcresswell> If you hit an admin url, like a saved link or something, I guess its just a couple of extra clicks
20:32:09 <robcresswell> e0ne: Are you able to put up a PoC?
20:32:27 <e0ne> rdopiera: yes, I can do it by EoD tomorrow
20:32:42 <robcresswell> e0ne: Okay it doesn't need to be *that* fast haha
20:32:47 <robcresswell> But sure, sounds good
20:33:01 <e0ne> robcresswell: but since it requires a new message we can't merge it in a Pike
20:33:28 <e0ne> robcresswell: it affects our customer, so I want to finish it asap
20:33:37 <rdopiera> we could just have a doge head instead of text ;)
20:33:50 <robcresswell> e0ne: Yeah. I'm not sure what we could do as a smaller fix for RC1.
20:33:58 <e0ne> rdopiera: :)
20:34:33 <rdopiera> maybe we have a message that we could repurpose somewhere already?
20:35:15 <rdopiera> we should have something like simple "no access" somewhere, I'd wager
20:35:48 <robcresswell> The other option is to do add some logic to the url handling.
20:36:06 <e0ne> robcresswell: what do you mean?
20:36:39 <rdopiera> redirect will always be surprising, whether it's to the login page or webroot
20:37:02 <robcresswell> e0ne: Just thinking aloud about solutions
20:37:31 <e0ne> rdopiera: for note: I proposed redirect to the webroot after re-login only
20:38:02 <rdopiera> 424:msgid "You are not authorized to access %s"
20:38:13 <rdopiera> 427:msgid "You do not have permission to access the resource:"
20:38:30 <rdopiera> we have such two strings
20:38:36 <rdopiera> I think one of them could be used
20:38:57 <e0ne> rdopiera: cool. what about something like 'please, try to re-login with different permissions'
20:39:09 <rdopiera> e0ne: we can add that in the next release
20:39:22 <e0ne> rdopiera: :)
20:39:24 <rdopiera> e0ne: with a link to login page that includes the next_url
20:39:49 <rdopiera> so that when you do login, you get back to that page
20:40:53 <e0ne> rdopiera: works for me, but it's half of the fix only without link to the login page:(
20:41:20 <rdopiera> let me look for a suitable message for the login link
20:41:42 <rdopiera> 230:"Login as different user or go back to <a href=\"%(home_url)s\">home page</a>"
20:41:46 <rdopiera> how about this?
20:41:58 <robcresswell> haha
20:42:15 <e0ne> rdopiera: great!
20:42:56 <rdopiera> not perfect, as there is no room for the link in the message
20:43:08 <rdopiera> but we can add a link with just "Login" after it
20:43:39 <e0ne> rdopiera: +1
20:43:43 <rdopiera> and in the next release, the "login as different user" part would be al ink
20:43:46 <rdopiera> a link
20:46:29 <robcresswell> Right, sounds like we have a plan forward
20:46:33 <e0ne> robcresswell: are you ok with this plan?
20:47:13 <robcresswell> e0ne: I think so. Ill so my brains a little fuzzy right now.
20:47:25 <robcresswell> rdopiera is generally sensible and he approves
20:48:01 <e0ne> robcresswell, rdopiera: great, thanks for the help!
20:48:03 <robcresswell> e0ne: Put up a PoC and we'll take a look
20:48:05 <robcresswell> :D
20:48:17 <robcresswell> Any other points to raise? Any bugs / patches / bps are welcome
20:48:17 <rdopiera> e0ne: ping me if you need any help with that
20:48:23 <jeremy_moffitt> the Denver PTG schedule has a M/Tu Horizon room listed, but nothing in the lower list for wed/th, is the expectation that any Horizon meetups will occur M/Tu? https://docs.google.com/spreadsheets/u/1/d/1xmOdT6uZ5XqViActr5sBOaz_mEgjKSCY7NEWcAEcT-A/pubhtml?gid=397241312&single=true
20:48:26 <rdopiera> e0ne: I think django has a mechanism for doing error pages
20:48:30 <e0ne> you forgot 'put up poc and ping us' ;)
20:49:12 <jeremy_moffitt> from the schedule link at https://www.openstack.org/ptg/#tab_schedule
20:49:21 <e0ne> rdopiera: it has. I hope it will be easy to implement
20:50:47 <robcresswell> jeremy_moffitt: Yeah, Horizon is Mon/ Tue
20:51:04 <robcresswell> jeremy_moffitt: I complained about that last time, but nothing changed :)
20:51:12 <jeremy_moffitt> cool, couple of us just got travel approval, will book accordingly, thanks!
20:51:31 <lucasxu> maybe someone can confirm this bug? #link https://bugs.launchpad.net/horizon/+bug/1709693
20:51:33 <openstack> Launchpad bug 1709693 in OpenStack Dashboard (Horizon) "Cannot create network in the admin/networks panel without creating a subnet" [Undecided,New]
20:51:52 <robcresswell> jeremy_moffitt: Awesome!
20:52:07 <robcresswell> The planning etherpad is https://etherpad.openstack.org/p/horizon-ptg-queens
20:52:18 <robcresswell> Its also in the Horizon room topic if you need it
20:52:24 <robcresswell> lucasxu: Looking
20:52:38 <lucasxu> thanks!
20:56:59 <robcresswell> lucasxu: Confirmed
20:57:07 <lucasxu> great :)
20:57:11 <ying_zuo> lucasxu: seems like there's a problem when the physical network and segmentation id are hidden
20:57:35 <ying_zuo> it works if you select a type with those two fields visible like vlan
20:57:45 <lucasxu> ying_zuo, right, was going to ping you since you had a patch related to this before.
20:57:56 <lucasxu> hmm, what if I just need a "local"?
20:58:05 <ying_zuo> sounds good
20:58:54 <robcresswell> We're about at the hour
20:59:03 <lucasxu> we'll see, i don't have a good solution yet
20:59:08 <lucasxu> but thanks guys.
20:59:17 <robcresswell> ying_zuo, lucasxu: Could you two discuss in the horizon room if you have chance? I dont want to cut you off
20:59:26 <lucasxu> sure, thanks
20:59:42 <robcresswell> Thanks everyone
20:59:53 <e0ne> see you next week
20:59:59 <robcresswell> #endmeeting