20:04:18 #startmeeting horizon 20:04:19 Meeting started Wed Aug 9 20:04:18 2017 UTC and is due to finish in 60 minutes. The chair is robcresswell. Information about MeetBot at http://wiki.debian.org/MeetBot. 20:04:20 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote. 20:04:22 The meeting name has been set to 'horizon' 20:04:28 ohai 20:04:34 o/ 20:04:37 o/ 20:04:39 o/ 20:04:41 o/ 20:04:42 o/ 20:04:48 These 9PM meetings -.- Sorry again for lateness. 20:04:53 o/ 20:04:57 hi 20:05:05 robcresswell: 11 pm:) 20:05:13 e0ne: You win 20:05:22 Right, so, lets get started 20:05:32 #topic Notices 20:05:44 #info RC1 tagging day is tomorrow 20:06:09 do we have a list what should be merged before RC1? 20:06:25 there's a handful of bugs targeted at RC1 20:06:26 or do we want to have merged 20:06:42 * robcresswell gets link 20:07:02 #link https://launchpad.net/horizon/+milestone/pike-rc1 20:07:13 robcresswell: thanks 20:08:03 If anyone has any last minute items, please ping me so we can get things merged 20:08:15 We've an empty agenda again, so can move to open discussion 20:08:22 #topic Open Discussion 20:08:38 I've got one bug to discuss 20:08:49 #link https://bugs.launchpad.net/horizon/+bug/1709077 20:08:50 Launchpad bug 1709077 in OpenStack Dashboard (Horizon) "Login bug when changing from admin project to private project" [Undecided,In progress] - Assigned to Ivan Kolodyazhny (e0ne) 20:09:15 e0ne: ah yes, I'll dig out the relevant IRC log too 20:09:29 robcresswell: oh, thanks 20:09:37 I forgot to prepare that link:( 20:09:59 e0ne: Feel free to explain the bug to others while I'm looking :) 20:10:16 #link https://review.openstack.org/#/c/491479/ 20:10:54 #link http://eavesdrop.openstack.org/irclogs/%23openstack-horizon/%23openstack-horizon.2017-08-07.log.html#t2017-08-07T12:45:06 20:10:55 so the issue is: we can't always redirect to 'next_url' if NotAuthorized exception is raised 20:11:29 e.g. you're switching from tenantA with admin role to tenantB with member role only 20:11:49 in such case, you'll be always redirected to the login page:( 20:12:14 as a workaroind - you can remove 'next_url' param from the browser URL line 20:13:02 my proposal is to redirect to WEBROOT page if user was asked to re-login after NotAuthorized is raised 20:13:10 but it's not an ideal UX :( 20:13:35 can't we somehow distinguish between "logged out" and "no access"? 20:13:58 rdopiera: we already do it 20:14:21 no access means NotAuthorized is rised 20:14:35 I thought the login panel will show something like you are not authorized to access that page? 20:14:36 logged out - NotAuthenticeded 20:14:38 If you look at my comment at 13:01 in that log, that explains the two cases where this happens 20:14:52 ying_zuo: you're right 20:15:03 in that case, why are we sending the user to the login page on NotAuthorized in the first place? 20:15:43 rdopiera: Because it's more useful than a blank page, making them log out and back in 20:16:02 rdopiera: good question. I thinks we're suggesting to re-login with a different user/role in a such way 20:16:13 robcresswell: +1 20:16:14 how about we have a generic "not authorized" page that has a link to the login page and a link back? 20:16:55 that's one more click for case 1), sure 20:17:05 but at least avoids confusion 20:17:25 and we can have a cute horizon project mascot image on it 20:17:33 :) 20:18:38 I think we can just redirect the user. it's little weird to show a link on log in page.. 20:19:00 but more seriously it would have an explicit message, something like "You are currently logged in as XXX and don't have the access to this page. You can either navigate away or login as a different user _here_." 20:19:31 basically an error handler page 20:19:46 the current message is: "Unauthorized. Please try logging in again." 20:20:01 rdopiera: did you see my patch? 20:20:12 maybe just provide more information? 20:20:28 e0ne: I did not 20:20:42 rdopiera: here is it https://review.openstack.org/#/c/491479/ 20:20:45 e0ne: I have now 20:21:01 indicating the user doesn't have permission to access the panel 20:21:41 I think that web servers have solved this problem years ago with error pages, and that we should do something similar 20:21:42 ying_zuo, rdopiera: the issue is not only in 'explicit error message' 20:21:48 ying_zuo: The problem is just how much "automatic" action you want to have. At the moment, we assume if they don't have auth, they want to login as a correct user 20:22:13 The problem is, in some cases, you get a double login 20:22:17 ying_zuo, rdopiera: what if you re-login with the same user? 20:22:27 e0ne: I think it is -- the whole confusion comes from the fact that you are redirecting the user, instead of making him stay on that page, but display an error message 20:23:00 e0ne: then you still see the error page with the link to the login screen, and you can still navigate away from it (all the menus are visible, etc.) 20:23:38 rdopiera: it will show user some admin-only links and menus. I don't think that's acceptable 20:23:49 e0ne: why would it? 20:24:21 Maybe its more a problem with missing policy 20:24:25 e0ne: the menus don't show you links to which you don't have access 20:24:28 rdopiera: you switched from admin to user on a /admin/ page 20:24:59 e0ne: the menus are rendered by the same code on all pages 20:25:12 e0ne: you see the same thing no matter on what page you are 20:25:18 rdopiera: ok, so it shouldn't be an issue 20:26:03 just the content of the page would be replaced with the message 20:26:58 rdopiera: I like this idea 20:27:13 rdopiera: it could be done early in Queens only 20:29:17 So... 20:30:43 okay... I think this should work 20:30:57 People might complain about the missing redirect though 20:31:21 If you hit an admin url, like a saved link or something, I guess its just a couple of extra clicks 20:32:09 e0ne: Are you able to put up a PoC? 20:32:27 rdopiera: yes, I can do it by EoD tomorrow 20:32:42 e0ne: Okay it doesn't need to be *that* fast haha 20:32:47 But sure, sounds good 20:33:01 robcresswell: but since it requires a new message we can't merge it in a Pike 20:33:28 robcresswell: it affects our customer, so I want to finish it asap 20:33:37 we could just have a doge head instead of text ;) 20:33:50 e0ne: Yeah. I'm not sure what we could do as a smaller fix for RC1. 20:33:58 rdopiera: :) 20:34:33 maybe we have a message that we could repurpose somewhere already? 20:35:15 we should have something like simple "no access" somewhere, I'd wager 20:35:48 The other option is to do add some logic to the url handling. 20:36:06 robcresswell: what do you mean? 20:36:39 redirect will always be surprising, whether it's to the login page or webroot 20:37:02 e0ne: Just thinking aloud about solutions 20:37:31 rdopiera: for note: I proposed redirect to the webroot after re-login only 20:38:02 424:msgid "You are not authorized to access %s" 20:38:13 427:msgid "You do not have permission to access the resource:" 20:38:30 we have such two strings 20:38:36 I think one of them could be used 20:38:57 rdopiera: cool. what about something like 'please, try to re-login with different permissions' 20:39:09 e0ne: we can add that in the next release 20:39:22 rdopiera: :) 20:39:24 e0ne: with a link to login page that includes the next_url 20:39:49 so that when you do login, you get back to that page 20:40:53 rdopiera: works for me, but it's half of the fix only without link to the login page:( 20:41:20 let me look for a suitable message for the login link 20:41:42 230:"Login as different user or go back to home page" 20:41:46 how about this? 20:41:58 haha 20:42:15 rdopiera: great! 20:42:56 not perfect, as there is no room for the link in the message 20:43:08 but we can add a link with just "Login" after it 20:43:39 rdopiera: +1 20:43:43 and in the next release, the "login as different user" part would be al ink 20:43:46 a link 20:46:29 Right, sounds like we have a plan forward 20:46:33 robcresswell: are you ok with this plan? 20:47:13 e0ne: I think so. Ill so my brains a little fuzzy right now. 20:47:25 rdopiera is generally sensible and he approves 20:48:01 robcresswell, rdopiera: great, thanks for the help! 20:48:03 e0ne: Put up a PoC and we'll take a look 20:48:05 :D 20:48:17 Any other points to raise? Any bugs / patches / bps are welcome 20:48:17 e0ne: ping me if you need any help with that 20:48:23 the Denver PTG schedule has a M/Tu Horizon room listed, but nothing in the lower list for wed/th, is the expectation that any Horizon meetups will occur M/Tu? https://docs.google.com/spreadsheets/u/1/d/1xmOdT6uZ5XqViActr5sBOaz_mEgjKSCY7NEWcAEcT-A/pubhtml?gid=397241312&single=true 20:48:26 e0ne: I think django has a mechanism for doing error pages 20:48:30 you forgot 'put up poc and ping us' ;) 20:49:12 from the schedule link at https://www.openstack.org/ptg/#tab_schedule 20:49:21 rdopiera: it has. I hope it will be easy to implement 20:50:47 jeremy_moffitt: Yeah, Horizon is Mon/ Tue 20:51:04 jeremy_moffitt: I complained about that last time, but nothing changed :) 20:51:12 cool, couple of us just got travel approval, will book accordingly, thanks! 20:51:31 maybe someone can confirm this bug? #link https://bugs.launchpad.net/horizon/+bug/1709693 20:51:33 Launchpad bug 1709693 in OpenStack Dashboard (Horizon) "Cannot create network in the admin/networks panel without creating a subnet" [Undecided,New] 20:51:52 jeremy_moffitt: Awesome! 20:52:07 The planning etherpad is https://etherpad.openstack.org/p/horizon-ptg-queens 20:52:18 Its also in the Horizon room topic if you need it 20:52:24 lucasxu: Looking 20:52:38 thanks! 20:56:59 lucasxu: Confirmed 20:57:07 great :) 20:57:11 lucasxu: seems like there's a problem when the physical network and segmentation id are hidden 20:57:35 it works if you select a type with those two fields visible like vlan 20:57:45 ying_zuo, right, was going to ping you since you had a patch related to this before. 20:57:56 hmm, what if I just need a "local"? 20:58:05 sounds good 20:58:54 We're about at the hour 20:59:03 we'll see, i don't have a good solution yet 20:59:08 but thanks guys. 20:59:17 ying_zuo, lucasxu: Could you two discuss in the horizon room if you have chance? I dont want to cut you off 20:59:26 sure, thanks 20:59:42 Thanks everyone 20:59:53 see you next week 20:59:59 #endmeeting