#openstack-meeting-3 log

20:00:34 <ying_zuo> #startmeeting horizon
20:00:35 <openstack> Meeting started Wed Aug 30 20:00:34 2017 UTC and is due to finish in 60 minutes.  The chair is ying_zuo. Information about MeetBot at http://wiki.debian.org/MeetBot.
20:00:36 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
20:00:39 <openstack> The meeting name has been set to 'horizon'
20:00:44 <ying_zuo> Hi everyone o/
20:00:50 <e0ne> hi
20:01:04 <david-lyle> o/
20:01:09 <robcresswell> o/
20:01:21 <rdopiera> o/
20:02:18 <ying_zuo> #topic Announcements
20:02:24 <ying_zuo> #info OpenStack Pike is available now!
20:02:29 <ying_zuo> #link https://www.openstack.org/software/pike/
20:02:37 <ying_zuo> Thanks everyone for your contribution in making this release successful!
20:02:53 <robcresswell> #o/
20:02:57 <e0ne> my congratulations!
20:03:00 <robcresswell> \o/ *
20:03:16 <ying_zuo> \o/
20:03:27 <ying_zuo> #info Schedule for PTG
20:03:32 <ying_zuo> #link https://etherpad.openstack.org/p/horizon-ptg-queens
20:03:43 <ying_zuo> Feel free to comment or add more topics in the open discussion time slots.
20:04:09 <ying_zuo> #info Bug report guidelines
20:04:15 <ying_zuo> #link https://bugs.launchpad.net/horizon/+filebug
20:04:21 <e0ne> ying_zuo: is it final schedule?
20:04:31 <ying_zuo> not really
20:04:51 <ying_zuo> are you planning to add changes?
20:05:35 <ying_zuo> you can add more topics in the open discussion time slots
20:06:04 <e0ne> ying_zuo: not yet. I'm trying to manage my schedule to resolve conflicts and participate in pagination discussion
20:06:05 <ying_zuo> there's a time slot for it each day
20:07:15 <ying_zuo> what time will work for you?
20:08:48 <ying_zuo> can you let me know in #openstack-horizon?
20:09:16 <e0ne> ying_zuo: before the noon on Monday or Tuesday will be great for me
20:09:34 <e0ne> ying_zuo: but I don't really want to change schedule if only me is interested in it
20:10:12 <e0ne> ying_zuo: I mean all day Tuesday
20:10:16 <ying_zuo> I will move it to Tuesday then
20:10:40 <ying_zuo> unless there's other objection...
20:11:30 <e0ne> ying_zuo: thank you. I apprciate it
20:11:40 <ying_zuo> np
20:12:01 <ying_zuo> going back to the bug report guidelines topic...
20:12:13 <ying_zuo> You will notice the report guidelines when you try to open a bug report now. Thanks robcresswell
20:12:26 <ying_zuo> This is to make sure the bug report has the important information and it will help both developers and reviewers.
20:12:56 <ying_zuo> #topic Open Discussion
20:14:07 <e0ne> I hope, my question will be fast enough
20:14:36 <e0ne> myself with rdopiera found that some admin pages could be open by non-admin users: http://paste.openstack.org/show/619772/
20:15:38 <e0ne> what is expected behaviour for /admin/ paged? should render some data for non-admin users or raise NotAuthorized error?
20:15:44 <ying_zuo> do they show admin information?
20:16:02 <e0ne> ying_zuo: no
20:16:03 <david-lyle> identity pages are designed to open based on roles and policy, the test is not admin or not
20:16:05 <rdopiera> they just show messages that they failed to get the information
20:16:20 <david-lyle> is this via going to the URL directly?
20:16:26 <rdopiera> yeah
20:16:34 <david-lyle> shrug
20:16:38 <david-lyle> :)
20:16:38 <rdopiera> I was trying to test the new "not authorized" page
20:16:40 <e0ne> ying_zuo: but sometimes (e.g. hypervisors) it shows almost empty page with error messages like 'can't retrieve data'
20:16:43 <rdopiera> and stumbled upon that
20:17:01 <e0ne> for note: it's reproducible on a current master
20:17:02 <ying_zuo> but that's because the users try to hack the pages
20:17:27 <rdopiera> ying_zuo: or they just changed the user to one that doesn't have the permission
20:17:43 <e0ne> I prefer to show some error and do not try to render such pages
20:17:53 <rdopiera> ying_zuo: which is the reason for working on the not authorized page in the first place
20:18:06 <ying_zuo> rdopiera: what do you mean?
20:18:37 <e0ne> ying_zuo: we're talking about this patch https://review.openstack.org/491479
20:18:37 <ying_zuo> how can they change the user?
20:18:40 <rdopiera> ying_zuo: you can switch domains or other things, and suddenly not have the permission to see the page on which you are currently
20:18:41 <david-lyle> so I'm guessing old policy files
20:19:15 <david-lyle> https://github.com/openstack/horizon/blob/master/openstack_dashboard/dashboards/admin/hypervisors/panel.py#L24
20:19:26 <david-lyle> that policy rule is relatively new
20:19:31 <ying_zuo> I see. so they can do actions that they are not supposed to
20:19:32 <rdopiera> david-lyle: that seems to work fine, as the page is not displayed in the menu
20:19:55 <david-lyle> rdopiera, ok
20:19:57 <david-lyle> hmm
20:19:58 <rdopiera> ying_zuo: no, because the services will check the permissions on their side and not allow that
20:20:10 <rdopiera> ying_zuo: you just get an empty page with a lot of errors
20:20:29 <e0ne> ^^ and it's not a user-friendly at all
20:20:30 <rdopiera> which is not critically bad, in fact could be acceptable
20:20:33 <rdopiera> but a bit messy
20:20:39 <ying_zuo> it's cleaner to just disable the panel
20:20:42 <e0ne> rdopiera: +1
20:20:56 <rdopiera> ying_zuo: the panel is disabled correctly
20:21:19 <rdopiera> ying_zuo: but if you were on that page while you switched domains or users, you will still visit that page
20:21:23 <ying_zuo> I meant setting the policy rule to disalbe it as david-lyle mentioned
20:21:52 <ying_zuo> got it
20:22:19 <rdopiera> we are working on a patch that displays a "not authorized" page then
20:22:34 <rdopiera> and it works on most of the pages, which raise the correct exception
20:22:43 <rdopiera> but those pages for some reason don't
20:23:28 <e0ne> ying_zuo: here is a screenshot of hypervisors page: https://cl.ly/3M423D1Z2b34
20:24:02 <ying_zuo> thanks e0ne
20:24:11 <rdopiera> I think the problem is that they have a catch-all try-except and don't delegate the exception handling to horizon
20:24:22 <rdopiera> but I didn't verify that
20:24:29 <e0ne> ying_zuo: other pages in the list look similar
20:24:57 <e0ne> rdopiera: let's decide what do we want to have first
20:25:29 <e0ne> rdopiera: IMO, we'll be able to fix it really quick if we decide what is excepted behaviour
20:26:11 * e0ne wants quick meetings at 11pm
20:28:06 <robcresswell> I feel like I missed the "solutions" part of the discussion
20:28:35 <ying_zuo> I think just raise an exception. doesn't need to show a "not authorized" page.
20:28:38 <e0ne> robcresswell: +1 :(
20:28:45 <david-lyle> where is unauthorized escaping in admin.instance ?
20:28:57 <robcresswell> So, the Not Authorised page from before is no longer an option?
20:29:07 <rdopiera> robcresswell: it works on most pages
20:29:16 <e0ne> ying_zuo: but we're talking about '/admin/some-page' and non-admin users
20:29:30 <david-lyle> rdopiera, by luck?
20:29:42 <rdopiera> another possibility is that those pages raise some other exception that doesn't get caught by our "not authorized page" mechanism
20:30:02 <rdopiera> david-lyle: by courage
20:30:06 <robcresswell> hahaha
20:30:07 <e0ne> david-lyle, rdopiera: it depends on policies and who raises NotAuthorized exception
20:30:15 <e0ne> rdopiera: :)
20:30:47 <david-lyle> I'm looking at admin.instance get_data and not seeing any non-blanket "except Exception"
20:30:51 <rdopiera> I say let's get the page to work on most pages, and then we can start cleaning up the mess
20:30:56 <david-lyle> so I'm wondering what is working there
20:31:06 <david-lyle> most likely we're leaking exceptions somehow
20:31:08 <robcresswell> Alright so... whats the question here, exactly?
20:31:18 <robcresswell> ah my internet skipped there, once sec
20:31:18 <e0ne> the question is:
20:31:20 <robcresswell> one*
20:31:21 <rdopiera> "what should we do" :)
20:31:37 <e0ne> what is expected result for such cases?
20:32:08 <robcresswell> e0ne: Expected result? Isn't this what we discussed before though? A Not Authorised page with a login box or something
20:32:27 <robcresswell> or a "Go to Login" and "Go to home"
20:32:31 <e0ne> if non-admin user somehow opens e.g. /admin/hypersvisors/ page. what should be?
20:32:39 <david-lyle> robcresswell, so we catch all exceptions other than not authorized?
20:33:00 <robcresswell> david-lyle: Sorry?
20:33:19 <e0ne> robcresswell: it's a bit different case, but I'm OK to show Not Authorized page
20:33:24 <david-lyle> the policy before was not let exception bubble up to the user uncaught
20:33:32 <robcresswell> e0ne: I'm having deja vu, I thought we discussed this a few weeks ago :p
20:33:50 <robcresswell> david-lyle: Ah, I see your train of thought now
20:34:01 <e0ne> robcresswell: not really this issue, but very similar
20:34:04 <david-lyle> which the unauthorized page would cover but at a different level, it seems weird to only bubble that one
20:34:28 <e0ne> robcresswell: now we have pages that partially work for non-admin
20:34:56 <david-lyle> partially work is maybe an overstatement :)
20:35:01 <robcresswell> Not weird, not really. In web stuff I write separately I usually have redirects for specific HTTP codes. (401, 403, off the top of my head)
20:35:03 <david-lyle> they don't load data
20:35:26 <david-lyle> robcresswell, sure, ideally we should be explicit about our exceptions
20:35:46 <e0ne> robcresswell: e.g.: http://10.13.0.43/dashboard/admin/volume_types/ can be both opened by admin and non-admin users
20:35:53 <david-lyle> unfortunately things have gotten lax and we attempt to catch all generally
20:36:01 <e0ne> robcresswell: but non-admins won't see private volume types
20:36:15 <robcresswell> urgh, this "admin" concept
20:36:24 <david-lyle> admin is not a concept
20:36:29 <david-lyle> it's a legacy
20:36:47 <e0ne> IMO, we should not allow for non-admin to open any of /admin/* pages
20:36:51 <robcresswell> I meant specifically the Horizon interpretation of admin
20:36:55 <david-lyle> hiding pages from the nav should be sufficient
20:37:04 <rdopiera> e0ne: there are no admins
20:37:31 <rdopiera> e0ne: permissions defpend on the policies
20:37:48 <e0ne> OK, replace, please, 'admin' to 'users w/o permissions to open this page or view all data on the page'
20:38:18 <david-lyle> if a user wants to go directly to a page what is the harm of being told you're not authorized to get the data on the page?
20:38:22 <robcresswell> So, the issue as described before was something like, if you can see admin/instances on one project, but then you change to one where you can't, Horizon gives you a double login in some circumstances
20:38:53 <rdopiera> david-lyle: no harm, but it's messy, it would be nicer to show a nice "not authorized" message and a link to the login page
20:39:17 <david-lyle> on that login page I've lost all context
20:39:26 <david-lyle> perhaps I'm just scoped to the wrong project
20:39:47 <robcresswell> david-lyle: Horizon passes through that little "next" link though
20:40:13 <robcresswell> Which is problematic if you try a different login, and thats not got permissions either, I *think* is the issue
20:40:17 <david-lyle> with the project you were scoped to visable to the user?
20:40:54 <robcresswell> No, but isn't the idea that you would then login under a different user (magic admin account) to do some action?
20:41:03 <david-lyle> the user could have been correct
20:41:11 <david-lyle> the project scope could have been wrong
20:41:33 <robcresswell> True
20:42:04 * robcresswell is thinking
20:42:12 <david-lyle> I think it's by strange luck that some pages would filter out and other won't at this point. I worry that the behavior will not be reliable
20:42:38 <robcresswell> What's the alternative, show a blank page?
20:43:08 <david-lyle> just show the page with the error message that you don't have proper privilege to view the contents of this page
20:43:20 <david-lyle> that's what the identity pages do
20:43:36 <david-lyle> but they're intended for all users to be able to hit
20:43:55 <robcresswell> I wonder if people would complain about losing the redirect functionality
20:44:25 <lucasxu> i will ;(
20:44:43 <e0ne> robcresswell: we can redirect to login page with a correct '?next=' param
20:45:00 <rdopiera> we discussed that already
20:45:08 <rdopiera> and agreed on it
20:45:12 <e0ne> rdopiera: +1
20:45:20 <robcresswell> e0ne: Right, but I'm saying that if we just displayed a blank page with an error, we lose that
20:45:23 <rdopiera> the problem now is whether all pages should behave consistently or not
20:45:38 <david-lyle> +1 to consistency
20:45:41 <e0ne> robcresswell: page with error and login link
20:45:42 <rdopiera> and how urgent it is
20:45:54 <rdopiera> personally I think it would be nice to be consistent but it's not high priority
20:45:57 <e0ne> rdopiera: +1, I absolutely agree
20:46:00 <robcresswell> e0ne: Didn't we just say we can't reliably do that?
20:46:35 <robcresswell> I *think* what david-lyle was suggesting is that if you go to admin/instances without correct permissions you just show a blank page with "You dont have permissions to do X / Y"
20:47:04 <e0ne> what about page like https://review.openstack.org/#/c/491479/9/horizon/templates/not_authorized.html
20:47:05 <e0ne> ?
20:47:40 <robcresswell> e0ne: You're not reading my questions. Didn't we say earlie that we could not reliably determine that?
20:47:42 <robcresswell> earlier*
20:47:48 <david-lyle> I think with policy that becomes a very gray line
20:48:21 <rdopiera> robcresswell: we can determine very reliably that we got an exception from the api
20:48:36 <e0ne> robcresswell: we can catch needed API from APIs
20:48:41 <robcresswell> "Something went wrong. Would you like to log out?"
20:48:46 <e0ne> *can catch needed exception
20:49:00 <david-lyle> rdopiera, so are you suggest we rewrite all the excepts in the get_data calls?
20:49:22 <robcresswell> e0ne: I thought you and rdopiera earlier said we cannot get the exception reliably
20:49:27 <e0ne> robcresswell: I hope, all APIs can return not authorized. we can handle them correctly
20:49:54 <e0ne> robcresswell: it's only in a *current* implementation of some pages
20:50:02 <rdopiera> david-lyle: something like that, perhaps fix it in the handling of the exceptions, less invasive
20:50:11 <david-lyle> so so except Exception as e, if e is not UnAuthorized?
20:50:39 <rdopiera> david-lyle: we have an exception handler function already that handles most of those exceptions
20:50:46 <rdopiera> david-lyle: but for some reason not all of them
20:51:31 <rdopiera> david-lyle: and it does see those exceptions, because it displays the messages
20:52:07 <e0ne> 10mins reminder
20:52:17 <david-lyle> so https://github.com/openstack/horizon/blob/master/openstack_dashboard/exceptions.py#L29 isn't broad enough?
20:52:33 <rdopiera> apparently
20:52:58 <david-lyle> hypervisors doesn't use novaclient.Unauthorized?
20:53:00 <rdopiera> or some other special case is happening
20:53:15 <rdopiera> I didn't analyze the code enough to be sure
20:53:18 <e0ne> david-lyle: the issue is, sometimes we catch Exception and return error message to user instead of re-raising NonAuthorized
20:54:22 * robcresswell reminds everyone we have crippling performance issues on other pages, even if users sometimes have to log in twice when they try and view a page they dont have permissions for.
20:54:43 <rdopiera> e0ne: that coould make sense when the page contains multiple things, and some of them the user has permission to see
20:55:01 <e0ne> rdopiera: good point
20:55:12 <rdopiera> so maybe let's leave it as it is for now
20:55:18 <robcresswell> e0ne: If it is possible to correctly identify that a NotAuthorised exception is there in all cases, then we can consider doing something special
20:55:18 <david-lyle> e0ne, I understand. My two points are I think a blanket unauthorized for a page that attempts to make several API calls may not be correct and two, it seems you'll have to reverse engineer all client authorization failures to handle them properly
20:55:43 <e0ne> david-lyle: I agree
20:55:51 <e0ne> looks like we have a decision:
20:56:17 <david-lyle> to me the unauthorized page is a carry over from the admin/non-admin days when things were binary
20:56:34 <rdopiera> it's better than the redirect
20:56:41 <e0ne> try to handle NotAuthorised if we can or leave it as is for now
20:58:19 <e0ne> 2mins reminder
20:58:29 <ying_zuo> cool. I think that's it for today. Thanks everyone for attending.
20:58:32 <rdopiera> tick tock
20:58:41 <rdopiera> goodnight
20:58:54 <e0ne> see you next week
20:58:54 <ying_zuo> #endmeeting