Commit Graph

44 Commits

Author SHA1 Message Date
Kenji Ishii 5a9c4b0c28 Add feature to log operations of users to Horizon
To enable this feature, you can see the
/doc/source/topics/settings.rst on this patch.

Change-Id: I784b92104be244f7f288d7648c20e61e0a0c1d09
Implements: blueprint operation-history-log
2016-05-31 10:34:08 +00:00
Yves-Gwenael Bourhis 9749d873a6 Fixing timezone awareness
Putting back timezone awareness in the middleware which was accidentally removed
by https://review.openstack.org/#/c/179513/

Change-Id: I01424dee71e778969d97cbb38899d898e01177fa
Closes-bug: #1538189
2016-01-26 17:07:26 +01:00
eric b676ac13fa Removing last_activity session flag
This change will simplify horizon session management and lessen
the load on session backends which currently are writing records
with every page request.

Pre-Requisite change: https://review.openstack.org/#/c/179800/

Change-Id: I3ff8ca6b56655c7c68743398fee903d651332867
Closes-bug: #1450914
2015-10-05 04:48:17 +00:00
Vlad Okhrimenko 878c703fd0 Logout user if he has no valid tokens
Before this patch, if a user's rights were changed
or revoked, there would be "Unauthorized" errors
on every page, since the user had no rights to view them
because he had no valid tokens in that case.

Now the user will be logged out if he has no valid tokens.
Set `escalate` to True (for unauthorized-error)
to always log the user out.

Also, now horizon.exceptions.NotAuthorized is a part of
UNAUTHORIZED tuple in the exceptions.py, because this type
of exception is re-raised after handling services unauthorized errors.
Looks like it was missing. Now the horizon.exceptions.NotAuthorized
is handled like all NotAuthorized exceptions.

And horizon_middleware.py in process_exception now generates
logout_reason for cases if user is not authorized.

Closes-Bug: #1252341
Closes-Bug: #1407105
Co-Authored-By: Paul Karikh <pkarikh@mirantis.com>
Change-Id: I417cad936ea80c0569c2f442fc87cbd58745757e
2015-08-29 04:02:54 +00:00
eric 43ba4fe19a Horizon login page contains DOS attack mechanism
The horizon login page (really the middleware) accesses the session
too early in the login process, which will create session records
in the session backend.  This is especially problematic when non-cookie
backends are used.

Change-Id: I9d2c40403fb9b0cfb512f2ff45397cbe0b050c71
Closes-Bug: 1394370
2014-12-08 16:38:37 -07:00
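The mechanism behind this bug, as an added illustration that is not Horizon's code: a middleware that writes to the session on every request (here an assumed `last_activity` timestamp) persists a fresh backend record for every unauthenticated hit, so an anonymous client can grow a database or memcached session table without limit. The session store, the lazy session object and the two middleware variants below are constructed stand-ins for Django's, not Horizon's own classes.

```python
import secrets


class SessionStore:
    """Minimal server-side session backend (constructed stand-in for a DB/cache backend)."""

    def __init__(self):
        self.records = {}

    def save(self, key, data):
        self.records[key] = dict(data)


class LazySession:
    """A session that only persists a backend record once it has been modified,
    mirroring the default save-only-if-modified behaviour of a Django session."""

    def __init__(self, store, key=None):
        self.store = store
        self.key = key
        self.data = {}
        self.modified = False

    def get(self, name, default=None):
        return self.data.get(name, default)

    def __setitem__(self, name, value):
        self.data[name] = value
        self.modified = True

    def save_if_needed(self):
        # A new key is minted and a record written only when something changed.
        if self.modified:
            if self.key is None:
                self.key = secrets.token_hex(16)
            self.store.save(self.key, self.data)


def naive_middleware(request, session):
    """Before the fix: touches the session for every request, anonymous or not."""
    session["last_activity"] = request["time"]


def fixed_middleware(request, session):
    """After the fix: only authenticated users get session state written."""
    if request["authenticated"]:
        session["last_activity"] = request["time"]


def simulate(middleware, n_requests, authenticated=False):
    """Send n_requests cookie-less requests through `middleware` and return
    how many backend session records exist afterwards."""
    store = SessionStore()
    for i in range(n_requests):
        # Each request arrives without a session cookie, so it gets a fresh session.
        session = LazySession(store)
        middleware({"time": i, "authenticated": authenticated}, session)
        session.save_if_needed()
    return len(store.records)


if __name__ == "__main__":
    print("naive, 1000 anonymous requests:", simulate(naive_middleware, 1000))
    print("fixed, 1000 anonymous requests:", simulate(fixed_middleware, 1000))
```

With the naive middleware every anonymous request leaves a record behind; with the authentication check in place, anonymous traffic creates none, while logged-in requests still update their own session. The same check applies to any other per-request write (CSRF seeds, flash messages) that a middleware might perform before `request.user` has been resolved.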
Yves-Gwenael Bourhis 4824239730 Checking session timeout before authentication
If both the keystone token and the session expired, the user was asked to login
twice. This is because the token expiration was not checked.
When a user had timed out both in session and keystone token validity, the user
was asked to log in, then the timestamp was checked, and the user logged out
again and asked to log in a second time.

We now check both the timestamp and keystone token validity before
authentication validity and force back the login page to retrieve a new
keystone token, avoiding the timeout race condition between session and token
validity which was forcing a dual login. A keystone token expiration is now
considered as a session timeout too.

Also, a page can start loading while the token is valid, and finish while it's
invalid. This was leading to errors during the page loading.
We now set a TOKEN_TIMEOUT_MARGIN period in seconds which allows defining
a margin before which we consider the token as expired.
This is a configurable parameter in the django settings because the time a page
takes to render is infra and deployment specific. This margin is preset to
ten seconds.

Requires: https://review.openstack.org/101556

Closes-Bug: 1308918

Change-Id: I0bf0d079a9dc000c1a30f0e20dcaa03b22d63e51
2014-09-25 15:06:19 +02:00
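The ordering described in the commit, as an added example that is not Horizon's code: both the idle-session timestamp and the keystone token expiry are checked before any authentication decision, and a token is treated as already expired once it is within `TOKEN_TIMEOUT_MARGIN` seconds of its expiry, so a page that starts rendering on a nearly-dead token does not fail half-way through. The session dictionary layout (`last_activity`, `token_expires`), the 1800-second idle timeout and the helper names are assumptions for the example; only the ten-second default margin comes from the commit text.

```python
from datetime import datetime, timedelta, timezone

TOKEN_TIMEOUT_MARGIN = 10   # seconds; default named in the commit message
SESSION_TIMEOUT = 1800      # seconds of inactivity; assumed value for the example


def token_expired(token_expires, now, margin=TOKEN_TIMEOUT_MARGIN):
    """True once fewer than `margin` seconds of token validity remain.
    The margin covers the time a page takes to render after the check."""
    return token_expires - timedelta(seconds=margin) <= now


def session_timed_out(last_activity, now, timeout=SESSION_TIMEOUT):
    """True when the browser session has been idle longer than `timeout`."""
    return now - last_activity > timedelta(seconds=timeout)


def check_before_auth(session, now):
    """Run before the authentication check. Returns (force_login, reason).

    Evaluating both conditions here, rather than after the user has been
    asked to log in, avoids the double login prompt: a stale token is a
    session timeout too, and is resolved by one trip to the login page."""
    last = session.get("last_activity")
    if last is not None and session_timed_out(last, now):
        return True, "session timed out"
    expires = session.get("token_expires")
    if expires is not None and token_expired(expires, now):
        return True, "keystone token expired (or within margin)"
    return False, None


# Constructed sample sessions, all evaluated at the same instant.
NOW = datetime(2016, 1, 26, 12, 0, 0, tzinfo=timezone.utc)

FRESH = {"last_activity": NOW - timedelta(minutes=5),
         "token_expires": NOW + timedelta(hours=1)}
TOKEN_ALMOST_DEAD = {"last_activity": NOW - timedelta(minutes=5),
                     "token_expires": NOW + timedelta(seconds=5)}   # inside the margin
IDLE_TOO_LONG = {"last_activity": NOW - timedelta(minutes=31),
                 "token_expires": NOW + timedelta(hours=1)}
BOTH_EXPIRED = {"last_activity": NOW - timedelta(hours=2),
                "token_expires": NOW - timedelta(hours=1)}

if __name__ == "__main__":
    for name, sess in [("fresh", FRESH), ("token almost dead", TOKEN_ALMOST_DEAD),
                       ("idle too long", IDLE_TOO_LONG), ("both expired", BOTH_EXPIRED)]:
        print(f"{name:18s} -> {check_before_auth(sess, NOW)}")
```

Note that `TOKEN_TIMEOUT_MARGIN` is a deployment tuning knob, not a security boundary: a larger margin only makes Horizon forget a token earlier than Keystone would, which is the safe direction.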
Ian Cordasco 961ce7363b Use a singly created set while copying cookies
Previously a tuple was being created while iterating over each of the
arguments of a cookie for every cookie. This will prevent creating a tuple
that many times and uses a set to increase the performance of look-up using
`in`.

Change-Id: I10ffccae8eb3a9cb41b1045a08b891fed43efd99
Closes-Bug: 1359245
2014-08-20 10:46:18 -05:00
Christian Berendt 6458dccb6f replace dict.iteritems() with six.iteritems(dict)
According to https://wiki.openstack.org/wiki/Python3 dict.iteritems()
should be replaced with six.iteritems(dict).

Change-Id: Ia2dcabbd071e1fcdf111ba83573785989a77aef0
2014-05-26 12:06:58 +02:00
He Yongli e790ac070e Remove extraneous vim configuration comments
Remove vim setting:
comment - # vim: tabstop=4 shiftwidth=4 softtabstop=4

at the top of source code files, except for files in
openstack/common.

Change-Id: I9a5c6b17c6ef7ecec601f4503dfc7b31fc72e90a
Close-bug: #1229324
2014-05-06 15:30:10 +08:00
David Lapsley 013676583d Propagate logout_reason messages
For ajax requests, horizon.middleware does not currently copy the
logout_reason cookie into newly generated redirect_responses. This
will result in lost logout_reason messages when a user is redirected
to logout.

This patch adds the logout_reason cookie to the list of cookies
copied over from the incoming response to the newly created
outgoing response.

Change-Id: I089eff5627f870c8b3f0b7913693231602a8f9d4
Closes-Bug: #1298074
2014-04-16 20:21:52 -07:00
ericpeterson-l 1b5fb743e2 Fix excessive ajax session thrash
HorizonMiddleware causes excessive session rewrites
and possible race condition resulting in logouts
for ajax requests

Change-Id: I1e1181a0830e23d43bfcf89729b9a98f6aaad965
Closes-bug: #1253829
2014-03-28 13:14:33 -06:00
ericpeterson-l 2364b695c2 Fix middleware to not access session fields without user auth
Change-Id: Idc2b71aa9ca08570e870ac6e356211dfbaa7a726
Fixes: bug #1211535
2014-03-06 08:24:34 -07:00
Radomir Dopieralski 028332da4a Remove #noqa from most common imports and add them to import_exceptions
We have a lot of import with #noqa that is there to ignore h302,
because it's traditional to import and use a name directly, instead
of a whole module. This hides other errors and gives people the
impression that it's actually fine to import non-modules, you just
have to slap #noqa on those lines.

I went through the code and identified about a dozen names that are
most commonly imported this way. I remove the #noqa tag from them,
and added them to the list in import_exceptions.

I also removed a few unused imports that were revealed in the process.

Change-Id: I27afb8e2b1d4759ec974ded9464d8f010312ee78
2014-01-07 12:26:35 +01:00
Matthias Runge 13355dacdb add support for Django-1.6
Sessions now store JSON instead of pickled objects.

Partially-implements blueprint django-1point6

Change-Id: I332ba18005284774a53fb3cb8c6e51bca1480ded
2014-01-03 08:21:53 +01:00
Yves-Gwenael Bourhis 56d5f53d4f Logging error if cookie size is > 4KB
When session storage is configured to use signed cookies, logging error when
cookie size is > 4KB.

Change-Id: Ia766f4505ce0527123a9fa9a62bf6d312858da46
Closes-Bug: #1214197
2013-12-13 14:06:09 +01:00
Yves-Gwenael Bourhis 0aab590562 Logging user out after self password change
Admin users were not logged out after changing their own password in the user
settings panel, and error messages were displayed afterwards.

Fixes bug 1226829

Change-Id: Iec0e34484e2bbc28a300d6259aab1a682e4a00ff
2013-11-26 13:33:36 +01:00
Paul Belanger da8c69afa6 Gate on H4xx docstrings for pep8
In an effort to help make horizon more friendly to OpenStack hacking
guidelines, we now gate on H40* violations.

Change-Id: Id07294543660368d2f7f5ac363710176ab23b874
Signed-off-by: Paul Belanger <paul.belanger@polybeacon.com>
2013-11-23 12:51:07 -05:00
Radomir Dopieralski 7d72e5f3a4 Fix AttributeError on Ajax calls with expired session
When the session expires and horizon does an Ajax call (for example,
to get a modal window), an exception is raised instead of redirecting
to the login screen, because the exception handler in the horizon
middleware doesn't add the "horizon" attribute to the request. This is
a very simple fix to avoid throwing the exception.

Change-Id: I663999dd616b1a4fa3292615eecf3cc44c3e808a
Closes-bug: #1224458
2013-10-22 15:11:18 +02:00
Visnusaran Murugan 74c2b8ab62 Handled ajax request crash after session timeout
process_response refers to request.horizon in case of an ajax
request, but this attribute was not set on session timeout, so the
redirection to the previous page was not sent.

IMPORTANT NOTE:
After a session timeout, when logging back in the requested modal dialogue
is displayed in a static view page.

Change-Id: I793b1c0a4c51107d263de0fe144dca26f5216d7a
Closes-Bug: #1214812
2013-09-25 10:13:03 +02:00
simon afaa72185c PEP8 E126 has been resolved
Change-Id: Ic5d3b96b6061b7a34e7620d8d09418bd6976fbb1
Partial-Bug: #1085346
2013-09-17 20:48:09 +09:00
Jenkins 0e73640530 Merge "Redirecting user back to previous screen" 2013-09-13 04:21:40 +00:00
Yves-Gwenael Bourhis 4865cb6a09 Redirecting user back to previous screen
After browser session timeout, the user is now redirected back to the previous
screen upon login.
Also added a non regression unittest.

Change-Id: I995bc217803805364967688e9b896b9b54583b36
Closes-Bug: #1201619
2013-09-12 15:17:06 +02:00
Julie Pichon 202427c1d8 Remove general 'unauthorized' message from middleware
The message is too general to be useful, and at this late stage it
could override a more useful message that may have been provided
earlier.

Change-Id: If819748f765ce30a71206a15f9874727e459dce8
Closes-Bug: #1221716
2013-09-11 10:25:15 +01:00
Julie Pichon 85f4c8b473 Display a message on the login page
In some cases, particularly when having to log the user out after
performing some action (e.g. password change), we want to display a
friendly message on the login screen to explain to the user why they
have been redirected to the login page.

This adds a function to do so, and uses it in a couple of places:
 - When updating one's own password using the Settings panel
 - Session time out
 - HTTP 401

Change-Id: Ie53c5552159304e1f1304ac6211b3accfd9aa623
Implements: blueprint messages-on-login-page
2013-08-30 19:54:31 +01:00
Tatiana Mazur 953d1b9793 Enable H302 check
This patch replaces some method imports with module imports and
makes H302 test enabled.

Fixes bug 1188531

Change-Id: Ibfbddeaa19cbbb244da58ffd5c918c41f03a0c65
2013-08-22 17:39:09 +04:00
Kieran Spear 45500b2e62 Revert "Fix middleware to not access session fields without user auth"
This reverts commit a62944985d
2013-08-15 00:47:07 +00:00
ericpeterson-l a62944985d Fix middleware to not access session fields without user auth
Change-Id: I18bccfa900b25b3ccb1f2514b2c5c0450b54af2d
Fixes: bug #1211535
2013-08-13 13:26:45 -06:00
Matthias Runge dc7668177a Implement Browser session timeout
By default, Horizon just uses sessions, which expire when the browser
is closed. This additionally implements a session timeout.

Change-Id: I140ee2ee37e092036a66d890d920423dfc493fba
Fixes: bug 1118441
2013-06-21 14:17:27 +02:00
Matthias Runge cea720e793 Sort imports alphabetically
This patch also re-organizes imports to import one per line.

Change-Id: Ia958e3a30a48d4308d08d51df243c1272425c316
Fixes: bug 1188529
Fixes: bug 1188537
2013-06-14 12:05:55 +02:00
Lin Hua Cheng 43e8ea4d4d Fix async messaging so that it doesn't escape message strings marked as safe.
Fixes bug 1103243.

Change-Id: Ia9541d5cc338914f5f9164e7ee1386270211f4d0
2013-02-07 17:01:16 -08:00
Zhongyue Luo a3d136e365 Removes unused imports
Removed unused imports found by:

find . -type f -name "*py" -exec pylint -r n {} \; | grep -E "Unused imp|^\*"

Change-Id: I84f81ed833f6f792c5beb41a4d6b26cbb3236b2b
2012-12-10 11:27:51 +08:00
Kieran Spear 3fbe68f690 Honour LOGIN_URL when redirecting to login page
Currently the redirect is always made to the url of the 'login' view.
This change makes redirects go to LOGIN_URL, so the default login view
can be replaced with a view at another url/name.

Fixes bug 1079444.

Change-Id: Ib56200679668dd053d3c6ac24807d2a2affc0df8
2012-11-19 10:37:14 +11:00
Gabriel Hurley cb8e7c1f8f Splits OpenStack Dashboard bits from framework app code.
Moves everything OpenStack-specific (dashboards, apis, etc.)
into the openstack_dashboard project, achieving a much
cleaner separation between the project-specific code and
the generic Horizon framework code.

Change-Id: I7235b41d449b26c980668fc3eb4360b24508717b
2012-10-11 11:47:50 -07:00
Gabriel Hurley df5a13c5ec Inline object creation.
Allows the creation of related objects during a workflow.
For example, this patch implements importing keypairs during
the launch instance workflow and allocating floating IP
addresses during the floating IP associate workflow.

This required several significant changes:

  * SelfHandlingForm should no longer return a redirect.
    Instead, it should return either the object it
    created/acted on, or else a boolean such as True.

  * The ModalFormView now differentiates between GET
    and POST.

  * Due to the previous two items, SelfHandlingForm
    was mostly gutted (no more maybe_handle, etc.).

  * Modals now operate via a "stack" where only the
    top modal is visible at any given time and closing
    one causes the next one to become visible.

In the process of these large changes there was a large
amount of general code cleanup, especially in the javascript
code and the existing SelfHandlingForm subclasses/ModalFormView
subclasses. Many small bugs were fixed along with the cleanup.

Implements blueprint inline-object-creation.

Fixes bug 994677.
Fixes bug 1025977.
Fixes bug 1027342.
Fixes bug 1025919.

Change-Id: I1808b34cbf6f813eaedf767a6364e815c0c5e969
2012-07-22 17:07:27 -07:00
Gabriel Hurley c339189b44 Auth refactor.
Switch to using the self-contained django_openstack_auth
package which is a proper django.contrib.auth pluggable
backend.

Notable functional improvements include:

  * Better overall security via use of standard Django
    auth code (well-vetted by security experts).
  * Token expiration checking.
  * User "enabled" attribute checking.
  * Support for full range of Django auth attributes
    such as is_anonymous, is_active, is_superuser, etc.
  * Improved hooks for RBAC/permission-based access control.

Regarding the RBAC/permission-based access control, this
patch moves all "role" and "service"-oriented checks to
permission checks. This will make transitioning to
policy-driven checking much easier once that fully lands
in OpenStack.

Implements blueprint move-keystone-support-to-django-auth-backend

Change-Id: I4f3112af797aff8c4c5e9930c6ca33a70e45589d
2012-07-09 16:57:52 -07:00
Gabriel Hurley 439c272a81 Provide user-selectable timezone support.
Makes the user settings panel useful for settings of
all sorts, too.

Change-Id: I88d68b888842c21ba168beaae0b991789a8f8072
2012-07-05 17:30:07 -07:00
Gabriel Hurley a5a1e40135 Improved message handling.
* Login page no longer displays user messages
    inappropriately. Instead, login errors are handled
    as form errors. Fixes bug 1012467.
  * Messages triggered during an AJAX call are no longer
    added to the standard message queue (which causes
    them to appear on subsequent unrelated requests).
    Instead, they are encoded and sent back with the AJAX
    response, allowing them to be displayed to the user
    client-side when they are relevant.
    Fixes bug 1008799.
  * Adds the last couple "compress" tags to the
    _scripts.html template to completely implement
    blueprint asset-compression.

Change-Id: I967f32b44603ded7ec95bd0b86e7d997c6a8b352
2012-06-12 19:49:12 -07:00
Paul McMillan 041b1c44c7 Fixes lp978896 -- Session fixation security fix
Rotates session tokens on logout, and properly clears sessions
to prevent data leakage.

Change-Id: I52d03576d07b1e023a7730857156d0da1887b1df
2012-05-04 16:26:18 -07:00
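What "rotating session tokens and properly clearing sessions" defends against, as an added example that is not the Horizon patch itself: if the session key a client presents before authentication is kept after login, anyone who knows that key (an attacker who planted it in the victim's browser, or read it off a shared machine) now holds an authenticated session. The fix issues a fresh key at every privilege change and deletes the old record; on logout the record is flushed rather than merely marked anonymous, so no user or token data lingers under a key that may still be in circulation. The in-memory store and function names are constructed for the example, and the login-time rotation shown alongside the logout rotation is the standard complement, not something the commit message states.

```python
import secrets


class Sessions:
    """Server-side session table keyed by an unguessable session key (constructed)."""

    def __init__(self):
        self._db = {}

    def new(self, data=None):
        key = secrets.token_hex(16)        # 128 bits from the OS CSPRNG
        self._db[key] = dict(data or {})
        return key

    def get(self, key):
        return self._db.get(key)

    def delete(self, key):
        self._db.pop(key, None)


def login_vulnerable(sessions, presented_key, user):
    """Session fixation: the pre-authentication key survives the login."""
    if sessions.get(presented_key) is None:
        presented_key = sessions.new()
    sessions.get(presented_key)["user"] = user
    return presented_key


def login_fixed(sessions, presented_key, user):
    """Cycle the key on login: carry the data over, retire the old key."""
    carried = sessions.get(presented_key) or {}
    sessions.delete(presented_key)
    new_key = sessions.new(carried)
    sessions.get(new_key)["user"] = user
    return new_key


def logout_fixed(sessions, key):
    """Flush on logout: drop the record entirely and hand back a fresh,
    empty anonymous session so the old key is useless even if replayed."""
    sessions.delete(key)
    return sessions.new()


def fixation_scenario(login):
    """Attacker plants key K in the victim's browser; the victim then logs in.
    Returns True if K still grants the victim's session afterwards."""
    sessions = Sessions()
    planted = sessions.new()                       # attacker knows this key
    login(sessions, planted, "victim")
    record = sessions.get(planted)
    return record is not None and record.get("user") == "victim"


if __name__ == "__main__":
    print("vulnerable login lets attacker in:", fixation_scenario(login_vulnerable))
    print("fixed login lets attacker in:     ", fixation_scenario(login_fixed))
```

In Django terms this is `request.session.cycle_key()` at login and `request.session.flush()` at logout; the example spells both out so the difference between "rotate" (keep data, new key) and "flush" (drop data, new key) is visible.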
John Postlethwait c1b05e9bd8 User needs to log in messages.
When a user tries to access a page and they are
not logged in, the message needs to be about
authentication, NOT authorization as it was before
this change. Needing to log in has nothing to do
with permissions and the messaging needs to
reflect that.

Fixes Bug #965810

Change-Id: Ic9de135d4d3d8e7b19524cd100a3fe7ea027e1f4
2012-03-26 18:02:22 -07:00
Andy Chong 05b208f104 Fix AJAX form posting that works incorrectly if get() in base views
is overridden by subclass, e.g. EditRulesView and EditAttachmentsView
if they don't add X-Horizon-Location custom headers if redirect is
used. This mucking is probably the cleanest way to fix this in
the meantime.

 * fix bug 961863

Change-Id: I213e23a150b4afaba1249584e8cb3b376095533e
2012-03-22 13:46:10 +08:00
Gabriel Hurley c11cd9d1c5 Implements AJAX form posting.
This is somewhat of a hack for Essex, since the long-term solution
is a reworking of the way AJAX is handled. But it solves problems
in the interim and provides a significantly better experience.

Thanks to Andy Chong for pushing forward with the initial attempts
which led to this patch.

Fixes bug 943518.

Change-Id: Ia65d926d3d406b07301e23b4c87de60c66ddec75
2012-03-21 18:33:50 -07:00
Gabriel Hurley b8754d5ecd Updates Image Details page to match other details pages. Fixes bug 955625.
While updating these, a bug was discovered in the tab exception handling
which is also fixed by this patch. Fixes bug 955642.

Also incorporates some cleanup on the other details pages so that
they are all uniform and at their best.

Additionally, added a command to run_tests.sh to update all the translation
strings (./run_tests.sh -m or --makemessages).

Updates translation files.

Change-Id: I61287b91fb442f7343c2ddebfcc547dc559efbdf
2012-03-15 11:40:46 -07:00
Gabriel Hurley 382a5105c4 User.authorized_tenants is now a cached property.
This allows moving the call to get authorized tenants out of
the middleware (which was a wasteful call on many requests),
and allows the value to be re-used anytime it's accessed more
than once per request.

Fixes bug 942074.

Change-Id: Ic09b15adbffb16c0358bb28aec73345cc01834ad
2012-03-13 15:11:06 -07:00
Gabriel Hurley 052aa55d34 Unifies the project packaging into one set of modules.
There are no longer two separate projects living inside the horizon
repository. There is a single project now with a single setup.py,
single README, etc.

The openstack-dashboard/dashboard django project is now named
"openstack_dashboard" and lives as an example project in the
topmost horizon directory.

The "horizon/horizon" directory has been bumped up a level and now
is directly on the path when the root horizon directory is on
your python path.

Javascript media which the horizon module directly relies upon
now ships in the horizon/static dir rather than
openstack-dashboard/dashboard/static.

All the corresponding setup, installation, build, and env scripts
have been updated accordingly.

Implements blueprint unified-packaging.

Change-Id: Ieed8e3c777432cd046c3e0298869a9428756ab62
2012-02-29 00:20:13 -08:00