Deleted user still can delete volumes in Horizon
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Dashboard (Horizon) |
Confirmed
|
Medium
|
Unassigned | ||
OpenStack Identity (keystone) |
Invalid
|
Medium
|
Unassigned | ||
OpenStack Security Advisory |
Won't Fix
|
Undecided
|
Unassigned | ||
keystonemiddleware |
Triaged
|
Medium
|
Unassigned |
Bug Description
==Problem==
User session in a second browser is not terminated after deleting this user by admin from another browser. User is still able to manage some objects (delete volumes, for example) in a project after being deleted by admin.
==Steps to reproduce==
Install OpenStack following official docs for Stein.
Login as admin to (Horizon) in one browser.
Create a user with role 'member' and assign it to a project.
Open another browser and login as created user.
As admin user delete created user from "first" browser.
Switch to the "second" browser and try to browse through different sections in the dashboard as deleted user -> instances are not shown, but deleted user can list images, volumes, networks. Also this deleted user can delete a volume.
==Expected result==
User session in current browser is closed after user is deleted in another browser.
I tried this in Newton release and it works as expected (for a short time before session is ended, this deleted user can't list object in instances,volumes).
==Environment==
OpenStack Stein
rpm -qa | grep -i stein
centos-
cat /etc/redhat-release
CentOS Linux release 7.6.1810 (Core)
rpm -qa | grep -i horizon
python2-
rpm -qa | grep -i dashboard
openstack-
openstack-
Changed in horizon: | |
status: | New → Confirmed |
importance: | Undecided → High |
Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.