Uploaded image for project: 'Red Hat OpenShift Data Science'
  1. Red Hat OpenShift Data Science
  2. RHODS-1968

Session mgmt: Users are not logged out of JH/RHODS when removed from rhods-users/admins group

XMLWordPrintable

    • 5
    • False
    • False
    • Hide

      User is logged out automatically when credentials are revoked from both JH spawner and RHODS dashboard. 
      RHODS dashboards checks for group membership before allowing a user to log in.

      Show
      User is logged out automatically when credentials are revoked from both JH spawner and RHODS dashboard.  RHODS dashboards checks for group membership before allowing a user to log in.
    • Release Notes
    • No
    • 1.24.0
    • No
    • Hide
      When a user's permissions for JupyterHub are revoked, it takes up to five minutes for JupyterHub to log the user out. After a user has been removed from a valid user group, the user is able to spawn a new notebook server for about 30 seconds, and is able to continue working in JupyterLab for up to five minutes before they are logged out.
      Show
      When a user's permissions for JupyterHub are revoked, it takes up to five minutes for JupyterHub to log the user out. After a user has been removed from a valid user group, the user is able to spawn a new notebook server for about 30 seconds, and is able to continue working in JupyterLab for up to five minutes before they are logged out.
    • Bug Fix
    • Done
    • No
    • Yes
    • None
    • MODH Sprint 31, MODH Sprint 32, RHODS 1.24
    • Medium

      Description of problem:

      In RHODS-348 there are three scenarios concerning user sessions, scenario no. 2 listed in the original issue is still not covered as expected in RHODS.

      User no longer has access to RHODS based on removal from RHODS user or admin group
      

      When a user is removed from the rhods-users group while being logged into the JH spawner, they are not automatically logged out. Refreshing the page does not log the user out. The only way for the change to take effect is to do an "hard" refresh (ctrl+f5 or similar); in this case the user is logged out, and upon login receives a 403 Forbidden error message.

      The original issue is also concerned with user session w.r.t. the RHODS dashboard, however being part of the rhods-users/admins group currently changes nothing as far as the dashboard is concerned. An OpenShift user not part of either group can always log into the dashboard, and consequently removing a logged in user from either group does not log them out of the dashboard.

      Prerequisites (if any, like setup, operators/versions):

      RHODS 1.1.1-41 on OSD

      Steps to Reproduce

      1. Install RHODS
      2. Add IdPs to your cluster
      3. Create user(s) in the IdP and OpenShift
      4. Add user(s) to rhods-users or admins group
      5. Log in the JH spawner
      6. User should be able to log in
      7. Remove user(s) from rhods-users or admins group
      8. Refresh JH spawner page
      9. User is still logged in
      10. Hard refresh the page / log out
      11. log in with the same user again, you should receive a 403 Forbidden error

       

      1. Same up to step 4
      2. Log in the RHODS dashboard
      3. Remove user(s) from rhods-users or admins group
      4. Refresh dashboard page, user should still be logged in
      5. Hard refresh/log out the page
      6. Log in with same user, the user should still be allowed to log in

      Actual results:

      User is not automatically logged out of the JH spawner when the credentials (i.e. group membership) are revoked. User session needs to expire by other means before the change is applied.

      User is not automatically logged out of the RHODS dashboard. Furthermore, user can still log into the dashboard after credentials are revoked (or before they are ever given).

      Expected results:

      User is logged out automatically when credentials are revoked from both JH spawner and RHODS dashboard. 
      RHODS dashboards checks for group membership before allowing a user to log in.

      Reproducibility (Always/Intermittent/Only Once):

      Always

      Build Details:

      RHODS 1.1.1-41 on OSD

      Additional info:

            juntwang@redhat.com Juntao Wang
            rhn-support-lgiorgi Luca Giorgi
            Luca Giorgi Luca Giorgi
            Votes:
            0 Vote for this issue
            Watchers:
            14 Start watching this issue

              Created:
              Updated:
              Resolved: