Sunstone sign out does not really sign out


After the upgrade to 5.0, we have discovered a strange problem with login to Sunstone. Steps to (more-or-less) reproduce:

  • log in as oneadmin
  • use the Sunstone interface for a while
  • sign out (this should lead to the login form)
  • without closing a browser tab or window, use this form to log in as a different user
  • use the Sunstone interface for a while

The observed behaviour (by two different users with two different browsers on two different workstations) is that occasionally the browser is redirected to https://my.sunstone.addresss/login instead of doing the desired action. This displays a blank page. Deleting the /login part from the URL and manually loading the root URL (https://my.sunstone.address/) gives a Sunstone session logged in as oneadmin without the need for entering the password.

So I guess there is something in the Sunstone JavaScript which persists across signing out and then logging in as an ordinary user.

That said, the “impersonate user” functionality for oneadmin would be a helpful addition to Sunstone.

Can you look at it? Thanks!

Thank you for reporting it.

We’ll try to reproduce and fix the problem.

Best regards.

OK, thanks. As always, I am not sure which topic to discuss in the forum and what should be put to the issue tracker.

Generally we prefer tickets to be clearly bugs, and the forum for things that could be configuration problems or similar.

Can you provide more details about the exact OpenNebula version and Sunstone configuration? Is it using memcached? Default server, or another one? Do your users have the default ‘core’ auth driver?

OpenNebula 5.0.2-2 from CentOS7 RPMs. No memcached, internal server (wrapped to HTTPS by stunnel). User oneadmin uses the core auth, all the other users use LDAP.