
yahoo-eng-team team mailing list archive

[Bug 1290895] [NEW] Difficult to understand message when using incorrect role against object in Neutron

 

Public bug reported:

When a user runs an action against an object in neutron for which they
don't have authority (perhaps their role allows read of the object,
but not update), they get the message "The resource could not be found".
For example: a user doesn't have the privilege to edit a network and
attempts doing that but ends up getting the resource not found message.

This is a bad message because the object they just read in is now
stating that it does not exist. This is not true; the root issue is that they
do not have authority over it.

One can argue that for security reasons, we should state that the object
does not exist. However, it creates an odd scenario where you have
certain roles that can read an object, but then not write to it.

I'm proposing that we change the message to "The resource could not be
found or user's role does not have sufficient privileges to run the
operation."

Two identified test cases applicable to this would be the remove/edit
networks.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1290895
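The trade-off the report raises (hiding an object's existence from callers who may not see it, versus giving a clear error to callers who can already read it) can be expressed as a small policy decision. The following is an added illustration, not Neutron's code: the role table, tenant model, network store and message strings are constructed for the example, and the rule in `split_response()` is an assumption, namely that a caller who can already read an object learns nothing new from a 403, so 404 is reserved for objects the caller cannot read at all. `legacy_response()` models the behaviour the report describes, where every denial collapses into the generic not-found message.

```python
"""Added illustration (not Neutron's code): reporting an authorization
denial on a network without collapsing every failure into
"The resource could not be found".

The role table, tenant model and message strings are constructed for this
example. The rule applied by split_response() is an assumption: a caller
who can already read an object learns nothing new from a 403, so 404 is
reserved for objects the caller cannot read at all.
"""
from dataclasses import dataclass

NOT_FOUND_MSG = "The resource could not be found."
FORBIDDEN_MSG = ("User's role does not have sufficient privileges to run "
                 "the operation.")

# Constructed role table: actions each role may perform on a network.
ROLE_ACTIONS = {
    "member": {"get_network", "update_network", "delete_network"},
    "reader": {"get_network"},
}


@dataclass(frozen=True)
class Context:
    tenant_id: str
    roles: frozenset


@dataclass(frozen=True)
class Network:
    id: str
    tenant_id: str


# Constructed sample data: two tenants, one network each.
NETWORKS = {
    "net-a": Network("net-a", "tenant-a"),
    "net-b": Network("net-b", "tenant-b"),
}


def is_allowed(ctx: Context, action: str, net: Network) -> bool:
    """Constructed policy: 'admin' may do anything; other roles are limited
    to their own tenant and to the actions listed in ROLE_ACTIONS."""
    if "admin" in ctx.roles:
        return True
    if net.tenant_id != ctx.tenant_id:
        return False
    return any(action in ROLE_ACTIONS.get(role, set()) for role in ctx.roles)


def legacy_response(ctx: Context, action: str, net_id: str):
    """Behaviour the bug report describes: a missing object and a denied
    action are both reported as 404 with the generic message."""
    net = NETWORKS.get(net_id)
    if net is None or not is_allowed(ctx, action, net):
        return 404, NOT_FOUND_MSG
    return 200, "OK"


def split_response(ctx: Context, action: str, net_id: str):
    """Distinguish the two denial cases. Existence is hidden (404) only when
    the caller could not read the object anyway; a caller who can read it
    gets an explicit 403, which reveals nothing they did not already know."""
    net = NETWORKS.get(net_id)
    if net is None or not is_allowed(ctx, "get_network", net):
        return 404, NOT_FOUND_MSG
    if not is_allowed(ctx, action, net):
        return 403, FORBIDDEN_MSG
    return 200, "OK"


if __name__ == "__main__":
    reader = Context("tenant-a", frozenset({"reader"}))
    # Same request, old and new reporting: own-tenant update by a reader.
    print(legacy_response(reader, "update_network", "net-a"))
    print(split_response(reader, "update_network", "net-a"))
    # Other tenant's network: existence stays hidden under both.
    print(split_response(reader, "update_network", "net-b"))
```

Run as a script it prints the reader's own-tenant update as a 404 under the legacy rule and as a 403 under the split rule, while an update against another tenant's network stays a 404 in both, which is the distinction the report asks for without disclosing objects the caller could not have read.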

