yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1524515] [NEW] get sql-based Domain-specific driver configuration with incorrect group in URL, expected response 404, actual 403

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Thomas Hsiao <thomas.hsiao@xxxxxx>
Date: Wed, 09 Dec 2015 22:18:16 -0000
Reply-to: Bug 1524515 <1524515@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

get sql-based Domain-specific driver configuration with incorrect group
in URL, expected response 404, actual 403:

With sql-based Domain-specific driver configuration set up connection to a openldap or  ad backend for a domain,
if an invalid/typo group name (e.g. [identity2], instead of [identity]) in the request url for this domain is provided,  we expect the response code 404 (not found), but actual is 403 (forbidden).  The user actually has the permission to access the configuration. 403 forbidden seems misleading. 

Example:
~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/invalidgroup

Actual:
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 403, "title": "Forbidden"}}

Expected:
~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/identity2
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 404, "title": "Not Found"}}

** Affects: keystone
     Importance: Undecided
     Assignee: Thomas Hsiao (thomas-hsiao)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Thomas Hsiao (thomas-hsiao)

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524515

Title:
  get sql-based Domain-specific driver configuration with incorrect
  group in URL, expected response 404, actual 403

Status in OpenStack Identity (keystone):
  New

Bug description:
  get sql-based Domain-specific driver configuration with incorrect
  group in URL, expected response 404, actual 403:

  With sql-based Domain-specific driver configuration set up connection to a openldap or  ad backend for a domain,
  if an invalid/typo group name (e.g. [identity2], instead of [identity]) in the request url for this domain is provided,  we expect the response code 404 (not found), but actual is 403 (forbidden).  The user actually has the permission to access the configuration. 403 forbidden seems misleading. 

  Example:
  ~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/invalidgroup

  Actual:
  {"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 403, "title": "Forbidden"}}

  Expected:
  ~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/identity2
  {"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 404, "title": "Not Found"}}

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1524515/+subscriptions

Follow ups

[Bug 1524515] Re: get sql-based Domain-specific driver configuration with incorrect group in URL, expected response 404, actual 403
From: Steve Martinelli, 2016-08-01