
yahoo-eng-team team mailing list archive

[Bug 1541621] [NEW] Invalid subject fernet token should result in 404 instead of 401

 

Public bug reported:

When a scoped fernet token is no longer valid (i.e. all the roles have
been removed from the scope), token validation should result in 404
instead of 401. According to the Keystone V3 API spec, 401 is returned only
if X-Auth-Token is invalid. An invalid X-Subject-Token should yield 404.
Furthermore, auth_token middleware only treats 404 as an invalid subject
token and caches it accordingly. An improper 401 will cause unnecessary
churn, as the middleware will repeatedly attempt to re-authenticate the
service user.

https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215

To reproduce the problem:

1. get a project-scoped token
2. remove all the roles assigned to the user for that project
3. attempting to validate that project-scoped token results in 401

** Affects: keystone
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541621


To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541621/+subscriptions
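The following is an added example, not code from keystone or keystonemiddleware. It models the three reproduction steps above and the status-code contract the report describes: a toy identity service (IdentityModel, a constructed stand-in for GET /v3/auth/tokens) returns 401 only when X-Auth-Token is invalid and otherwise returns a configurable status for a bad X-Subject-Token, and a toy middleware (AuthTokenMiddlewareModel, a constructed stand-in for auth_token) caches a subject token as invalid only on 404 and reads 401 as "my own service token is bad". The re-authenticate-and-retry-once behaviour of the middleware model is an assumption made to show the churn; it is not a claim about the exact control flow in keystonemiddleware. Running the same scenario with the spec-conforming 404 and with the reported 401 shows how many service-user logins and validation calls each one costs.

```python
"""Constructed model of Keystone V3 token validation status codes and of
how an auth_token-style middleware reacts to them. Not keystone code."""
from dataclasses import dataclass
from itertools import count
from typing import Optional


@dataclass
class Token:
    user_id: str
    project_id: Optional[str] = None  # None means an unscoped token


class IdentityModel:
    """Toy identity service (assumption: stand-in for GET /v3/auth/tokens).

    A project-scoped token stays valid only while the user still holds at
    least one role on that project. ``subject_invalid_status`` is 404 for the
    behaviour the V3 API spec requires and 401 for the behaviour reported.
    """

    def __init__(self, subject_invalid_status=404):
        self.subject_invalid_status = subject_invalid_status
        self.tokens = {}         # token id -> Token
        self.roles = {}          # (user_id, project_id) -> set of role names
        self.validate_calls = 0  # how often the middleware hit us
        self._ids = count(1)

    def grant_role(self, user_id, project_id, role):
        self.roles.setdefault((user_id, project_id), set()).add(role)

    def revoke_all_roles(self, user_id, project_id):
        """Step 2 of the report: drop every role the user has on the project."""
        self.roles.pop((user_id, project_id), None)

    def issue_token(self, user_id, project_id=None):
        """Step 1 of the report: hand out a (project-scoped) token."""
        if project_id is not None and not self.roles.get((user_id, project_id)):
            raise PermissionError("user has no role on project; cannot scope")
        token_id = "tok-%d" % next(self._ids)
        self.tokens[token_id] = Token(user_id, project_id)
        return token_id

    def _is_valid(self, token_id):
        tok = self.tokens.get(token_id)
        if tok is None:
            return False
        if tok.project_id is None:
            return True
        return bool(self.roles.get((tok.user_id, tok.project_id)))

    def validate(self, x_auth_token, x_subject_token):
        """Step 3: 401 only for a bad caller token, otherwise judge the subject."""
        self.validate_calls += 1
        if not self._is_valid(x_auth_token):
            return 401
        if not self._is_valid(x_subject_token):
            return self.subject_invalid_status
        return 200


class AuthTokenMiddlewareModel:
    """Toy middleware (assumption: stand-in for keystonemiddleware.auth_token).

    Only 404 marks the subject token invalid and is cached. A 401 is taken to
    mean the middleware's own service token is bad, so it re-authenticates the
    service user and retries once (assumed behaviour); a second 401 is reported
    as a service error and nothing is cached, so the next request starts over.
    """

    def __init__(self, identity, service_user, service_project):
        self.identity = identity
        self.service_user = service_user
        self.service_project = service_project
        self.service_token = None
        self.service_logins = 0   # churn counter: re-authentications of the service user
        self.invalid_cache = set()

    def _login_service_user(self):
        self.service_logins += 1
        self.service_token = self.identity.issue_token(self.service_user, self.service_project)

    def check(self, subject_token):
        if subject_token in self.invalid_cache:
            return "invalid (cached)"
        if self.service_token is None:
            self._login_service_user()
        status = self.identity.validate(self.service_token, subject_token)
        if status == 401:
            self._login_service_user()
            status = self.identity.validate(self.service_token, subject_token)
            if status == 401:
                return "service error"
        if status == 404:
            self.invalid_cache.add(subject_token)
            return "invalid"
        return "valid"


def reproduce(subject_invalid_status, requests=5):
    """Run the report's three steps, then validate the dead token ``requests`` times.

    Returns (per-request results, service-user logins, identity validate calls).
    """
    ks = IdentityModel(subject_invalid_status)
    ks.grant_role("svc", "service", "admin")   # constructed service user
    ks.grant_role("alice", "demo", "member")   # constructed end user
    mw = AuthTokenMiddlewareModel(ks, "svc", "service")
    user_token = ks.issue_token("alice", "demo")      # 1. project-scoped token
    assert mw.check(user_token) == "valid"
    ks.revoke_all_roles("alice", "demo")              # 2. remove all roles
    results = [mw.check(user_token) for _ in range(requests)]  # 3. validate
    return results, mw.service_logins, ks.validate_calls


if __name__ == "__main__":
    for status in (404, 401):
        print("subject-invalid status %d -> results=%s logins=%d validate_calls=%d"
              % ((status,) + reproduce(status)))
```

With the spec-conforming 404 the middleware learns once that the token is dead and serves the remaining requests from its cache; with the reported 401 every request re-authenticates the service user and hits the identity service twice, which is the churn the report describes.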

