
yahoo-eng-team team mailing list archive

[Bug 1541621] Re: Invalid fernet X-Subject-Token token should result in 404 instead of 401


Reviewed:  https://review.openstack.org/277436
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f1792f4089ccf28ec870104d0853e7fba242f24c
Submitter: Jenkins
Branch:    master

commit f1792f4089ccf28ec870104d0853e7fba242f24c
Author: Raildo Mascena <raildo@xxxxxxxxxxxxxxx>
Date:   Mon Feb 8 14:58:34 2016 +0000

    Return 404 instead of 401 for tokens w/o roles
    
    If a scoped-token was validated and the user didn't have any role assignment
    on a project, keystone would return a 401 Unauthorized. This was the
    case when the fernet token provider was enabled because the reference is
    rebuilt on every request. The uuid token provider has a different behavior - if
    the token isn't found in the backend a 404 Not Found is returned. Furthermore,
    for persisted tokens, any validation error will result in 404, such as in the
    case where the user no longer has any roles assigned for the given scope.
    
    These two behaviors should be consistent regardless of the token provider.
    
    Closes-Bug: 1541621
    Change-Id: If9fd6060ed13a7c03ab8d70ebed1adecafef9160


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541621

Title:
  Invalid fernet X-Subject-Token token should result in 404 instead of
  401

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  When a scoped fernet token is no longer valid (i.e. all the roles had
  been removed from the scope), token validation should result in 404
  instead of 401. According to Keystone V3 API spec, 401 is returned
  only if X-Auth-Token is invalid [0]. Invalid X-Subject-Token should
  yield 404. Furthermore, auth_token middleware only treats 404 as an
  invalid subject token and caches it accordingly [1]. An improper 401 will
  cause unnecessary churn as the middleware will repeatedly attempt to
  re-authenticate the service user.

  To reproduce the problem:

  1. get a project scoped token
  2. remove all the roles assigned to the user for that project
  3. attempt to validate that project-scoped token will result in 401

  [0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#401-unauthorized
  [1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541621/+subscriptions
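As an added illustration of why the status code matters (this is a constructed model, not code from keystone or keystonemiddleware): the middleware below treats 401 as "my own service token is bad, re-authenticate and retry" and 404 as "the subject token is invalid, cache that", and the helper counts how often the service user is re-authenticated when one invalid token is checked repeatedly. The FakeIdentity server, the Middleware class and the token strings are assumptions.

```python
class FakeIdentity:
    """Constructed stand-in for keystone's token validation endpoint.

    invalid_status is what the server returns for a scoped token whose user
    has lost all roles on the scope: 401 (the bug) or 404 (the fix).
    """
    def __init__(self, invalid_status, valid_tokens):
        self.invalid_status = invalid_status
        self.valid_tokens = set(valid_tokens)
        self.auth_calls = 0  # how often the service user authenticated

    def authenticate_service_user(self):
        self.auth_calls += 1
        return "service-token"

    def validate(self, auth_token, subject_token):
        if auth_token != "service-token":
            return 401  # the X-Auth-Token itself is bad
        return 200 if subject_token in self.valid_tokens else self.invalid_status


class Middleware:
    """Simplified model of auth_token status handling (an assumption, not the real code)."""
    def __init__(self, identity):
        self.identity = identity
        self.service_token = None
        self.invalid_cache = set()  # only 404 results are cached as invalid

    def check(self, subject_token):
        if subject_token in self.invalid_cache:
            return "rejected (cached)"
        if self.service_token is None:
            self.service_token = self.identity.authenticate_service_user()
        status = self.identity.validate(self.service_token, subject_token)
        if status == 401:
            # 401 is read as "service token expired": re-authenticate and retry once
            self.service_token = self.identity.authenticate_service_user()
            status = self.identity.validate(self.service_token, subject_token)
        if status == 404:
            self.invalid_cache.add(subject_token)
            return "rejected"
        return "accepted" if status == 200 else "error %d" % status


def churn_for(invalid_status, attempts=3):
    """Service-user auth count and per-request outcome for one invalid token."""
    identity = FakeIdentity(invalid_status, valid_tokens={"good"})
    mw = Middleware(identity)
    outcomes = [mw.check("revoked") for _ in range(attempts)]
    return identity.auth_calls, outcomes
```

With a server that answers 401, every check of the revoked token triggers another service-user authentication and never reaches the invalid cache; with 404, the token is cached after the first check and the service user authenticates once.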
