yahoo-eng-team team mailing list archive
Message #47464
[Bug 1541621] Re: Invalid fernet X-Subject-Token token should result in 404 instead of 401
** Also affects: keystone/liberty
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1541621
Title:
Invalid fernet X-Subject-Token token should result in 404 instead of
401
Status in OpenStack Identity (keystone):
Fix Released
Status in OpenStack Identity (keystone) liberty series:
New
Bug description:
When a scoped fernet token is no longer valid (i.e. all the roles had
been removed from the scope), token validation should result in 404
instead of 401. According to Keystone V3 API spec, 401 is returned
only if X-Auth-Token is invalid [0]. Invalid X-Subject-Token should
yield 404. Furthermore, auth_token middleware only treats 404 as an
invalid subject token and caches it accordingly [1]. An improper 401 will
cause unnecessary churn as the middleware will repeatedly attempt to re-
authenticate the service user.
To reproduce the problem:
1. get a project scoped token
2. remove all the roles assigned to the user for that project
3. attempting to validate that project-scoped token will result in 401
[0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#401-unauthorized
[1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215
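The following is an added model of the status-code contract described above; it is constructed for illustration and is not keystone or keystonemiddleware code. `IdentityServer`, `AuthTokenMiddleware`, `simulate` and the sample token and role data are all hypothetical. It replays the three reproduction steps with the buggy (401) and corrected (404) behaviour side by side and shows why only the 404 stops the re-authentication churn.

```python
"""Toy model of the status-code contract in bug 1541621 (constructed, not keystone code)."""
from typing import Dict, Set, Tuple

OK, UNAUTHORIZED, NOT_FOUND = 200, 401, 404


class IdentityServer:
    """Hypothetical stand-in for keystone token validation (GET /v3/auth/tokens)."""

    def __init__(self, service_token: str, fixed: bool):
        self.service_token = service_token
        self.fixed = fixed            # False reproduces the bug, True the corrected contract
        self.tokens: Dict[str, Tuple[str, str]] = {}       # token id -> (user, project)
        self.roles: Dict[Tuple[str, str], Set[str]] = {}   # (user, project) -> roles
        self.calls = 0

    def validate(self, x_auth_token: str, x_subject_token: str) -> int:
        self.calls += 1
        if x_auth_token != self.service_token:            # caller's own X-Auth-Token is invalid
            return UNAUTHORIZED
        scope = self.tokens.get(x_subject_token)
        if scope is None or not self.roles.get(scope):    # unknown token, or all roles removed
            # With the bug, a scope that lost all its roles was reported as 401 instead of 404.
            return NOT_FOUND if (self.fixed or scope is None) else UNAUTHORIZED
        return OK


class AuthTokenMiddleware:
    """Hypothetical model of auth_token: caches 404 as invalid, treats 401 as its own credentials failing."""

    def __init__(self, server: IdentityServer):
        self.server, self.invalid = server, set()
        self.reauths = 0

    def check(self, subject_token: str) -> int:
        if subject_token in self.invalid:
            return NOT_FOUND                     # served from the invalid-token cache, no server call
        status = self.server.validate(self.server.service_token, subject_token)
        if status == NOT_FOUND:
            self.invalid.add(subject_token)      # only 404 is cached as "invalid subject token"
        elif status == UNAUTHORIZED:
            self.reauths += 1                    # 401 is blamed on the service user: re-authenticate
        return status


def simulate(fixed: bool, attempts: int = 3) -> Tuple[int, int, int]:
    """Replay the report's steps; returns (last status, re-auth count, server calls)."""
    server = IdentityServer("service-secret", fixed)
    server.tokens["tok-alice"] = ("alice", "proj")        # step 1: project-scoped token (constructed)
    server.roles[("alice", "proj")] = set()                # step 2: all roles removed from the scope
    mw = AuthTokenMiddleware(server)
    status = [mw.check("tok-alice") for _ in range(attempts)][-1]   # step 3: validate repeatedly
    return status, mw.reauths, server.calls
```

With the bug every validation hits the server and triggers a re-authentication; with the fix the first 404 is cached and later checks never reach the server.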
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1541621/+subscriptions