yahoo-eng-team team mailing list archive
Message #63227
[Bug 1682621] [NEW] http 404 instead of 403 for role with read but not write access
Public bug reported:
While attempting DELETE on /networks and /routers I found I was getting
an HTTPNotFound error instead of PolicyNotAuthorized. The role I'm
testing has read access. Calls to GET for the network or router in
question are successful. Since the user has GET ability, I'd expect a
more accurate error when attempting a DELETE.
Steps to reproduce
1. Create a neutron network and/or router
2. Set a user to have a role whose policy allows get_network and get_router but not delete_network or delete_router ability
3. Confirm GET calls from the user for /network and /router are successful
4. Attempt DELETE call on the network created in step 1.
Expected Results:
1. DELETE call is unsuccessful and returns http 403 and PolicyNotAuthorized (or equivalent)
Actual Results:
1. DELETE call is unsuccessful and returns http 404 HTTPNotFound
Issue discovered using an early April ocata build, but likely has existed for a while.
Note: There may be other endpoints where this occurs. So far I've just noticed it in the two mentioned but I have not searched extensively. I see the try/catch with except oslo_policy.PolicyNotAuthorized in several places.
** Affects: neutron
Importance: Undecided
Assignee: Matthew Edmonds (edmondsw)
Status: New
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1682621
Title:
http 404 instead of 403 for role with read but not write access
Status in neutron:
New
To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1682621/+subscriptions
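The status-code question the report raises can be modelled in a few lines. The following is an added example, not neutron or oslo.policy code: it uses a constructed policy table and resource store, with hypothetical names (`enforce`, `delete_network_naive`, `delete_network_fixed`), to contrast the behaviour described in the report (every policy denial on a write becomes 404, so that callers who cannot see a resource learn nothing about its existence) with the behaviour the report expects (403 when the same caller is already allowed the matching `get_*` action, so nothing new is disclosed by saying so).

```python
"""Model of mapping a policy denial to an HTTP status.

Added example, not neutron or oslo.policy code. Policy rules, contexts and
the resource store below are constructed for illustration.
"""


class PolicyNotAuthorized(Exception):
    """Stand-in for the oslo_policy exception a denied rule raises."""


# Constructed policy: admin or owner may do anything, a "reader" role may
# only read. Each rule takes (context, target) and returns True if allowed.
def _admin_or_owner(ctx, tgt):
    return ctx["is_admin"] or ctx["tenant_id"] == tgt["tenant_id"]


POLICY = {
    "get_network": lambda ctx, tgt: _admin_or_owner(ctx, tgt) or "reader" in ctx["roles"],
    "delete_network": _admin_or_owner,
}

# Constructed resource store; the model never mutates it.
NETWORKS = {"net-1": {"id": "net-1", "tenant_id": "tenant-a"}}


def enforce(action, context, target):
    """Raise PolicyNotAuthorized unless the rule for `action` allows it."""
    rule = POLICY.get(action)
    if rule is None or not rule(context, target):
        raise PolicyNotAuthorized(action)


def get_network(context, net_id):
    """Read path: 404 for unknown or invisible resources, else 200."""
    target = NETWORKS.get(net_id)
    if target is None:
        return 404
    try:
        enforce("get_network", context, target)
    except PolicyNotAuthorized:
        return 404
    return 200


def delete_network_naive(context, net_id):
    """Behaviour the report describes: any denial on DELETE becomes 404."""
    target = NETWORKS.get(net_id)
    if target is None:
        return 404
    try:
        enforce("delete_network", context, target)
    except PolicyNotAuthorized:
        return 404
    return 204


def delete_network_fixed(context, net_id):
    """Behaviour the report expects: 403 when the caller may read the target.

    404 is kept for callers who cannot read it, so a denied DELETE still
    does not reveal whether the resource exists.
    """
    target = NETWORKS.get(net_id)
    if target is None:
        return 404
    try:
        enforce("delete_network", context, target)
    except PolicyNotAuthorized:
        try:
            enforce("get_network", context, target)
        except PolicyNotAuthorized:
            return 404  # caller cannot see it: say nothing about existence
        return 403      # caller can already see it: an honest denial leaks nothing
    return 204


# Constructed caller contexts.
READER = {"tenant_id": "tenant-b", "roles": ["reader"], "is_admin": False}
STRANGER = {"tenant_id": "tenant-b", "roles": [], "is_admin": False}
OWNER = {"tenant_id": "tenant-a", "roles": ["member"], "is_admin": False}


if __name__ == "__main__":
    print("reader GET    :", get_network(READER, "net-1"))          # 200
    print("reader DELETE (naive):", delete_network_naive(READER, "net-1"))  # 404
    print("reader DELETE (fixed):", delete_network_fixed(READER, "net-1"))  # 403
    print("stranger DELETE (fixed):", delete_network_fixed(STRANGER, "net-1"))  # 404
    print("owner DELETE (fixed):", delete_network_fixed(OWNER, "net-1"))    # 204
```

The fixed variant keeps the existence-hiding property for callers who fail the read rule and only changes the answer for callers to whom the resource is already visible, which is exactly the case the report describes (GET succeeds, DELETE is denied).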