
yahoo-eng-team team mailing list archive

[Bug 1682621] Re: http 404 instead of 403 for role with read but not write access


Reviewed:  https://review.openstack.org/456894
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=2ae14cc9adcfd35357008f77c62d67ed19c0278a
Submitter: Jenkins
Branch:    master

commit 2ae14cc9adcfd35357008f77c62d67ed19c0278a
Author: Matthew Edmonds <edmondsw@xxxxxxxxxx>
Date:   Fri Apr 14 08:22:43 2017 -0400

    fix overaggressive 403->404 conversion
    
    When a user is not authorized to see a given resource, we need to
    convert HTTP 403s into HTTP 404s to avoid giving away information
    that the resource exists. However, the previous code was being
    overaggressive and doing this conversion even in some cases where
    the user is allowed to see the resource and really needs to know
    that what they were trying to do is forbidden, not be told that the
    resource doesn't exist. This fixes that logic to only do the 403
    to 404 conversion when truly appropriate.
    
    Change-Id: I7a5b0a9e89c8a71490dd74497794a52489f46cd2
    Closes-Bug: 1682621


** Changed in: neutron
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1682621

Title:
  http 404 instead of 403 for role with read but not write access

Status in neutron:
  Fix Released

Bug description:
  While attempting DELETE on /networks and /routers I found I was
  getting a HTTPNotFound error instead of PolicyNotAuthorized. The role
  I'm testing has read access. Calls to GET for the network or router in
  question are successful. Since the user has GET ability, I'd expect a
  more accurate error when attempting a DELETE.

  Steps to reproduce
  1. Create a neutron network and/or router
  2. Set a user to have a role whose policy allows get_network and get_router but not delete_network or delete_router ability
  3. Confirm GET calls from the user for /network and /router are successful
  4. Attempt DELETE call on the network created in step 1.

  Expected Results:
  1. DELETE call is unsuccessful and returns http 403 and PolicyNotAuthorized (or equivalent)

  Actual Results:
  1. DELETE call is unsuccessful and returns http 404 HTTPNotFound

  Issue discovered using an early April ocata build, but likely has existed for a while.
  Note: There may be other endpoints where this occurs. So far I've just noticed it in the two mentioned but I have not searched extensively. I see the try/catch with except oslo_policy.PolicyNotAuthorized in several places.

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1682621/+subscriptions
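The decision the commit message describes, as an added example that is not neutron's own code: a minimal model in which a forbidden action is reported as 404 only when the caller also lacks the corresponding `get_` permission. The policy table, roles and helper names here are constructed for illustration.

```python
# Added example (not neutron's code): model of the 403 -> 404 conversion
# from bug 1682621. Policy table and roles are constructed inline.
from dataclasses import dataclass, field


@dataclass
class Context:
    user: str
    roles: set = field(default_factory=set)


# Constructed policy table: action -> roles allowed to perform it.
POLICY = {
    "get_network": {"reader", "admin"},
    "delete_network": {"admin"},
    "get_router": {"reader", "admin"},
    "delete_router": {"admin"},
}


def policy_allows(ctx, action):
    """True when one of the caller's roles is permitted to run `action`."""
    return bool(POLICY.get(action, set()) & ctx.roles)


def handle_action_overaggressive(ctx, resource, action, exists=True):
    """Buggy behaviour from the report: every policy failure became 404."""
    if not exists:
        return 404
    if policy_allows(ctx, f"{action}_{resource}"):
        return 200
    return 404  # bug: hides the resource even from users who may read it


def handle_action(ctx, resource, action, exists=True):
    """Fixed behaviour: convert 403 to 404 only if the caller cannot
    see the resource (the get_<resource> check fails)."""
    if not exists:
        return 404
    if policy_allows(ctx, f"{action}_{resource}"):
        return 200
    if policy_allows(ctx, f"get_{resource}"):
        return 403  # caller may read it, so say "forbidden"
    return 404  # caller may not read it, so do not reveal existence
```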

