On 03/11/2014 11:42 AM, Sudipta Biswas3 wrote:
Hi all,
I'm hitting a scenario where, a user runs an action against an object
in neutron for which they don't have the authority to perform the
action(perhaps their role allows read of the object, but not update).
The following returned to back to the user when such an action is
performed: "The resource could not be found". This can be confusing
to users. For example, basic users may not have the privilege to edit
a network and attempts doing that but ends up getting the resource not
found message, even though they have read privileges.
This is a confusing message because the object they just read in is
now stating that it does not exist. This is not true, the root issue
is that they do not have authority to it. One can argue that for
security reasons, we should state that the object does not exist.
However, it creates a odd scenario where you have certain roles that
can read an object, but then not create/update/delete it.
I have filed a community bug for the same:
https://bugs.launchpad.net/neutron/+bug/1290895
I'm proposing that we change the message to "The resource could not be
found or user's role does not have sufficient privileges to run the
operation."
Ther is a serious security concern with people probing for information
that they do not have access too. The 404 is a way to make it
impossible to distinguish between "the object does not exist" and "it
exists but it does not belong to you."
I'm sending to the mailing list to see if there are any discussion
points against making this change.
Thanks,
Sudipto
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
_______________________________________________
OpenStack-dev mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
