On Oct 6, 2014, at 12:35 PM, Eddie Sheffield <eddie.sheffi...@rackspace.com> 
wrote:

> I encountered an interesting situation with Glance policies. Basically we 
> have a situation where users in certain roles are not allowed to make certain 
> calls at all. In this specific case, we don't want users in those roles 
> listing or viewing members. When listing members, these users receive a 403 
> (Forbidden) but when showing an individual member the users receive 404 (Not 
> Found).
> 
> So the problem is that there are a couple of situations here and we don't 
> (can't?) distinguish the exact intent:
> 
> 1) A user IS allowed to make the call but isn't allowed to see a particular 
> member - in that case 404 makes sense because a 403 could imply the user 
> actually is there, you just can't look see them directly.
> 
> 2) A user IS NOT allowed to make the call at all. In this case a 403 makes 
> more sense because the user is forbidden at the call level.
> 
> At this point I'm mainly trying to spark some conversation on this. This 
> feels a bit inconsistent if users get 403 for a whole set of calls they are 
> barred from but 404 for others which are "sub" calls of the others (e.g. 
> listing members vs. showing a specific one.) But I don't have a specific 
> proposals at this time - first I'm trying to find out if others feel this is 
> a problem which should be addressed. If so I'm willing to work on a blueprint 
> and implementation

Generally you use a 404 to make sure no information is exposed about whether 
the user actually exists, but in the case of 2) I agree that a 403 is 
appropriate. It may be that 404 was used there because the same code path is 
taken in both cases.

Vish

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Reply via email to