Eddie,

+1 on glance-spec

We might want to define the scope. How far are we diverging from OpenStack 
policy structure? Are there any other use cases which need policy changes? - 
some questions which come to my mind.

Thanks,
-Nikhil
________________________________
From: Eddie Sheffield [eddie.sheffi...@rackspace.com]
Sent: Monday, October 06, 2014 3:35 PM
To: OpenStack Dev List
Subject: [openstack-dev] [Glance] Granularity of policies

I encountered an interesting situation with Glance policies. Basically we have 
a situation where users in certain roles are not allowed to make certain calls 
at all. In this specific case, we don't want users in those roles listing or 
viewing members. When listing members, these users receive a 403 (Forbidden) 
but when showing an individual member the users receive 404 (Not Found).

So the problem is that there are a couple of situations here and we don't 
(can't?) distinguish the exact intent:

1) A user IS allowed to make the call but isn't allowed to see a particular 
member - in that case 404 makes sense because a 403 could imply the user 
actually is there, you just can't look at them directly.

2) A user IS NOT allowed to make the call at all. In this case a 403 makes more 
sense because the user is forbidden at the call level.

At this point I'm mainly trying to spark some conversation on this. This feels 
a bit inconsistent if users get 403 for a whole set of calls they are barred 
from but 404 for others which are "sub" calls of the others (e.g. listing 
members vs. showing a specific one.) But I don't have a specific proposal at 
this time - first I'm trying to find out if others feel this is a problem which 
should be addressed. If so I'm willing to work on a blueprint and 
implementation.

- Eddie
_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
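The two cases Eddie separates (barred from the call entirely vs. allowed to call but not allowed to see one record) can be modelled as two distinct checks, one before the handler runs and one per resource. The following is an added, constructed illustration, not Glance code and not oslo.policy's API: the policy table, rule names, roles, the Context/Image types and the visibility rule are all hypothetical. A call-level failure maps to 403; a resource-level failure maps to 404, so a hidden member and a nonexistent member are indistinguishable to the caller, which is the information-hiding property case 1 relies on.

```python
"""Constructed example: call-level (403) vs. resource-level (404) policy checks.

Not Glance's real implementation; all names and the policy table are assumptions.
"""
from dataclasses import dataclass


class Forbidden(Exception):
    """Role may not make this API call at all -> HTTP 403."""
    status = 403


class NotFound(Exception):
    """Resource is absent OR hidden from this caller -> HTTP 404 either way."""
    status = 404


# Hypothetical policy table: rule name -> roles allowed to invoke the call.
POLICY = {
    "get_members": {"admin", "member_reader"},
    "get_member": {"admin", "member_reader"},
}


@dataclass(frozen=True)
class Context:
    user_id: str
    roles: frozenset


@dataclass
class Image:
    owner: str
    members: dict  # member_id -> membership status (constructed shape)


def enforce(ctx: Context, rule: str) -> None:
    """Call-level check (case 2): if none of the caller's roles may invoke the
    rule, the whole call is forbidden regardless of which resource is named."""
    if not POLICY[rule] & ctx.roles:
        raise Forbidden(rule)


def member_visible(ctx: Context, image: Image, member_id: str) -> bool:
    """Resource-level check (case 1): admins and the image owner see every
    member record; an ordinary member sees only their own entry."""
    return ("admin" in ctx.roles
            or ctx.user_id == image.owner
            or ctx.user_id == member_id)


def list_members(ctx: Context, image: Image) -> list:
    enforce(ctx, "get_members")  # 403 if the role is barred from listing
    # Hidden entries are silently filtered rather than reported.
    return [m for m in image.members if member_visible(ctx, image, m)]


def show_member(ctx: Context, image: Image, member_id: str) -> dict:
    enforce(ctx, "get_member")  # 403 if the role is barred from the call
    # Absent and hidden collapse into the same 404 so the response does not
    # reveal whether the member exists.
    if member_id not in image.members or not member_visible(ctx, image, member_id):
        raise NotFound(member_id)
    return {"member_id": member_id, "status": image.members[member_id]}


def status_of(fn, *args) -> int:
    """Return the HTTP status a handler would produce for this call."""
    try:
        fn(*args)
        return 200
    except (Forbidden, NotFound) as exc:
        return exc.status


if __name__ == "__main__":
    # Constructed sample data.
    img = Image(owner="alice", members={"bob": "accepted", "carol": "pending"})
    barred = Context("dave", frozenset({"restricted"}))
    bob = Context("bob", frozenset({"member_reader"}))
    print("barred list:", status_of(list_members, barred, img))       # 403
    print("barred show:", status_of(show_member, barred, img, "bob"))  # 403
    print("bob sees carol:", status_of(show_member, bob, img, "carol"))  # 404
    print("bob sees zed:", status_of(show_member, bob, img, "zed"))      # 404
    print("bob sees self:", status_of(show_member, bob, img, "bob"))     # 200
```

With this split, a role barred from member calls gets 403 from both the list and the show endpoint, and the 404 is reserved for callers who may make the call but may not see that particular record; the inconsistency Eddie describes arises when the show endpoint skips the first check and goes straight to the second.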
