Re: Review Request 42027: Changed HTTP responses from Unauthorized (401) to Forbidden (403).

Alexander Rojas Wed, 20 Jan 2016 06:03:50 -0800

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42027/
-----------------------------------------------------------


(Updated Jan. 20, 2016, 3:03 p.m.)


Review request for mesos, Alexander Rukletsov, Greg Mann, Joerg Schad, Jan 
Schlicht, and Till Toenshoff.


Bugs: MESOS-4305
    https://issues.apache.org/jira/browse/MESOS-4305


Repository: mesos


Description (updated)
-------

It is a common pattern within Mesos to return an HTTP 401 (Unauthorized) 
response whenever the request is invalid for whatever reason. However, 
according to the [RFC-2617 Section 
1.2](https://tools.ietf.org/html/rfc2617#section-1.2):
> The 401 (Unauthorized) response message is used by an origin server  to 
> challenge the authorization of a user agent. This response MUST include a 
> WWW-Authenticate header field containing at least one challenge applicable to 
> the requested resource.

Meaning that despite the confusing name, the status code _401 Unauthorized_ 
should be used only for authentication purposes. On the other hand, the 
[RFC-2616 Section 
10.4.4](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4) 
states:
> _(403 Forbidden is returned when)_ The server understood the request, but is 
> refusing to fulfill it. Authorization will not help and the request SHOULD 
> NOT be repeated. If the request method was not HEAD and the server wishes to 
> make public why the request has not been fulfilled, it SHOULD describe the 
> reason for the refusal in the entity. If the server does not wish to make 
> this information available to the client, the status code 404 (Not Found) can 
> be used instead.

As such, _403 (Forbidden)_ seems to be a better return code when replying 
inside endpoint handlers, while _401 (Unauthorized)_ should be left to the HTTP 
Authenticators only.


Diffs
-----

  docs/authorization.md a928f1722dc67cd791d78ebbe4591f2e8f2e8f2a 
  src/master/http.cpp 34a70ee50553492fc8c3947497ab5922f4379d72 
  src/master/quota_handler.cpp f44736cd5849d4fb22a75c1238d433a1c0c9708d 
  src/tests/master_quota_tests.cpp e8cb074c2913cafdc6b1792896f29e53f1210c9d 
  src/tests/persistent_volume_endpoints_tests.cpp 
f0cce190abc90f0fae84d6c3db20e8215c2d8132 
  src/tests/reservation_endpoints_tests.cpp 
b8edd6fafedd4c2221a8d19c1ebc71254071a8c7 
  src/tests/scheduler_http_api_tests.cpp 
143bd414c6d9ad0b7b7c23c390b7d497e4be3e6d 
  src/tests/teardown_tests.cpp 97cc89ba168aefff8512f6d1a25c4f7ddf180bae 

Diff: https://reviews.apache.org/r/42027/diff/


Testing
-------

make check


Thanks,

Alexander Rojas

Re: Review Request 42027: Changed HTTP responses from Unauthorized (401) to Forbidden (403).

Reply via email to