Reviewed: https://review.openstack.org/277436 Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f1792f4089ccf28ec870104d0853e7fba242f24c Submitter: Jenkins Branch: master
commit f1792f4089ccf28ec870104d0853e7fba242f24c Author: Raildo Mascena <[email protected]> Date: Mon Feb 8 14:58:34 2016 +0000 Return 404 instead of 401 for tokens w/o roles If a scoped-token was validated and the user didn't have any role assignment on a project, keystone would return a 401 Unauthorized. This was the case when the fernet token provider was enabled because the reference is rebuilt on every request. The uuid token provider has a different behavior - if the token isn't found in the backend a 404 Not Found is returned. Furthermore, for persisted tokens, any validation error will result in 404, such as in the case where user no longer have any roles assigned for the given scope. These two behaviors should be consistent regardless of the token provider. Closes-Bug: 1541621 Change-Id: If9fd6060ed13a7c03ab8d70ebed1adecafef9160 ** Changed in: keystone Status: In Progress => Fix Released -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1541621 Title: Invalid fernet X-Subject-Token token should result in 404 instead of 401 Status in OpenStack Identity (keystone): Fix Released Bug description: When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid [0]. Invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treat 404 as invalid subject token and cache it accordingly [1]. Improper 401 will cause unnecessary churn as middleware will repeatedly attempt to re- authenticate the service user. To reproduce the problem: 1. get a project scoped token 2. remove all the roles assigned to the user for that project 3. attempt to validate that project-scoped token will result in 401 [0] https://github.com/openstack/keystone-specs/blob/master/api/v3/identity-api-v3.rst#401-unauthorized [1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/_identity.py#L215 To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1541621/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
