[api]verify env template may return wrong http response

Bug #1477013 reported by Lei Zhang
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Murano | Fix Released | Medium | Akanksha Srivastava |

Bug Description

In murano/utils, there is a verify_env_template decorator. If the request tenant doesn't match the environment template's tenant, a 401 HTTPUnauthorized is raised; it should raise a 403 Forbidden instead.

Same is true for both verify_env_template and verify_env decorators

Kirill Zaitsev (kzaitsev) wrote :

Same is true for both verify_env_template and verify_env decorators

tags: added: api
description: updated
tags: added: low-hanging-fruit
Changed in murano:
status: New → Triaged
Kirill Zaitsev (kzaitsev) wrote :

Would also be nice to check and update documentation on this one =)

Lei Zhang (lei-a-zhang) wrote :

Not only those two decorators; there is some duplicate API code that also does the verification work, so it is better to grep for HTTPUnauthorized to make sure it is used in the right place.

Lei Zhang (lei-a-zhang)
Changed in murano:
assignee: nobody → Lei Zhang (lei-a-zhang)
Changed in murano:
importance: Undecided → Medium
milestone: none → 2015.1.1
OpenStack Infra (hudson-openstack) wrote : Fix proposed to murano (master)

Fix proposed to branch: master
Review: https://review.openstack.org/238269

Changed in murano:
assignee: Lei Zhang (lei-a-zhang) → Akanksha Srivastava (akanksha-dlf)
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to murano (master)

Reviewed: https://review.openstack.org/238269
Committed: https://git.openstack.org/cgit/openstack/murano/commit/?id=1ca86fd4187e18086807505a95869d3b71538f28
Submitter: Jenkins
Branch: master

commit 1ca86fd4187e18086807505a95869d3b71538f28
Author: Akanksha <email address hidden>
Date: Thu Oct 22 04:19:36 2015 +0530

    Return 403 instead of 401 HTTP Response

    401 Unauthorized is the HTTP status code used for authentication
    errors, e.g. missing or bad authentication. 403 Forbidden
    response is used for denying permission to access resources
    for a correctly authenticated user.
    This fix corrects the mistake in the api.

    Change-Id: I0903b226cfe32a7aed69d265a27ca21d7cc9b98e
    Closes-Bug:1477013

Changed in murano:
status: In Progress → Fix Committed
Changed in murano:
status: Fix Committed → Fix Released
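
The 401/403 distinction from the commit message, as an added example that is not Murano's code: a tenant-ownership decorator over a constructed in-memory store. The exception classes, `verify_owner`, `show`, `status_of`, the request dict and the sample environments are all hypothetical stand-ins.

```python
import functools

# Hypothetical stand-ins for a web framework's HTTP exceptions.
class HTTPError(Exception):
    status = 500

class HTTPUnauthorized(HTTPError):
    status = 401  # no usable credentials: the caller must authenticate

class HTTPForbidden(HTTPError):
    status = 403  # authenticated, but not permitted to touch this resource

class HTTPNotFound(HTTPError):
    status = 404

# Constructed sample data: environment id -> owning tenant.
ENVIRONMENTS = {"env-1": "tenant-a", "env-2": "tenant-b"}


def verify_owner(func):
    """Reject requests for environments owned by another tenant."""
    @functools.wraps(func)
    def inner(request, environment_id, *args, **kwargs):
        tenant = request.get("tenant")
        if not tenant:
            # Nothing identifies the caller: this is the real 401 case.
            raise HTTPUnauthorized("authentication required")
        owner = ENVIRONMENTS.get(environment_id)
        if owner is None:
            raise HTTPNotFound(environment_id)
        if owner != tenant:
            # Identity is known; re-authenticating cannot help, so 403.
            raise HTTPForbidden("environment belongs to another tenant")
        return func(request, environment_id, *args, **kwargs)
    return inner


@verify_owner
def show(request, environment_id):
    return {"id": environment_id, "tenant": request["tenant"]}


def status_of(request, environment_id):
    """Return the HTTP status a client would see for this call."""
    try:
        show(request, environment_id)
        return 200
    except HTTPError as e:
        return e.status
```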