Comment 8 for bug 1121494
Revision history for this message
| Dolph Mathews (dolph) wrote Re: EC2 authentication does not ensure user or tenant is enabled | #8 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
67d34a1
(Get the code!)
Hrm, I'd support that, but it's up to ttx. In this specific example, you could make the same call without a tenant to verify that authentication is succeeding, but then the only possibility for raising a 401 is that you're not authorized on the specified tenant... so I don't see any unnecessary exposure. However, I'd +1 for correcting it as part of this patch (I'd rather be on the safe side); it's not an issue worth distinctly tracking, IMO. Here's the line referenced above:
https:/
Looking through the same code, there's two other 401's that should really be 400's. There's also this:
https:/
... which I'm not sure represents an exposure or not. I'm guessing not, because either the auth will succeed or fail there without any granularity.