When validating a trust scoped token, raise 404 instead of 403 if trustor is disabled

Bug #1432892 reported by Samuel de Medeiros Queiroz
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Triaged
Importance: Medium
Assigned to: Unassigned

Bug Description

Any validation error that occurs when checking a token should be caught and re-raised as 404 NotFound (TokenNotFound), as we currently do for v2 tokens [1].

For example, when validating a trust scoped token with disabled trustor, a 403 Forbidden exception with message 'Trustor is disabled.' is raised. This exception is appropriate when issuing tokens, but not when validating them.

[1] https://github.com/openstack/keystone/blob/25d742ada803d8501e7c004242a625efd07fcaf6/keystone/token/providers/common.py#L618-L620
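The behaviour requested in the description, as an added example (not keystone code and not part of the report): the same trustor check raises 403 on the issuing path, while the validation path re-raises any failure as a 404 that does not disclose the reason. All class, function and data names here are hypothetical, and the users, trusts and tokens are constructed sample data.

```python
class Forbidden(Exception):
    code = 403


class TokenNotFound(Exception):
    code = 404

    def __init__(self, token_id):
        # Deliberately generic: the caller learns only that the token is unusable.
        super().__init__(f"Could not find token: {token_id}")


# Constructed sample data (hypothetical, not from keystone).
USERS = {"alice": {"enabled": False}, "bob": {"enabled": True}}
TRUSTS = {"t1": {"trustor": "alice"}, "t2": {"trustor": "bob"}}
TOKENS = {"tok-1": {"trust_id": "t1"}, "tok-2": {"trust_id": "t2"}}


def check_trustor_enabled(trust_id):
    """Shared check used by both the issuing and the validation path."""
    trustor = TRUSTS[trust_id]["trustor"]
    if not USERS[trustor]["enabled"]:
        raise Forbidden("Trustor is disabled.")


def issue_trust_token(trust_id):
    # Issuing: the requester is a party to the trust, so 403 with a reason is fine.
    check_trustor_enabled(trust_id)
    return {"trust_id": trust_id}


def validate_token(token_id):
    # Validating: every failure is reported the same way, as TokenNotFound.
    try:
        token = TOKENS[token_id]
        check_trustor_enabled(token["trust_id"])
        return token
    except (KeyError, Forbidden) as exc:
        # 'from exc' keeps the real cause available for server-side logging.
        raise TokenNotFound(token_id) from exc


def status_for(func, arg):
    """Return the HTTP status a caller would see for func(arg)."""
    try:
        func(arg)
        return 200
    except (Forbidden, TokenNotFound) as exc:
        return exc.code
```
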

summary: - Wrong exception when validating trust scoped tokens with disabled
- trustor
+ Wrong exceptions when validating v3 tokens
description: updated
Boris Bobrov (bbobrov) wrote : Re: Wrong exceptions when validating v3 tokens

Won't this be changing API behaviour?

Dolph Mathews (dolph) wrote : Re: 403 Forbidden when validating trust scoped token

I narrowed the scope of the bug title to focus on the specific issue cited in the description. If there are other specific issues, we should track them separately.

summary: - Wrong exceptions when validating v3 tokens
+ 403 Forbidden when validating trust scoped token
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
description: updated
Changed in keystone:
milestone: none → kilo-rc1
Changed in keystone:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → nobody
summary: - 403 Forbidden when validating trust scoped token
+ When validating a trust scoped token, raise 404 instead of 403
summary: - When validating a trust scoped token, raise 404 instead of 403
+ When validating a trust scoped token, raise 404 instead of 403 if
+ trustor is disabled
Steve Martinelli (stevemar) wrote :

The only spot I see "Trustor is disabled" is when issuing a trust scoped token, and it raises a 403 if the user is in fact disabled.
Did you try to break this bug down too much?
