When validating a trust scoped token, raise 404 instead of 403 if trustor is disabled

Bug #1432892 reported by Samuel de Medeiros Queiroz on 2015-03-17
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Unassigned

Bug Description

Any validation error that occurs when checking a token should be caught and re-raised as 404 NotFound (TokenNotFound), as we currently do for v2 tokens [1].

For example, when validating a trust scoped token with a disabled trustor, a 403 Forbidden exception with the message 'Trustor is disabled.' is raised. This exception is appropriate when issuing tokens, but not when validating them.

[1] https://github.com/openstack/keystone/blob/25d742ada803d8501e7c004242a625efd07fcaf6/keystone/token/providers/common.py#L618-L620
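
A minimal sketch of the behaviour the report asks for, added here as an illustration and not keystone's own code: the same trustor check raises 403 on the issue path, while the validate path re-raises every failure as a 404 and keeps the reason in the server log. All names (`check_trustor`, `issue_token`, `validate_token`, `status`) and the in-memory state are hypothetical.

```python
import logging

LOG = logging.getLogger("token_sketch")

class Forbidden(Exception):
    code = 403

class TokenNotFound(Exception):
    code = 404

# Constructed sample state (hypothetical names, not keystone's data model).
USERS = {"alice": {"enabled": True}}
TRUSTS = {"trust-1": {"trustor": "alice"}}
TOKENS = {}

def check_trustor(trust_id):
    """Shared check used by both the issue and the validate path."""
    if not USERS[TRUSTS[trust_id]["trustor"]]["enabled"]:
        raise Forbidden("Trustor is disabled.")

def issue_token(token_id, trust_id):
    """Issuing keeps the specific 403, as the report says is appropriate."""
    check_trustor(trust_id)
    TOKENS[token_id] = {"trust_id": trust_id}
    return token_id

def validate_token(token_id):
    """Validation: every failure is re-raised as TokenNotFound (404)."""
    try:
        token = TOKENS[token_id]
        check_trustor(token["trust_id"])
    except (KeyError, Forbidden) as exc:
        # Keep the real reason in the server log, not in the response.
        LOG.info("token validation failed: %r", exc)
        raise TokenNotFound("Could not find token.") from exc
    return token

def status(func, *args):
    """Return the HTTP-style code a call would map to (200 on success)."""
    try:
        func(*args)
        return 200
    except (Forbidden, TokenNotFound) as exc:
        return exc.code
```

With this shape, a token issued while the trustor was enabled validates as 404 once the trustor is disabled, the same response an unknown token id gets.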

summary: - Wrong exception when validating trust scoped tokens with disabled
- trustor
+ Wrong exceptions when validating v3 tokens
description: updated

Won't this be changing API behaviour?

I narrowed the scope of the bug title to focus on the specific issue cited in the description. If there are other specific issues, we should track them separately.

summary: - Wrong exceptions when validating v3 tokens
+ 403 Forbidden when validating trust scoped token
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
description: updated
Changed in keystone:
milestone: none → kilo-rc1
Changed in keystone:
assignee: nobody → Lin Hua Cheng (lin-hua-cheng)
Changed in keystone:
assignee: Lin Hua Cheng (lin-hua-cheng) → nobody
summary: - 403 Forbidden when validating trust scoped token
+ When validating a trust scoped token, raise 404 instead of 403
summary: - When validating a trust scoped token, raise 404 instead of 403
+ When validating a trust scoped token, raise 404 instead of 403 if
+ trustor is disabled
Steve Martinelli (stevemar) wrote:

The only spot I see "Trustor is disabled" is when issuing a trust scoped token, and it raises a 403 if the user is in fact disabled.
Did you try to break this bug down too much?
