get sql-based Domain-specific driver configuration with incorrect group in URL, expected response 404, actual 403
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
OpenStack Identity (keystone) | Invalid | Wishlist | Unassigned | |
Bug Description
get sql-based Domain-specific driver configuration with incorrect group in URL, expected response 404, actual 403:
With sql-based Domain-specific driver configuration set up connection to an openldap or AD backend for a domain,
if an invalid/typo group name (e.g. [identity2], instead of [identity]) in the request URL for this domain is provided, we expect the response code 404 (not found), but the actual is 403 (forbidden). The user actually has the permission to access the configuration. 403 forbidden seems misleading.
Example:
~$ curl -k -H "X-Auth-
Actual:
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 403, "title": "Forbidden"}}
Expected:
~$ curl -k -H "X-Auth-
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 404, "title": "Not Found"}}
Changed in keystone:
assignee: nobody → Thomas Hsiao (thomas-hsiao)
I'm not sure about this one, how do we "look up" the configuration group?
Looks like the author picked 403 deliberately: https://github.com/openstack/keystone/blob/master/keystone/exception.py#L248-L249
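Since the unsupported-group error is returned as 403 rather than 404, anything that triages keystone responses has to read the message to tell it apart from a real policy denial. The following is an added example, not keystone code and not part of this thread; `classify_error` is a hypothetical helper and the second sample body is constructed for contrast.

```python
import json
import re

# Message prefix taken from the error body quoted in the bug report.
_CONFIG_PREFIX = "Invalid domain specific configuration:"
_GROUP_RE = re.compile(r"Group (\S+) is not supported")


def classify_error(body: str) -> dict:
    """Classify a keystone JSON error body for triage (hypothetical helper)."""
    try:
        err = json.loads(body)["error"]
        code, message = int(err["code"]), str(err["message"])
    except (ValueError, KeyError, TypeError):
        # Not JSON, or not the {"error": {...}} shape shown in the report.
        return {"kind": "unparseable", "code": None, "group": None}

    group = None
    if code == 403 and message.startswith(_CONFIG_PREFIX):
        # A malformed request (bad group name), not a permission failure.
        kind = "request_validation"
        match = _GROUP_RE.search(message)
        group = match.group(1) if match else None
    elif code == 403:
        kind = "authorization"
    elif code == 404:
        kind = "not_found"
    else:
        kind = "other"
    return {"kind": kind, "code": code, "group": group}


# Body copied from the report's "Actual" output.
REPORTED = ('{"error": {"message": "Invalid domain specific configuration: '
            'Group identity2 is not supported for domain specific '
            'configurations", "code": 403, "title": "Forbidden"}}')
# Constructed sample of a policy denial, for contrast (not from the page).
DENIED = ('{"error": {"message": "You are not authorized to perform the '
          'requested action.", "code": 403, "title": "Forbidden"}}')

if __name__ == "__main__":
    for sample in (REPORTED, DENIED, "not json"):
        print(classify_error(sample))
```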