OpenStack Identity (keystone)

  1. Bug #1541621
  2. Comment #9

Comment 9 for bug 1541621

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (stable/liberty)

Reviewed: https://review.openstack.org/288816
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=53a6dc0e6a95f74905106d51f650bf4c2014bc08
Submitter: Jenkins
Branch: stable/liberty

commit 53a6dc0e6a95f74905106d51f650bf4c2014bc08
Author: Raildo Mascena <email address hidden>
Date: Mon Feb 8 14:58:34 2016 +0000

    Return 404 instead of 401 for tokens w/o roles

    If a scoped-token was validated and the user didn't have any role assignment
    on a project, keystone would return a 401 Unauthorized. This was the
    case when the fernet token provider was enabled because the reference is
    rebuilt on every request. The uuid token provider has a different behavior - if
    the token isn't found in the backend a 404 Not Found is returned. Furthermore,
    for persisted tokens, any validation error will result in 404, such as in the
    case where user no longer have any roles assigned for the given scope.

    These two behaviors should be consistent regardless of the token provider.

    Conflicts:
     keystone/tests/unit/test_v3_auth.py
     keystone/token/provider.py

    Closes-Bug: 1541621
    Change-Id: If9fd6060ed13a7c03ab8d70ebed1adecafef9160
    (cherry picked from commit f1792f4089ccf28ec870104d0853e7fba242f24c)