If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.

Reviewed: https://review.openstack.org/288816
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=53a6dc0e6a95f74905106d51f650bf4c2014bc08
Submitter: Jenkins
Branch: stable/liberty

commit 53a6dc0e6a95f74905106d51f650bf4c2014bc08
Author: Raildo Mascena <email address hidden>
Date: Mon Feb 8 14:58:34 2016 +0000

Return 404 instead of 401 for tokens w/o roles

If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.

Conflicts:
keystone/tests/unit/test_v3_auth.py
keystone/token/provider.py

Closes-Bug: 1541621
Change-Id: If9fd6060ed13a7c03ab8d70ebed1adecafef9160
(cherry picked from commit f1792f4089ccf28ec870104d0853e7fba242f24c)
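
The inconsistency described in the commit message, modelled as an added example that is not keystone's code: a provider that rebuilds the token reference on every request surfaces a 401 for a role-less scoped token, a provider that looks the token up in a backend surfaces a 404, and a wrapper makes both answer 404. All class and function names, the string token format and the sample data are assumptions made for illustration.

```python
# Added illustration; every name here is hypothetical, not keystone's API.
class Unauthorized(Exception):
    status = 401
class TokenNotFound(Exception):
    status = 404

# Constructed sample data: only alice has a role on proj-a.
ROLE_ASSIGNMENTS = {("alice", "proj-a"): ["member"]}

def roles_for(user, project):
    roles = ROLE_ASSIGNMENTS.get((user, project), [])
    if not roles:
        raise Unauthorized(f"{user} has no roles on {project}")
    return roles

class RebuildingProvider:
    """Fernet-like: nothing is stored, the reference is rebuilt on each request."""
    def validate(self, token_id):
        user, project = token_id.split(":")  # stand-in for decrypting the payload
        return {"user": user, "project": project, "roles": roles_for(user, project)}

class PersistedProvider:
    """UUID-like: the token is looked up in a backend; any failure is 'not found'."""
    def __init__(self):
        self.backend = {}
    def issue(self, user, project):
        token_id = f"uuid-{len(self.backend)}"
        self.backend[token_id] = (user, project)
        return token_id
    def validate(self, token_id):
        try:
            user, project = self.backend[token_id]
            return {"user": user, "project": project, "roles": roles_for(user, project)}
        except (KeyError, Unauthorized) as exc:
            raise TokenNotFound(token_id) from exc

def validate_consistently(provider, token_id):
    """Map a role-less scoped token to 404 whichever provider is in use."""
    try:
        return provider.validate(token_id)
    except Unauthorized as exc:
        raise TokenNotFound(token_id) from exc

def status_of(fn, *args):
    try:
        fn(*args)
        return 200
    except (Unauthorized, TokenNotFound) as exc:
        return exc.status
```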