Invalid fernet X-Subject-Token token should result in 404 instead of 401
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Fix Released | Medium | Lance Bragstad |
Liberty | Fix Released | Medium | Guang Yee |
Bug Description
When a scoped fernet token is no longer valid (i.e. all the roles had been removed from the scope), token validation should result in 404 instead of 401. According to the Keystone V3 API spec, 401 is returned only if X-Auth-Token is invalid [0]. An invalid X-Subject-Token should yield 404. Furthermore, auth_token middleware only treats 404 as an invalid subject token and caches it accordingly [1]. An improper 401 will cause unnecessary churn, as the middleware will repeatedly attempt to re-authenticate the service user.
To reproduce the problem:
1. get a project scoped token
2. remove all the roles assigned to the user for that project
3. attempting to validate that project-scoped token will result in 401
[0] https:/
[1] https:/
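A simplified model of the behaviour described in the bug description, added here as an illustration; it is not keystone or keystonemiddleware code. All class and function names are hypothetical, the token strings are constructed, and the single re-authenticate-and-retry after a 401 is an assumption about how the middleware reacts.

```python
class FakeKeystone:
    """Constructed stand-in for the identity service (hypothetical)."""
    def __init__(self, invalid_subject_status):
        # 404 = behaviour per the V3 spec, 401 = behaviour reported in this bug
        self.invalid_subject_status = invalid_subject_status
        self.auth_requests = 0
        self.validate_requests = 0

    def authenticate_service_user(self):
        self.auth_requests += 1
        return "service-token-%d" % self.auth_requests

    def validate(self, auth_token, subject_token):
        self.validate_requests += 1
        return 200 if subject_token == "valid-token" else self.invalid_subject_status


class Middleware:
    """Toy validator: caches subject tokens rejected with 404 only."""
    def __init__(self, keystone):
        self.keystone = keystone
        self.service_token = keystone.authenticate_service_user()
        self.invalid_cache = set()

    def check(self, subject_token):
        if subject_token in self.invalid_cache:
            return False  # known-bad token, no round trip to the server
        status = self.keystone.validate(self.service_token, subject_token)
        if status == 401:
            # 401 is read as "our X-Auth-Token was rejected":
            # re-authenticate the service user and retry once (assumed).
            self.service_token = self.keystone.authenticate_service_user()
            status = self.keystone.validate(self.service_token, subject_token)
        if status == 404:
            self.invalid_cache.add(subject_token)
        return status == 200


def replay(invalid_subject_status, attempts=5):
    """Present the same role-less token repeatedly; return results and load."""
    ks = FakeKeystone(invalid_subject_status)
    mw = Middleware(ks)
    results = [mw.check("role-less-token") for _ in range(attempts)]
    return results, ks.auth_requests, ks.validate_requests


if __name__ == "__main__":
    for status in (404, 401):
        _, auths, validates = replay(status)
        print(status, "-> service auths:", auths, "validations:", validates)
```

The token is rejected in both cases; the difference is the load on the identity service, which grows with every request when the server answers 401.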
Changed in keystone: | |
milestone: | none → mitaka-3 |
tags: | added: fernet |
description: | updated |
Changed in keystone: | |
assignee: | nobody → Lance Bragstad (lbragstad) |
status: | Confirmed → In Progress |
Changed in keystone: | |
assignee: | Lance Bragstad (lbragstad) → Steve Martinelli (stevemar) |
Changed in keystone: | |
assignee: | Steve Martinelli (stevemar) → Lance Bragstad (lbragstad) |
Changed in keystone: | |
assignee: | Lance Bragstad (lbragstad) → Raildo Mascena de Sousa Filho (raildo) |
Changed in keystone: | |
assignee: | Raildo Mascena de Sousa Filho (raildo) → Guang Yee (guang-yee) |
Changed in keystone: | |
assignee: | Guang Yee (guang-yee) → Lance Bragstad (lbragstad) |
Changed in keystone: | |
assignee: | Lance Bragstad (lbragstad) → Guang Yee (guang-yee) |
Changed in keystone: | |
assignee: | Guang Yee (guang-yee) → Steve Martinelli (stevemar) |
Changed in keystone: | |
assignee: | Steve Martinelli (stevemar) → Guang Yee (guang-yee) |
Changed in keystone: | |
milestone: | mitaka-3 → mitaka-rc1 |
Changed in keystone: | |
assignee: | Guang Yee (guang-yee) → Lance Bragstad (lbragstad) |
Is this specific to fernet?