If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.
This problem was not fixed entirely with https://review.openstack.org/#/c/277436/
because of token caching in devstack which masks the wrong error code for the
period of time the token is cached. Therefore, in order to test this in devstack
you need to take into account the caching time after un-assigning the role on
a project and while using the same fernet token.
Closes-Bug: #1541621
Change-Id: I9d36c5c73d5a832cd04dd4c1368b8d769e0acc4c
(cherry picked from commit fde57f68e290575e874234fc751d2380637a07f5)
Reviewed: https://review.openstack.org/327386
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=6b84b243a1c92ecfc8c525631747c0f6eaa30f2d
Submitter: Jenkins
Branch: stable/mitaka
commit 6b84b243a1c92ecfc8c525631747c0f6eaa30f2d
Author: Roxana Gherle <email address hidden>
Date: Fri May 27 10:00:39 2016 -0700
Return 404 instead of 401 for tokens w/o roles
If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.
This problem was not fixed entirely with https://review.openstack.org/#/c/277436/
because of token caching in devstack which masks the wrong error code for the
period of time the token is cached. Therefore, in order to test this in devstack
you need to take into account the caching time after un-assigning the role on
a project and while using the same fernet token.
Closes-Bug: #1541621
Change-Id: I9d36c5c73d5a832cd04dd4c1368b8d769e0acc4c
(cherry picked from commit fde57f68e290575e874234fc751d2380637a07f5)