If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.
Reviewed: https://review.openstack.org/277436
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f1792f4089ccf28ec870104d0853e7fba242f24c
Submitter: Jenkins
Branch: master
commit f1792f4089ccf28ec870104d0853e7fba242f24c
Author: Raildo Mascena <email address hidden>
Date: Mon Feb 8 14:58:34 2016 +0000
Return 404 instead of 401 for tokens w/o roles
If a scoped-token was validated and the user didn't have any role assignment
on a project, keystone would return a 401 Unauthorized. This was the
case when the fernet token provider was enabled because the reference is
rebuilt on every request. The uuid token provider has a different behavior - if
the token isn't found in the backend a 404 Not Found is returned. Furthermore,
for persisted tokens, any validation error will result in 404, such as in the
case where the user no longer has any roles assigned for the given scope.
These two behaviors should be consistent regardless of the token provider.
Closes-Bug: 1541621
Change-Id: If9fd6060ed13a7c03ab8d70ebed1adecafef9160
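
The divergence described in the report, as a toy model added here for illustration (this is not keystone code; the function names, token id and assignment data are constructed). It shows why a provider that rebuilds the scope on each request and one that looks up a persisted token reported different statuses for the same role removal, and what mapping both to 404 looks like.

```python
class Unauthorized(Exception):
    status = 401

class NotFound(Exception):
    status = 404

def validate_rebuilt(claims, assignments):
    """Fernet-like model: nothing is stored, so the scope is rebuilt per request."""
    roles = assignments.get((claims["user"], claims["project"]), set())
    if not roles:
        raise Unauthorized("no role assignment on project")  # behaviour in the report
    return {**claims, "roles": sorted(roles)}

def validate_persisted(token_id, backend, assignments):
    """UUID-like model: the token is looked up; every validation error becomes 404."""
    try:
        claims = backend[token_id]
        roles = assignments[(claims["user"], claims["project"])]
        if not roles:
            raise KeyError(token_id)
    except KeyError:
        raise NotFound("token not found") from None
    return {**claims, "roles": sorted(roles)}

def status_of(validate, *args, unify=False):
    """Status a caller would see; unify=True maps the 401 case to 404."""
    try:
        validate(*args)
        return 200
    except Unauthorized:
        return 404 if unify else 401
    except NotFound as exc:
        return exc.status

def demo():
    claims = {"user": "alice", "project": "proj-a"}   # constructed sample data
    backend = {"tok-1": claims}
    assignments = {("alice", "proj-a"): {"member"}}
    rebuilt = (validate_rebuilt, claims, assignments)
    persisted = (validate_persisted, "tok-1", backend, assignments)
    before = (status_of(*rebuilt), status_of(*persisted))
    assignments[("alice", "proj-a")] = set()          # role removed after issuance
    after = (status_of(*rebuilt), status_of(*persisted))
    fixed = (status_of(*rebuilt, unify=True), status_of(*persisted, unify=True))
    return before, after, fixed

if __name__ == "__main__":
    print(demo())
```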