"Unauthorized" error message needs more hints
Bug #1835303 reported by
Ben Nemec
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
OpenStack Identity (keystone) | Triaged | Low | Abhishek Mahajan |
Bug Description
While I was testing the oslo.limit change, I initially had my password auth options set incorrectly and the exception message I got back was: "keystoneauth1.
That's confusing since I attempted to authenticate. It would be more user-friendly if the message in this scenario said something more like "Failed to authenticate due to bad username or password." At least an indication that the failure was due to bad input data, not an attempt to do something fundamentally wrong.
Changed in keystone:
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
assignee: Abhishek Mahajan (mahajan-abhishek) → nobody
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
Changed in keystone:
assignee: Abhishek Mahajan (mahajan-abhishek) → nobody
Changed in keystone:
status: In Progress → Triaged
Changed in keystone:
assignee: nobody → Abhishek Mahajan (mahajan-abhishek)
The error message comes from keystone, not from keystoneauth:
https://opendev.org/openstack/keystone/src/commit/3b13b4e5e7d72c2eaef470d0f84537a279e10e43/keystone/exception.py#L281
The vague details on the server side are intentional, as there are many reasons authentication could have failed, including the user does not exist or is disabled, their project or domain does not exist or is disabled, or they're using an auth method like token, application_credential, trust, or external that failed in some other way. "bad username or password" wouldn't apply to those cases, and we don't want to get too specific about the failure since that gives more power to attackers.
However we could have keystoneauth override the message from keystone and say "Failed to authenticate" (omitting "due to...") if that is less confusing than "requires authentication".
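
The trade-off discussed in the comment above, as an added example (not keystone or keystoneauth code): several distinct failure causes collapse into one fixed public message while the specific cause is kept for server-side logs, and a client-side wrapper rewords the failure without adding detail. Every function name, the account table and the passwords are constructed for illustration.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("auth_example")
PUBLIC_MESSAGE = "The request you have made requires authentication."


def _hash(password, salt=b"constructed-salt"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)


# Constructed sample accounts; every name in this block is hypothetical.
USERS = {
    "alice": {"pw": _hash("correct horse"), "enabled": True, "project_enabled": True},
    "bob": {"pw": _hash("hunter2"), "enabled": False, "project_enabled": True},
    "carol": {"pw": _hash("s3cret"), "enabled": True, "project_enabled": False},
}
_DUMMY = _hash("placeholder")


class Unauthorized(Exception):
    def __init__(self, internal_reason):
        super().__init__(PUBLIC_MESSAGE)  # identical text for every cause
        self.internal_reason = internal_reason  # for server-side logs only


def authenticate(username, password):
    user = USERS.get(username)
    # Hash and compare even for unknown users so the work done is the same.
    pw_ok = hmac.compare_digest(_hash(password), user["pw"] if user else _DUMMY)
    if user is None:
        reason = "user does not exist"
    elif not pw_ok:
        reason = "bad password"
    elif not (user["enabled"] and user["project_enabled"]):
        reason = "user or project disabled"
    else:
        return username
    log.warning("auth failed for %r: %s", username, reason)
    raise Unauthorized(reason)


def client_message(username, password):
    try:
        authenticate(username, password)
    except Unauthorized:
        return "Failed to authenticate"  # reworded, no added detail
    return "Authenticated"
```
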