Pecan is missing the logic to hide authorization failures as 404s

Bug #1714388 reported by Kevin Benton
This bug affects 1 person
Affects: neutron
Status: Fix Released
Importance: High
Assigned to: Kevin Benton
Changed in neutron:
importance: Undecided → High
Changed in neutron:
assignee: nobody → Kevin Benton (kevinbenton)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (master)

Reviewed: https://review.openstack.org/499433
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fe8107a8179deca093463bbc95b6ba8b54915bf7
Submitter: Jenkins
Branch: master

commit fe8107a8179deca093463bbc95b6ba8b54915bf7
Author: Kevin Benton <email address hidden>
Date: Wed Aug 30 20:15:49 2017 -0700

    Pecan: fix logic of hiding authZ failures as 404s

    Change [1] altered the behavior of the legacy API controller
    to do the sane thing and return an HTTP 403 instead of a 404
    whenever a user got a policy authorization failure when trying
    to mutate a resource they have the permission to view.

    This carries the same logic over to the pecan API.

    This also adjusts the logic for GET requests to return 404s
    instead of 403s to match the resource hiding behavior of the
    old controller.

    1. I7a5b0a9e89c8a71490dd74497794a52489f46cd2

    Closes-Bug: #1714388
    Change-Id: I9e0d288a42bc63c2927bebe9c581b83e6fbe010b
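
The status-code rule described in the commit message above, as an added Python example that is not neutron's code or part of the commit. The resource model, the `can_view`/`can_mutate` policy functions and the sample data are hypothetical, and it assumes that a mutation on a resource the caller cannot view is also answered with a 404.

```python
# Added illustration; every name here is hypothetical, not neutron's API.
from dataclasses import dataclass


@dataclass(frozen=True)
class Resource:
    id: str
    owner: str
    shared: bool = False  # shared resources are viewable by any tenant


# Constructed sample data.
RESOURCES = {
    "net-a": Resource("net-a", owner="alice"),
    "net-s": Resource("net-s", owner="alice", shared=True),
}


def can_view(tenant, res):
    return res.owner == tenant or res.shared


def can_mutate(tenant, res):
    return res.owner == tenant


def status_for(method, tenant, resource_id):
    """Return the HTTP status the caller should see for one request."""
    res = RESOURCES.get(resource_id)
    if res is None or not can_view(tenant, res):
        # A hidden resource is answered exactly like a missing one, for
        # every method, so the status code is not an existence oracle.
        return 404
    if method == "GET":
        return 200
    if not can_mutate(tenant, res):
        # The caller can already see the resource, so 403 reveals nothing new.
        return 403
    return 200 if method == "PUT" else 204


def leaks_existence(tenant, hidden_id, missing_id):
    """True if any method answers differently for hidden vs. missing ids."""
    return any(
        status_for(m, tenant, hidden_id) != status_for(m, tenant, missing_id)
        for m in ("GET", "PUT", "DELETE")
    )
```

`leaks_existence` is the regression check worth keeping in an API test suite: it compares the responses for an existing-but-hidden id and a nonexistent id across all methods.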

Changed in neutron:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to neutron (stable/pike)

Fix proposed to branch: stable/pike
Review: https://review.openstack.org/502561

OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/pike)

Reviewed: https://review.openstack.org/502561
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=63f6732d8ca848dff6fecd687e56fdb598f49d2e
Submitter: Jenkins
Branch: stable/pike

commit 63f6732d8ca848dff6fecd687e56fdb598f49d2e
Author: Kevin Benton <email address hidden>
Date: Wed Aug 30 20:15:49 2017 -0700

    Pecan: fix logic of hiding authZ failures as 404s

    Change [1] altered the behavior of the legacy API controller
    to do the sane thing and return an HTTP 403 instead of a 404
    whenever a user got a policy authorization failure when trying
    to mutate a resource they have the permission to view.

    This carries the same logic over to the pecan API.

    This also adjusts the logic for GET requests to return 404s
    instead of 403s to match the resource hiding behavior of the
    old controller.

    1. I7a5b0a9e89c8a71490dd74497794a52489f46cd2

    Closes-Bug: #1714388
    Change-Id: I9e0d288a42bc63c2927bebe9c581b83e6fbe010b
    (cherry picked from commit fe8107a8179deca093463bbc95b6ba8b54915bf7)

tags: added: in-stable-pike
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 11.0.1

This issue was fixed in the openstack/neutron 11.0.1 release.

tags: added: neutron-proactive-backport-potential
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/neutron 12.0.0.0b1

This issue was fixed in the openstack/neutron 12.0.0.0b1 development milestone.

tags: removed: neutron-proactive-backport-potential