Zaqar doesn't require X-PROJECT-ID header in requests (noauth)
Bug #1544328 reported by
Eva Balycheva
This bug affects 1 person
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| zaqar |
Invalid
|
Undecided
|
Eva Balycheva | ||
Bug Description
My Zaqar is configured to use 'noauth' authentication back end.
When I don't provide X-PROJECT-ID header in my requests, Zaqar processes my requests without showing any errors.
Seems like X-PROJECT-ID header don't go through any validation. I'm able to use any string as X-PROJECT-ID header.
See some recourds from mongodb Zaqar "queues" collection: http://
All requests seem to be working normally with any X-PROJECT-ID header. Maybe it's not a bug.
But according to Wiki (https:/
| Changed in zaqar: | |
| assignee: | nobody → Eva Balycheva (ubershy) |
Revision history for this message
| wangxiyuan (wangxiyuan) wrote | #1 |
Revision history for this message
| Eva Balycheva (ubershy) wrote | #2 |
| Changed in zaqar: | |
| status: | New → Invalid |
To post a comment you must log in.
IMO, noauth means that anyone could do anything with zaqar. So the user could get all queues information. If so, do we really want project id here?
On the other hand, according to the wiki, I guess it hope that noauth could work the same as keystone auth except token verify. If so, we indeed need users provide project-id.
I prefer to leave the noauth as it is. And which one is better depends on the design and the use case of Zaqar. Maybe I'm wrong as well. Thought?