API reports unauthorized when policy rejects action

Bug #956206 reported by Brian Waldon
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
Glance | Fix Released | High | Brian Waldon |

Bug Description

The API should report forbidden (403), not unauthorized (401). All we have to do is modify the exception raised in glance/api/v1/images.py in the _enforce function.

Brian Waldon (bcwaldon)
Changed in glance:
milestone: none → essex-rc1
Brian Waldon (bcwaldon)
Changed in glance:
status: New → In Progress
importance: Undecided → Low
assignee: nobody → Brian Waldon (bcwaldon)
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5410

OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/5410
Committed: http://github.com/openstack/glance/commit/e2e88d8aad7b9f7f2700bbb160058131f7e6d4ef
Submitter: Jenkins
Branch: master

commit e2e88d8aad7b9f7f2700bbb160058131f7e6d4ef
Author: Brian Waldon <email address hidden>
Date: Thu Mar 15 12:55:39 2012 -0700

    Return 403 when policy engine denies action

    * Fixes bug 956206

    Change-Id: I0447a1a86fed2456c912395a0ab7d6e0aba03f66

Changed in glance:
status: In Progress → Fix Committed
Brian Waldon (bcwaldon) wrote :

This fix was undone by commit 2e94076ca43ee3f31b1fc7f46b4c137d36bcd7db. Need to reapply the fix.

Changed in glance:
status: Fix Committed → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to glance (master)

Fix proposed to branch: master
Review: https://review.openstack.org/5572

Brian Waldon (bcwaldon)
Changed in glance:
importance: Low → High
OpenStack Infra (hudson-openstack) wrote : Fix merged to glance (master)

Reviewed: https://review.openstack.org/5572
Committed: http://github.com/openstack/glance/commit/b0a608c09f0cd83b8ab3cccc8a3851bc3c98733c
Submitter: Jenkins
Branch: master

commit b0a608c09f0cd83b8ab3cccc8a3851bc3c98733c
Author: Brian Waldon <email address hidden>
Date: Tue Mar 20 09:17:52 2012 -0700

    Ensure all unauthorized responses return 403

    * Clean up authorization vs authentication failures internally
    * Remove ambiguous exception.NotAuthorized in favour of exception.Forbidden for authorization failures
    * Add exception.NotAuthenticated to make authentication failures more clear
    * Fixes bug 956206

    Change-Id: I39ce0fcd77d4f06273040a2aa4913a9be911ceab

Changed in glance:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in glance:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in glance:
milestone: essex-rc1 → 2012.1
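
A regression check for the behaviour this bug settles, added here as an illustration and not taken from Glance: authentication failures map to 401 and policy denials to 403, with the status asserted at the WSGI boundary so that a later change cannot silently revert it. The exception names mirror those in the second commit message; the policy table, `enforce`, `app`, `status_for` and the `example.*` environ keys are assumptions made for this example.

```python
# Added illustration; all names here are hypothetical, not Glance's own code.
class NotAuthenticated(Exception):
    """Caller presented no usable identity: answer 401."""

class Forbidden(Exception):
    """Caller is identified, but policy denies the action: answer 403."""

# Constructed policy table: action -> roles allowed to perform it.
POLICY = {"get_image": {"member", "admin"}, "delete_image": {"admin"}}

def enforce(context, action):
    """Raise the exception matching the failure kind; return None if allowed."""
    if context is None or not context.get("user"):
        raise NotAuthenticated("credentials required")
    allowed = POLICY.get(action, set())  # unknown actions are denied by default
    if not allowed & set(context.get("roles", ())):
        raise Forbidden("policy does not allow %s" % action)

def app(environ, start_response):
    """Minimal WSGI app that maps each exception type to its HTTP status."""
    context = environ.get("example.context")  # assumed to be set by auth middleware
    action = environ.get("example.action", "get_image")
    try:
        enforce(context, action)
    except NotAuthenticated as exc:
        # A 401 carries a challenge; the value below is a constructed sample.
        start_response("401 Unauthorized",
                       [("Content-Type", "text/plain"),
                        ("WWW-Authenticate", 'Basic realm="example"')])
        return [str(exc).encode()]
    except Forbidden as exc:
        # Retrying with the same credentials cannot succeed, so no challenge.
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]

def status_for(context, action):
    """Drive the app once; return (status code, headers dict, body)."""
    seen = {}
    def start_response(status, headers):
        seen["status"] = int(status.split()[0])
        seen["headers"] = dict(headers)
    environ = {"example.context": context, "example.action": action}
    body = b"".join(app(environ, start_response))
    return seen["status"], seen["headers"], body
```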