Open Stack

Eddie,

+1 on glance-spec

We might want to define the scope. How far are we diverging from Openstack policy structure? Are there any other use cases which need policy changes? - some questions which come to my mind.

Thanks,
-Nikhil
________________________________
From: Eddie Sheffield [eddie.sheffield at RACKSPACE.COM]
Sent: Monday, October 06, 2014 3:35 PM
To: OpenStack Dev List
Subject: [openstack-dev] [Glance] Granularity of policies

I encountered an interesting situation with Glance policies. Basically we have a situation where users in certain roles are not allowed to make certain calls at all. In this specific case, we don't want users in those roles listing or viewing members. When listing members, these users receive a 403 (Forbidden) but when showing an individual member the users receive 404 (Not Found).

So the problem is that there are a couple of situations here and we don't (can't?) distinguish the exact intent:

1) A user IS allowed to make the call but isn't allowed to see a particular member - in that case 404 makes sense because a 403 could imply the user actually is there, you just can't look see them directly.

2) A user IS NOT allowed to make the call at all. In this case a 403 makes more sense because the user is forbidden at the call level.

At this point I'm mainly trying to spark some conversation on this. This feels a bit inconsistent if users get 403 for a whole set of calls they are barred from but 404 for others which are "sub" calls of the others (e.g. listing members vs. showing a specific one.) But I don't have a specific proposals at this time - first I'm trying to find out if others feel this is a problem which should be addressed. If so I'm willing to work on a blueprint and implementation.

- Eddie
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20141010/7ac76bc8/attachment.html>