[Openstack-security] [Bug 1621626] Re: Unauthenticated requests return information

Jeremy Stanley fungi at yuggoth.org
Tue Sep 27 18:47:59 UTC 2016 

** Changed in: ossa
       Status: Incomplete => Won't Fix

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1621626

Title:
  Unauthenticated requests return information

Status in OpenStack Identity (keystone):
  New
Status in OpenStack Security Advisory:
  Won't Fix

Bug description:
  
  I can get information back on an unauthenticated request.

   $ curl http://192.168.122.126:35357/v3/projects/8d34a533f85b423e8589061cde451edd/users/68ec7d9b6e464649b11d1340d5e05666/roles/ca314e7f7faf4f948bf6e7cf2077806e
   {"error": {"message": "Could not find role: ca314e7f7faf4f948bf6e7cf2077806e", "code": 404, "title": "Not Found"}}

  This should have returned 401 Unauthenticated, like this:

   $ curl http://192.168.122.126:35357/v3/projects
   {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}

  To recreate, just start up devstack on stable/mitaka and do the above
  request.

  I tried this on master and it's fixed. Probably by
  https://review.openstack.org/#/c/339356/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1621626/+subscriptions

More information about the Openstack-security mailing list