[openstack-dev] [barbican] Need opinion on bug 1347101
Tiwari, Arvind
arvind.tiwari at hp.com
Tue Jul 22 20:22:54 UTC 2014
I have logged the bug below to enforce a 'content-type' check before RBAC enforcement on POST requests, but it seems we have a difference of opinion.
https://bugs.launchpad.net/barbican/+bug/1347101
Please look at the above bug and share your thoughts.
"IMO" -
"content-type" enforcement is a concern of the REST subsystem (Pecan in this case) and RBAC is the application's concern. The application resides a level below the REST subsystem, so these checks and responses should also follow this notion.
RBAC enforcement should be done only after all the necessary checks related to the REST aspect have been performed. This way we can save costly RBAC validation; at the same time, returning a legitimate "unauthorized" response for a request with a bad "content type" does not make sense.
Thanks,
Arvind
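
The ordering question raised in the message above, as an added example that is not part of the original post and is not Barbican or Pecan code: it runs the same POST requests through both check orders and reports the status returned and how many RBAC evaluations were spent. The function names, the role set, the accepted media type and the use of 403 for an RBAC denial are assumptions made for illustration.

```python
from http import HTTPStatus

# Assumed policy and media types for this illustration (not Barbican's).
ROLES_ALLOWED = {"admin", "creator"}
SUPPORTED_TYPES = {"application/json"}

rbac_calls = {"count": 0}  # counts how often the costly check runs


def check_content_type(req):
    """REST-layer check: reject unsupported media types with 415."""
    ctype = req.get("content_type", "").split(";")[0].strip().lower()
    return None if ctype in SUPPORTED_TYPES else HTTPStatus.UNSUPPORTED_MEDIA_TYPE


def check_rbac(req):
    """Application-layer check: stand-in for a policy evaluation."""
    rbac_calls["count"] += 1
    allowed = ROLES_ALLOWED & set(req.get("roles", []))
    return None if allowed else HTTPStatus.FORBIDDEN


def handle_post(req, checks):
    """Run the checks in order; the first failure decides the response."""
    for check in checks:
        status = check(req)
        if status is not None:
            return status
    return HTTPStatus.CREATED


ORDERS = {
    "rest_first": (check_content_type, check_rbac),
    "rbac_first": (check_rbac, check_content_type),
}


def compare(req):
    """Return {order_name: (status_code, rbac_evaluations)} for one request."""
    results = {}
    for name, checks in ORDERS.items():
        rbac_calls["count"] = 0
        status = handle_post(req, checks)
        results[name] = (int(status), rbac_calls["count"])
    return results


# Constructed sample requests.
BAD_TYPE_NO_ROLE = {"content_type": "text/plain", "roles": []}
BAD_TYPE_WITH_ROLE = {"content_type": "text/plain", "roles": ["creator"]}
GOOD_TYPE_NO_ROLE = {"content_type": "application/json; charset=utf-8", "roles": []}
GOOD_TYPE_WITH_ROLE = {"content_type": "application/json", "roles": ["admin"]}
```

With the REST check first, a caller without a permitted role can tell from the 415 which media types the endpoint rejects; with RBAC first, that caller only ever sees the denial, at the cost of one policy evaluation per request.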