[openstack-dev] [neutron] Difficult to understand message when using incorrect role against object in Neutron

Sudipta Biswas3 sbiswas7 at in.ibm.com
Tue Mar 11 15:42:34 UTC 2014


Hi all,

I'm hitting a scenario where a user runs an action against an object in 
neutron for which they don't have the authority to perform the 
action (perhaps their role allows read of the object, but not update). The 
following is returned to the user when such an action is performed: 
"The resource could not be found".  This can be confusing to users.  For 
example, basic users may not have the privilege to edit a network and 
attempt doing that but end up getting the resource not found message, 
even though they have read privileges.

This is a confusing message because the object they just read in is now 
stating that it does not exist. This is not true; the root issue is that 
they do not have authority to it. One can argue that for security reasons, 
we should state that the object does not exist. However, it creates an odd 
scenario where you have certain roles that can read an object, but then 
not create/update/delete it. 

I have filed a community bug for the same: 
https://bugs.launchpad.net/neutron/+bug/1290895

I'm proposing that we change the message to "The resource could not be 
found or user's role does not have sufficient privileges to run the 
operation."

I'm sending this to the mailing list to see if there are any discussion points 
against making this change.

Thanks,
Sudipto
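
The trade-off raised in this message, as an added example that is not part of the original post and is not Neutron's code: a constructed model comparing the reported reply, the proposed wording, and a read-aware alternative that goes beyond the proposal. Role names, action names, the policy table and the HTTP status codes are assumptions.

```python
# Constructed model of the scenario in the message; this is not Neutron's code.
# Role names, action names, the policy table and status codes are assumptions.
POLICY = {
    "admin": {"get_network", "update_network"},
    "member": {"get_network"},   # may read, may not update
    "outsider": set(),           # may not even read
}
NETWORKS = {"net-1": {"name": "private"}}  # constructed sample data

OK = (200, "OK")
NOT_FOUND = (404, "The resource could not be found")
FORBIDDEN = (403, "User's role does not have sufficient privileges")
PROPOSED = (404, "The resource could not be found or user's role does not "
                 "have sufficient privileges to run the operation.")


def allowed(role, action):
    return action in POLICY.get(role, set())


def respond_current(role, action, net_id):
    """Behaviour reported in the message: every denial looks like a missing object."""
    if net_id not in NETWORKS or not allowed(role, action):
        return NOT_FOUND
    return OK


def respond_proposed(role, action, net_id):
    """Wording proposed in the message: one combined text for both causes."""
    if net_id not in NETWORKS or not allowed(role, action):
        return PROPOSED
    return OK


def respond_read_aware(role, action, net_id):
    """Alternative (assumption): hide existence only from callers who cannot read."""
    if net_id not in NETWORKS or not allowed(role, "get_network"):
        return NOT_FOUND   # identical for missing and unreadable objects
    if not allowed(role, action):
        return FORBIDDEN   # caller can already read it, nothing new is disclosed
    return OK


def leaks_existence(respond, role, action):
    """True if the reply differs between an existing and a missing network id."""
    return respond(role, action, "net-1") != respond(role, action, "no-such-net")
```

`leaks_existence` is the check to keep in a test suite: it should stay false for any role that cannot read the object, whichever reply scheme is chosen.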