[openstack-dev] [neutron] Difficult to understand message when using incorrect role against object in Neutron
Sudipta Biswas3
sbiswas7 at in.ibm.com
Tue Mar 11 15:42:34 UTC 2014
Hi all,

I'm hitting a scenario where a user runs an action against an object in
neutron for which they don't have the authority to perform the
action (perhaps their role allows read of the object, but not update). The
following is returned back to the user when such an action is performed:
"The resource could not be found". This can be confusing to users. For
example, basic users may not have the privilege to edit a network and
attempt doing that but end up getting the resource not found message,
even though they have read privileges.

This is a confusing message because the object they just read in is now
stating that it does not exist. This is not true; the root issue is that
they do not have authority to it. One can argue that for security reasons,
we should state that the object does not exist. However, it creates an odd
scenario where you have certain roles that can read an object, but then
not create/update/delete it.

I have filed a community bug for the same:
https://bugs.launchpad.net/neutron/+bug/1290895

I'm proposing that we change the message to "The resource could not be
found or user's role does not have sufficient privileges to run the
operation."

I'm sending to the mailing list to see if there are any discussion points
against making this change.

Thanks,
Sudipto
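
The scenario in the message above, as an added example that is not part of the original post and is not Neutron's code: a toy policy check that returns the current message, the proposed message, and a read-aware variant, so the responses can be compared for a caller who can read the object and one who cannot. The role names, policy table, network IDs, mode names and numeric status codes are assumptions made for the illustration.

```python
# Constructed policy table and object store (hypothetical, not Neutron's).
POLICY = {
    "get_network": {"admin", "member"},
    "update_network": {"admin"},
}
NETWORKS = {"net-1": {"name": "private"}}

NOT_FOUND = "The resource could not be found"
PROPOSED = ("The resource could not be found or user's role does not have "
            "sufficient privileges to run the operation.")


def allowed(role, action):
    """True when the role appears in the policy entry for the action."""
    return role in POLICY.get(action, set())


def update_network(role, net_id, mode="current"):
    """Return (status, message) for an update attempt.

    mode="current":    every failure gets the same not-found message
    mode="proposed":   same status, message text from the proposal
    mode="read_aware": a distinct answer only for callers who could
                       already read the object (assumed variant)
    """
    exists = net_id in NETWORKS
    if exists and allowed(role, "update_network"):
        return 200, "updated"
    if mode == "read_aware" and exists and allowed(role, "get_network"):
        return 403, "role does not have sufficient privileges"
    return 404, PROPOSED if mode == "proposed" else NOT_FOUND


def reveals_existence(role, mode):
    """True when the reply for a real ID differs from the reply for a bogus one."""
    return update_network(role, "net-1", mode) != update_network(role, "no-such-net", mode)


if __name__ == "__main__":
    for mode in ("current", "proposed", "read_aware"):
        for role in ("member", "outsider"):
            print(mode, role, update_network(role, "net-1", mode),
                  "differs-from-missing:", reveals_existence(role, mode))
```

In the read-aware mode only the "member" role, which can already read net-1, sees a different answer for an existing network; the "outsider" role gets identical replies in all three modes.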