[openstack-dev] [neutron] Difficult to understand message when using incorrect role against object in Neutron
Adam Young
ayoung at redhat.com
Wed Mar 12 13:17:09 UTC 2014
On 03/11/2014 11:42 AM, Sudipta Biswas3 wrote:
> Hi all,
>
> I'm hitting a scenario where, a user runs an action against an object
> in neutron for which they don't have the authority to perform the
> action(perhaps their role allows read of the object, but not update).
> The following returned to back to the user when such an action is
> performed: "The resource could not be found". This can be confusing
> to users. For example, basic users may not have the privilege to edit
> a network and attempts doing that but ends up getting the resource not
> found message, even though they have read privileges.
>
> This is a confusing message because the object they just read in is
> now stating that it does not exist. This is not true, the root issue
> is that they do not have authority to it. One can argue that for
> security reasons, we should state that the object does not exist.
> However, it creates a odd scenario where you have certain roles that
> can read an object, but then not create/update/delete it.
>
> I have filed a community bug for the same:
> https://bugs.launchpad.net/neutron/+bug/1290895
>
> I'm proposing that we change the message to "The resource could not be
> found or user's role does not have sufficient privileges to run the
> operation."
There is a serious security concern with people probing for information
that they do not have access to. The 404 is a way to make it
impossible to distinguish between "the object does not exist" and "it
exists but it does not belong to you."
>
> I'm sending to the mailing list to see if there are any discussion
> points against making this change.
>
> Thanks,
> Sudipto
>
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
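The trade-off in this thread, as an added illustration that is not Neutron code and not part of the original messages: a toy policy check over a constructed network table, with three ways of mapping "the caller may not do this" onto an HTTP status. The `authorize_leaky` variant answers 403 whenever the object exists, which lets a caller with no read access tell existing objects from missing ones; `authorize_uniform` is the behaviour Adam describes (always 404); `authorize_read_aware` is an assumed middle ground that answers 403 only when the caller could already read the object, so Sudipto's "I just read it, now it does not exist" case gets a clear message without opening an existence oracle for strangers. Names, roles and tenant data below are all constructed for the example.

```python
"""Added example (not Neutron's code): how the choice of error status for an
unauthorized action does or does not leak whether an object exists."""
from dataclasses import dataclass

# Constructed sample data: network id -> owning tenant.
NETWORKS = {
    "net-a": {"tenant": "tenant-1"},
    "net-b": {"tenant": "tenant-2"},
}

# Constructed role policy: actions a role may perform on its own tenant's networks.
ROLE_POLICY = {
    "member": {"read", "update", "delete"},
    "reader": {"read"},
}


@dataclass
class User:
    tenant: str
    role: str


class NotFound(Exception):
    """Maps to HTTP 404: 'The resource could not be found'."""


class Forbidden(Exception):
    """Maps to HTTP 403: the role lacks the privilege for this action."""


def _is_allowed(user, action, net_id):
    """Plain policy decision: object must exist, belong to the caller's tenant,
    and the action must be in the role's allowed set."""
    net = NETWORKS.get(net_id)
    if net is None:
        return False
    return net["tenant"] == user.tenant and action in ROLE_POLICY[user.role]


def authorize_leaky(user, action, net_id):
    """403 if the object exists but the role is insufficient, 404 otherwise.
    The status code itself becomes an existence oracle for callers who could
    not otherwise see the object."""
    if net_id not in NETWORKS:
        raise NotFound()
    if not _is_allowed(user, action, net_id):
        raise Forbidden()


def authorize_uniform(user, action, net_id):
    """Always 404 when the caller may not perform the action, whether or not
    the object exists: the behaviour defended in the reply above."""
    if not _is_allowed(user, action, net_id):
        raise NotFound()


def authorize_read_aware(user, action, net_id):
    """Assumed middle ground (not claimed to be Neutron's policy): if the caller
    can already read the object, its existence is not a secret to them, so a
    403 leaks nothing new; everyone else still gets the uniform 404."""
    if _is_allowed(user, action, net_id):
        return
    if _is_allowed(user, "read", net_id):
        raise Forbidden()
    raise NotFound()


def status_for(authorize, user, action, net_id):
    """Run one authorizer and translate its outcome to an HTTP status."""
    try:
        authorize(user, action, net_id)
        return 200
    except NotFound:
        return 404
    except Forbidden:
        return 403


def leaks_existence(authorize, user, action, foreign_id, missing_id):
    """True if a caller who can read neither object still gets different
    statuses for 'exists but not mine' and 'does not exist'."""
    return status_for(authorize, user, action, foreign_id) != status_for(
        authorize, user, action, missing_id
    )


if __name__ == "__main__":
    reader = User("tenant-1", "reader")
    for name, auth in [("leaky", authorize_leaky), ("uniform", authorize_uniform),
                       ("read-aware", authorize_read_aware)]:
        print(f"{name:10s} update own net: {status_for(auth, reader, 'update', 'net-a')}  "
              f"update foreign net: {status_for(auth, reader, 'update', 'net-b')}  "
              f"update missing net: {status_for(auth, reader, 'update', 'net-zz')}  "
              f"existence oracle: {leaks_existence(auth, reader, 'update', 'net-b', 'net-zz')}")
```

Running the block prints one row per strategy; only the leaky mapping reports `existence oracle: True`, while the read-aware mapping still tells the reader of `net-a` that the update failed for lack of privilege rather than because the network vanished.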