[openstack-dev] [Glance] Granularity of policies
Eddie Sheffield
eddie.sheffield at RACKSPACE.COM
Mon Oct 6 19:35:18 UTC 2014
I encountered an interesting situation with Glance policies. Basically we have a situation where users in certain roles are not allowed to make certain calls at all. In this specific case, we don't want users in those roles listing or viewing members. When listing members, these users receive a 403 (Forbidden) but when showing an individual member the users receive 404 (Not Found).
So the problem is that there are a couple of situations here and we don't (can't?) distinguish the exact intent:
1) A user IS allowed to make the call but isn't allowed to see a particular member - in that case 404 makes sense because a 403 could imply the user actually is there, you just can't see them directly.
2) A user IS NOT allowed to make the call at all. In this case a 403 makes more sense because the user is forbidden at the call level.
At this point I'm mainly trying to spark some conversation on this. This feels a bit inconsistent if users get 403 for a whole set of calls they are barred from but 404 for others which are "sub" calls of the others (e.g. listing members vs. showing a specific one.) But I don't have a specific proposal at this time - first I'm trying to find out if others feel this is a problem which should be addressed. If so I'm willing to work on a blueprint and implementation.
- Eddie
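The two cases above, as an added example that is not part of the original post and not Glance's own enforcement code. It is a self-contained Python sketch with a constructed policy table (the rule names "get_members" and "get_member", the "guest" role and the sample image and members are all assumptions for illustration, not Glance's policy.json). It shows the inconsistency the post describes (a barred role gets 403 from the list call but 404 from the show call when only object visibility is checked) and the ordering that makes both calls agree: check the call-level policy first and raise 403, then check visibility of the individual member and raise 404.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Maps to HTTP 403: the caller may not make this call at all."""


class NotFound(Exception):
    """Maps to HTTP 404: the object is not visible to this caller."""


# Constructed policy table (hypothetical rule names, not Glance's policy.json):
# rule -> roles that are allowed to make the call at all.
POLICY = {
    "get_members": frozenset({"admin", "member"}),
    "get_member": frozenset({"admin", "member"}),
}


@dataclass
class Context:
    user_id: str
    roles: frozenset


@dataclass
class Image:
    image_id: str
    owner: str
    members: dict  # member_id -> status, e.g. "accepted" / "pending"


def enforce_call(ctx, rule):
    """Call-level check (case 2 in the post): a role barred from the call
    gets 403 before any object is looked up."""
    if not ctx.roles & POLICY[rule]:
        raise Forbidden(f"{rule} is not allowed for roles {sorted(ctx.roles)}")


def member_visible(ctx, image, member_id):
    """Object-level visibility (case 1 in the post): the owner and admins see
    every member; an ordinary member sees only their own membership entry."""
    if member_id not in image.members:
        return False
    if "admin" in ctx.roles or ctx.user_id == image.owner:
        return True
    return member_id == ctx.user_id


def list_members(ctx, image):
    enforce_call(ctx, "get_members")
    return sorted(m for m in image.members if member_visible(ctx, image, m))


def show_member_naive(ctx, image, member_id):
    """Object check only: a barred role falls through to 404 here while
    list_members gives it 403, which is the inconsistency in the post."""
    if not member_visible(ctx, image, member_id):
        raise NotFound(member_id)
    return {"member_id": member_id, "status": image.members[member_id]}


def show_member(ctx, image, member_id):
    """Call check first, then visibility: 403 for a barred role, 404 for an
    allowed role that may not see this particular member. 404 is returned
    both for a hidden member and for one that does not exist, so an allowed
    caller cannot tell the two apart."""
    enforce_call(ctx, "get_member")
    return show_member_naive(ctx, image, member_id)


def status_of(fn, *args):
    """Run an API function and translate its outcome to an HTTP status code."""
    try:
        fn(*args)
        return 200
    except Forbidden:
        return 403
    except NotFound:
        return 404


# Constructed sample data for the scenarios in the post.
IMAGE = Image("img-1", owner="alice",
              members={"bob": "accepted", "carol": "pending"})
ALICE = Context("alice", frozenset({"member"}))  # image owner
BOB = Context("bob", frozenset({"member"}))      # ordinary member
GUEST = Context("dave", frozenset({"guest"}))    # role barred from member calls


if __name__ == "__main__":
    for ctx in (ALICE, BOB, GUEST):
        print(ctx.user_id,
              "list:", status_of(list_members, ctx, IMAGE),
              "show bob (object check only):",
              status_of(show_member_naive, ctx, IMAGE, "bob"),
              "show bob (call check first):",
              status_of(show_member, ctx, IMAGE, "bob"))
```

Running the block prints one line per caller: the owner and the ordinary member get 200 on both variants of the show call, while the barred role gets 403 from the list call, 404 from the object-check-only show call and 403 once the call-level check runs first.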