On Oct 6, 2014, at 12:35 PM, Eddie Sheffield <[email protected]> wrote:
> I encountered an interesting situation with Glance policies. Basically we > have a situation where users in certain roles are not allowed to make certain > calls at all. In this specific case, we don't want users in those roles > listing or viewing members. When listing members, these users receive a 403 > (Forbidden) but when showing an individual member the users receive 404 (Not > Found). > > So the problem is that there are a couple of situations here and we don't > (can't?) distinguish the exact intent: > > 1) A user IS allowed to make the call but isn't allowed to see a particular > member - in that case 404 makes sense because a 403 could imply the user > actually is there, you just can't look see them directly. > > 2) A user IS NOT allowed to make the call at all. In this case a 403 makes > more sense because the user is forbidden at the call level. > > At this point I'm mainly trying to spark some conversation on this. This > feels a bit inconsistent if users get 403 for a whole set of calls they are > barred from but 404 for others which are "sub" calls of the others (e.g. > listing members vs. showing a specific one.) But I don't have a specific > proposals at this time - first I'm trying to find out if others feel this is > a problem which should be addressed. If so I'm willing to work on a blueprint > and implementation Generally you use a 404 to make sure no information is exposed about whether the user actually exists, but in the case of 2) I agree that a 403 is appropriate. It may be that 404 was used there because the same code path is taken in both cases. Vish
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ OpenStack-dev mailing list [email protected] http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
