This is by design; disable debug mode to suppress the details of auth failures from the API.
Please re-open if debug is already False.

** Changed in: keystone
       Status: New => Invalid

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1153743

Title:
  giving out too much info on authenticate

Status in OpenStack Identity (Keystone):
  Invalid

Bug description:
  When I authenticate with a user that doesn't exist, Keystone tells me
  that the reason authentication failed is because the user doesn't
  exist:

  $ curl -i -H "Content-Type: application/json" -d '{"auth": {"identity": { "methods": ["password"], "password": {"user": {"name": "user1", "password": "ofs5dac", "domain": { "name": "default"}}}}}}' http://localhost:35357/v3/auth/tokens

  {"error": {"message": "Could not find user: user1", "code": 401, "title": "Not Authorized"}}

  This is a problem because an attacker can attempt authentication with
  different user names and figure out what users exist on the system.
  Keystone should respond with a generic message about not being able to
  authenticate.
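The behaviour discussed in this thread, as an added example that is not part of the bug report and is not Keystone code: a toy login handler whose failure detail depends on a debug flag, plus a regression check that an unknown user and a wrong password are indistinguishable when debug is off. The function names, the user store, the "Invalid password" string and the generic message text are assumptions made for the illustration.

```python
# Added example: toy model, not Keystone code. All names are hypothetical.
import hashlib
import hmac
import json

SALT = b"constructed-salt"          # constructed sample value
DUMMY = bytes(32)                   # compared against when the user is unknown
GENERIC = "The request you have made requires authentication."  # sample text


def _digest(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 10_000)


# Constructed sample user store: name -> password digest.
USERS = {"alice": _digest("correct horse")}


def _error(message):
    body = {"error": {"message": message, "code": 401,
                      "title": "Not Authorized"}}
    return 401, json.dumps(body, sort_keys=True)


def authenticate(name, password, debug=False):
    """Return (status, body). Failure detail is exposed only when debug is on."""
    stored = USERS.get(name)
    # Always derive and compare a digest so both failure paths do the same work.
    matches = hmac.compare_digest(_digest(password), stored or DUMMY)
    if stored is not None and matches:
        return 201, json.dumps({"token": "constructed-placeholder"})
    if debug:
        if stored is None:
            return _error("Could not find user: %s" % name)
        return _error("Invalid password")
    return _error(GENERIC)


def leaks_user_existence(debug):
    """True if 'no such user' and 'wrong password' responses differ."""
    unknown = authenticate("user1", "ofs5dac", debug=debug)
    wrong_password = authenticate("alice", "ofs5dac", debug=debug)
    return unknown != wrong_password


if __name__ == "__main__":
    for flag in (True, False):
        print("debug=%s leaks_user_existence=%s" % (flag, leaks_user_existence(flag)))
```

The same comparison can be kept as a deployment test: it fails as soon as a debug setting that exposes failure detail reaches a production configuration.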