Public bug reported:

get sql-based Domain-specific driver configuration with incorrect group
in URL, expected response 404, actual 403:

With sql-based Domain-specific driver configuration set up to connect to an
openldap or ad backend for a domain, if an invalid/typo group name
(e.g. [identity2] instead of [identity]) is provided in the request url for
this domain, we expect the response code 404 (not found), but actual is 403
(forbidden). The user actually has the permission to access the configuration.
403 forbidden seems misleading.

Example:
~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/invalidgroup

Actual:
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 403, "title": "Forbidden"}}

Expected:
~$ curl -k -H "X-Auth-Token:ADMIN" -XDELETE http://localhost:35357/v3/domains/6a006689702640ba92d5e536b238e893/config/identity2
{"error": {"message": "Invalid domain specific configuration: Group identity2 is not supported for domain specific configurations", "code": 404, "title": "Not Found"}}

** Affects: keystone
     Importance: Undecided
     Assignee: Thomas Hsiao (thomas-hsiao)
         Status: New

** Changed in: keystone
     Assignee: (unassigned) => Thomas Hsiao (thomas-hsiao)
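The status-code ordering the report asks for, as an added illustrative model (not keystone's own handler code): authorization is decided first and yields 403, and only then is the group name checked against the supported set, so an unsupported group for an already-authorized caller is reported as 404. The supported-group set, the token table, the sample store and the function names are all constructed for this example; the domain id is the one from the report above.

```python
# Added example, not keystone's code: minimal model of a domain-config read
# handler that returns 404 (not 403) for an unsupported group name.
# SUPPORTED_GROUPS, TOKENS, STORE and the function names are constructed here.

SUPPORTED_GROUPS = {"identity", "ldap"}          # constructed whitelist
TOKENS = {"ADMIN": {"domain_config:read"}}       # constructed token -> permissions
DOMAIN_ID = "6a006689702640ba92d5e536b238e893"   # domain id from the report
STORE = {DOMAIN_ID: {"identity": {"driver": "ldap"}}}  # constructed sample config


class HttpError(Exception):
    """Carries the HTTP status, title and message of an API error."""

    def __init__(self, code, title, message):
        super().__init__(message)
        self.code, self.title, self.message = code, title, message


def get_domain_config(token, domain_id, group, store=STORE):
    """Return the config for `group` in `domain_id`, or raise HttpError.

    Order matters: the authorization decision comes first (403), then the
    resource lookup (404). An unsupported group is a missing resource for a
    caller who is allowed to read the config, so it must not be Forbidden.
    Doing authorization first also means an unauthorized caller cannot use
    the 403/404 difference to learn which group names are valid.
    """
    if "domain_config:read" not in TOKENS.get(token, set()):
        raise HttpError(403, "Forbidden", "Not authorized to read domain config")
    if group not in SUPPORTED_GROUPS:
        raise HttpError(
            404, "Not Found",
            "Invalid domain specific configuration: Group %s is not supported "
            "for domain specific configurations" % group)
    try:
        return store[domain_id][group]
    except KeyError:
        raise HttpError(404, "Not Found",
                        "No config for domain %s group %s" % (domain_id, group))


def respond(token, domain_id, group, store=STORE):
    """Wrap the handler like a JSON API: (status_code, body)."""
    try:
        return 200, get_domain_config(token, domain_id, group, store)
    except HttpError as e:
        return e.code, {"error": {"message": e.message,
                                  "code": e.code, "title": e.title}}


if __name__ == "__main__":
    for tok, grp in [("ADMIN", "identity"), ("ADMIN", "identity2"),
                     ("guest", "identity"), ("guest", "identity2")]:
        print(tok, grp, respond(tok, DOMAIN_ID, grp))
```

Running it shows the authorized caller getting 200 for `identity` and 404 for `identity2`, while an unauthorized token gets 403 for both, which is the behaviour the report expects.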

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1524515



-- 
Mailing list: https://launchpad.net/~yahoo-eng-team
Post to     : yahoo-eng-team@lists.launchpad.net
Unsubscribe : https://launchpad.net/~yahoo-eng-team
More help   : https://help.launchpad.net/ListHelp
