Response code 404 Vs 403 when operation is not allowed

Asked by Mandar Vaze

Related to : https://answers.launchpad.net/nova/+question/192138

When a member (non-admin) tries to reboot a server belonging to a different tenant, one would expect that a 403-unauthorized HTTP code should be returned.

Setup
=====

Use RESTClient to POST to the following URL
http://<IPADDR>:8774/v2/<uuid_tenant1>/servers/<uuid_server_for_tenant2>/action
JSON Body :
{
    "reboot" : {
        "type" : "HARD"
    }
}
x-auth-token belongs to non-admin member for tenant1

Actual Response received :
{"itemNotFound": {"message": "The resource could not be found.", "code": 404}}

Should the expected response be "403-unauthorized"?

The current 404 response makes sense based on the fact that the UUID of the server provided does not belong to the tenant. So even before checking what actions are allowed or not, the code returns "not found".
This would be similar even when an invalid UUID is provided (e.g. the string "ThisIsDummyUUID") - i.e. we'll get 404.

Please comment on whether 403 should be returned for "valid-server-uuid-but-belongs-to-different-tenant".

Question information

Language: English
Status: Answered
For: OpenStack Compute (nova)
Assignee: No assignee

John Garbutt (johngarbutt) said :
#1

I think it is trying to say that the user is able to perform a reboot, but that the server does not exist in their view.

You don't want people being able to discover what ids other people have as servers.

I presume that is why it is happening anyway.

yong sheng gong (gongysh) said :
#2

Each tenant should be in its own sandbox. If we respond with a 403 code, it should be a kind of security issue.
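
The point made in the two answers above, as an added example (not part of the original thread and not nova's own code): a handler that checks ownership after a global lookup answers differently for "exists in another tenant" and "does not exist", while a tenant-scoped lookup returns the same 404 for both. The function names, the server IDs and the 403 body are constructed for illustration; the 404 body is the one quoted in the question.

```python
# Constructed sample data: two tenants with one server each (IDs are made up).
TENANT1, TENANT2 = "tenant1", "tenant2"
OWN_ID = "11111111-1111-4111-8111-111111111111"
FOREIGN_ID = "22222222-2222-4222-8222-222222222222"
SERVERS = {
    OWN_ID: {"tenant_id": TENANT1},
    FOREIGN_ID: {"tenant_id": TENANT2},
}
NOT_FOUND = (404, {"itemNotFound": {"message": "The resource could not be found.",
                                    "code": 404}})
FORBIDDEN = (403, {"forbidden": {"message": "Action not allowed.", "code": 403}})


def reboot_owner_check_after_lookup(tenant_id, server_id):
    """Global lookup first, ownership second: a 403 confirms the ID exists."""
    server = SERVERS.get(server_id)
    if server is None:
        return NOT_FOUND
    if server["tenant_id"] != tenant_id:
        return FORBIDDEN
    return (202, {})


def reboot_tenant_scoped(tenant_id, server_id):
    """Tenant is part of the lookup, so a foreign server is not in the caller's view."""
    server = SERVERS.get(server_id)
    if server is None or server["tenant_id"] != tenant_id:
        return NOT_FOUND
    return (202, {})


def reveals_existence(handler):
    """True if a foreign ID and a nonexistent ID produce different responses."""
    foreign = handler(TENANT1, FOREIGN_ID)
    missing = handler(TENANT1, "ThisIsDummyUUID")
    return foreign != missing


if __name__ == "__main__":
    for handler in (reboot_owner_check_after_lookup, reboot_tenant_scoped):
        print(handler.__name__, "reveals existence:", reveals_existence(handler))
```

The `reveals_existence` comparison can be reused as a regression test for any tenant-scoped API: status code and body should be identical for the two probes.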
