Enhance validation decorator with expected error code (403, 404)
Currently, certain services like Neutron and Keystone throw a 404 instead of a 403 if a user with a certain role cannot perform an action. Rather than wrapping each API call in a try/except block in the event that a 404 rather than a 403 is thrown due to lack of permissions, the decorator rbac_rule_
@rbac_rule_
...
Then the code in the decorator implementation:
try:
except exceptions.
Could be changed to:
try:
except expected_exception as e:
...
if irregular_msg:
...
Blueprint information
- Status:
- Complete
- Approver:
- Samantha Blanco
- Priority:
- Undefined
- Drafter:
- Felipe Monteiro
- Direction:
- Needs approval
- Assignee:
- Rick Bartra
- Definition:
- New
- Series goal:
- None
- Implementation:
- Implemented
- Milestone target:
- None
- Started by
- Rick Bartra
- Completed by
- Rick Bartra
Related branches
Related bugs
Sprints
Whiteboard
I disagree with this. 404 errors are not the correct response to an RBAC validation failure and should not be treated as acceptable. There is a single correct error code for an RBAC validation failure and that is 403 forbidden. -David
@David
While I agree with you regarding error codes conforming to HTTP standards, what if other services, like Neutron and Keystone, philosophically don't care, because they believe that higher security is more important than fidelity to HTTP codes.
Regardless of whether other services are adamant or receptive to changing their returned code from 404 to 403, all this does is redesign the framework so that a try/catch block followed by a lengthy LOG.whatever, is refactored into reusable code, because what we have now is bad design: It's needlessly long, it makes the code harder to read, it ignores the DRY principle, etc.
If you're worried about whether expected_
LOG.warning is for: to warn others that something irregular or not cool has happened. Also, documentation can be updated to tell others that this is something to look out for.
Finally, I think that just because other services may insist on throwing a 404 for forbidden exceptions, shouldn't make Patrole, as a testing framework, resistant to change. Patrole,
as a testing framework, can't really itself drive change; it can only point out errors and hope that other services make changes to their framework accordingly. -Felipe
@Felipe
If other projects intend to do it this way we should support them. I was a bit too zealous in the above comment. I am fine with 404/403, in the light of giving a 403 can be a security concern. I do think that when and how we use 404 vs 403 should be looked into in more detail, as I am unsure why some resources are deemed "protected" enough to need the extra security by obscurity offered by a 404 while others are not.
Gerrit topic: https:/
Addressed by: https:/
WIP: Enhance validation decorator