[RFE] 403 Forbidden improper usages cleanup

Bug #1673877 reported by Joanna Taryma
Affects: Ironic
Status: Confirmed
Importance: Wishlist
Assigned to: Joanna Taryma
Milestone: (none)

Bug Description

The 403 Forbidden status code is authorization-related; it is described in RFC 7231, section 6.5.3: https://tools.ietf.org/html/rfc7231#section-6.5.3

403 Forbidden is returned by the following exception classes:
* NotAuthorized
* OperationNotPermitted (inherits from NotAuthorized)
* ExclusiveLockRequired (inherits from NotAuthorized, used in conductor only)
* ImageNotAuthorized (inherits from NotAuthorized, raised when glance service returns Forbidden or Unauthorized)
* HTTPForbidden (inherits from NotAuthorized)

It is returned by the ironic API in the following cases (all of them via OperationNotPermitted):
* retrieve single node using chassis parent resource: GET /chassis/<>/nodes/<>
* create a node using chassis parent resource: POST /chassis/<>/nodes
* update a node using chassis parent resource: PATCH /chassis/<>/nodes/<>
* delete a node using chassis parent resource: DELETE /chassis/<>/nodes/<>
* get port list filtered by both node and port group using parent resource path and/or query parameters
* get one port using node or port group parent resource path: GET /nodes/<>/ports/<> or GET /portgroups/<>/ports/<>
* create a port using node or port group parent resource path: POST /nodes/<>/ports or POST /portgroups/<>/ports
* update a port using node or port group parent resource path: PATCH /nodes/<>/ports/<> or PATCH /portgroups/<>/ports/<>
* delete a port using node or port group parent resource path: DELETE /nodes/<>/ports/<> or DELETE /portgroups/<>/ports/<>
* get one port group using node parent resource: GET /nodes/<>/portgroups/<>
* create a port group using node parent resource: POST /nodes/<>/portgroups
* update a port group using node parent resource: PATCH /nodes/<>/portgroups/<>
* delete a port group using node parent resource: DELETE /nodes/<>/portgroups/<>

All of these cases are unrelated to the reasons described in the RFC, and should result in 400 Bad Request, because the URI is malformed (not handled by the server). That way the error response in the listed cases will be more meaningful and intuitive.

Additionally, the NotAuthorized exception should be renamed to Forbidden, because the current name is misleading and can lead to the assumption that it returns 401 Unauthorized. NotAuthorized is a legacy name that was copied from nova at the beginning of the ironic project; nova has since renamed it to Forbidden.

Tags: needs-spec rfe
Michael Turek (mjturek)
Changed in ironic:
status: New → Confirmed
importance: Undecided → Low
Changed in ironic:
importance: Low → Wishlist
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to ironic-specs (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/453926

Joanna Taryma (jtaryma)
Changed in ironic:
assignee: nobody → Joanna Taryma (jtaryma)
Ruby Loo (rloo)
tags: added: needs-spec