Bug 806298 - [REST API]: GET'ing domain with bad credentials returns 404
[REST API]: GET'ing domain with bad credentials returns 404
Product: OpenShift Origin
Classification: Red Hat
Component: Pod (Show other bugs)
Unspecified Unspecified
high Severity high
: ---
: ---
Assigned To: Krishna Raman
libra bugs
: Triaged
: 806293 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2012-03-23 07:45 EDT by Andre Dietisheim
Modified: 2015-05-14 21:49 EDT (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2012-04-13 14:32:24 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Andre Dietisheim 2012-03-23 07:45:06 EDT
If I do a GET on a specific domain i have while using erroneous credentials I get 404:

curl -v -k -H "Accept: application/xml" --user "adietish@redhat.com:BADPW" https://openshift.redhat.com/broker/rest/domains/1329997507457 -X GET

< HTTP/1.1 404 Not Found
< Date: Fri, 23 Mar 2012 11:42:33 GMT
< Server: Apache/2.2.15 (Red Hat)
< X-Powered-By: Phusion Passenger (mod_rails/mod_rack) 3.0.4
< X-Runtime: 0.945164
< Cache-Control: no-cache
< X-UA-Compatible: IE=Edge,chrome=1
< Status: 404
< Content-Type: application/xml; charset=utf-8
< Vary: Accept-Encoding,User-Agent
< ProxyTime: D=968946
< Connection: close
< Transfer-Encoding: chunked
<?xml version="1.0" encoding="UTF-8"?>
  <type nil="true"></type>
      <field nil="true"></field>
      <text>Domain 1329997507457 not found.</text>
  <data nil="true"></data>

I would have expected the response code 403
Comment 1 Andre Dietisheim 2012-03-23 07:46:37 EDT
The very same request (to the same existing domain) while using valid credentials, lists the expected informations.
Comment 2 Lili Nader 2012-03-23 22:52:31 EDT
since this is on production the authentication should be failing and routing the user to login or return a 401.
Comment 3 Andre Dietisheim 2012-03-26 09:43:09 EDT
switched severity to urgent since we cannot differentiate if a user has no domain or he's simply not authorized
Comment 4 Krishna Raman 2012-03-27 00:22:06 EDT
Comment 5 Xiaoli Tian 2012-03-29 04:55:41 EDT
(In reply to comment #4)
> 5764b5c849d19492c7186cf5d3bd66dfd564e955

Test this on devenv_1679, configure the instance to integrated environment (which will require authentication for user),

Access with invalid password will return access denied
curl -k -H 'Accept: application/xml' --user 'xtian+test5@redhat.com:invalidpwd' https://$instancedns/broker/rest/domains/doms6 -X GET
HTTP Basic: Access denied.

Access with valid password but non-exist domain:
curl -k -H 'Accept: application/xml' --user 'xtian+test5@redhat.com:validpwd' https://$instancedns/broker/rest/domains/doms7 -X GET
<?xml version="1.0" encoding="UTF-8"?>
  <type nil="true"></type>
    <datum nil="true"></datum>
      <text>Domain doms7 not found.</text>
      <field nil="true"></field>
Comment 6 Xiaoli Tian 2012-03-29 09:03:41 EDT
*** Bug 806293 has been marked as a duplicate of this bug. ***
Comment 7 Andre Dietisheim 2012-03-29 09:09:33 EDT
looks perfect, thanks!

Note You need to log in before you can comment on or make changes to this bug.