17:10:32 <lbragstad> #startmeeting keystone-office-hours
17:10:33 <openstack> Meeting started Tue Sep  4 17:10:32 2018 UTC and is due to finish in 60 minutes.  The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:10:35 <openstack> Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:10:37 <openstack> The meeting name has been set to 'keystone_office_hours'
17:39:20 <kmalloc> lbragstad: ok
17:39:47 <kmalloc> lbragstad: so, the reason we need to leak details on if a group exists or not, is communication to the user
17:40:14 <kmalloc> lbragstad: i think i'm going to add an explicit .get check before enforcement.
17:40:31 <kmalloc> wonder if i can craft the target in a better way
18:19:10 <lbragstad> kmalloc but don't we want to keep that from the user?
18:19:20 <lbragstad> they're unauthorized
18:19:36 <kmalloc> so here is the case
18:19:56 <kmalloc> i am trying to do "domain role X on group Y"
18:20:03 <kmalloc> if the group doesn't exist, what is the expectation
18:20:14 <kmalloc> a 403? "forbidden" or a "404, group not found"
18:20:24 <kmalloc> [specifically the case of group not existing]
18:20:26 <lbragstad> is the user authorized?
18:20:39 <kmalloc> user is authenticated and is allowed to assign the role
18:20:49 <lbragstad> then it should be a 404
18:20:51 <lbragstad> IMO
18:21:05 <kmalloc> then group patch [mostly] as is, will be fine
18:21:28 <kmalloc> needs a quick pass then and a note.
18:21:54 <kmalloc> however, just fyi, this does allow a bad actor to determine group existence.
18:22:04 <kmalloc> as long as they can create a domain role and assign it
18:22:09 <kmalloc> *shrug* not a huge leak
18:22:10 <kmalloc> but it is.
18:22:24 <lbragstad> if a user calls GET -H "X-Auth-Token: garbage-token" /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} then i don't think we should leak that the domain doesn't exist
18:22:55 <lbragstad> if $domain_id doesn't exist, then we should expose that information i don't think
18:23:02 <lbragstad> and return a 403
18:23:09 <kmalloc> hm.
18:23:18 <kmalloc> yeah see how this is nuanced and weird.
18:23:25 <lbragstad> if the user is authenticated AND $domain_id doesn't exist, then we should return a 404
18:23:29 <lbragstad> right?
18:23:33 <kmalloc> hm.
18:23:44 <kmalloc> yeh.
22:10:37 <lbragstad> #endmeeting