17:10:32 #startmeeting keystone-office-hours
17:10:33 Meeting started Tue Sep 4 17:10:32 2018 UTC and is due to finish in 60 minutes. The chair is lbragstad. Information about MeetBot at http://wiki.debian.org/MeetBot.
17:10:35 Useful Commands: #action #agreed #help #info #idea #link #topic #startvote.
17:10:37 The meeting name has been set to 'keystone_office_hours'
17:39:20 lbragstad: ok
17:39:47 lbragstad: so, the reason we need to leak details on if a group exists or not, is communication to the user
17:40:14 lbragstad: i think i'm going to add an explicit .get check before enforcement.
17:40:31 wonder if i can craft the target in a better way
18:19:10 kmalloc but don't we want to keep that from the user?
18:19:20 they're unauthorized
18:19:36 so here is the case
18:19:56 i am trying to do "domain role X on group Y"
18:20:03 if the group doesn't exist, what is the expectation
18:20:14 a 403? "forbidden" or a "404, group not found"
18:20:24 [specifically the case of group not existing]
18:20:26 is the user authorized?
18:20:39 user is authenticated and is allowed to assign the role
18:20:49 then it should be a 404
18:20:51 IMO
18:21:05 then group patch [mostly] as is, will be fine
18:21:28 needs a quick pass then and a note.
18:21:54 however, just fyi, this does allow a bad actor to determine group existence.
18:22:04 as long as they can create a domain role and assign it
18:22:09 *shrug* not a huge leak
18:22:10 but it is.
18:22:24 if a user calls GET -H "X-Auth-Token: garbage-token" /v3/domains/{domain_id}/groups/{group_id}/roles/{role_id} then i don't think we should leak that the domain doesn't exist
18:22:55 if $domain_id doesn't exist, then we should expose that information i don't think
18:23:02 and return a 403
18:23:09 hm.
18:23:18 yeah see how this is nuanced and weird.
18:23:25 if the user is authenticated AND $domain_id doesn't exist, then we should return a 404
18:23:29 right?
18:23:33 hm.
18:23:44 yeh.
22:10:37 #endmeeting