Response code 404 Vs 403 when operation is not allowed

asked 2012-03-30 11:22:38 -0500


Related to : (

When a member (non-admin) tries to reboot a server belonging to a different tenant, one would expect that a 403-unauthorized HTTP code should be returned.


Use RESTClient to POST to the following URL:

http://<ipaddr>:8774/v2/<uuid_tenant1>/servers/<uuid_server_for_tenant2>/action

JSON body: { "reboot" : { "type" : "HARD" } }

The x-auth-token belongs to a non-admin member of tenant1.

Actual response received: {"itemNotFound": {"message": "The resource could not be found.", "code": 404}}

Should the expected response be "403-unauthorized"?

The current response 404 makes sense based on the fact that the UUID of the server provided does not belong to the tenant. So even before checking what actions are allowed or not, the code returns "not found". This would be similar even when an invalid UUID is provided (e.g. the string "ThisIsDummyUUID"), i.e. we'll get 404.

Please comment whether 403 should be returned for "valid-server-uuid-but-belongs-to-different-tenant".


2 answers


answered 2012-03-30 12:50:54 -0500


I think it is trying to say that the user is able to perform a reboot, but that the server does not exist in their view.

You don't want people being able to discover what ids other people have as servers.

I presume that is why it is happening anyway.


answered 2012-03-30 13:21:12 -0500


Each tenant should be in its own sandbox. If we respond with a 403 code, it would be kind of a security issue.

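As an added illustration (not Nova's code and not from either answer above), here is a minimal Python model of the two lookup orders the answers contrast: a tenant-scoped lookup that returns 404 for both a foreign and a nonexistent UUID, and a global lookup that leaks existence by returning 403 only for foreign servers. Tenant names, server ids and the 403 body are constructed.

```python
# Constructed sample data: two tenants, one server each.
TENANT1 = "tenant1"
TENANT2 = "tenant2"
SERVERS = {
    "srv-1": {"tenant_id": TENANT1, "status": "ACTIVE"},
    "srv-2": {"tenant_id": TENANT2, "status": "ACTIVE"},
}
REBOOT_BODY = {"reboot": {"type": "HARD"}}

# 404 body as quoted in the question; the 403 body is a constructed placeholder.
NOT_FOUND = (404, {"itemNotFound": {"message": "The resource could not be found.", "code": 404}})
FORBIDDEN = (403, {"forbidden": {"message": "Policy doesn't allow this action.", "code": 403}})


def reboot_scoped(tenant_id, role, server_id, body):
    """Hardened order: look the server up only within the caller's tenant.

    A server owned by another tenant is indistinguishable from one that does
    not exist, so the status code cannot be used to probe which UUIDs are in use.
    """
    server = SERVERS.get(server_id)
    if server is None or server["tenant_id"] != tenant_id:
        return NOT_FOUND
    # The action policy is evaluated only after the scoped lookup succeeds.
    if "reboot" not in body or role not in ("member", "admin"):
        return FORBIDDEN
    return (202, {})


def reboot_leaky(tenant_id, role, server_id, body):
    """Leaky order: global lookup first, ownership check second.

    Foreign UUIDs get 403 while unknown UUIDs get 404, which tells the caller
    whether a given UUID exists at all.
    """
    server = SERVERS.get(server_id)
    if server is None:
        return NOT_FOUND
    if server["tenant_id"] != tenant_id:
        return FORBIDDEN
    if "reboot" not in body or role not in ("member", "admin"):
        return FORBIDDEN
    return (202, {})


def leaks_existence(handler):
    """True if the handler answers differently for a foreign server than for a
    nonexistent one, i.e. if its status codes reveal existence across tenants."""
    foreign = handler(TENANT1, "member", "srv-2", REBOOT_BODY)[0]
    unknown = handler(TENANT1, "member", "ThisIsDummyUUID", REBOOT_BODY)[0]
    return foreign != unknown
```

`leaks_existence` is the check to run against any resource handler: a tenant-scoped API should return the same status for a foreign id and a random one.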
