500 response code for commands denied by auth plugin #22428
Comments
ping @liron-l @dimastopel PTAL
This fix tried to address the issue raised in moby#22428 where HTTP 500 status code would be returned for commands denied by auth plugin, instead of HTTP 403 (StatusForbidden). The reason for this issue is that the error message for commands denied by auth plugin was not captured properly. This fix updates the error message capturing to address the issue. An additional test has been added to cover the changes. This fix fixes moby#22428. Signed-off-by: Yong Tang <yong.tang.github@outlook.com>
The issue seems to have been caused by the fact that the error message: A PR #22431 has been created to try to address this issue.
Thanks @lblackstone, all response modification steps were removed as part of the authorization framework code review (and we will definitely fix the documentation). Re response code, I'm not sure 403 (Forbidden) is the most appropriate, possibly 401 (unauthorized), @runcom, @diogomonica, @estesp WDYT?
makes sense to me
wait, I don't think it will work well. If we reply 401 during a pull operation (for instance) and the 401 comes from the auth plugin I suspect we get a login prompt (cause the cli assumes 401 is from the registry) ping @aaronlehmann
Given HTTP 401 will most likely interact improperly with any APIs that deal with auth (all the registry-interaction commands including From https://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html:
…st code (403).
- Return 403 (forbidden) when request is denied in authorization flows (including integration test)
- Fix moby#22428
- Close moby#22431
Signed-off-by: Liron Levin <liron@twistlock.com>
Output of docker version:
Output of docker info:
Additional environment details (AWS, VirtualBox, physical, etc.):
Vagrant-created VirtualBox VM
Steps to reproduce the issue:
Describe the results you received:
Describe the results you expected:
Expected the status code to be a 403 Forbidden
Additional information you deem important (e.g. issue happens only occasionally):
According to the auth plugin docs, it looks like it should be possible to modify the response code. However, the relevant fields don't seem to actually be in the code base. (e.g., ModifiedStatusCode appears in the docs, but not the code).
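The status-code question discussed in this thread, as an added example that is not Docker's code: an HTTP middleware that separates an explicit plugin denial (403) from a plugin failure (500, still failing closed) by error type rather than by message text, and avoids 401 so clients do not treat the denial as a login challenge. `DeniedError`, `Authorizer`, `WithAuthz`, `statusFor` and `probe` are hypothetical names, and the request is constructed sample input.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// DeniedError is a hypothetical typed error for an explicit "deny" decision.
type DeniedError struct{ Msg string }

func (e *DeniedError) Error() string { return fmt.Sprintf("authorization denied by plugin: %s", e.Msg) }

// Authorizer stands in for the call to an authorization plugin (assumed interface).
type Authorizer func(r *http.Request) error

// statusFor maps an authorization error to a status by type, not by message text.
func statusFor(err error) int {
	var denied *DeniedError
	if errors.As(err, &denied) {
		return http.StatusForbidden // 403, not 401: a client may answer 401 with a login prompt
	}
	return http.StatusInternalServerError // plugin failure: request is still refused
}

// WithAuthz runs the authorizer first and never reaches next when it returns an error.
func WithAuthz(authz Authorizer, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := authz(r); err != nil {
			http.Error(w, err.Error(), statusFor(err))
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the middleware and returns the status code.
func probe(authz Authorizer) int {
	ok := http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) })
	rec := httptest.NewRecorder()
	WithAuthz(authz, ok).ServeHTTP(rec, httptest.NewRequest("POST", "/containers/create", nil))
	return rec.Code
}

func main() {
	deny := func(*http.Request) error { return fmt.Errorf("authz: %w", &DeniedError{Msg: "policy"}) }
	broken := func(*http.Request) error { return errors.New("plugin unreachable") }
	fmt.Println(probe(deny), probe(broken), probe(func(*http.Request) error { return nil }))
}
```

Because the mapping uses `errors.As`, a denial stays a 403 even after intermediate layers wrap the error with extra context.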