Barbican

Barbican returns a 400 when unable to find a plugin.

Bug #1416075 reported by Douglas Mendizábal on 2015-01-29

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Barbican	Fix Released	Medium	Juan Antonio Osorio Robles	Barbican 2015.1.0 "kilo"

Bug Description

I found this bug while testing the client against a Barbican instance that has stored secrets using different plugins. The scenario is this:

Barbican is running with a particular SecreStore plugin, let's call it PluginA. Then the secret store plugin is changed to a new plugin, let's call it PluginB.
The Barbican database contains secrets that were either encrypted with PluginA or PluginB.
When a client attempts to retrieve a secret that was stored using PluginA, Barbican responds with "400 - could not find plugin" since the only plugin available is PluginB.

The problem I see with this is that 400 errors imply that the client is in error, and that the request must somehow be changed so that the service can fulfill the request. This is not the case in this scenario, though, because there is nothing the client can do to their request to get their secret back.

Since this error is the result of a misconfiguration (leaving PluginA out of the config), or possibly due to a failed PluginA -> PluginB migration, I would expect the response to be a 500 (or 5xx) error, since the service itself must be modified to be able to fulfill the request.

Revision history for this message

John Wood (john-wood-w) wrote on 2015-01-29:

IMHO, agreed!

Juan Antonio Osorio Robles (juan-osorio-robles) on 2015-01-30

Changed in barbican:
assignee:	nobody → Juan Antonio Osorio Robles (juan-osorio-robles)

Douglas Mendizábal (dougmendizabal) on 2015-01-30

Changed in barbican:
status:	New → Confirmed
importance:	Undecided → Medium

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-01: Fix proposed to barbican (master)

Fix proposed to branch: master
Review: https://review.openstack.org/151936

Changed in barbican:
status:	Confirmed → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2015-02-09: Fix merged to barbican (master)

Reviewed: https://review.openstack.org/151936
Committed: https://git.openstack.org/cgit/openstack/barbican/commit/?id=b1effb65a641073fdba76da680890e290712b5a1
Submitter: Jenkins
Branch: master

commit b1effb65a641073fdba76da680890e290712b5a1
Author: Juan Antonio Osorio Robles <email address hidden>
Date: Sun Feb 1 19:46:32 2015 +0200

Change exception when store plugin is misconfigured

    If we try to get a plugin that supports the "retrieve" and "delete"
    operations and the plugin is not there, is is probably due to a server
    misconfiguration, since the plugin name is gotten from the metadata
    from the database; And if it was there in the first place, it means
    that it once was actually able to store that secret using a valid
    plugin. Thus, a new exception is raised if this is the case.

Change-Id: I2be8b9dd17a7bd12f10e55945b09257fce616f3d
Closes-Bug: #1416075

Changed in barbican:
status:	In Progress → Fix Committed

Douglas Mendizábal (dougmendizabal) on 2015-03-02

Changed in barbican:
milestone:	none → kilo-3

Thierry Carrez (ttx) on 2015-03-19

Changed in barbican:
status:	Fix Committed → Fix Released

Thierry Carrez (ttx) on 2015-04-30

Changed in barbican:
milestone:	kilo-3 → 2015.1.0

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.