Subject: Re: Review Request 42027: Changes HTTP responses from Unauthorized (401) to Forbidden (403).
From: "Alexander Rojas"
To: "Greg Mann", "Alexander Rukletsov", "Joerg Schad", "Jan Schlicht", "Till Toenshoff"
Cc: "mesos", "Alexander Rojas", "Mesos ReviewBot"
Date: Mon, 11 Jan 2016 13:25:27 -0000

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/42027/
-----------------------------------------------------------

(Updated Jan. 11, 2016, 2:25 p.m.)

Review request for mesos, Alexander Rukletsov, Greg Mann, Joerg Schad, Jan Schlicht, and Till Toenshoff.

Changes
-------

Benjamin's review requested changes.

Summary (updated)
-----------------

Changes HTTP responses from Unauthorized (401) to Forbidden (403).

Bugs: MESOS-4305
    https://issues.apache.org/jira/browse/MESOS-4305

Repository: mesos

Description (updated)
-------

It is a common pattern within Mesos to return an HTTP 401 (Unauthorized) response whenever the request is invalid for whatever reason. However, according to the [RFC-2617 Section 1.2](https://tools.ietf.org/html/rfc2617#section-1.2):

> The 401 (Unauthorized) response message is used by an origin server to challenge the authorization of a user agent. This response MUST include a WWW-Authenticate header field containing at least one challenge applicable to the requested resource.
Meaning that, despite the confusing name, the status code _401 Unauthorized_ should be used only for authentication purposes. On the other hand, the [RFC-2616 Section 10.4.4](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4) states:

> _(403 Forbidden is returned when)_ The server understood the request, but is refusing to fulfill it. Authorization will not help and the request SHOULD NOT be repeated. If the request method was not HEAD and the server wishes to make public why the request has not been fulfilled, it SHOULD describe the reason for the refusal in the entity. If the server does not wish to make this information available to the client, the status code 404 (Not Found) can be used instead.

As such, _403 (Forbidden)_ seems to be a better return code when replying inside endpoint handlers, while _401 (Unauthorized)_ should be left to the HTTP Authenticators only.

Diffs (updated)
-----

  docs/authorization.md a928f1722dc67cd791d78ebbe4591f2e8f2e8f2a
  src/master/http.cpp bcafc7aff89659a68352f3876ce6042f8b34bd5d
  src/master/quota_handler.cpp 134a93b1d1b6e050aa8a5037ffbec2cc305b0694
  src/tests/master_quota_tests.cpp 776a168254af6fa8a5d87d4580b35d83f2d5909a
  src/tests/persistent_volume_endpoints_tests.cpp f0cce190abc90f0fae84d6c3db20e8215c2d8132
  src/tests/reservation_endpoints_tests.cpp b8edd6fafedd4c2221a8d19c1ebc71254071a8c7
  src/tests/scheduler_http_api_tests.cpp 4d23a5a8368e0ed126469fa4a90a889b339ad004
  src/tests/teardown_tests.cpp 97cc89ba168aefff8512f6d1a25c4f7ddf180bae

Diff: https://reviews.apache.org/r/42027/diff/

Testing
-------

make check

Thanks,

Alexander Rojas
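A worked example of the distinction the description draws, added here and not part of the review or of Mesos itself: a minimal handler in which the authenticator is the only code path that returns 401, always with the WWW-Authenticate challenge RFC 2617 requires, while the endpoint handler returns 403 once the caller is authenticated but not authorized. The Request/Response types, the credential table and the quota ACL are hypothetical stand-ins constructed for the example.

```cpp
#include <iostream>
#include <map>
#include <set>
#include <string>

// Hypothetical request/response types standing in for libprocess's own.
struct Request {
  std::string path;
  std::map<std::string, std::string> headers;  // e.g. "Authorization"
};

struct Response {
  int status;
  std::map<std::string, std::string> headers;
  std::string body;
};

// Constructed credential table: raw Authorization header -> principal.
// (A real authenticator would decode and verify the credentials.)
static const std::map<std::string, std::string> kCredentials = {
  {"Basic YWxpY2U6c2VjcmV0", "alice"},  // "alice:secret"
  {"Basic Ym9iOmh1bnRlcjI=", "bob"},    // "bob:hunter2"
};

// Constructed ACL: principals allowed to update quota.
static const std::set<std::string> kQuotaAllowed = {"alice"};

Response handle(const Request& req) {
  // Authenticator: the only place that emits 401, and per RFC 2617 the
  // 401 must carry a WWW-Authenticate challenge for the realm.
  auto it = req.headers.find("Authorization");
  if (it == req.headers.end() || kCredentials.count(it->second) == 0) {
    return {401, {{"WWW-Authenticate", "Basic realm=\"mesos\""}},
            "Unauthorized"};
  }
  const std::string& principal = kCredentials.at(it->second);

  // Endpoint handler: the caller is authenticated, so a refusal is 403
  // (RFC 2616: "authorization will not help"), with the reason in the body.
  if (req.path == "/master/quota" && kQuotaAllowed.count(principal) == 0) {
    return {403, {}, "Principal '" + principal + "' may not update quota"};
  }
  return {200, {}, "OK"};
}

int main() {
  Response r = handle({"/master/quota",
                       {{"Authorization", "Basic Ym9iOmh1bnRlcjI="}}});
  std::cout << r.status << " " << r.body << std::endl;
}
```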