From 6fdd1f6215756422068ad112509de5d7be057373 Mon Sep 17 00:00:00 2001
From: Brian Waldon <bcwaldon@gmail.com>
Date: Wed, 25 Jan 2012 10:37:33 -0800
Subject: [PATCH] Return 403 instead of 401 when policies reject

Fixes bug 921744

Change-Id: Ib4b6405dffa3ee2e8ef2b8a7710124f97f0fdf43
---
 nova/api/openstack/wsgi.py                                      | 2 +-
 .../api/openstack/compute/contrib/test_simple_tenant_usage.py   | 2 +-
 nova/tests/api/openstack/test_wsgi.py                           | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/nova/api/openstack/wsgi.py b/nova/api/openstack/wsgi.py
index 8a7a077b8f8b..26f6cc97f4c6 100644
--- a/nova/api/openstack/wsgi.py
+++ b/nova/api/openstack/wsgi.py
@@ -573,7 +573,7 @@ class ResourceExceptionHandler(object):
 
         if isinstance(ex_value, exception.NotAuthorized):
             msg = unicode(ex_value)
-            raise Fault(webob.exc.HTTPUnauthorized(explanation=msg))
+            raise Fault(webob.exc.HTTPForbidden(explanation=msg))
         elif isinstance(ex_value, TypeError):
             LOG.exception(ex_value)
             raise Fault(webob.exc.HTTPBadRequest())
diff --git a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
index 18514c433d40..afb4e5fccc27 100644
--- a/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
+++ b/nova/tests/api/openstack/compute/contrib/test_simple_tenant_usage.py
@@ -174,7 +174,7 @@ class SimpleTenantUsageTest(test.TestCase):
         try:
             res = req.get_response(fakes.wsgi_app(
                                    fake_auth_context=self.alt_user_context))
-            self.assertEqual(res.status_int, 401)
+            self.assertEqual(res.status_int, 403)
         finally:
             policy.reset()
 
diff --git a/nova/tests/api/openstack/test_wsgi.py b/nova/tests/api/openstack/test_wsgi.py
index 3dfcb238807d..3974971fabd5 100644
--- a/nova/tests/api/openstack/test_wsgi.py
+++ b/nova/tests/api/openstack/test_wsgi.py
@@ -204,7 +204,7 @@ class ResourceTest(test.TestCase):
         req = webob.Request.blank('/tests')
         app = fakes.TestRouter(Controller())
         response = req.get_response(app)
-        self.assertEqual(response.status_int, 401)
+        self.assertEqual(response.status_int, 403)
 
     def test_dispatch(self):
         class Controller(object):