[openstack-dev] This is what disabled-by-policy should look like to the user

Morgan Fainberg morgan.fainberg at gmail.com
Fri Sep 4 17:45:34 UTC 2015


On Fri, Sep 4, 2015 at 10:35 AM, Mathieu Gagné <mgagne at internap.com> wrote:

> On 2015-09-04 12:50 PM, Monty Taylor wrote:
> > On 09/04/2015 10:55 AM, Morgan Fainberg wrote:
> >>
> >> Obviously the translation of errors
> >> would be more difficult if the enforcer is generating messages.
> >
> > The type: "PolicyNotAuthorized" is a good general key. Also - even
> > though the command I sent was:
> >
> > neutron net-create
> >
> > On the command line, the entry in the policy_file is "create_network" -
> > so honestly I think that policy.json and oslo.policy should have (or be
> > able to have) all of the info needed to create almost the exact same
> > message. Perhaps "NeutronError" would just need to be
> > "OpenStackPolicyError"?
> >
> > Oh. Wait. You meant translation like i18n translation. In that case, I
> > think it's easy:
> >
> > message=_("Policy doesn't allow %(policy_key)s to be performed",
> > policy_key="create_network")
> >
> > /me waves hands
> >
>
> I don't feel like this error message would be user-friendly:
>
> "Policy doesn't allow os_compute_api:os-instance-actions to be performed"
>
> Policy name aren't human readable and match nothing on the client side.
>
>
To be fair the message can be improved. Right now this is so far above what
you get in most cases. Digging a bit deeper, a lot of this is in
oslo.policy but it appears we have projects doing custom layers of
enforcement that change the results. The short solution is to clean up and
consistently raise an exception up and then work on the messaging.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150904/120fc8bb/attachment.html>


More information about the OpenStack-dev mailing list