[openstack-dev] This is what disabled-by-policy should look like to the user

Adam Young ayoung at redhat.com
Sat Sep 5 02:43:08 UTC 2015


On 09/04/2015 10:04 AM, Monty Taylor wrote:
> mordred at camelot:~$ neutron net-create test-net-mt
> Policy doesn't allow create_network to be performed.
>
> Thank you neutron. Excellent job.
>
> Here's what that looks like at the REST layer:
>
> DEBUG: keystoneclient.session RESP: [403] date: Fri, 04 Sep 2015 
> 13:55:47 GMT connection: close content-type: application/json; 
> charset=UTF-8 content-length: 130 x-openstack-request-id: 
> req-ba05b555-82f4-4aaf-91b2-bae37916498d
> RESP BODY: {"NeutronError": {"message": "Policy doesn't allow 
> create_network to be performed.", "type": "PolicyNotAuthorized", 
> "detail": ""}}
>
> As a user, I am not confused. I do not think that maybe I made a 
> mistake with my credentials. The cloud in question simply does not 
> allow user creation of networks. I'm fine with that. (as a user, that 
> might make this cloud unusable to me - but that's a choice I can now 
> make with solid information easily. Turns out, I don't need to create 
> networks for my application, so this actually makes it easier for me 
> personally)
>
> In any case- rather than complaining and being a whiny brat about 
> something that annoys me - I thought I'd say something nice about 
> something that the neutron team has done that especially pleases me.

Then let my Hijack:

Policy is still broken.  We need the pieces of Dynamic policy.

I am going to call for a cross project policy discussion for the 
upcoming summit.  Please, please, please all the projects attend. The 
operators have made it clear they need better policy support.


> I would love it if this became the experience across the board in 
> OpenStack for times when a feature of the API is disabled by local 
> policy. It's possible it already is and I just haven't directly 
> experienced it - so please don't take this as a backhanded 
> condemnation of anyone else.
>
> Monty
>
> __________________________________________________________________________ 
>
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: 
> OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




More information about the OpenStack-dev mailing list