<div dir="ltr"><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 4, 2015 at 11:35 AM, Mathieu Gagné <span dir="ltr"><<a href="mailto:mgagne@internap.com" target="_blank">mgagne@internap.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><span class="">On 2015-09-04 12:50 PM, Monty Taylor wrote:<br>
> On 09/04/2015 10:55 AM, Morgan Fainberg wrote:<br>
>><br>
</span><span class="">>> Obviously the translation of errors<br>
>> would be more difficult if the enforcer is generating messages.<br>
><br>
> The type: "PolicyNotAuthorized" is a good general key. Also - even<br>
> though the command I sent was:<br>
><br>
> neutron net-create<br>
><br>
> On the command line, the entry in the policy_file is "create_network" -<br>
> so honestly I think that policy.json and oslo.policy should have (or be<br>
> able to have) all of the info needed to create almost the exact same<br>
> message. Perhaps "NeutronError" would just need to be<br>
> "OpenStackPolicyError"?<br>
><br>
> Oh. Wait. You meant translation like i18n translation. In that case, I<br>
> think it's easy:<br>
><br>
> message=_("Policy doesn't allow %(policy_key)s to be performed",<br>
> policy_key="create_network")<br>
><br>
> /me waves hands<br>
><br>
<br>
</span>I don't feel like this error message would be user-friendly:<br>
<br>
"Policy doesn't allow os_compute_api:os-instance-actions to be performed"<br>
<br>
Policy name aren't human readable and match nothing on the client side.<br>
<span class=""><font color="#888888"><br>
--<br>
Mathieu<br>
</font></span><div class=""><div class="h5"><br>
__________________________________________________________________________<br>
OpenStack Development Mailing List (not for usage questions)<br>
Unsubscribe: <a href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe" rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
</div></div></blockquote></div><br></div><div class="gmail_extra"><div class="gmail_default" style="font-family:monospace,monospace">Ok, so this:</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">ubuntu@devbox:~$ cinder reset-state 9dee0fae-864c-44f9-bdd7-3330a0f4e899</div><div class="gmail_default" style="font-family:monospace,monospace">Reset state for volume 9dee0fae-864c-44f9-bdd7-3330a0f4e899 failed: Policy doesn't allow volume_extension:volume_admin_actions:reset_status to be performed. (HTTP 403) (Request-ID: req-8ed2c895-0d1f-4b2c-9859-ee15c19267de)</div><div class="gmail_default" style="font-family:monospace,monospace">ERROR: Unable to reset the state for the specified volume(s).</div><div class="gmail_default" style="font-family:monospace,monospace">ubuntu@devbox:~$</div><br></div><div class="gmail_extra"><div class="gmail_default" style="font-family:monospace,monospace">Is no good? You would like to see "less" in the output; like just the command name itself and "Policy doesn't allow"?</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace">To Mathieu's point, fair statement WRT the visibility of the policy name.</div><div class="gmail_default" style="font-family:monospace,monospace"><br></div><div class="gmail_default" style="font-family:monospace,monospace"></div><br></div></div>