<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Sep 4, 2015 at 10:35 AM, Mathieu Gagné <span dir="ltr"><<a href="mailto:mgagne@internap.com" target="_blank">mgagne@internap.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span class="">On 2015-09-04 12:50 PM, Monty Taylor wrote:<br>
> On 09/04/2015 10:55 AM, Morgan Fainberg wrote:<br>
>><br>
</span><span class="">>> Obviously the translation of errors<br>
>> would be more difficult if the enforcer is generating messages.<br>
><br>
> The type: "PolicyNotAuthorized" is a good general key. Also - even<br>
> though the command I sent was:<br>
><br>
> neutron net-create<br>
><br>
> On the command line, the entry in the policy_file is "create_network" -<br>
> so honestly I think that policy.json and oslo.policy should have (or be<br>
> able to have) all of the info needed to create almost the exact same<br>
> message. Perhaps "NeutronError" would just need to be<br>
> "OpenStackPolicyError"?<br>
><br>
> Oh. Wait. You meant translation like i18n translation. In that case, I<br>
> think it's easy:<br>
><br>
> message=_("Policy doesn't allow %(policy_key)s to be performed",<br>
> policy_key="create_network")<br>
><br>
> /me waves hands<br>
><br>
<br>
</span>I don't feel like this error message would be user-friendly:<br>
<br>
"Policy doesn't allow os_compute_api:os-instance-actions to be performed"<br>
<br>
Policy name aren't human readable and match nothing on the client side.<br><div class="HOEnZb"><div class="h5"><br></div></div></blockquote><div><br></div><div>To be fair the message can be improved. Right now this is so far above what you get in most cases. Digging a bit deeper, a lot of this is in oslo.policy but it appears we have projects doing custom layers of enforcement that change the results. The short solution is to clean up and consistently raise an exception up and then work on the messaging. </div></div><br></div></div>