[openstack-dev] This is what disabled-by-policy should look like to the user

Morgan Fainberg morgan.fainberg at gmail.com
Fri Sep 4 14:55:31 UTC 2015



> On Sep 4, 2015, at 07:04, Monty Taylor <mordred at inaugust.com> wrote:
> 
> mordred at camelot:~$ neutron net-create test-net-mt
> Policy doesn't allow create_network to be performed.
> 
> Thank you neutron. Excellent job.
> 
> Here's what that looks like at the REST layer:
> 
> DEBUG: keystoneclient.session RESP: [403] date: Fri, 04 Sep 2015 13:55:47 GMT connection: close content-type: application/json; charset=UTF-8 content-length: 130 x-openstack-request-id: req-ba05b555-82f4-4aaf-91b2-bae37916498d
> RESP BODY: {"NeutronError": {"message": "Policy doesn't allow create_network to be performed.", "type": "PolicyNotAuthorized", "detail": ""}}
> 
> As a user, I am not confused. I do not think that maybe I made a mistake with my credentials. The cloud in question simply does not allow user creation of networks. I'm fine with that. (as a user, that might make this cloud unusable to me - but that's a choice I can now make with solid information easily. Turns out, I don't need to create networks for my application, so this actually makes it easier for me personally)
> 

The 403 (yay, good HTTP error choice) and message are great here.

We should make this the default (I think we can do something like this by baking it into the enforcer in oslo.policy so that it is consistent across OpenStack). Obviously the translation of errors would be more difficult if the enforcer is generating messages.

--Morgan
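
A sketch of the idea discussed in this thread, as an added example that is not part of the original post and not oslo.policy code: the enforcer owns the denial message, so every API layer that shares it returns the same 403 body, and credential problems stay a separate 401. The `Enforcer`, `handle`, `error_body` and `RULES` names, the 401 body and the sample policy are assumptions made for illustration; only the 403 message, type and `NeutronError` envelope come from the response quoted above.

```python
import json


class PolicyNotAuthorized(Exception):
    """Policy denial; the user-facing message is built here, in one place."""

    def __init__(self, action):
        self.action = action
        super().__init__("Policy doesn't allow %s to be performed." % action)


class Enforcer:
    """Hypothetical minimal enforcer, not oslo.policy's real API."""

    def __init__(self, rules):
        self.rules = rules  # action name -> callable(creds) -> bool

    def enforce(self, action, creds):
        # Actions with no rule are denied (default deny).
        check = self.rules.get(action, lambda creds: False)
        if not check(creds):
            raise PolicyNotAuthorized(action)
        return True


def error_body(key, message, err_type):
    return json.dumps({key: {"message": message, "type": err_type, "detail": ""}})


def handle(enforcer, action, creds, key="NeutronError"):
    """Return (status, body) the way an API layer sharing the enforcer could."""
    if creds is None:
        # Constructed 401 body: bad or missing credentials stay distinct from 403.
        return 401, error_body(key, "Authentication required.", "Unauthorized")
    try:
        enforcer.enforce(action, creds)
    except PolicyNotAuthorized as exc:
        return 403, error_body(key, str(exc), type(exc).__name__)
    return 200, json.dumps({"action": action})


# Constructed sample policy: only admins may create networks.
RULES = {
    "create_network": lambda creds: "admin" in creds.get("roles", []),
    "list_networks": lambda creds: True,
}
```
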




