[openstack-dev] This is what disabled-by-policy should look like to the user

Monty Taylor mordred at inaugust.com
Fri Sep 4 18:41:48 UTC 2015


On 09/04/2015 01:42 PM, John Griffith wrote:
> On Fri, Sep 4, 2015 at 11:35 AM, Mathieu Gagné <mgagne at internap.com> wrote:
>
>> On 2015-09-04 12:50 PM, Monty Taylor wrote:
>>> On 09/04/2015 10:55 AM, Morgan Fainberg wrote:
>>>>
>>>> Obviously the translation of errors
>>>> would be more difficult if the enforcer is generating messages.
>>>
>>> The type: "PolicyNotAuthorized" is a good general key. Also - even
>>> though the command I sent was:
>>>
>>> neutron net-create
>>>
>>> On the command line, the entry in the policy_file is "create_network" -
>>> so honestly I think that policy.json and oslo.policy should have (or be
>>> able to have) all of the info needed to create almost the exact same
>>> message. Perhaps "NeutronError" would just need to be
>>> "OpenStackPolicyError"?
>>>
>>> Oh. Wait. You meant translation like i18n translation. In that case, I
>>> think it's easy:
>>>
>>> message = _("Policy doesn't allow %(policy_key)s to be performed") % {
>>>     "policy_key": "create_network"}
>>>
>>> /me waves hands
>>>
>>
>> I don't feel like this error message would be user-friendly:
>>
>> "Policy doesn't allow os_compute_api:os-instance-actions to be performed"
>>
>> Policy names aren't human-readable and match nothing on the client side.
>>
>> --
>> Mathieu
>>
>
> Ok, so this:
>
> ubuntu@devbox:~$ cinder reset-state 9dee0fae-864c-44f9-bdd7-3330a0f4e899
> Reset state for volume 9dee0fae-864c-44f9-bdd7-3330a0f4e899 failed: Policy
> doesn't allow volume_extension:volume_admin_actions:reset_status to be
> performed. (HTTP 403) (Request-ID: req-8ed2c895-0d1f-4b2c-9859-ee15c19267de)
> ERROR: Unable to reset the state for the specified volume(s).
> ubuntu@devbox:~$
>
> Is no good?  You would like to see "less" in the output; like just the
> command name itself and "Policy doesn't allow"?
>
> To Mathieu's point, fair statement WRT the visibility of the policy name.

Totally agree on the policy name. The one I did happened to be clear - 
that is not always the case. I'd love to see that.

But more to your question - yes, as an end user, I don't know what a 
volume_extension:volume_admin_actions:reset_status is - but I do know 
that I ran "cinder reset-state" - so getting:

"Cloud policy does not allow you to run reset_status"

would be fairly clear to me.

The other bits, the 403, the request-id and then the additional error 
message are a bit too busy. (they seem like output for a debug or 
verbose flag IMHO)

NOW -

  ERROR: Unable to reset the state for the specified volume(s) - Policy 
does not allow reset_status

would also work and would also be clear "this did not occur, the reason 
is that you are not allowed to do this because the cloud admin has set a 
policy."

Now that I'm talking out loud though - I think policy is a little confusing 
- because policy is not an end-user concept in any way.

"Your cloud administrator has disabled this API function"

is clearer and more to the point with less jargon.

I think the key points to communicate (verbally or through crafting):

- Yes, you logged in
- Yes, the API you called is a correct and real API
- No, you did not make a syntax error
- No, you are not allowed to call that real API on _this_ cloud

(without knowing those things, I tend to debug a TON of things before 
figuring out "oh, the cloud admin turned off part of the API")
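
The four points listed above, as an added example that is not part of the original post or of any OpenStack client: a client-side formatter that gives the end user one plain line per failure class and keeps the HTTP status and request ID for a verbose flag. The error-body layout, the function names and all message wording except the "cloud administrator" line are assumptions.

```python
import json

# Constructed sample body. The "NeutronError" wrapper and the
# "PolicyNotAuthorized" type come from the thread; the field layout is assumed.
SAMPLE_BODY = json.dumps({"NeutronError": {
    "type": "PolicyNotAuthorized",
    "message": "Policy doesn't allow create_network to be performed.",
    "detail": ""}})

# One message per question the user needs answered (hypothetical wording,
# except the policy line, which is the one proposed in the thread).
BY_STATUS = {
    400: "The request for '{cmd}' was malformed.",
    401: "You are not logged in, or your credentials were rejected.",
    404: "'{cmd}' called an API or resource that does not exist on this cloud.",
}
POLICY_MSG = "Your cloud administrator has disabled this API function ('{cmd}')."


def _error_fields(body):
    """Return the inner error dict of a '{"<Service>Error": {...}}' body."""
    try:
        payload = json.loads(body or "{}")
    except ValueError:
        return {}
    if not isinstance(payload, dict):
        return {}
    return next((v for v in payload.values() if isinstance(v, dict)), {})


def explain_failure(status, body, cmd, request_id=None, verbose=False):
    """Map an API failure to a single user-facing line.

    The HTTP status and request id are appended only when verbose is set.
    """
    err = _error_fields(body)
    if status == 403 and err.get("type") == "PolicyNotAuthorized":
        text = POLICY_MSG.format(cmd=cmd)
    elif status in BY_STATUS:
        text = BY_STATUS[status].format(cmd=cmd)
    else:
        # Unknown failure: fall back to whatever the server said.
        text = err.get("message") or "'{}' failed.".format(cmd)
    if verbose:
        text += " (HTTP {})".format(status)
        if request_id:
            text += " (Request-ID: {})".format(request_id)
    return text
```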



