[Openstack-operators] Better error messages for API policy enforcements

Andrew Laski andrew at lascii.com
Thu Dec 3 15:09:27 UTC 2015


On 12/02/15 at 03:24pm, Robert Starmer wrote:
>I can't think of a case where better error response and log messages are
>not useful/desired.

I agree with this, but I don't think that custom error messages defined 
in policy.json are the way to go.  The API response should be standard 
across deployments so error response improvements should be done in the 
code.

There has also been discussion about tackling this from the other end 
and allowing users to get a list of things they're allowed to do before 
even making a request.  This doesn't directly address providing 
information to users on what they need to do to gain a new capability 
but whatever API is created to provide a list of capabilities may be the 
better place to add that info rather than the current policy failure 
response.

>
>Robert
>
>On Wed, Dec 2, 2015 at 2:39 PM, Mike Dorman <mdorman at godaddy.com> wrote:
>
>> We use some custom API policies (as in policy.json) to restrict certain
>> operations to particular roles or requiring some fields on calls (i.e. we
>> require that users give us an availability zone when booting an instance.)
>>
>> When the policy causes the operation to be denied, the only response that
>> goes back to the user is something like “operation is denied by policy.”
>>  This is confusing and it’d be really nice if we could send back a response
>> like “you need to have xxxx role to do this”, or “availability zone is
>> required.”
>>
>> I was thinking about writing up an RFE bug for a feature that would allow
>> configuration of a custom “policy denied” message in policy.json.  Would
>> this be useful/desired by others?
>>
>> Mike
>>
>>
>> _______________________________________________
>> OpenStack-operators mailing list
>> OpenStack-operators at lists.openstack.org
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
>>
>>
