On 09/04/2015 01:42 PM, John Griffith wrote:
On Fri, Sep 4, 2015 at 11:35 AM, Mathieu Gagné <mga...@internap.com> wrote:
On 2015-09-04 12:50 PM, Monty Taylor wrote:
On 09/04/2015 10:55 AM, Morgan Fainberg wrote:
Obviously the translation of errors
would be more difficult if the enforcer is generating messages.
The type: "PolicyNotAuthorized" is a good general key. Also - even
though the command I sent was:
neutron net-create
On the command line, the entry in the policy_file is "create_network" -
so honestly I think that policy.json and oslo.policy should have (or be
able to have) all of the info needed to create almost the exact same
message. Perhaps "NeutronError" would just need to be
"OpenStackPolicyError"?
Oh. Wait. You meant translation like i18n translation. In that case, I
think it's easy:
message=_("Policy doesn't allow %(policy_key)s to be performed",
policy_key="create_network")
/me waves hands
I don't feel like this error message would be user-friendly:
"Policy doesn't allow os_compute_api:os-instance-actions to be performed"
Policy name aren't human readable and match nothing on the client side.
--
Mathieu
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
Ok, so this:
ubuntu@devbox:~$ cinder reset-state 9dee0fae-864c-44f9-bdd7-3330a0f4e899
Reset state for volume 9dee0fae-864c-44f9-bdd7-3330a0f4e899 failed: Policy
doesn't allow volume_extension:volume_admin_actions:reset_status to be
performed. (HTTP 403) (Request-ID: req-8ed2c895-0d1f-4b2c-9859-ee15c19267de)
ERROR: Unable to reset the state for the specified volume(s).
ubuntu@devbox:~$
Is no good? You would like to see "less" in the output; like just the
command name itself and "Policy doesn't allow"?
To Mathieu's point, fair statement WRT the visibility of the policy name.
Totally agree on the policy name. The one I did happened to be clear -
that is not always the case. I'd love to see that.
But more to your question - yes, as an end user, I do't know what a
volume_extension:volume_admin_actions:reset_status is - but I do know
that I ran "cinder reset-state" - so getting:
'Cloud policy does not allow you to run reset_status"
would be fairly clear to me.
The other bits, the 403, the request-id and then the additional error
message are a bit too busy. (they seem like output for a debug or
verbose flag IMHO)
NOW -
ERROR: Unable to reset the state for the specified volume(s) - Policy
does not allow reset_status
would also work and would also be clear "this did not occur, the reason
is that you are not allowed to do this because the cloud admin has set a
policy.
Now that I'm talking out loud though - I'm policy is a little confusing
- because policy is not an end-user concept in any way.
"Your cloud administrator has disabled this API function"
is clearer and more to the point with less jargon.
I think the key points to communicate (verbally or through crafting):
- Yes, you logged in
- Yes, the API you called is a correct and real API
- No, you did not make a syntax error
- No, you are not allowed to call that real API on _this_ cloud
(without knowing those things, I tend to debug a TON of things before
figuring out "oh, the cloud admin turned off part of the API)
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
