NotFound exception is being thrown instead of PolicyNotAuthorized

Bug #1367795 reported by Thiago Paiva Brito
This bug affects 1 person

Affects: Cinder
Status: Opinion
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Testing a new use case for a policy approach, I was constantly receiving a NotFound response on trying to access a volume. I could see the volume on Horizon's interface but could not access it through python-cinderclient. Digging into the cinder code, I found that I could not access it due to policy restrictions, but the exception being thrown was NotFound instead of the far more informative PolicyNotAuthorized exception. Looking into why that is, I found this piece of code:

cinder/cinder/volume/api.py line 308:

        try:
            check_policy(old_ctxt, 'get', volume)
        except exception.PolicyNotAuthorized:
            # raise VolumeNotFound instead to make sure Cinder behaves
            # as it used to
            raise exception.VolumeNotFound(volume_id=volume_id)
        return volume

I believe it's a grotesque error to throw an exception that points in a direction that isn't the cause of the failure just because it was what cinder did in the past. Debuggers got crazy searching for an error when what's indeed happening is a completely different thing.

Changed in cinder:
assignee: nobody → Thiago Paiva Brito (thiagop)
Duncan Thomas (duncan-thomas) wrote :

This is a) an established API b) a security feature that prevents probing for volume IDs. Probing was much more of a problem when we used integer IDs rather than UUIDs, but still, by design.

Changed in cinder:
status: New → Opinion
Thiago Paiva Brito (outbrito) wrote :

The PolicyNotAuthorized exception's message says "Policy doesn't allow %(action)s to be performed". How does this message create evidence that a volume truly exists?
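
A minimal model of the behaviour debated in this thread, added here as an illustration and not taken from Cinder: `get_volume`, `check_policy`, the exception classes, the logger name and the sample IDs are all constructed stand-ins. It shows why a distinct policy error separates existing from non-existent IDs for a caller without access, and how the real cause can still be kept in the server log for debugging.

```python
import logging

log = logging.getLogger("volume_api_example")  # hypothetical logger name

class VolumeNotFound(Exception):
    pass

class PolicyNotAuthorized(Exception):
    pass

# Constructed sample data: one volume owned by project-a.
EXISTING_ID = "11111111-1111-4111-8111-111111111111"
MISSING_ID = "22222222-2222-4222-8222-222222222222"
VOLUMES = {EXISTING_ID: {"id": EXISTING_ID, "project_id": "project-a"}}

def check_policy(project_id, volume):
    # Stand-in policy rule: only the owning project may 'get' the volume.
    if volume["project_id"] != project_id:
        raise PolicyNotAuthorized("Policy doesn't allow get to be performed")

def get_volume(project_id, volume_id, mask=True):
    volume = VOLUMES.get(volume_id)
    if volume is None:
        raise VolumeNotFound(volume_id)
    try:
        # The policy target is the volume itself, so this check can only
        # fail for an ID that exists.
        check_policy(project_id, volume)
    except PolicyNotAuthorized:
        if not mask:
            raise
        # Record the real cause for operators; the caller sees not-found.
        log.warning("policy denied 'get' on volume %s for project %s",
                    volume_id, project_id)
        raise VolumeNotFound(volume_id) from None
    return volume

def distinguishable_ids(project_id, candidate_ids, mask):
    """IDs whose response differs from the one given for a missing volume."""
    confirmed = []
    for volume_id in candidate_ids:
        try:
            get_volume(project_id, volume_id, mask)
        except PolicyNotAuthorized:
            confirmed.append(volume_id)
        except VolumeNotFound:
            pass
    return confirmed
```

With `mask=False` the policy error is returned only for the ID that exists; with `mask=True` both IDs produce the same not-found response and the denial appears only in the log.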

Sean McGinnis (sean-mcginnis) wrote : Bug Assignee Expired

Unassigning due to no activity for > 6 months.

Changed in cinder:
assignee: Thiago Paiva Brito (thiagop) → nobody