>"And as an admin (trusted user), we expect them to not break things."
>
>Sorry, I am going to have to disagree with you on this. The interface gives no indication that the request failed to produce the >desired effect. Add to that several facts: many quota-exceeded errors are masked by other quota exceeded error names and end >users will report quota exceeded errors as "my instance failed to start". These all add up to a bad user experience."
Yup, the UX is horrible for this one. can you expand on the error masking point?
>"This is part of a bigger issue, which is nova doesn't have great RBAC support. Say you want to create a tenant admin who can set >quotas per user."
>
>I don't see how role-based access control is necessary when a simple check "does this string correspond to a real project UUID (or >name if you want to support that)" would suffice.
Perhaps opinion was the wrong status, while I agree that there is something to fix here, I am not sure how you want to change things. For this to be confirmed I would like a more explicit explanation of what the issue is and what the desired outcome should be. Do you just want to make sure the tenant is valid? If so I can get behind that, but the bug description needs some updating.
>"And as an admin (trusted user), we expect them to not break things."
>
>Sorry, I am going to have to disagree with you on this. The interface gives no indication that the request failed to produce the >desired effect. Add to that several facts: many quota-exceeded errors are masked by other quota exceeded error names and end >users will report quota exceeded errors as "my instance failed to start". These all add up to a bad user experience."
Yup, the UX is horrible for this one. can you expand on the error masking point?
>"This is part of a bigger issue, which is nova doesn't have great RBAC support. Say you want to create a tenant admin who can set >quotas per user."
>
>I don't see how role-based access control is necessary when a simple check "does this string correspond to a real project UUID (or >name if you want to support that)" would suffice.
So nova doesn't keep track of project UUIDs, so this would have to be implemented as a call out to keystone. So I am not very familiar with the keystone API but I think you would need to call v2.0/tenants{ /tenantId} (http:// docs.openstack. org/api/ openstack- identity- service/ 2.0/content/ Tenant_ Operations. html) to make sure the tenant is valid or not.
>
>Marking as open for these reasons.
Perhaps opinion was the wrong status, while I agree that there is something to fix here, I am not sure how you want to change things. For this to be confirmed I would like a more explicit explanation of what the issue is and what the desired outcome should be. Do you just want to make sure the tenant is valid? If so I can get behind that, but the bug description needs some updating.