https://review.openstack.org/#/c/388683/ changed the message for PolicyNotAuthorized exceptions to say something that is actually incorrect. It now says "%(target)s is disallowed by policy rule %(rule)s with %(creds)s ", but it isn't the target that is disallowed... it is the action (called the "rule" here).
This string is also too verbose and confusing if/when presented to a user. Nova and cinder present a much simpler message that is actually more useful to a user. They just say "Policy doesn't allow %(action)s to be performed." Ideally oslo.policy would return the same string for consistency and for the improved clarity. Yes, this omits target and credential information, which could be useful to someone. Log that if you think it might be useful, but don't return it in the exception message. It makes the message too long and too hard to read. The message is a string, and target and credentials are dicts. Not only do they make the message very ugly and hard for a human to parse, but they are giving information that is typically unnecessary and won't be understood by most users.
This issue was fixed in the openstack/