Add log statements for policy check failures

Misconfiguration of the policy.json file may
cause policy check failures. It's kind to the
developer to log the underlying exception
so that he/she can have more information as to
how to address the problem.

Closes bug: #1246139

Change-Id: I8664959cb98b3a41d159db3acb91da9baba810ae

diff --git a/neutron/policy.py b/neutron/policy.py
index a129813a2139dad48e17633ce25e791c51effe5c..c4c241a589f6448fb760da4d7f40d6d754c045bf 100644 (file)
--- a/neutron/policy.py
+++ b/neutron/policy.py
@@ -370,13 +370,16 @@ def enforce(context, action, target, plugin=None):
     :param plugin: currently unused and deprecated.
         Kept for backward compatibility.
 
-    :raises neutron.exceptions.PolicyNotAllowed: if verification fails.
+    :raises neutron.exceptions.PolicyNotAuthorized: if verification fails.
     """
 
     init()
     rule, target, credentials = _prepare_check(context, action, target)
-    return policy.check(rule, target, credentials,
-                        exc=exceptions.PolicyNotAuthorized, action=action)
+    result = policy.check(rule, target, credentials, action=action)
+    if not result:
+        LOG.debug(_("Failed policy check for '%s'"), action)
+        raise exceptions.PolicyNotAuthorized(action=action)
+    return result
 
 
 def check_is_admin(context):