This repository has been archived by the owner on Nov 9, 2020. It is now read-only.

The behavior of "tenant access add" command is confusing #684

Closed
shaominchen opened this issue Nov 2, 2016 · 2 comments

@shaominchen
Contributor

shaominchen commented Nov 2, 2016

Currently the "tenant access add" command can be run any number of times to grant a datastore access for the same tenant. This may cause weird behavior which is counterintuitive. For example:

I have granted the following permissions for my tenant:

[root@localhost:/usr/lib/vmware/vmdkops/bin] vmdkops_admin tenant access ls --name MyTenant
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  1              1              0             128.00MB         1.00GB      

Now I want to add the missing "mount" privilege. As the implementors, we know all the commands and we expect the user to run "tenant access set" to modify the privileges. But a new user who is not familiar with all the command options might (incorrectly) do this instead:

[root@localhost:/usr/lib/vmware/vmdkops/bin] vmdkops_admin tenant access add --name MyTenant --datastore datastore1 --right mount
{'mount_volume': 1, 'global_visibility': 0, 'max_volume_size': 0, 'create_volume': 0, 'delete_volume': 0, 'datastore': 'datastore1', 'usage_quota': 0}
tenant access add succeeded

Now what happened? All the existing privilege settings are gone:

[root@localhost:/usr/lib/vmware/vmdkops/bin] vmdkops_admin tenant access ls --name MyTenant
Datastore   Create_volume  Delete_volume  Mount_volume  Max_volume_size  Total_size  
----------  -------------  -------------  ------------  ---------------  ----------  
datastore1  0              0              1             0B               0B          

This is not a correctness issue (we can argue this is a user error). But I think we can improve the usability a little bit and make the program more robust to prevent this wrong operation from happening.

Regarding the solution, I think one option is to prevent the user from running "tenant access add" twice on the same tenant, and we can print a tip message to remind the user to use "tenant access set" to modify the permissions.

Any other suggestions are welcome.

@shaominchen
Contributor Author

> we can print a tip message to remind user to use "tenant access set" to modify the permissions.

I just tried a different scenario:

First I revoked all access to a datastore for my tenant. Then I tried to run "tenant access set" directly - here's what I got:
[root@localhost:/usr/lib/vmware/vmdkops/bin] vmdkops_admin tenant access set --name MyTenant --datastore datastore1 --add-right create,delete,mount
No privileges exist for (MyTenant, datastore1)

So, for the current issue of running "tenant access add" multiple times, instead of reminding the user to use "tenant access set", we can simply print a similar message, such as "Privileges already exist for (Tenant, Datastore)". This way the user experience will be more consistent.

@shaominchen
Contributor Author

This issue has already been fixed in the recent change: #859

Now if we try to add the same privilege (same datastore, but other parameters are different), we will get the following error:

privilege for (TENANT, datastore) already exists.
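
The add/set semantics discussed in this thread, as an added example that is not part of the original issue and is not the project's code: a small in-memory model that replays the reported sequence with and without a guard on "add". The names PrivilegeStore, RIGHTS, access_add, access_set and replay are hypothetical, and the error strings are modelled on the messages quoted above.

```python
# Added illustration: in-memory model of the add/set semantics discussed in
# this issue. PrivilegeStore and RIGHTS are hypothetical names, not the
# project's code.
RIGHTS = ("create_volume", "delete_volume", "mount_volume")


class PrivilegeStore:
    def __init__(self, guard_add=True):
        self.guard_add = guard_add      # False reproduces the reported behavior
        self.rows = {}                  # (tenant, datastore) -> privilege dict

    def access_add(self, tenant, datastore, rights=(), max_volume_size=0,
                   usage_quota=0):
        key = (tenant, datastore)
        if self.guard_add and key in self.rows:
            # Refuse instead of replacing the whole row with defaults.
            return "privilege for (%s, %s) already exists." % key
        row = {r: int(r in rights) for r in RIGHTS}
        row.update(max_volume_size=max_volume_size, usage_quota=usage_quota)
        self.rows[key] = row
        return None

    def access_set(self, tenant, datastore, add_rights=(), rm_rights=()):
        key = (tenant, datastore)
        if key not in self.rows:
            return "No privileges exist for (%s, %s)" % key
        for r in add_rights:
            self.rows[key][r] = 1
        for r in rm_rights:
            self.rows[key][r] = 0
        return None


def replay(guard_add):
    """Replay the sequence from the issue; return (error, final row)."""
    store = PrivilegeStore(guard_add)
    store.access_add("MyTenant", "datastore1",
                     rights=("create_volume", "delete_volume"),
                     max_volume_size=128, usage_quota=1024)   # sizes in MB
    err = store.access_add("MyTenant", "datastore1", rights=("mount_volume",))
    return err, store.rows[("MyTenant", "datastore1")]


if __name__ == "__main__":
    print(replay(guard_add=False))  # second add silently resets the row
    print(replay(guard_add=True))   # second add is rejected, row unchanged
```

Without the guard, the second add drops the create and delete rights and zeroes the size limit and quota; with it, the existing row is left untouched and the caller gets an error to act on.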
