Comment 10 for bug 1472031

Anna Sortland (annasort) wrote :

@Tristan
We are disclosing information during error checking prior to user authorization being checked.

For example:
   https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L218
might tell the user which volume types are supported by a consistency group;
   https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L230
might disclose information about the source volume;
   https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L247
might disclose information about snapshot types;
   https://github.com/openstack/cinder/blob/master/cinder/volume/api.py#L255
might print some information about the timing of availability zone cache updates.

A user could call the create volume API to gain information (based on error messages) that the user would otherwise not have access to. Then this is a security exposure.
But if this information can be obtained via some other normal means, or this information is not exploitable, then this is not a security risk.
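The ordering problem the comment describes, reduced to a constructed Python example (this is added illustration, not cinder's code; `KNOWN_VOLUME_TYPES`, `check_policy`, `create_volume_leaky`, `create_volume_fixed` and `probe` are all hypothetical names). The leaky variant validates the request before the policy check, so an unauthorized caller can tell a volume type that exists from one that does not by which exception comes back. The fixed variant runs the policy check first, and every unauthorized probe gets the same answer:

```python
"""Constructed demonstration of validation-before-authorization disclosure.

Not OpenStack cinder code. All names and data below are invented for the
example; the real project's API and policy layer are different.
"""


class Forbidden(Exception):
    """Raised when the caller is not authorized for the action."""


class ValidationError(Exception):
    """Raised when the request refers to something that does not exist."""


# Constructed catalogue of volume types that exist in this deployment.
# A non-admin user is not supposed to learn which names are in here.
KNOWN_VOLUME_TYPES = {"ssd-encrypted", "hdd-bulk"}


def check_policy(context, action):
    """Hypothetical policy check: only admin contexts may perform `action`."""
    if not context.get("is_admin", False):
        raise Forbidden(f"{action} denied for user {context.get('user')!r}")


def create_volume_leaky(context, volume_type):
    """Validation first, authorization second.

    The error raised depends on data the caller is not allowed to see,
    so the endpoint doubles as an existence oracle for volume types.
    """
    if volume_type not in KNOWN_VOLUME_TYPES:
        raise ValidationError(f"volume type {volume_type!r} does not exist")
    check_policy(context, "volume:create")
    return {"status": "creating", "volume_type": volume_type}


def create_volume_fixed(context, volume_type):
    """Authorization first, validation second.

    Unauthorized callers are rejected before any request data is
    compared against deployment state, so the response carries no
    information about what exists.
    """
    check_policy(context, "volume:create")
    if volume_type not in KNOWN_VOLUME_TYPES:
        raise ValidationError(f"volume type {volume_type!r} does not exist")
    return {"status": "creating", "volume_type": volume_type}


def probe(create, context, candidates):
    """Attacker's view: classify each candidate name by the error class.

    Returns a dict mapping candidate -> "created" | "unknown-type" | "forbidden".
    """
    outcome = {}
    for name in candidates:
        try:
            create(context, name)
            outcome[name] = "created"
        except ValidationError:
            outcome[name] = "unknown-type"
        except Forbidden:
            outcome[name] = "forbidden"
    return outcome


if __name__ == "__main__":
    # Constructed non-admin caller and a guess list mixing real and fake names.
    attacker = {"user": "mallory", "is_admin": False}
    guesses = ["ssd-encrypted", "hdd-bulk", "nvme-tier0"]
    print("leaky:", probe(create_volume_leaky, attacker, guesses))
    print("fixed:", probe(create_volume_fixed, attacker, guesses))
```

With the leaky ordering the unauthorized caller sees `forbidden` for the two names that exist and `unknown-type` for the one that does not, which is exactly the disclosure the comment is pointing at; with the policy check moved first, all three probes return `forbidden`. The same reasoning applies to the source-volume, snapshot-type and cache-timing checks listed above: any branch that consults deployment state before `check_policy` is a potential oracle.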