yahoo-eng-team team mailing list archive

[Bug 1754184] [NEW] Unified limits API shouldn't return a list of all limits

Public bug reported:

During the Rocky PTG, we reviewed the unified limit API as a group. One
of the things that became apparent during the discussion was that the
API shouldn't return a list of all limits when updating limits or
creating new limits.

Originally, the API was designed this way so that an operator, or user,
could double check their work after making a change. Where things get a
bit complicated is if you attempt to delegate limit management to other
users. For example, say a system administrator creates a new domain for
a customer and sets some limits on that domain. Let's also assume the
customer has the ability to create projects within their domain and
manage their limits with respect to the limits the system administrator
set on the domain. If the customer makes a change to a limit within
their domain, they will get a response that contains limit information
for all projects, essentially leaking project information to someone who
isn't authorized to see that information.

We should change the unified limit API to account for this by not
returning a list of all limits on POST and PUT operations. This will be
a backwards incompatible change, but we should be able to make it
because the API is still marked as experimental.

** Affects: keystone
     Importance: Medium
         Status: Triaged


** Tags: limits

** Changed in: keystone
       Status: New => Triaged

** Changed in: keystone
   Importance: Undecided => Medium

** Tags added: limits

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1754184

Title:
  Unified limits API shouldn't return a list of all limits

Status in OpenStack Identity (keystone):
  Triaged

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1754184/+subscriptions
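
Added example, not part of the original bug report and not Keystone's code: a minimal Python model of the behaviour the report describes, with a write that returns every stored limit next to one that returns only what the request created. The LimitStore class, its method names and the sample project IDs are assumptions made for illustration.

```python
"""Simplified model of the leak described in the bug report (not Keystone code)."""
import uuid


class LimitStore:
    """In-memory stand-in for the limit backend; names here are assumptions."""

    def __init__(self):
        self._limits = {}

    def _insert(self, specs):
        created = []
        for spec in specs:
            limit = dict(spec, id=uuid.uuid4().hex)
            self._limits[limit["id"]] = limit
            created.append(limit)
        return created

    def create_leaky(self, specs):
        """Behaviour in the report: the write returns every stored limit."""
        self._insert(specs)
        return {"limits": list(self._limits.values())}

    def create_scoped(self, specs):
        """Proposed behaviour: the write returns only what this request created."""
        return {"limits": self._insert(specs)}


def foreign_projects(response, allowed_projects):
    """Project IDs in a response body that the caller is not entitled to see."""
    seen = {lim["project_id"] for lim in response["limits"]}
    return seen - set(allowed_projects)


def demo():
    store = LimitStore()
    # Constructed sample data: limits on projects owned by another customer.
    store.create_scoped([
        {"project_id": "other-proj-1", "resource_name": "cores", "resource_limit": 40},
        {"project_id": "other-proj-2", "resource_name": "ram_mb", "resource_limit": 8192},
    ])
    allowed = ["cust-proj-a"]
    mine = {"project_id": "cust-proj-a", "resource_name": "cores", "resource_limit": 10}
    leaky = foreign_projects(store.create_leaky([mine]), allowed)
    scoped = foreign_projects(
        store.create_scoped([dict(mine, resource_name="volumes")]), allowed)
    return leaky, scoped


if __name__ == "__main__":
    print(demo())
```

The foreign_projects check can serve as a regression assertion on POST and PUT responses: it must return an empty set for any caller limited to their own domain's projects.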