
yahoo-eng-team team mailing list archive

[Bug 1754184] Re: Unified limits API shouldn't return a list of all limits

 

Reviewed:  https://review.openstack.org/559552
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=b385864c5d8c85c8911483b76c7787b33ebd84a3
Submitter: Zuul
Branch:    master

commit b385864c5d8c85c8911483b76c7787b33ebd84a3
Author: wangxiyuan <wangxiyuan@xxxxxxxxxx>
Date:   Sun Apr 8 14:57:18 2018 +0800

    Unified limit update APIs Refactor
    
    According to the API-WG's suggestion, the update registered
    limit/project limit APIs should be refactored as:
    1. Change PUT to PATCH
    2. Remove batch update limits support for PATCH
    
    Closes-Bug: #1754184
    Change-Id: I1102166ab425a55d8eaf85c75d8fd3a7dfbaceb6


** Changed in: keystone
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1754184

Title:
  Unified limits API shouldn't return a list of all limits

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  During the Rocky PTG, we reviewed the unified limit API as a group.
  One of the things that became apparent during the discussion was that
  the API shouldn't return a list of all limits when updating limits or
  creating new limits.

  Originally, the API was designed this way so that an operator, or
  user, could double check their work after making a change. Where
  things get a bit complicated is if you attempt to delegate limit
  management to other users. For example, say a system administrator
  creates a new domain for a customer and sets some limits on that
  domain. Let's also assume the customer has the ability to create
  projects within their domain and manage their limits with respect to
  the limits the system administrator set on the domain. If the customer
  makes a change to a limit within their domain, they will get a
  response that contains limit information for all projects, essentially
  leaking project information to someone who isn't authorized to see
  that information.

  We should change the unified limit API to account for this by not
  returning a list of all limits on POST and PUT operations. This will
  be a backwards incompatible change, but we should be able to make it
  because the API is still marked as experimental.

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1754184/+subscriptions
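
The leak described in the bug description, as an added example that is not part of the original notification and is not keystone's own code: a constructed in-memory limit store, with an update that echoes every limit next to one that returns only the updated limit, plus a check for project ids the caller is not authorized to see. The function names, limit ids, project ids and response keys are assumptions made for illustration.

```python
import copy

# Constructed sample data: limits for two unrelated projects in one deployment.
_SAMPLE_LIMITS = {
    "limit-a1": {"id": "limit-a1", "project_id": "proj-a",
                 "resource_name": "volumes", "resource_limit": 10},
    "limit-a2": {"id": "limit-a2", "project_id": "proj-a",
                 "resource_name": "snapshots", "resource_limit": 5},
    "limit-b1": {"id": "limit-b1", "project_id": "proj-b",
                 "resource_name": "volumes", "resource_limit": 50},
}


def fresh_store():
    """Return an independent copy of the constructed sample store."""
    return copy.deepcopy(_SAMPLE_LIMITS)


def update_echo_all(store, limit_id, new_value):
    """Behaviour the bug describes: the update response lists every limit."""
    store[limit_id]["resource_limit"] = new_value
    return {"limits": [dict(item) for item in store.values()]}


def update_single(store, limit_id, new_value):
    """Behaviour the bug asks for: the response holds only the updated limit."""
    store[limit_id]["resource_limit"] = new_value
    return {"limit": dict(store[limit_id])}


def leaked_project_ids(response, visible_projects):
    """Project ids present in a response that the caller may not see."""
    if "limits" in response:
        items = response["limits"]
    else:
        items = [response["limit"]]
    seen = {item["project_id"] for item in items}
    return sorted(seen - set(visible_projects))


if __name__ == "__main__":
    # The caller is a customer who is only authorized for proj-a.
    caller_projects = {"proj-a"}
    before = update_echo_all(fresh_store(), "limit-a1", 20)
    after = update_single(fresh_store(), "limit-a1", 20)
    print("echo-all response leaks:", leaked_project_ids(before, caller_projects))
    print("single response leaks:  ", leaked_project_ids(after, caller_projects))
```

The same `leaked_project_ids` check can serve as a regression assertion in API tests for any endpoint whose write response might include objects outside the caller's scope.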

