yahoo-eng-team team mailing list archive
Message #77347
[Bug 1818736] [NEW] The limit and registered limit APIs should account for different scopes
Public bug reported:

Keystone implemented scope_types for oslo.policy RuleDefault objects in
the Queens release [0]. In order to take full advantage of scope_types,
keystone is going to have to evolve policy enforcement checks in the
limit and registered limit APIs. This is because there are some limit
and registered limit APIs that should be accessible to project users,
domain users, and system users.

System users should be able to manage limits and registered limits
across the entire deployment. At this point, project and domain users
shouldn't be able to manage limits and registered limits. At some point
in the future, we might consider opening up the functionality to domain
users to manage limits for projects within the domains they have
authorization on.

This bug report is strictly for tracking the ability to get information
out of keystone regarding limits with system-scope, domain-scope, and
project-scope.

[0] https://review.openstack.org/#/c/525706/

** Affects: keystone
     Importance: Undecided
         Status: New

** Tags: policy system-scope

** Tags added: policy system-scope

--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818736
To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818736/+subscriptions