yahoo-eng-team team mailing list archive
Message #80186
[Bug 1818736] Re: The limit and registered limit APIs should account for different scopes
Reviewed: https://review.opendev.org/621024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Submitter: Zuul
Branch: master
commit e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Author: Lance Bragstad <lbragstad@xxxxxxxxx>
Date: Thu Nov 29 21:22:10 2018 +0000

    Add tests for project users interacting with limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the limits API. A subsequent
    patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Related-Bug: 1805880
    Closes-Bug: 1818736
    Change-Id: I12d1200d8a11cadcc4f7b2604d51d8e5c73ea4b7
** Changed in: keystone
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Identity (keystone).
https://bugs.launchpad.net/bugs/1818736
Title:
  The limit and registered limit APIs should account for different
  scopes

Status in OpenStack Identity (keystone):
  Fix Released

Bug description:
  Keystone implemented scope_types for oslo.policy RuleDefault objects
  in the Queens release [0]. In order to take full advantage of
  scope_types, keystone is going to have to evolve policy enforcement
  checks in the limit and registered limit APIs. This is because there
  are some limit and registered limit APIs that should be accessible to
  project users, domain users, and system users.

  System users should be able to manage limits and registered limits
  across the entire deployment. At this point, project and domain users
  shouldn't be able to manage limits and registered limits. At some
  point in the future, we might consider opening up the functionality to
  domain users to manage limits for projects within the domains they
  have authorization on.

  This bug report is strictly for tracking the ability to get
  information out of keystone regarding limits with system-scope,
  domain-scope, and project-scope.

  [0] https://review.openstack.org/#/c/525706/

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1818736/+subscriptions
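
The scope split the bug description asks for, as an added example that is not keystone or oslo.policy code: a simplified Python model in which read rules accept system, domain and project scope while management rules accept only system scope. The rule names, the `Rule`, `Token` and `Limit` classes and the ownership checks for domain and project tokens are assumptions made for illustration.

```python
# Added illustration: a simplified model of scope_types checks.
# Not keystone or oslo.policy code; all names below are hypothetical.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:  # stand-in for a policy rule carrying scope_types
    name: str
    scope_types: Tuple[str, ...]


@dataclass(frozen=True)
class Token:  # scope is "system", "domain" or "project"
    scope: str
    domain_id: Optional[str] = None
    project_id: Optional[str] = None


@dataclass(frozen=True)
class Limit:  # constructed sample resource
    resource_name: str
    project_id: str
    domain_id: str  # domain that owns the project


# Reads accept every scope; management stays system-only.
RULES = {
    "get_limit": Rule("get_limit", ("system", "domain", "project")),
    "create_limit": Rule("create_limit", ("system",)),
    "update_limit": Rule("update_limit", ("system",)),
    "delete_limit": Rule("delete_limit", ("system",)),
}


def enforce(action: str, token: Token, limit: Limit) -> bool:
    """Return True if the token's scope may perform action on limit."""
    rule = RULES[action]
    if token.scope not in rule.scope_types:
        return False  # wrong scope for this API, whatever the role
    if token.scope == "system":
        return True  # deployment-wide access
    if token.scope == "domain":
        # Assumption: domain tokens see only limits in their own domain.
        return limit.domain_id == token.domain_id
    # Assumption: project tokens see only their own project's limits.
    return limit.project_id == token.project_id
```
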