Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users.
System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on.
This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope.
[0] https://review.openstack.org/#/c/525706/
Fix proposed to branch: master /review. opendev. org/684531
Review: https:/