To summarize, the issue is that we *can't* enforce child default quotas. The reason for this is because during actions like volume create (where we need to enforce quotas), we do not grab the parent_id for the project. However, since create volume is a non-admin action, we can't simply ask Keystone for the current project to get it's parent_project_id.
To solve this we are looking into the following (in preference order):
1) Adding parent_project_id to the Keystone token
2) Adding non-admin command in Keystone to retrieve parent_project_id
3) Use Cinder's "service" user
We will also discuss the general design for NestedQuotas to see if there's any changes we think should be made
To summarize, the issue is that we *can't* enforce child default quotas. The reason for this is because during actions like volume create (where we need to enforce quotas), we do not grab the parent_id for the project. However, since create volume is a non-admin action, we can't simply ask Keystone for the current project to get it's parent_project_id.
To solve this we are looking into the following (in preference order):
1) Adding parent_project_id to the Keystone token
2) Adding non-admin command in Keystone to retrieve parent_project_id
3) Use Cinder's "service" user
We will also discuss the general design for NestedQuotas to see if there's any changes we think should be made