Default values for registered limit allows to set negative value

Bug #1797876 reported by Vishakha Agarwal on 2018-10-15
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
High
Vishakha Agarwal

Bug Description

In registered limit as well as project limit user can create and set negative default and resource limit. Limits set should be positive.

Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)

Fix proposed to branch: master
Review: https://review.openstack.org/610479

Changed in keystone:
status: New → In Progress
Changed in keystone:
importance: Undecided → High
Lance Bragstad (lbragstad) wrote :

I think we need to make sure we check other parts of OpenStack before enforcing limits to be positive. Literally, negative limits don't make sense, but negative values are used in other services to denote "unbound" limits [0].

To support services migrating in-service limits to keystone, we might have to consider supporting negative numbers. Although, I don't see a case where a value less than -1 is required (min -1).

I also think we will have to consider the enforcement model, too. For example, with strict-two-level hierarchical limits, a parent with a limit of 10 cores should prevent a child from having a limit of -1 on cores. In that same example, if a parent as a limit of -1 cores then a child may have a limit of -1 cores, where parent.limit >= child.limit.

Thoughts?

[0] http://git.openstack.org/cgit/openstack/nova/tree/nova/conf/quota.py#n29

tags: added: limits
Gage Hugo (gagehugo) wrote :

For this issue, -1 makes sense. That's a commonly used value to "disable" a setting, or in this case make it "unbound". The enforcement model might need to be a separate issue, that is a good point, we should likely be making sure a child can't be "unbound" when its parent is bound to a limit.

Morgan Fainberg (mdrnstm) wrote :

Marking as wont fix, the -1 is correct behavior for "no limit".

Changed in keystone:
status: In Progress → Won't Fix
Changed in keystone:
status: Won't Fix → In Progress

Reviewed: https://review.openstack.org/610479
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=230ae86a62d2be1666c080b5395a12695734451f
Submitter: Zuul
Branch: master

commit 230ae86a62d2be1666c080b5395a12695734451f
Author: Vishakha Agarwal <email address hidden>
Date: Mon Oct 15 16:47:10 2018 +0530

    Set Default and resource limit as defined schema

    Default_limit and Resource_limit should not be set
    as negative values or out of range. This patch
    addresses the above issue be checking the limit
    passed by the user should be minimum and maximum to
    the values defined in schema. If not, then raising
    the 400 bad request. Also added the test cases for the
    same.

    Change-Id: I089f3c231a38be1a1f769a35b4904f5c078d5d07
    Closes-Bug: #1797876

Changed in keystone:
status: In Progress → Fix Released

Reviewed: https://review.openstack.org/616072
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=84dc0a29042531ed5f4f1dfcc9a1a355bd219b27
Submitter: Zuul
Branch: master

commit 84dc0a29042531ed5f4f1dfcc9a1a355bd219b27
Author: Vishakha Agarwal <email address hidden>
Date: Wed Nov 7 09:56:39 2018 +0530

    Fixing nits

    This patch is a followup for the nitpicks
    for unified limits.

    Change-Id: I911c74cfdc317af0ece612c7ffe3bc57a0e5a67d
    Related-Patch: https://review.openstack.org/#/c/610479
    Related-Patch: https://review.openstack.org/#/c/612226/
    Related-Bug: #1797876

Changed in keystone:
milestone: none → stein-2

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers