OpenStack Identity (keystone)

Default values for registered limit allows to set negative value

Bug #1797876 reported by Vishakha Agarwal
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Fix Released
High
Vishakha Agarwal
OpenStack Identity (keystone) stein-2

Bug Description

In registered limit as well as project limit user can create and set negative default and resource limit. Limits set should be positive.

Tags: limits
Vishakha Agarwal (vishakha.agarwal)
Changed in keystone:
assignee: nobody → Vishakha Agarwal (vishakha.agarwal)
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/610479

Changed in keystone:
status: New → In Progress
Lance Bragstad (lbragstad)
Changed in keystone:
importance: Undecided → High
Revision history for this message
Lance Bragstad (lbragstad) wrote :

I think we need to make sure we check other parts of OpenStack before enforcing limits to be positive. Literally, negative limits don't make sense, but negative values are used in other services to denote "unbound" limits [0].

To support services migrating in-service limits to keystone, we might have to consider supporting negative numbers. Although, I don't see a case where a value less than -1 is required (min -1).

I also think we will have to consider the enforcement model, too. For example, with strict-two-level hierarchical limits, a parent with a limit of 10 cores should prevent a child from having a limit of -1 on cores. In that same example, if a parent as a limit of -1 cores then a child may have a limit of -1 cores, where parent.limit >= child.limit.

Thoughts?

[0] http://git.openstack.org/cgit/openstack/nova/tree/nova/conf/quota.py#n29

Lance Bragstad (lbragstad)
tags: added: limits
Revision history for this message
Gage Hugo (gagehugo) wrote :

For this issue, -1 makes sense. That's a commonly used value to "disable" a setting, or in this case make it "unbound". The enforcement model might need to be a separate issue, that is a good point, we should likely be making sure a child can't be "unbound" when its parent is bound to a limit.

Revision history for this message
Morgan Fainberg (mdrnstm) wrote :

Marking as wont fix, the -1 is correct behavior for "no limit".

Changed in keystone:
status: In Progress → Won't Fix
OpenStack Infra (hudson-openstack)
Changed in keystone:
status: Won't Fix → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/610479
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=230ae86a62d2be1666c080b5395a12695734451f
Submitter: Zuul
Branch: master

commit 230ae86a62d2be1666c080b5395a12695734451f
Author: Vishakha Agarwal <email address hidden>
Date: Mon Oct 15 16:47:10 2018 +0530

    Set Default and resource limit as defined schema

    Default_limit and Resource_limit should not be set
    as negative values or out of range. This patch
    addresses the above issue be checking the limit
    passed by the user should be minimum and maximum to
    the values defined in schema. If not, then raising
    the 400 bad request. Also added the test cases for the
    same.

    Change-Id: I089f3c231a38be1a1f769a35b4904f5c078d5d07
    Closes-Bug: #1797876

Changed in keystone:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to keystone (master)

Related fix proposed to branch: master
Review: https://review.openstack.org/616072

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to keystone (master)

Reviewed: https://review.openstack.org/616072
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=84dc0a29042531ed5f4f1dfcc9a1a355bd219b27
Submitter: Zuul
Branch: master

commit 84dc0a29042531ed5f4f1dfcc9a1a355bd219b27
Author: Vishakha Agarwal <email address hidden>
Date: Wed Nov 7 09:56:39 2018 +0530

    Fixing nits

    This patch is a followup for the nitpicks
    for unified limits.

    Change-Id: I911c74cfdc317af0ece612c7ffe3bc57a0e5a67d
    Related-Patch: https://review.openstack.org/#/c/610479
    Related-Patch: https://review.openstack.org/#/c/612226/
    Related-Bug: #1797876

Lance Bragstad (lbragstad)
Changed in keystone:
milestone: none → stein-2
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/keystone 15.0.0.0rc1

This issue was fixed in the openstack/keystone 15.0.0.0rc1 release candidate.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.