The limit and registered limit APIs should account for different scopes

Bug #1818736 reported by Lance Bragstad on 2019-03-05
Affects: OpenStack Identity (keystone)
Importance: Medium
Assigned to: Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users.

System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on.

This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope.

[0] https://review.openstack.org/#/c/525706/
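As an added illustration (not code from the bug report or from keystone itself), here is a simplified Python model of how oslo.policy scope_types enforcement applies to the limit policies discussed above: reading limits allowed for system, domain and project tokens, managing them for system tokens only. The rule names and the credential dicts are assumed, and the token-classification order mirrors oslo.policy's behaviour (system, else domain, else project).

```python
class InvalidScope(Exception):
    """Raised when enforce_scope is on and the token scope is not allowed."""


# Intended scope matrix from the bug report: reading limits is opened to
# system, domain and project users; managing them stays system-only.
# Rule names are assumed keystone-style names, not copied from the report.
LIMIT_SCOPE_TYPES = {
    "identity:get_limit": ["system", "domain", "project"],
    "identity:list_limits": ["system", "domain", "project"],
    "identity:create_limits": ["system"],
    "identity:update_limit": ["system"],
    "identity:delete_limit": ["system"],
}

# Constructed credential dicts standing in for the three token scopes.
SYSTEM_TOKEN = {"system": {"all": True}, "roles": ["admin"]}
DOMAIN_TOKEN = {"domain_id": "d1", "roles": ["reader"]}
PROJECT_TOKEN = {"project_id": "p1", "roles": ["reader"]}


def token_scope(creds):
    """Classify a token as oslo.policy does: system, else domain, else project."""
    if creds.get("system"):
        return "system"
    if creds.get("domain_id"):
        return "domain"
    return "project"


def enforce_scope(rule, creds, enforce=True):
    """Scope check only (role checks are not modelled). With enforce=False,
    as with enforce_scope=False in oslo.policy, a mismatch is let through."""
    allowed = LIMIT_SCOPE_TYPES[rule]
    scope = token_scope(creds)
    if scope not in allowed and enforce:
        raise InvalidScope(f"{rule} allows {allowed}, token is {scope}-scoped")
    return True


def allowed_rules(creds, enforce=True):
    """Return the limit rules a token may call under the given setting."""
    permitted = []
    for rule in LIMIT_SCOPE_TYPES:
        try:
            enforce_scope(rule, creds, enforce)
            permitted.append(rule)
        except InvalidScope:
            pass
    return permitted
```

Running `allowed_rules` for each token shows the effect of the change: domain- and project-scoped tokens pass only the read rules, while with enforcement disabled every rule is let through and the mismatch would only be logged.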

tags: added: policy system-scope
Changed in keystone:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Lance Bragstad (lbragstad)
Colleen Murphy (krinkle) on 2019-03-12
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle) on 2019-03-20
Changed in keystone:
milestone: stein-rc1 → none
Colleen Murphy (krinkle) on 2019-09-23
Changed in keystone:
milestone: none → train-rc1
Changed in keystone:
assignee: Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)

Fix proposed to branch: master
Review: https://review.opendev.org/684531

Changed in keystone:
assignee: Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Change abandoned by Vishakha Agarwal (<email address hidden>) on branch: master
Review: https://review.opendev.org/684531

Reviewed: https://review.opendev.org/621023
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f249c9e2b0f39b688ba356feaca7818adfc9f739
Submitter: Zuul
Branch: master

commit f249c9e2b0f39b688ba356feaca7818adfc9f739
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:06:09 2018 +0000

    Allow domain users to access the limit API

    This commit adds domain-scope to the scope_types for limit policies,
    allowing domain users to access those APIs when enforce_scope is
    enabled. This commit also introduces some tests that explicitly show
    how domain users are expected to behave with the limits API. A
    subsequent patch will do the same for project users.

    This commit also modifies the GET /v3/limit policy to allow project
    users to filter responses by project_id, which isn't entirely useful
    outside of just calling the API with a project-scoped token.

    Change-Id: I9b38f3fd2f83efd508b2d9a6c323bbaa7169d4cd
    Related-Bug: 1805880
    Partial-Bug: 1818736

Reviewed: https://review.opendev.org/621024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Submitter: Zuul
Branch: master

commit e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:22:10 2018 +0000

    Add tests for project users interacting with limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the limits API. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

    Related-Bug: 1805880
    Closes-Bug: 1818736

    Change-Id: I12d1200d8a11cadcc4f7b2604d51d8e5c73ea4b7

Changed in keystone:
status: In Progress → Fix Released

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Colleen Murphy (krinkle) on 2019-09-27
Changed in keystone:
assignee: Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)