The limit and registered limit APIs should account for different scopes

Bug #1818736 reported by Lance Bragstad on 2019-03-05
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Assigned to: Lance Bragstad

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users.

System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on.

This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope.


tags: added: policy system-scope
Changed in keystone:
status: New → In Progress
importance: Undecided → Medium
assignee: nobody → Lance Bragstad (lbragstad)
Colleen Murphy (krinkle) on 2019-03-12
Changed in keystone:
milestone: none → stein-rc1
Colleen Murphy (krinkle) on 2019-03-20
Changed in keystone:
milestone: stein-rc1 → none
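
The scope behaviour the bug description asks for, sketched as an added example that is not part of the bug report and is not keystone or oslo.policy code. The rule-to-scope mapping, the credential keys and the sample limits are assumptions made for illustration.

```python
# Simplified model of scope_types enforcement (illustration only; not keystone
# or oslo.policy code). The rule-to-scope mapping is assumed from the report.
SCOPE_TYPES = {
    "identity:get_limit": {"system", "domain", "project"},
    "identity:list_limits": {"system", "domain", "project"},
    "identity:create_limits": {"system"},
    "identity:update_limit": {"system"},
    "identity:delete_limit": {"system"},
}


class InvalidScope(Exception):
    """Raised when a token's scope is not allowed for the requested rule."""


def token_scope(creds):
    """Derive the scope of a token from its (hypothetical) credential dict."""
    if creds.get("system_scope") == "all":
        return "system"
    if creds.get("domain_id"):
        return "domain"
    if creds.get("project_id"):
        return "project"
    raise InvalidScope("unscoped token")


def enforce_scope(rule, creds):
    """Reject the request before any role check if the scope is wrong."""
    scope = token_scope(creds)
    if scope not in SCOPE_TYPES[rule]:
        raise InvalidScope(f"{rule} does not accept {scope}-scoped tokens")
    return scope


def visible_limits(creds, limits):
    """Return only the limits a caller may read for its scope."""
    scope = enforce_scope("identity:list_limits", creds)
    if scope == "system":
        return list(limits)
    key = "domain_id" if scope == "domain" else "project_id"
    return [l for l in limits if l[key] == creds[key]]


# Constructed sample data: each limit records its project and that project's domain.
LIMITS = [
    {"id": "l1", "project_id": "p1", "domain_id": "d1"},
    {"id": "l2", "project_id": "p2", "domain_id": "d1"},
    {"id": "l3", "project_id": "p3", "domain_id": "d2"},
]
```

The scope check runs before any filtering, so a domain-scoped or project-scoped token is refused on the write rules outright and sees only its own limits on the read rules.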