OpenStack Identity (keystone)

The limit and registered limit APIs should account for different scopes

Bug #1818736 reported by Lance Bragstad on 2019-03-05

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	OpenStack Identity (keystone)	Fix Released	Medium	Lance Bragstad	OpenStack Identity (keystone) train-rc1

Bug Description

Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users.

System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on.

This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope.

[0] https://review.openstack.org/#/c/525706/

Tags:

Lance Bragstad (lbragstad) on 2019-03-05

tags:

added: policy system-scope

Lance Bragstad (lbragstad) on 2019-03-06

Changed in keystone:
status:	New → In Progress
importance:	Undecided → Medium
assignee:	nobody → Lance Bragstad (lbragstad)

Colleen Murphy (krinkle) on 2019-03-12

Changed in keystone:
milestone:	none → stein-rc1

Colleen Murphy (krinkle) on 2019-03-20

Changed in keystone:
milestone:	stein-rc1 → none

Colleen Murphy (krinkle) on 2019-09-23

Changed in keystone:
milestone:	none → train-rc1

OpenStack Infra (hudson-openstack) on 2019-09-24

Changed in keystone:
assignee:	Lance Bragstad (lbragstad) → Colleen Murphy (krinkle)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-25: Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/684531

Changed in keystone:
assignee:	Colleen Murphy (krinkle) → Vishakha Agarwal (vishakha.agarwal)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26: Change abandoned on keystone (master)

Change abandoned by Vishakha Agarwal (<email address hidden>) on branch: master
Review: https://review.opendev.org/684531

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26: Fix merged to keystone (master)

Reviewed: https://review.opendev.org/621023
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=f249c9e2b0f39b688ba356feaca7818adfc9f739
Submitter: Zuul
Branch: master

commit f249c9e2b0f39b688ba356feaca7818adfc9f739
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:06:09 2018 +0000

Allow domain users to access the limit API

    This commit adds domain-scope to the scope_types for limit policies,
    allowing domain users to access those APIs when enforce_scope is
    enabled. This commit also introduces some tests that explicitly show
    how domain users are expected to behave with the limits API. A
    subsequent patch will do the same for project users.

    This commit also modifies the GET /v3/limit policy to allow project
    users to filter responses by project_id, which isn't entirely useful
    outside of just calling the API with a project-scoped token.

    Change-Id: I9b38f3fd2f83efd508b2d9a6c323bbaa7169d4cd
    Related-Bug: 1805880
    Partial-Bug: 1818736

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-26:

Reviewed: https://review.opendev.org/621024
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Submitter: Zuul
Branch: master

commit e938c496281daa6d1dab66d66bdb2d34abd5ddc3
Author: Lance Bragstad <email address hidden>
Date: Thu Nov 29 21:22:10 2018 +0000

Add tests for project users interacting with limits

    This commit introduces some tests that explicitly show how project
    users are expected to behave with the limits API. A
    subsequent patch will clean up the now obsolete policies in the
    policy.v3cloudsample.json policy file.

Related-Bug: 1805880
Closes-Bug: 1818736

Change-Id: I12d1200d8a11cadcc4f7b2604d51d8e5c73ea4b7

Changed in keystone:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2019-09-27: Fix included in openstack/keystone 16.0.0.0rc1

This issue was fixed in the openstack/keystone 16.0.0.0rc1 release candidate.

Colleen Murphy (krinkle) on 2019-09-27

Changed in keystone:
assignee:	Vishakha Agarwal (vishakha.agarwal) → Lance Bragstad (lbragstad)

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.