Comment 4 for bug 1862050

Jeremy Stanley (fungi) wrote :

Generally, resource exhaustion due to rapid calls to expensive API methods by authenticated users is treated as a security hardening opportunity. Operators are recommended to place rate-limiting solutions in front of API endpoints to reduce the impact a user can cause (either intentionally or accidentally) by making rapid-fire requests. Since the account used can be readily identified and disabled, it's an expensive attack scenario unless the environment makes it easy for the attacker to obtain control of additional accounts. See the OpenStack Security Guide for relevant recommendations: https://docs.openstack.org/security-guide/api-endpoints/api-endpoint-configuration-recommendations.html#api-endpoint-rate-limiting