"And as an admin (trusted user), we expect them to not break things."
Sorry, I am going to have to disagree with you on this. The interface gives no indication that the request failed to produce the desired effect. Add to that several facts: many quota-exceeded errors are masked by other quota-exceeded error names, and end users will report quota-exceeded errors as "my instance failed to start". These all add up to a bad user experience.
"This is part of a bigger issue, which is nova doesn't have great RBAC support. Say you want to create a tenant admin who can set quotas per user."
I don't see how role-based access control is necessary when a simple check "does this string correspond to a real project UUID (or name if you want to support that)" would suffice.
"And as an admin (trusted user), we expect them to not break things."
Sorry, I am going to have to disagree with you on this. The interface gives no indication that the request failed to produce the desired effect. Add to that several facts: many quota-exceeded errors are masked by other quota exceeded error names and end users will report quota exceeded errors as "my instance failed to start". These all add up to a bad user experience.
"This is part of a bigger issue, which is nova doesn't have great RBAC support. Say you want to create a tenant admin who can set quotas per user."
I don't see how role-based access control is necessary when a simple check "does this string correspond to a real project UUID (or name if you want to support that)" would suffice.
Marking as open for these reasons.