Public bug reported: Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users.
System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on. This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope. [0] https://review.openstack.org/#/c/525706/ ** Affects: keystone Importance: Undecided Status: New ** Tags: policy system-scope ** Tags added: policy system-scope -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to OpenStack Identity (keystone). https://bugs.launchpad.net/bugs/1818736 Title: The limit and registered limit APIs should account for different scopes Status in OpenStack Identity (keystone): New Bug description: Keystone implemented scope_types for oslo.policy RuleDefault objects in the Queens release [0]. In order to take full advantage of scope_types, keystone is going to have to evolve policy enforcement checks in the limit and registered limit APIs. This is because there are some limit and registered limit APIs that should be accessible to project users, domain users, and system users. System users should be able to manage limits and registered limits across the entire deployment. At this point, project and domain users shouldn't be able to manage limits and registered limits. At some point in the future, we might consider opening up the functionality to domain users to manage limits for projects within the domains they have authorization on. This bug report is strictly for tracking the ability to get information out of keystone regarding limits with system-scope, domain-scope, and project-scope. [0] https://review.openstack.org/#/c/525706/ To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1818736/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : yahoo-eng-team@lists.launchpad.net Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
