Update Project Quotas design spec

Upon discovery and discussion, this commit brings three changes to the
design spec for project quotas.

1) Removal of quota support for transport keys.  It turns out they
   are not a project resource and should not be managed on a per
   project basis.
2) New role for quota management.  The management of project quotas
   can not fall to project level admins.  This must be the responsibility
   of a service level admin.  A new keystone role is introduced to
   implement this change.
3) Clarification of paging support.  The examples are updated to clarify
   the paging support to be implemented for listing project quotas.

Change-Id: I4d5fb76e2868f63f623a8a3cd0b14d0bba31290a
Relates-to: blueprint quota-support-on-barbican-resources
This commit is contained in:
Dave McCowan 2015-08-18 18:33:13 -04:00
parent 15ebc25606
commit 1765b923da
1 changed files with 84 additions and 27 deletions

View File

@ -55,7 +55,6 @@ have quota support:
* secrets
* orders
* containers
* transport_keys
* consumers
*Note:*
@ -111,9 +110,6 @@ quota limits:
# default number of containers allowed per project
quota_containers = -1
# default number of transport_keys allowed per project
quota_transport_keys = -1
# default number of consumers allowed per project
quota_consumers = -1
@ -143,10 +139,15 @@ per-project quotas are stored in db.
A REST API for Barbican administrators for the quota CRUD operations will be
implemented as well. Non-admin users will be provided with a REST API to get
their own effective quotas for various resources. Keystone RBAC checks will
be employed to decide if a caller has the required admin role to perform
these admin-only operations. The details of this is discussed in a later
section below.
be employed to decide if a caller has the required role to perform
these operations.
Quota management should be under the purview of a service level administrator,
not a project level administrator. In the current Barbican implementation,
there are four user roles: admin, creator, observer, and auditor. All
of these roles are project level. Thus, to accomplish appropriate role
based access to for quota a management, a new role will be created. The
name of this role will be "key-manager:service-admin".
Alternatives
------------
@ -168,6 +169,17 @@ Another alternative is an initiative by Kevin Mitchell from Rackspace
https://wiki.openstack.org/wiki/Boson. However, the Nova and Cinder design
is more usable for Barbican.
In addition to the four resources specified above, a previous version of this
spec described implementing quotas support for transport_keys. This is not
possible based on the current implementation of transport_keys, because they
are defined per-plugin and not per-project. A project admin should not
be managing transport_keys at all.
The name of the role required to manage project quotas is decided to be
"key-manager:service-admin". This foreshadows a future change where all
Barbican roles might be defined with a namespace of key-manager. A variety
of other role names ("service-admin", "barbican-admin", "cloud-admin") were
are also possible alternatives.
Data model impact
-----------------
@ -191,7 +203,6 @@ The following new data models will be added:
* secrets: Integer, nullable=True
* orders: Integer, nullable=True
* containers: Integer, nullable=True
* transport_keys: Integer, nullable=True
* consumers: Integer, nullable=True
**Constraints**: project_id must be unique
@ -210,7 +221,7 @@ REST API impact
The following new REST API will be implemented to manage quotas CRUD
operations. Please note that except for the first GET API, all the
other APIs require the caller to have admin role.
other APIs require the caller to have "key-manager:service-admin" role.
* Get effective quotas (any Barbican user)
@ -256,7 +267,6 @@ other APIs require the caller to have admin role.
'secrets': {'type':'integer'}
'orders': {'type':'integer'},
'containers': {'type':'integer'},
'transport_keys': {'type':'integer'}
'consumers': {'type':'integer'}
},
'additionalProperties': False
@ -287,12 +297,11 @@ other APIs require the caller to have admin role.
"secrets": 10,
"orders": 20,
"containers": 10,
"transport_keys": 10,
"consumers": -1
}
}
* List all project quotas (admin only)
* List all project quotas (service-admin only)
* Lists all configured project level resource quotas across all users for all
projects. If a project does not have project specific quotas configured,
@ -302,7 +311,16 @@ other APIs require the caller to have admin role.
configured value in that project. The returned list will be sorted
by create date, and support standard limit/offset paging.
* GET /v1/project-quotas?limit=x&offset=y (Admin only)
The standard paging support includes adding three fields in the
response body, when applicable.
* "total": showing the number of project-quotas records
* "next": giving a URL to the next page of records
* "prev": giving a URL to the previous page of records
* GET /v1/project-quotas?limit=x&offset=y (service-admin only)
* Normal http response code(s)
200 OK
@ -346,7 +364,6 @@ other APIs require the caller to have admin role.
'secrets': {'type': 'integer'},
'orders': {'type': 'integer'},
'containers': {'type': 'integer'},
'transport_keys': {'type': 'integer'},
'consumers': {'type': 'integer'}
}
}
@ -359,7 +376,7 @@ other APIs require the caller to have admin role.
* Example 1::
An admin user listing all the project quotas
A service-admin user listing all the project quotas
Request:
@ -381,7 +398,6 @@ other APIs require the caller to have admin role.
"secrets": 2000,
"orders": 0,
"containers": -1,
"transport_keys": 100,
"consumers": null
}
},
@ -391,15 +407,58 @@ other APIs require the caller to have admin role.
"secrets": 200,
"orders": 100,
"containers": -1,
"transport_keys": 0,
"consumers": null
}
},
]
],
"total" : 30,
}
* Get quotas for a specific project (admin only)
* Example 2::
A service-admin user listing all the project quotas with paging
Request:
GET /v1/project-quotas?limit=2&offset=6
X-Auth-Token:<token>
Response:
200 OK
Content-Type: application/json
{
"project_quotas": [
{
"project_id": "1234",
"project_quotas": {
"secrets": 2000,
"orders": 0,
"containers": -1,
"consumers": null
}
},
{
"project_id": "5678",
"project_quotas": {
"secrets": 200,
"orders": 100,
"containers": -1,
"consumers": null
}
},
],
"total" : 30,
"next": "http://localhost:9311/v1/project_quotas?limit=2&offset=8",
"prev": "http://localhost:9311/v1/project_quotas?limit=2&offset=4"
}
* Get quotas for a specific project (service-admin only)
* Returns a set of configured resource quotas for the specified project.
If no project specific quota values have been configured (or if the
@ -441,7 +500,6 @@ other APIs require the caller to have admin role.
'secrets': {'type': 'integer'},
'orders': {'type': 'integer'},
'containers': {'type': 'integer'},
'transport_keys': {'type': 'integer'},
'consumers': {'type': 'integer'}
}
}
@ -468,13 +526,12 @@ other APIs require the caller to have admin role.
"secrets": 10,
"orders": 20,
"containers": -1,
"transport_keys": null,
"consumers": 10
}
}
* Update/Set quotas for a specific project (admin only)
* Update/Set quotas for a specific project (service-admin only)
* Creates or updates the configured resource quotas for the specified
project. It is not required to specify limits for all Barbican resources.
@ -514,7 +571,6 @@ other APIs require the caller to have admin role.
'secrets': {'type': 'integer'},
'orders': {'type': 'integer'},
'containers': {'type': 'integer'},
'transport_keys': {'type': 'integer'},
'consumers': {'type': 'integer'}
}
}
@ -550,7 +606,7 @@ other APIs require the caller to have admin role.
204 OK
* Delete quotas for a specific project (admin only)
* Delete quotas for a specific project (service-admin only)
* Deletes the configured resource quotas for the specified
project. After this call succeeds, the default resource quotas will be
@ -610,8 +666,9 @@ other APIs require the caller to have admin role.
* Policy changes
For all admin-only APIs, the caller is expected to have a barbican admin
role. The check for this will be added to the Barbican policy.json
For all service-admin-only APIs, the caller is expected to have a barbican
key-manager:service-admin role. The check for this will be added to the
Barbican policy.json file.
Once implemented and enforced, all Barbican resource creation API could return
@ -674,7 +731,7 @@ Quota commands that a regular non-admin barbican user can make:
barbican quota show
Quota commands that only a barbican admin can make
Quota commands that only a barbican service-admin can make
* List the default quotas applicable to all new projects