From 1765b923da5ae6f7f9c0f0b2d19a03b47d01dea0 Mon Sep 17 00:00:00 2001 From: Dave McCowan Date: Tue, 18 Aug 2015 18:33:13 -0400 Subject: [PATCH] Update Project Quotas design spec Upon discovery and discussion, this commit brings three changes to the design spec for project quotas. 1) Removal of quota support for transport keys. It turns out they are not a project resource and should not be managed on a per project basis. 2) New role for quota management. The management of project quotas can not fall to project level admins. This must be the responsibility of a service level admin. A new keystone role is introduced to implement this change. 3) Clarification of paging support. The examples are updated to clarify the paging support to be implemented for listing project quotas. Change-Id: I4d5fb76e2868f63f623a8a3cd0b14d0bba31290a Relates-to: blueprint quota-support-on-barbican-resources --- .../quota-support-for-barbican-resources.rst | 111 +++++++++++++----- 1 file changed, 84 insertions(+), 27 deletions(-) diff --git a/specs/liberty/quota-support-for-barbican-resources.rst b/specs/liberty/quota-support-for-barbican-resources.rst index 1e8a662..de67cd9 100644 --- a/specs/liberty/quota-support-for-barbican-resources.rst +++ b/specs/liberty/quota-support-for-barbican-resources.rst @@ -55,7 +55,6 @@ have quota support: * secrets * orders * containers -* transport_keys * consumers *Note:* @@ -111,9 +110,6 @@ quota limits: # default number of containers allowed per project quota_containers = -1 - # default number of transport_keys allowed per project - quota_transport_keys = -1 - # default number of consumers allowed per project quota_consumers = -1 @@ -143,10 +139,15 @@ per-project quotas are stored in db. A REST API for Barbican administrators for the quota CRUD operations will be implemented as well. Non-admin users will be provided with a REST API to get their own effective quotas for various resources. Keystone RBAC checks will -be employed to decide if a caller has the required admin role to perform -these admin-only operations. The details of this is discussed in a later -section below. +be employed to decide if a caller has the required role to perform +these operations. +Quota management should be under the purview of a service level administrator, +not a project level administrator. In the current Barbican implementation, +there are four user roles: admin, creator, observer, and auditor. All +of these roles are project level. Thus, to accomplish appropriate role +based access to for quota a management, a new role will be created. The +name of this role will be "key-manager:service-admin". Alternatives ------------ @@ -168,6 +169,17 @@ Another alternative is an initiative by Kevin Mitchell from Rackspace https://wiki.openstack.org/wiki/Boson. However, the Nova and Cinder design is more usable for Barbican. +In addition to the four resources specified above, a previous version of this +spec described implementing quotas support for transport_keys. This is not +possible based on the current implementation of transport_keys, because they +are defined per-plugin and not per-project. A project admin should not +be managing transport_keys at all. + +The name of the role required to manage project quotas is decided to be +"key-manager:service-admin". This foreshadows a future change where all +Barbican roles might be defined with a namespace of key-manager. A variety +of other role names ("service-admin", "barbican-admin", "cloud-admin") were +are also possible alternatives. Data model impact ----------------- @@ -191,7 +203,6 @@ The following new data models will be added: * secrets: Integer, nullable=True * orders: Integer, nullable=True * containers: Integer, nullable=True - * transport_keys: Integer, nullable=True * consumers: Integer, nullable=True **Constraints**: project_id must be unique @@ -210,7 +221,7 @@ REST API impact The following new REST API will be implemented to manage quotas CRUD operations. Please note that except for the first GET API, all the -other APIs require the caller to have admin role. +other APIs require the caller to have "key-manager:service-admin" role. * Get effective quotas (any Barbican user) @@ -256,7 +267,6 @@ other APIs require the caller to have admin role. 'secrets': {'type':'integer'} 'orders': {'type':'integer'}, 'containers': {'type':'integer'}, - 'transport_keys': {'type':'integer'} 'consumers': {'type':'integer'} }, 'additionalProperties': False @@ -287,12 +297,11 @@ other APIs require the caller to have admin role. "secrets": 10, "orders": 20, "containers": 10, - "transport_keys": 10, "consumers": -1 } } -* List all project quotas (admin only) +* List all project quotas (service-admin only) * Lists all configured project level resource quotas across all users for all projects. If a project does not have project specific quotas configured, @@ -302,7 +311,16 @@ other APIs require the caller to have admin role. configured value in that project. The returned list will be sorted by create date, and support standard limit/offset paging. - * GET /v1/project-quotas?limit=x&offset=y (Admin only) + The standard paging support includes adding three fields in the + response body, when applicable. + + * "total": showing the number of project-quotas records + + * "next": giving a URL to the next page of records + + * "prev": giving a URL to the previous page of records + + * GET /v1/project-quotas?limit=x&offset=y (service-admin only) * Normal http response code(s) 200 OK @@ -346,7 +364,6 @@ other APIs require the caller to have admin role. 'secrets': {'type': 'integer'}, 'orders': {'type': 'integer'}, 'containers': {'type': 'integer'}, - 'transport_keys': {'type': 'integer'}, 'consumers': {'type': 'integer'} } } @@ -359,7 +376,7 @@ other APIs require the caller to have admin role. * Example 1:: - An admin user listing all the project quotas + A service-admin user listing all the project quotas Request: @@ -381,7 +398,6 @@ other APIs require the caller to have admin role. "secrets": 2000, "orders": 0, "containers": -1, - "transport_keys": 100, "consumers": null } }, @@ -391,15 +407,58 @@ other APIs require the caller to have admin role. "secrets": 200, "orders": 100, "containers": -1, - "transport_keys": 0, "consumers": null } }, - ] + ], + "total" : 30, } -* Get quotas for a specific project (admin only) + * Example 2:: + + A service-admin user listing all the project quotas with paging + + Request: + + GET /v1/project-quotas?limit=2&offset=6 + + X-Auth-Token: + + Response: + + 200 OK + + Content-Type: application/json + + { + "project_quotas": [ + { + "project_id": "1234", + "project_quotas": { + "secrets": 2000, + "orders": 0, + "containers": -1, + "consumers": null + } + }, + { + "project_id": "5678", + "project_quotas": { + "secrets": 200, + "orders": 100, + "containers": -1, + "consumers": null + } + }, + ], + "total" : 30, + "next": "http://localhost:9311/v1/project_quotas?limit=2&offset=8", + "prev": "http://localhost:9311/v1/project_quotas?limit=2&offset=4" + } + + +* Get quotas for a specific project (service-admin only) * Returns a set of configured resource quotas for the specified project. If no project specific quota values have been configured (or if the @@ -441,7 +500,6 @@ other APIs require the caller to have admin role. 'secrets': {'type': 'integer'}, 'orders': {'type': 'integer'}, 'containers': {'type': 'integer'}, - 'transport_keys': {'type': 'integer'}, 'consumers': {'type': 'integer'} } } @@ -468,13 +526,12 @@ other APIs require the caller to have admin role. "secrets": 10, "orders": 20, "containers": -1, - "transport_keys": null, "consumers": 10 } } -* Update/Set quotas for a specific project (admin only) +* Update/Set quotas for a specific project (service-admin only) * Creates or updates the configured resource quotas for the specified project. It is not required to specify limits for all Barbican resources. @@ -514,7 +571,6 @@ other APIs require the caller to have admin role. 'secrets': {'type': 'integer'}, 'orders': {'type': 'integer'}, 'containers': {'type': 'integer'}, - 'transport_keys': {'type': 'integer'}, 'consumers': {'type': 'integer'} } } @@ -550,7 +606,7 @@ other APIs require the caller to have admin role. 204 OK -* Delete quotas for a specific project (admin only) +* Delete quotas for a specific project (service-admin only) * Deletes the configured resource quotas for the specified project. After this call succeeds, the default resource quotas will be @@ -610,8 +666,9 @@ other APIs require the caller to have admin role. * Policy changes - For all admin-only APIs, the caller is expected to have a barbican admin - role. The check for this will be added to the Barbican policy.json + For all service-admin-only APIs, the caller is expected to have a barbican + key-manager:service-admin role. The check for this will be added to the + Barbican policy.json file. Once implemented and enforced, all Barbican resource creation API could return @@ -674,7 +731,7 @@ Quota commands that a regular non-admin barbican user can make: barbican quota show -Quota commands that only a barbican admin can make +Quota commands that only a barbican service-admin can make * List the default quotas applicable to all new projects