[openstack-dev] [cinder] [keystone] cinder quota behavior differences after Keystone mitaka upgrade

Matt Fischer matt at mattfischer.com
Mon Jun 27 16:13:18 UTC 2016

We upgraded our dev environment last week to Keystone stable/mitaka. Since
then we're unable to show or set quotas on projects of which the admin is
not a member. Looking at the cinder code, it seems that cinder is pulling a
project list and attempting to determine a hierarchy.  On Liberty Keystone,
projects seem to lack parents:

<Project description=Admin Tenant, domain_id=default, enabled=True,
id=9e839870dd0d4a2f96f9d71b7e7c5a4e, is_domain=False, links={u'self': u'
name=admin, parent_id=None, subtree=None>

In Mitaka, it seems that projects are children of the default domain:

<Project description=Admin Tenant, domain_id=default, enabled=True,
id=4764ba822ecb43e582794b875751924c, is_domain=False, links={u'self': u'
name=admin, parent_id=default, subtree=None>

In Liberty since all projects were parentless, the authorize_* code blocks
were skipped since both conditionals were false:


But now in Mitaka, the code is run, and it fails out since the projects are
"brothers", both with the parent of the default domain, but not
hierarchically related.

Previously it was a useful ability for us to be able to (as admins) set and
view  quotas for cinder projects. Now we need to scope into the user's
project to even be able to view their quotas, much less change them. This
seems broken, but I'm not sure where the issue is or why the keystone
behavior changed. Is this the expected behavior?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160627/1a4279df/attachment-0001.html>

More information about the OpenStack-dev mailing list