Add project_id filter for listing limit

Add project_id filter for listing limit. This filter
can be only used by system-scoped request to fetch the
specified project's limits.

bp: strict-two-level-model

Change-Id: I1b8cc227ed0710702aa099f09821f6eb897bb32c

1 files changed, 10 insertions, 5 deletions

diff --git a/keystone/limit/controllers.py b/keystone/limit/controllers.py
index 440b55f94..a17bc865a 100644
--- a/keystone/limit/controllers.py
+++ b/keystone/limit/controllers.py
@@ -101,17 +101,22 @@ class LimitV3(controller.V3Controller):
             limit_id, limit)
         return LimitV3.wrap_member(request.context_dict, ref)
 
-    @controller.filterprotected('service_id', 'region_id', 'resource_name')
+    @controller.filterprotected('service_id', 'region_id', 'resource_name',
+                                'project_id')
     def list_limits(self, request, filters):
         hints = LimitV3.build_driver_hints(request, filters)
-        # TODO(wxy): Add system-scope check. If the request is system-scoped,
-        # it can get all limits.
         context = request.context
-        if not context.is_admin and not ('admin' in context.roles):
+        project_id_filter = hints.get_exact_filter_by_name('project_id')
+        if project_id_filter:
+            if context.system_scope:
+                refs = PROVIDERS.unified_limit_api.list_limits(hints)
+            else:
+                refs = []
+        else:
             project_id = context.project_id
             if project_id:
                 hints.add_filter('project_id', project_id)
-        refs = PROVIDERS.unified_limit_api.list_limits(hints)
+            refs = PROVIDERS.unified_limit_api.list_limits(hints)
         return LimitV3.wrap_collection(request.context_dict, refs, hints=hints)
 
     @controller.protected()