ID Quota Limit #84

Closed
athu-tran opened this issue Sep 16, 2020 · 0 comments · May be fixed by yosmirnjr/cve-services#4
Labels: final (final issue state), user story (issues that follow user story format in order to describe community needs)

Comments

athu-tran (Contributor) commented Sep 16, 2020

User story: As a Root CNA, I want the IDR to not allow CNAs or CNA-LRs under my administrative control to have more IDs in the Reserved state than their ID quota (hard limit) so that CNAs or CNA-LRs do not reserve too many IDs and allow them to become stale or cause RBP problems.
AC:
When a user for a CNA or CNA-LR requests to reserve an amount of IDs that would exceed that CNA's ID quota, the IDR returns an error message (HTTP 403 Forbidden). This error message informs the user/consuming client that the amount would exceed the CNA’s quota and includes useful information like the current ID quota and how many IDs the CNA could currently reserve.

*Note: For the Phase 1 implementation, the Root CNA and CNA-LR roles are filled by MITRE, hence the implementation is limited to CNAs and MITRE as the only Root CNA and CNA-LR.

Historical Requirements:
R7: The Requestor and Managing Root need to be notified (logging?) when any error condition occurs during ID Reservation requested operations. See Note* above. There is only 1 “managing root”, which is the Secretariat for Phase 1. Note: The need to inform the “managing root” is not part of the user story. Logging is not part of the user story.
R12: Requests are checked against preset organizational values (e.g., ID quota) on a pre-request basis
R13: A quota is enforced based on hard limits. The quota usage will follow the formula:

```
available_ids = hard_limit - reserved_but_not_published_id_count
```
R14: Published IDs will not count against the quota.
R15: Reservation of IDs up to the hard limit will be allowed. For example, if a CNA has a quota of 100 CVE IDs with 90 reserved but not published, they then have 10 CVE IDs available for future reservations.
R16: Requests for IDs will be rejected once the hard limit is reached.
The hard and soft limits need to be dynamically resized based on an algorithm that considers the organization's historic population stats, highest usage within a useful timeframe, and projected growth. (optional)
R17: The Requestor and Managing Root need to be notified when soft and/or hard limits are reached. See Note* above. There is only 1 “managing root”, which is the Secretariat for Phase 1.
R20: Any response should return the requested number of CVE IDs and balance information on the quota status after this request is completed. (Email receipt as well) Note: This User Story does not include email notification of the response.
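The quota rule and the 403 behaviour described in the AC and R13 to R20 above, as an added worked example. This is illustration code, not cve-services' own implementation: the function names (`availableIds`, `reserveIds`), the record shape, the error codes and the sample CNAs and CVE ID records are all constructed for this example.

```javascript
'use strict';

// Added example, not cve-services code. Models the issue's quota rule
//   available_ids = hard_limit - reserved_but_not_published_id_count
// and the HTTP 403 response the AC asks for when a request would exceed it.
// Every name and value below is constructed for illustration.

const RESERVED = 'RESERVED';
const PUBLISHED = 'PUBLISHED';

// Constructed sample store: one hard limit per CNA and one record per CVE ID.
const orgs = {
  'example-cna': { idQuota: 100 },
  'other-cna': { idQuota: 5 },
};

function makeIds(owner, reservedCount, publishedCount) {
  const out = [];
  for (let i = 0; i < reservedCount; i++) out.push({ owner, state: RESERVED });
  for (let i = 0; i < publishedCount; i++) out.push({ owner, state: PUBLISHED });
  return out;
}

// example-cna matches R15's example: 90 reserved but not published (the 250
// published IDs must not count, per R14); other-cna is already at its limit.
const cveIds = [...makeIds('example-cna', 90, 250), ...makeIds('other-cna', 5, 0)];

// R13/R14: only the org's own RESERVED IDs count against its hard limit.
function availableIds(owner, store = cveIds, quotas = orgs) {
  const org = quotas[owner];
  if (!org) throw new Error(`unknown CNA: ${owner}`);
  const reservedNotPublished = store.filter(
    (rec) => rec.owner === owner && rec.state === RESERVED
  ).length;
  return org.idQuota - reservedNotPublished;
}

// Handles a request for `amount` new IDs and returns an HTTP-style result.
// R15: up to the hard limit is allowed; R16: beyond it is rejected;
// AC: the rejection carries the quota and what could still be reserved;
// R20: a successful response carries the balance after the request.
function reserveIds(owner, amount, store = cveIds, quotas = orgs) {
  if (!Number.isInteger(amount) || amount < 1) {
    return { status: 400, body: { error: 'BAD_AMOUNT', message: 'amount must be a positive integer' } };
  }
  const available = availableIds(owner, store, quotas);
  if (amount > available) {
    return {
      status: 403,
      body: {
        error: 'EXCEEDS_ID_QUOTA',
        message: `Reserving ${amount} IDs would exceed the CNA's ID quota`,
        id_quota: quotas[owner].idQuota,
        available_ids: available,
      },
    };
  }
  for (let i = 0; i < amount; i++) store.push({ owner, state: RESERVED });
  return {
    status: 200,
    body: {
      reserved: amount,
      id_quota: quotas[owner].idQuota,
      available_ids: availableIds(owner, store, quotas),
    },
  };
}

// Stand-alone demo on copies of the store, so the sample data stays intact:
// one request that exceeds the quota, then one that exactly fills it.
console.log(JSON.stringify(reserveIds('example-cna', 11, [...cveIds])));
console.log(JSON.stringify(reserveIds('example-cna', 10, [...cveIds])));
```

The check is deliberately computed from the current state of the ID records rather than from a stored counter, so an ID moving to PUBLISHED frees quota on the next request without any bookkeeping, and the 403 body gives the client enough (`id_quota`, `available_ids`) to resize its request instead of retrying blindly.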

- athu-tran added the draft (Initial issue state) label on Sep 16, 2020
- athu-tran mentioned this issue on Sep 16, 2020
- athu-tran added the user story (issues that follow user story format in order to describe community needs) label on Sep 16, 2020
- athu-tran added the final (final issue state) label and removed the draft (Initial issue state) label on Oct 2, 2020