
yahoo-eng-team team mailing list archive

[Bug 1893284] [NEW] Per-user quotas not scoped correctly when creating a server

 

Public bug reported:

While looking into an issue reported on the ML [1] around per-user
quotas not working properly, I found a bug where quota checking is not
scoped correctly when creating a server.

This causes per-user quota limits not to be honored during these API
requests.

The problem is in a utility function we use for checking quota when
creating servers:

https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120

The Quotas.check_deltas method needs a user_id keyword arg in order to
scope a quota check to a particular user. However, when we call
check_num_instances_quota we don't pass a project_id or user_id because
at the time of the quota check, we have not yet created an instance
record and thus will not use that to determine the appropriate project
and user. Instead, we should rely on the RequestContext.project_id and
RequestContext.user_id as defaults in this case, but
check_num_instances_quota only defaults project_id and not user_id.

check_num_instances_quota should also default user_id to the
RequestContext.user_id when user_id is not explicitly passed.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-August/016861.html

** Affects: nova
     Importance: Medium
     Assignee: melanie witt (melwitt)
         Status: In Progress

** Affects: nova/pike
     Importance: Undecided
         Status: New

** Affects: nova/queens
     Importance: Undecided
         Status: New

** Affects: nova/rocky
     Importance: Undecided
         Status: New

** Affects: nova/stein
     Importance: Undecided
         Status: New

** Affects: nova/train
     Importance: Undecided
         Status: New

** Affects: nova/ussuri
     Importance: Undecided
         Status: New


** Tags: quotas

** Summary changed:

- Per-user quotas not scoped correctly when creating or restoring a server
+ Per-user quotas not scoped correctly when creating a server

** Description changed:

  While looking into an issue reported on the ML [1] around per-user
  quotas not working properly, I found a bug where quota checking is not
- scoped correctly when creating or restoring a server.
+ scoped correctly when creating a server.
  
  This causes per-user quota limits not to be honored during these API
  requests.
  
  The problem is in a utility function we use for checking quota when
  creating or restoring servers:
  
  https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
  
  The Quotas.check_deltas method needs a user_id keyword arg in order to
  scope a quota check to a particular user. However, when we call
  check_num_instances_quota we don't pass a project_id or user_id because
  at the time of the quota check, we have not yet created an instance
  record and thus will not use that to determine the appropriate project
  and user. Instead, we should rely on the RequestContext.project_id and
  RequestContext.user_id as defaults in this case, but
  check_num_instances_quota only defaults project_id and not user_id.
  
  check_num_instances_quota should also default user_id to the
  RequestContext.user_id when user_id is not explicitly passed.
  
  [1] http://lists.openstack.org/pipermail/openstack-
  discuss/2020-August/016861.html

** Description changed:

  While looking into an issue reported on the ML [1] around per-user
  quotas not working properly, I found a bug where quota checking is not
  scoped correctly when creating a server.
  
  This causes per-user quota limits not to be honored during these API
  requests.
  
  The problem is in a utility function we use for checking quota when
- creating or restoring servers:
+ creating servers:
  
  https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
  
  The Quotas.check_deltas method needs a user_id keyword arg in order to
  scope a quota check to a particular user. However, when we call
  check_num_instances_quota we don't pass a project_id or user_id because
  at the time of the quota check, we have not yet created an instance
  record and thus will not use that to determine the appropriate project
  and user. Instead, we should rely on the RequestContext.project_id and
  RequestContext.user_id as defaults in this case, but
  check_num_instances_quota only defaults project_id and not user_id.
  
  check_num_instances_quota should also default user_id to the
  RequestContext.user_id when user_id is not explicitly passed.
  
  [1] http://lists.openstack.org/pipermail/openstack-
  discuss/2020-August/016861.html

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1893284

Title:
  Per-user quotas not scoped correctly when creating a server

Status in OpenStack Compute (nova):
  In Progress
Status in OpenStack Compute (nova) pike series:
  New
Status in OpenStack Compute (nova) queens series:
  New
Status in OpenStack Compute (nova) rocky series:
  New
Status in OpenStack Compute (nova) stein series:
  New
Status in OpenStack Compute (nova) train series:
  New
Status in OpenStack Compute (nova) ussuri series:
  New

Bug description:
  While looking into an issue reported on the ML [1] around per-user
  quotas not working properly, I found a bug where quota checking is not
  scoped correctly when creating a server.

  This causes per-user quota limits not to be honored during these API
  requests.

  The problem is in a utility function we use for checking quota when
  creating servers:

  https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120

  The Quotas.check_deltas method needs a user_id keyword arg in order to
  scope a quota check to a particular user. However, when we call
  check_num_instances_quota we don't pass a project_id or user_id
  because at the time of the quota check, we have not yet created an
  instance record and thus will not use that to determine the
  appropriate project and user. Instead, we should rely on the
  RequestContext.project_id and RequestContext.user_id as defaults in
  this case, but check_num_instances_quota only defaults project_id and
  not user_id.

  check_num_instances_quota should also default user_id to the
  RequestContext.user_id when user_id is not explicitly passed.

  [1] http://lists.openstack.org/pipermail/openstack-discuss/2020-August/016861.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1893284/+subscriptions
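
Added example (not part of the bug report and not nova's code): a simplified Python model of the scoping problem described above, with the missing default beside the corrected one. Only the names RequestContext, check_deltas and check_num_instances_quota come from the report; the signatures, limits, usage data and the _buggy/_fixed suffixes are assumptions made for illustration.

```python
from dataclasses import dataclass

class OverQuota(Exception):
    pass

@dataclass
class RequestContext:  # stand-in holding only the two fields the report names
    project_id: str
    user_id: str

# Constructed sample data: (project, user) -> instances already owned.
USAGE = {("proj-a", "alice"): 2, ("proj-a", "bob"): 1}
PROJECT_LIMIT = 10                       # hypothetical project-wide limit
USER_LIMITS = {("proj-a", "alice"): 2}   # hypothetical per-user limit

def check_deltas(deltas, project_id, user_id=None):
    """Model of a quota check: the per-user limit is consulted only
    when a user_id is supplied; otherwise the check is project-scoped."""
    want = deltas["instances"]
    project_used = sum(n for (p, _), n in USAGE.items() if p == project_id)
    if project_used + want > PROJECT_LIMIT:
        raise OverQuota("project limit exceeded")
    if user_id is not None:
        limit = USER_LIMITS.get((project_id, user_id), PROJECT_LIMIT)
        if USAGE.get((project_id, user_id), 0) + want > limit:
            raise OverQuota("user limit exceeded")

def check_num_instances_quota_buggy(context, count, project_id=None, user_id=None):
    if project_id is None:
        project_id = context.project_id
    # user_id is never defaulted, so it stays None and the user limit is skipped.
    check_deltas({"instances": count}, project_id, user_id=user_id)

def check_num_instances_quota_fixed(context, count, project_id=None, user_id=None):
    if project_id is None:
        project_id = context.project_id
    if user_id is None:
        user_id = context.user_id  # default from the request context as well
    check_deltas({"instances": count}, project_id, user_id=user_id)

def allowed(check, context, count):
    """Return True if the given check lets `count` new instances through."""
    try:
        check(context, count)
        return True
    except OverQuota:
        return False
```

A regression test for this class of bug asserts that a user already at their per-user limit is refused when the caller passes neither project_id nor user_id.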

