yahoo-eng-team team mailing list archive
-
yahoo-eng-team team
-
Mailing list archive
-
Message #83720
[Bug 1893284] [NEW] Per-user quotas not scoped correctly when creating a server
Public bug reported:
While looking into an issue reported on the ML [1] around per-user
quotas not working properly, I found a bug where quota checking is not
scoped correctly when creating a server.
This causes per-user quota limits not to be honored during these API
requests.
The problem is in a utility function we use for checking quota when
creating servers:
https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
The Quotas.check_deltas method needs a user_id keyword arg in order to
scope a quota check to a particular user. However, when we call
check_num_instances_quota we don't pass a project_id or user_id because
at the time of the quota check, we have not yet created an instance
record and thus will not use that to determine the appropriate project
and user. Instead, we should rely on the RequestContext.project_id and
RequestContext.user_id as defaults in this case, but
check_num_instances_quota only defaults project_id and not user_id.
check_num_instances_quota should also default user_id to the
RequestContext.user_id when user_id is not explicitly passed.
[1] http://lists.openstack.org/pipermail/openstack-
discuss/2020-August/016861.html
** Affects: nova
Importance: Medium
Assignee: melanie witt (melwitt)
Status: In Progress
** Affects: nova/pike
Importance: Undecided
Status: New
** Affects: nova/queens
Importance: Undecided
Status: New
** Affects: nova/rocky
Importance: Undecided
Status: New
** Affects: nova/stein
Importance: Undecided
Status: New
** Affects: nova/train
Importance: Undecided
Status: New
** Affects: nova/ussuri
Importance: Undecided
Status: New
** Tags: quotas
** Summary changed:
- Per-user quotas not scoped correctly when creating or restoring a server
+ Per-user quotas not scoped correctly when creating a server
** Description changed:
While looking into an issue reported on the ML [1] around per-user
quotas not working properly, I found a bug where quota checking is not
- scoped correctly when creating or restoring a server.
+ scoped correctly when creating a server.
This causes per-user quota limits not to be honored during these API
requests.
The problem is in a utility function we use for checking quota when
creating or restoring servers:
https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
The Quotas.check_deltas method needs a user_id keyword arg in order to
scope a quota check to a particular user. However, when we call
check_num_instances_quota we don't pass a project_id or user_id because
at the time of the quota check, we have not yet created an instance
record and thus will not use that to determine the appropriate project
and user. Instead, we should rely on the RequestContext.project_id and
RequestContext.user_id as defaults in this case, but
check_num_instances_quota only defaults project_id and not user_id.
check_num_instances_quota should also default user_id to the
RequestContext.user_id when user_id is not explicitly passed.
[1] http://lists.openstack.org/pipermail/openstack-
discuss/2020-August/016861.html
** Description changed:
While looking into an issue reported on the ML [1] around per-user
quotas not working properly, I found a bug where quota checking is not
scoped correctly when creating a server.
This causes per-user quota limits not to be honored during these API
requests.
The problem is in a utility function we use for checking quota when
- creating or restoring servers:
+ creating servers:
https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
The Quotas.check_deltas method needs a user_id keyword arg in order to
scope a quota check to a particular user. However, when we call
check_num_instances_quota we don't pass a project_id or user_id because
at the time of the quota check, we have not yet created an instance
record and thus will not use that to determine the appropriate project
and user. Instead, we should rely on the RequestContext.project_id and
RequestContext.user_id as defaults in this case, but
check_num_instances_quota only defaults project_id and not user_id.
check_num_instances_quota should also default user_id to the
RequestContext.user_id when user_id is not explicitly passed.
[1] http://lists.openstack.org/pipermail/openstack-
discuss/2020-August/016861.html
--
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to OpenStack Compute (nova).
https://bugs.launchpad.net/bugs/1893284
Title:
Per-user quotas not scoped correctly when creating a server
Status in OpenStack Compute (nova):
In Progress
Status in OpenStack Compute (nova) pike series:
New
Status in OpenStack Compute (nova) queens series:
New
Status in OpenStack Compute (nova) rocky series:
New
Status in OpenStack Compute (nova) stein series:
New
Status in OpenStack Compute (nova) train series:
New
Status in OpenStack Compute (nova) ussuri series:
New
Bug description:
While looking into an issue reported on the ML [1] around per-user
quotas not working properly, I found a bug where quota checking is not
scoped correctly when creating a server.
This causes per-user quota limits not to be honored during these API
requests.
The problem is in a utility function we use for checking quota when
creating servers:
https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120
The Quotas.check_deltas method needs a user_id keyword arg in order to
scope a quota check to a particular user. However, when we call
check_num_instances_quota we don't pass a project_id or user_id
because at the time of the quota check, we have not yet created an
instance record and thus will not use that to determine the
appropriate project and user. Instead, we should rely on the
RequestContext.project_id and RequestContext.user_id as defaults in
this case, but check_num_instances_quota only defaults project_id and
not user_id.
check_num_instances_quota should also default user_id to the
RequestContext.user_id when user_id is not explicitly passed.
[1] http://lists.openstack.org/pipermail/openstack-
discuss/2020-August/016861.html
To manage notifications about this bug go to:
https://bugs.launchpad.net/nova/+bug/1893284/+subscriptions
Follow ups