Bug
Resolution: Won't Do
Minor
rhos-16.2.z
Low
Description of problem:
When using the nova client to create key-pairs user quotas, the entry in the database is using the user name as the user id, therefore never actually enforcing the quota.
Version-Release number of selected component (if applicable):
16.2
How reproducible:
Always reproducible
Steps to Reproduce:
1. Create project, create user, assign member role to user:
(admin@admin) [stack@director.keller.lab ~]$ openstack project show -c id -c name keypair-quota-test
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 4fb96e87d5614e979950f635d8ccc8b2 |
| name  | keypair-quota-test               |
+-------+----------------------------------+
2. Default key pairs quota of 100 applies to the project:
(admin@admin) [stack@director.keller.lab ~]$ openstack quota list --compute --detail --project 4fb96e87d5614e979950f635d8ccc8b2
+----------------------+--------+----------+-------+
| Resource             | In Use | Reserved | Limit |
+----------------------+--------+----------+-------+
| cores                | 0      | 0        | 20    |
| instances            | 0      | 0        | 10    |
| key_pairs            | 0      | 0        | 100   |
| metadata_items       | 0      | 0        | 128   |
| ram                  | 0      | 0        | 51200 |
| server_group_members | 0      | 0        | 10    |
| server_groups        | 0      | 0        | 10    |
+----------------------+--------+----------+-------+
(admin@admin) [stack@director.keller.lab ~]$
3. Must use the nova client because the openstack CLI does not allow a user quota to be set up:
(admin@admin) [stack@director.keller.lab ~]$ openstack quota set --help | grep user
(admin@admin) [stack@director.keller.lab ~]$
(admin@admin) [stack@director.keller.lab ~]$ nova quota-update
usage: nova quota-update [--user <user-id>] [--instances <instances>]
[--cores <cores>] [--ram <ram>]
[--metadata-items <metadata-items>]
[--key-pairs <key-pairs>]
[--server-groups <server-groups>]
[--server-group-members <server-group-members>]
[--force]
<tenant-id>
error: the following arguments are required: <tenant-id>
Try 'nova help quota-update' for more information.
(admin@admin) [stack@director.keller.lab ~]$
4. Create a user quota by user "name" in the project mentioned above:
(admin@admin) [stack@director.keller.lab ~]$ nova quota-update --user quotauser --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2
(admin@admin) [stack@director.keller.lab ~]$
5. Test quota limit by creating key pairs:
(admin@admin) [stack@director.keller.lab ~]$ source quotauser-keypair-quota-test-rc
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ for x in $(seq 1 20) ;do
> openstack keypair create keypair-$x > /dev/null || break
> done
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ openstack keypair list -c Name -f value | wc -l
20
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$
Actual results:
The limit is not enforced.
Expected results:
The limit should be enforced. For example, when using the user "id" instead of the name, the quota limit is correctly enforced:
1. Delete all current quotas
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ openstack keypair list -c Name -f value | while read x ;do openstack keypair delete $x; done
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$
2. Source admin credentials and get user id:
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ source overcloudrc
(admin@admin) [stack@director.keller.lab ~]$
(admin@admin) [stack@director.keller.lab ~]$ openstack user show -c id quotauser
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 77007fc9f4c140e4bb86a5eae3f2ab0b |
+-------+----------------------------------+
(admin@admin) [stack@director.keller.lab ~]$
3. Create quota limit by user id:
(admin@admin) [stack@director.keller.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2
(admin@admin) [stack@director.keller.lab ~]$
4. Test key pair creation again:
(admin@admin) [stack@director.keller.lab ~]$ source quotauser-keypair-quota-test-rc
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ for x in $(seq 1 20) ;do
> openstack keypair create keypair-$x > /dev/null || break
> done
Quota exceeded, too many key pairs. (HTTP 403) (Request-ID: req-39609d13-7131-4d40-bb26-3d7f1b3364a5)
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$ openstack keypair list -c Name -f value | wc -l
10
(quotauser@keypair-quota-test) [stack@director.keller.lab ~]$
Additional info:
The database shows that in the first case the user name is used as user_id:
MariaDB [nova_api]> select * from project_user_quotas where project_id="4fb96e87d5614e979950f635d8ccc8b2";
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
| id | created_at          | updated_at | user_id                          | project_id                       | resource  | hard_limit |
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
| 47 | 2023-08-11 10:04:15 | NULL       | quotauser                        | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs |         10 |
| 50 | 2023-08-11 10:08:46 | NULL       | 77007fc9f4c140e4bb86a5eae3f2ab0b | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs |         10 |
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
2 rows in set (0.000 sec)
I know that the nova client help clearly says "--user <user-id>" (and not user name), but so does the --project parameter, and that one has a check to block wrong requests when using the project name:
(admin@admin) [stack@director.keller.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 20 keypair-quota-test
ERROR (BadRequest): Project ID keypair-quota-test is not a valid project. (HTTP 400) (Request-ID: req-4ec1c846-4360-4b2e-bce8-beefa70ab461)
(admin@admin) [stack@director.keller.lab ~]$
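An audit for the condition shown in the database output above, as an added example that is not part of the original report or of nova: it lists project_user_quotas rows whose user_id matches no Keystone user ID, meaning the limit is stored but never enforced. The function names, the two-file input layout and the column order are assumptions; the sample rows are constructed from the values in the report.

```shell
#!/bin/sh
# audit_user_quotas IDS_FILE ROWS_FILE   (hypothetical helper, not part of nova)
#   IDS_FILE : one Keystone user ID per line, e.g. from
#              openstack user list -f value -c ID
#   ROWS_FILE: tab-separated id, user_id, project_id, resource, hard_limit,
#              e.g. from  mysql -N -B nova_api -e 'select id, user_id,
#              project_id, resource, hard_limit from project_user_quotas'
# Prints "row-id<TAB>user_id<TAB>resource=limit" for each row whose user_id
# is not a known Keystone user ID.
audit_user_quotas() {
    awk -F '\t' -v ids="$1" '
        BEGIN {
            # Load the set of real user IDs.
            while ((getline line < ids) > 0)
                if (line != "") { known[line] = 1; n++ }
            # An empty or unreadable ID list would flag every row; refuse.
            if (n == 0) {
                print "no Keystone user IDs loaded; refusing to audit" > "/dev/stderr"
                failed = 1
                exit 2
            }
        }
        !($2 in known) { print $1 "\t" $2 "\t" $4 "=" $5 }
        END { if (failed) exit 2 }
    ' "$2"
}

# Constructed sample input: the two rows and the user ID shown in the report.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '%s\n' 77007fc9f4c140e4bb86a5eae3f2ab0b > "$tmp/ids"
    printf '47\tquotauser\t4fb96e87d5614e979950f635d8ccc8b2\tkey_pairs\t10\n' > "$tmp/rows"
    printf '50\t77007fc9f4c140e4bb86a5eae3f2ab0b\t4fb96e87d5614e979950f635d8ccc8b2\tkey_pairs\t10\n' >> "$tmp/rows"
    audit_user_quotas "$tmp/ids" "$tmp/rows"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

To avoid creating such rows in the first place, resolve the name before calling the nova client, for example by passing the output of `openstack user show -f value -c id quotauser` as the `--user` value.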