From 8c8735a73afb16d5856f0aa6088e9ae406c52beb Mon Sep 17 00:00:00 2001 From: Dan Prince <dprince@redhat.com> Date: Wed, 11 Apr 2012 16:21:29 -0400 Subject: [PATCH] Implement quotas for security groups. Fixes LP Bug #969545 for Diablo. Change-Id: Ibc02256b6debd29c56307320acc48e9cfae85ba9 --- nova/api/ec2/cloud.py | 12 +++++ nova/api/openstack/contrib/quotas.py | 5 ++- nova/api/openstack/contrib/security_groups.py | 12 +++++ nova/db/api.py | 10 ++++ nova/db/sqlalchemy/api.py | 19 ++++++++ nova/quota.py | 32 ++++++++++++++ nova/tests/api/openstack/contrib/test_quotas.py | 16 +++++-- .../api/openstack/contrib/test_security_groups.py | 44 ++++++++++++++++++++ nova/tests/test_cloud.py | 25 +++++++++++ nova/tests/test_quota.py | 32 ++++++++++++++- 10 files changed, 201 insertions(+), 6 deletions(-) diff --git a/nova/api/ec2/cloud.py b/nova/api/ec2/cloud.py index 64fce0c..cd41921 100644 --- a/nova/api/ec2/cloud.py +++ b/nova/api/ec2/cloud.py @@ -42,6 +42,7 @@ from nova import ipv6 from nova import log as logging from nova import network from nova import rpc +from nova import quota from nova import utils from nova import volume from nova.api.ec2 import ec2utils @@ -856,6 +857,13 @@ class CloudController(object): raise exception.ApiError(_(err) % values_for_rule) postvalues.append(values_for_rule) + allowed = quota.allowed_security_group_rules(context, + security_group['id'], + 1) + if allowed < 1: + msg = _("Quota exceeded, too many security group rules.") + raise exception.ApiError(msg) + for values_for_rule in postvalues: security_group_rule = db.security_group_rule_create( context, @@ -908,6 +916,10 @@ class CloudController(object): if db.security_group_exists(context, context.project_id, group_name): raise exception.ApiError(_('group %s already exists') % group_name) + if quota.allowed_security_groups(context, 1) < 1: + msg = _("Quota exceeded, too many security groups.") + raise exception.ApiError(msg) + group = {'user_id': context.user_id, 'project_id': context.project_id, 'name': group_name, diff --git a/nova/api/openstack/contrib/quotas.py b/nova/api/openstack/contrib/quotas.py index 459b71d..1688326 100644 --- a/nova/api/openstack/contrib/quotas.py +++ b/nova/api/openstack/contrib/quotas.py @@ -40,6 +40,8 @@ class QuotaSetsController(object): 'instances': quota_set['instances'], 'injected_files': quota_set['injected_files'], 'cores': quota_set['cores'], + 'security_groups': quota_set['security_groups'], + 'security_group_rules': quota_set['security_group_rules'], }} def show(self, req, id): @@ -56,7 +58,8 @@ class QuotaSetsController(object): project_id = id resources = ['metadata_items', 'injected_file_content_bytes', 'volumes', 'gigabytes', 'ram', 'floating_ips', 'instances', - 'injected_files', 'cores'] + 'injected_files', 'cores', 'security_groups', + 'security_group_rules'] for key in body['quota_set'].keys(): if key in resources: value = int(body['quota_set'][key]) diff --git a/nova/api/openstack/contrib/security_groups.py b/nova/api/openstack/contrib/security_groups.py index e8f1f2c..78d4881 100644 --- a/nova/api/openstack/contrib/security_groups.py +++ b/nova/api/openstack/contrib/security_groups.py @@ -26,6 +26,7 @@ from nova import flags from nova import log as logging from nova import rpc from nova import utils +from nova import quota from nova.api.openstack import common from nova.api.openstack import extensions from nova.api.openstack import wsgi @@ -136,6 +137,10 @@ class SecurityGroupController(object): group_name = group_name.strip() group_description = group_description.strip() + if quota.allowed_security_groups(context, 1) < 1: + msg = _("Quota exceeded, too many security groups.") + raise exc.HTTPBadRequest(explanation=msg) + LOG.audit(_("Create Security Group %s"), group_name, context=context) self.compute_api.ensure_default_security_group(context) if db.security_group_exists(context, context.project_id, group_name): @@ -219,6 +224,13 @@ class SecurityGroupRulesController(SecurityGroupController): msg = _('This rule already exists in group %s') % parent_group_id raise exc.HTTPBadRequest(explanation=msg) + allowed = quota.allowed_security_group_rules(context, + parent_group_id, + 1) + if allowed < 1: + msg = _("Quota exceeded, too many security group rules.") + raise exc.HTTPBadRequest(explanation=msg) + security_group_rule = db.security_group_rule_create(context, values) self.compute_api.trigger_security_group_rules_refresh(context, diff --git a/nova/db/api.py b/nova/db/api.py index c0e44d2..7d241e5 100644 --- a/nova/db/api.py +++ b/nova/db/api.py @@ -1098,6 +1098,11 @@ def security_group_destroy_all(context): return IMPL.security_group_destroy_all(context) +def security_group_count_by_project(context, project_id): + """Count number of security groups in a project.""" + return IMPL.security_group_count_by_project(context, project_id) + + #################### @@ -1129,6 +1134,11 @@ def security_group_rule_get(context, security_group_rule_id): return IMPL.security_group_rule_get(context, security_group_rule_id) +def security_group_rule_count_by_group(context, security_group_id): + """Count rules in a given security group.""" + return IMPL.security_group_rule_count_by_group(context, security_group_id) + + ################### diff --git a/nova/db/sqlalchemy/api.py b/nova/db/sqlalchemy/api.py index 6108585..b060926 100644 --- a/nova/db/sqlalchemy/api.py +++ b/nova/db/sqlalchemy/api.py @@ -2803,6 +2803,16 @@ def security_group_destroy_all(context, session=None): 'updated_at': literal_column('updated_at')}) +@require_context +def security_group_count_by_project(context, project_id): + authorize_project_context(context, project_id) + session = get_session() + return session.query(models.SecurityGroup).\ + filter_by(deleted=False).\ + filter_by(project_id=project_id).\ + count() + + ################### @@ -2884,6 +2894,15 @@ def security_group_rule_destroy(context, security_group_rule_id): security_group_rule.delete(session=session) +@require_context +def security_group_rule_count_by_group(context, security_group_id): + session = get_session() + return session.query(models.SecurityGroupIngressRule).\ + filter_by(deleted=False).\ + filter_by(parent_group_id=security_group_id).\ + count() + + ################### diff --git a/nova/quota.py b/nova/quota.py index 7714777..d491f4a 100644 --- a/nova/quota.py +++ b/nova/quota.py @@ -44,6 +44,10 @@ flags.DEFINE_integer('quota_max_injected_file_content_bytes', 10 * 1024, 'number of bytes allowed per injected file') flags.DEFINE_integer('quota_max_injected_file_path_bytes', 255, 'number of bytes allowed per injected file path') +flags.DEFINE_integer('quota_security_groups', 10, + 'number of security groups per project') +flags.DEFINE_integer('quota_security_group_rules', 20, + 'number of security rules per security group') def _get_default_quotas(): @@ -58,6 +62,8 @@ def _get_default_quotas(): 'injected_files': FLAGS.quota_max_injected_files, 'injected_file_content_bytes': FLAGS.quota_max_injected_file_content_bytes, + 'security_groups': FLAGS.quota_security_groups, + 'security_group_rules': FLAGS.quota_security_group_rules, } # -1 in the quota flags means unlimited for key in defaults.keys(): @@ -134,6 +140,32 @@ def allowed_floating_ips(context, requested_floating_ips): return min(requested_floating_ips, allowed_floating_ips) +def allowed_security_groups(context, requested_security_groups): + """Check quota and return min(requested, allowed) security groups.""" + project_id = context.project_id + context = context.elevated() + used_sec_groups = db.security_group_count_by_project(context, project_id) + quota = get_project_quotas(context, project_id) + allowed_sec_groups = _get_request_allotment(requested_security_groups, + used_sec_groups, + quota['security_groups']) + return min(requested_security_groups, allowed_sec_groups) + + +def allowed_security_group_rules(context, security_group_id, + requested_rules): + """Check quota and return min(requested, allowed) sec group rules.""" + project_id = context.project_id + context = context.elevated() + used_rules = db.security_group_rule_count_by_group(context, + security_group_id) + quota = get_project_quotas(context, project_id) + allowed_rules = _get_request_allotment(requested_rules, + used_rules, + quota['security_group_rules']) + return min(requested_rules, allowed_rules) + + def _calculate_simple_quota(context, resource, requested): """Check quota for resource; return min(requested, allowed).""" quota = get_project_quotas(context, context.project_id) diff --git a/nova/tests/api/openstack/contrib/test_quotas.py b/nova/tests/api/openstack/contrib/test_quotas.py index e391e5f..fe0a165 100644 --- a/nova/tests/api/openstack/contrib/test_quotas.py +++ b/nova/tests/api/openstack/contrib/test_quotas.py @@ -29,7 +29,8 @@ def quota_set(id): return {'quota_set': {'id': id, 'metadata_items': 128, 'volumes': 10, 'gigabytes': 1000, 'ram': 51200, 'floating_ips': 10, 'instances': 10, 'injected_files': 5, 'cores': 20, - 'injected_file_content_bytes': 10240}} + 'injected_file_content_bytes': 10240, + 'security_groups': 10, 'security_group_rules': 20}} def quota_set_list(): @@ -60,7 +61,9 @@ class QuotaSetsTest(test.TestCase): 'metadata_items': 128, 'gigabytes': 1000, 'injected_files': 5, - 'injected_file_content_bytes': 10240} + 'injected_file_content_bytes': 10240, + 'security_groups': 10, + 'security_group_rules': 20} quota_set = QuotaSetsController()._format_quota_set('1234', raw_quota_set) @@ -95,7 +98,9 @@ class QuotaSetsTest(test.TestCase): 'floating_ips': 10, 'metadata_items': 128, 'injected_files': 5, - 'injected_file_content_bytes': 10240}} + 'injected_file_content_bytes': 10240, + 'security_groups': 10, + 'security_group_rules': 20}} self.assertEqual(json.loads(res.body), expected) @@ -123,7 +128,10 @@ class QuotaSetsTest(test.TestCase): 'cores': 50, 'ram': 51200, 'volumes': 10, 'gigabytes': 1000, 'floating_ips': 10, 'metadata_items': 128, 'injected_files': 5, - 'injected_file_content_bytes': 10240}} + 'injected_file_content_bytes': 10240, + 'security_groups': 40, + 'security_group_rules': 80 + }} req = webob.Request.blank('/v1.1/fake/os-quota-sets/update_me') req.method = 'PUT' diff --git a/nova/tests/api/openstack/contrib/test_security_groups.py b/nova/tests/api/openstack/contrib/test_security_groups.py index d0b25e0..839f442 100644 --- a/nova/tests/api/openstack/contrib/test_security_groups.py +++ b/nova/tests/api/openstack/contrib/test_security_groups.py @@ -22,10 +22,13 @@ import webob from xml.dom import minidom from nova import exception +from nova import flags from nova import test from nova.api.openstack.contrib import security_groups from nova.tests.api.openstack import fakes +FLAGS = flags.FLAGS + def _get_create_request_json(body_dict): req = webob.Request.blank('/v1.1/fake/os-security-groups') @@ -257,6 +260,19 @@ class TestSecurityGroups(test.TestCase): response = _create_security_group_json(security_group) self.assertEquals(response.status_int, 400) + def test_create_security_group_quota_limit(self): + security_group = {} + for num in range(1, FLAGS.quota_security_groups): + security_group['name'] = "test%i" % num + security_group['description'] = "test%i" % num + response = _create_security_group_json(security_group) + self.assertEquals(response.status_int, 200) + + security_group['name'] = "test_to_many" + security_group['description'] = "test_to_many" + response = _create_security_group_json(security_group) + self.assertEquals(response.status_int, 400) + def test_get_security_group_list(self): security_group = {} security_group['name'] = "test" @@ -918,6 +934,34 @@ class TestSecurityGroupRules(test.TestCase): response = self._create_security_group_rule_json(rules) self.assertEquals(response.status_int, 400) + def test_create_rule_quota_limit(self): + #NOTE: subtract 1 because we create 1 rule in setup + for num in range(100, (100 + FLAGS.quota_security_group_rules) - 1): + rule = { + "security_group_rule": { + "ip_protocol": "tcp", + "from_port": num, + "to_port": num, + "parent_group_id": "%s" + % self.parent_security_group['id'], + } + } + response = self._create_security_group_rule_json(rule) + print response.body + self.assertEquals(response.status_int, 200) + + rule = { + "security_group_rule": { + "ip_protocol": "tcp", + "from_port": "121", + "to_port": "121", + "parent_group_id": "%s" + % self.parent_security_group['id'], + } + } + response = self._create_security_group_rule_json(rule) + self.assertEquals(response.status_int, 400) + def test_delete(self): response = self._delete_security_group_rule( self.security_group_rule['id']) diff --git a/nova/tests/test_cloud.py b/nova/tests/test_cloud.py index fa45974..c6fe41b 100644 --- a/nova/tests/test_cloud.py +++ b/nova/tests/test_cloud.py @@ -256,6 +256,31 @@ class CloudTestCase(test.TestCase): delete = self.cloud.delete_security_group self.assertRaises(exception.ApiError, delete, self.context) + def test_security_group_ingress_quota_limit(self): + self.flags(quota_security_group_rules=20) + kwargs = {'project_id': self.context.project_id, 'name': 'test'} + sec_group = db.security_group_create(self.context, kwargs) + authz = self.cloud.authorize_security_group_ingress + for i in range(100, 120): + kwargs = {'to_port': i, 'from_port': i, 'ip_protocol': 'tcp'} + authz(self.context, group_id=sec_group['id'], **kwargs) + + kwargs = {'to_port': 121, 'from_port': 121, 'ip_protocol': 'tcp'} + self.assertRaises(exception.ApiError, authz, self.context, + group_id=sec_group['id'], **kwargs) + + def test_security_group_quota_limit(self): + self.flags(quota_security_groups=10) + for i in range(1, 10): + name = 'test name %i' % i + descript = 'test description %i' % i + create = self.cloud.create_security_group + result = create(self.context, name, descript) + + # 11'th group should fail + self.assertRaises(exception.ApiError, + create, self.context, 'foo', 'bar') + def test_authorize_security_group_ingress(self): kwargs = {'project_id': self.context.project_id, 'name': 'test'} sec = db.security_group_create(self.context, kwargs) diff --git a/nova/tests/test_quota.py b/nova/tests/test_quota.py index f4b481e..9541a13 100644 --- a/nova/tests/test_quota.py +++ b/nova/tests/test_quota.py @@ -43,7 +43,9 @@ class QuotaTestCase(test.TestCase): quota_cores=4, quota_volumes=2, quota_gigabytes=20, - quota_floating_ips=1) + quota_floating_ips=1, + quota_security_groups=10, + quota_security_group_rules=20) self.network = self.network = self.start_service('network') self.user_id = 'admin' @@ -185,6 +187,34 @@ class QuotaTestCase(test.TestCase): floating_ips = quota.allowed_floating_ips(self.context, 101) self.assertEqual(floating_ips, 101) + def test_unlimited_security_groups(self): + self.flags(quota_security_groups=10) + security_groups = quota.allowed_security_groups(self.context, 100) + self.assertEqual(security_groups, 10) + db.quota_create(self.context, self.project_id, 'security_groups', None) + security_groups = quota.allowed_security_groups(self.context, 100) + self.assertEqual(security_groups, 100) + security_groups = quota.allowed_security_groups(self.context, 101) + self.assertEqual(security_groups, 101) + + def test_unlimited_security_group_rules(self): + + def fake_security_group_rule_count_by_group(context, sec_group_id): + return 0 + + self.stubs.Set(db, 'security_group_rule_count_by_group', + fake_security_group_rule_count_by_group) + + self.flags(quota_security_group_rules=20) + rules = quota.allowed_security_group_rules(self.context, 1234, 100) + self.assertEqual(rules, 20) + db.quota_create(self.context, self.project_id, 'security_group_rules', + None) + rules = quota.allowed_security_group_rules(self.context, 1234, 100) + self.assertEqual(rules, 100) + rules = quota.allowed_security_group_rules(self.context, 1234, 101) + self.assertEqual(rules, 101) + def test_unlimited_metadata_items(self): self.flags(quota_metadata_items=10) items = quota.allowed_metadata_items(self.context, 100)