2015-10-22 16:42:41 |
Erickson Filipe Guedes dos Santos |
description |
We have discovered in Cinder that the sum of the subprojects' quotas can be greater than the parent project quota. The reason is that create volume calls limit_check (see https://github.com/openstack/cinder/blob/master/cinder/volume/flows/api/create_volume.py#L541) and there is no checking regarding the allocated values of the parent project in the limit_check method of the DBQuotaDriver (see https://github.com/openstack/cinder/blob/master/cinder/quota.py#L290-L333).
Steps to reproduce:
1. openstack project create A
#grant the role admin to the user in this project.
2. openstack role add admin --project A --user admin
#create a subproject of A
3. openstack project create B --property parent_id=<project id of A>
#grant the role admin to the user in this project.
4. openstack role add admin --project B --user admin
#allocate all volume quota of project A to project B
5. openstack quota set <project id of B> --volumes 10
#create a volume in project A; it should not be allowed since all the quota of project A was allocated to project B.
6. openstack volume create --project <project id of A> --size 5 test_volume
In step 6, the volume isn't expected to be created because project A doesn't have any more free quota. But, in the current implementation, Cinder is allowing the creation of the volume. |
We have discovered in Cinder that the sum of the allocated quotas and in_usage quotas can be greater than the hard_limit quota of a project. The reason is that, when creating resources, Cinder first tries to reserve the quota. Then, the method db.quota_reserve is called and there is no checking regarding the allocated values of the project (see https://github.com/openstack/cinder/blob/master/cinder/db/sqlalchemy/api.py#L872-L874).
Steps to reproduce:
1. openstack project create A
#grant the role admin to the user in this project.
2. openstack role add admin --project A --user admin
#create a subproject of A
3. openstack project create B --property parent_id=<project id of A>
#grant the role admin to the user in this project.
4. openstack role add admin --project B --user admin
#allocate all volume quota of project A to project B
5. openstack quota set <project id of B> --volumes 10
#create a volume in project A; it should not be allowed since all the quota of project A was allocated to project B.
6. openstack volume create --size 1 test_volume
In step 6, the volume isn't expected to be created because project A doesn't have any more free quota. But, in the current implementation, Cinder is allowing the creation of the volume. |
|
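The reservation check described in the report, modelled as an added example (not Cinder's code and not the project's fix): one reserve function leaves `allocated` out of the comparison, the other counts it. The class, the function names and the assumption that project A's volume hard limit is 10 are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class QuotaUsage:
    """Hypothetical per-project record for one resource (not Cinder's schema)."""
    hard_limit: int      # quota granted to this project
    allocated: int = 0   # part of hard_limit handed down to subprojects
    in_use: int = 0      # resources the project itself consumes
    reserved: int = 0    # reservations not yet committed


class OverQuota(Exception):
    pass


def set_child_limit(parent, child, new_limit):
    """Give a subproject quota out of the parent's free quota (step 5)."""
    free = parent.hard_limit - parent.allocated - parent.in_use - parent.reserved
    growth = new_limit - child.hard_limit
    if growth > free:
        raise OverQuota("parent has no free quota to allocate")
    parent.allocated += growth
    child.hard_limit = new_limit


def reserve_ignoring_allocated(q, delta):
    """Check as the report describes it: allocated is not considered."""
    if q.in_use + q.reserved + delta > q.hard_limit:
        raise OverQuota("over hard_limit")
    q.reserved += delta


def reserve_counting_allocated(q, delta):
    """Check that treats quota given to subprojects as already spent."""
    if q.allocated + q.in_use + q.reserved + delta > q.hard_limit:
        raise OverQuota("over hard_limit once allocated is counted")
    q.reserved += delta


def reproduce(reserve):
    """Steps 5 and 6 of the report against one of the reserve functions."""
    project_a = QuotaUsage(hard_limit=10)   # assumed limit for project A
    project_b = QuotaUsage(hard_limit=0)    # subproject of A
    set_child_limit(project_a, project_b, 10)   # step 5: all of A's quota to B
    try:
        reserve(project_a, 1)                   # step 6: one volume in A
        return "created"
    except OverQuota:
        return "rejected"
```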