Child project's default quota not enforced

Bug #1531502 reported by Ryan McNair on 2016-01-06
This bug affects 1 person
Affects: Cinder
Importance: High
Assigned to: Ryan McNair

Bug Description

When a child project is created, it correctly shows itself as having a quota of 0 all around.

vagrant@vagrant:/opt/stack/cinder$ cinder quota-show 06a8c218aa4149b29560b251141ae6f1
+-----------------------+-------+
| Property              | Value |
+-----------------------+-------+
| backup_gigabytes      | 0     |
| backups               | 0     |
| gigabytes             | 0     |
| gigabytes_lvmdriver-1 | 0     |
| per_volume_gigabytes  | 0     |
| snapshots             | 0     |
| snapshots_lvmdriver-1 | 0     |
| volumes               | 0     |
| volumes_lvmdriver-1   | 0     |
+-----------------------+-------+

However, you can still create volumes without any issues, verifying the child quota is not getting enforced.

vagrant@vagrant:/opt/stack/cinder$ cinder quota-usage 06a8c218aa4149b29560b251141ae6f1
+-----------------------+--------+----------+-------+
| Type                  | In_use | Reserved | Limit |
+-----------------------+--------+----------+-------+
| backup_gigabytes      | 0      | 0        | 0     |
| backups               | 0      | 0        | 0     |
| gigabytes             | 1      | 0        | 0     |
| gigabytes_lvmdriver-1 | 1      | 0        | 0     |
| per_volume_gigabytes  | 0      | 0        | 0     |
| snapshots             | 0      | 0        | 0     |
| snapshots_lvmdriver-1 | 0      | 0        | 0     |
| volumes               | 1      | 0        | 0     |
| volumes_lvmdriver-1   | 1      | 0        | 0     |
+-----------------------+--------+----------+-------+

You can also see this by adding the following test case to test_quotas.py:
        context = self.req.environ['cinder.context']
        context.project_id = self.B.id
        self.volume_type_name = CONF.default_volume_type
        self.volume_type = db.volume_type_create(
            context,
            dict(name=self.volume_type_name))
        self.addCleanup(db.volume_type_destroy, context,
                        self.volume_type['id'])
        volume = {'name': 'my_vol_name',
                  'id': 'my_vol_id',
                  'size': 1,
                  'project_id': 'vol_project_id',
                  }
        quota_utils.get_volume_type_reservation(context,
                                                volume,
                                                self.volume_type.id,
                                                reserve_vol_type_only=True)

This issue seems to be caused by "parent_project_id" only getting passed in from the 'quota show' path and not as part of the 'create_volume' path, causing the non-child defaults to be used instead of the child default values.

Ryan McNair (rdmcnair) on 2016-01-06
Changed in cinder:
assignee: nobody → Ryan McNair (rdmcnair)
Jay Bryant (jsbryant) on 2016-01-12
Changed in cinder:
importance: Undecided → High
Ryan McNair (rdmcnair) wrote :

To summarize, the issue is that we *can't* enforce child default quotas. The reason for this is because during actions like volume create (where we need to enforce quotas), we do not grab the parent_id for the project. However, since create volume is a non-admin action, we can't simply ask Keystone for the current project to get its parent_project_id.

To solve this we are looking into the following (in preference order):
   1) Adding parent_project_id to the Keystone token
   2) Adding non-admin command in Keystone to retrieve parent_project_id
   3) Use Cinder's "service" user

We will also discuss the general design for NestedQuotas to see if there are any changes we think should be made.
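
The mismatch described in the bug description and the summary above, reduced to a toy model (an added example, not Cinder's code and not part of the original report). The class, the method names and the top-level default of 10 are assumptions; only the child default of 0 and the missing parent_project_id on the create path come from the report.

```python
# Toy model of the defect; all names here are hypothetical, not Cinder's API.
TOP_LEVEL_DEFAULT = 10   # assumed non-child default limit for "volumes"
CHILD_DEFAULT = 0        # child projects default to 0, as shown in the report


class OverQuota(Exception):
    pass


class QuotaEngine:
    def __init__(self, parents):
        self.parents = parents   # project_id -> parent id (stand-in for Keystone)
        self.in_use = {}         # project_id -> volumes currently counted

    def default_limit(self, parent_project_id=None):
        # The default depends entirely on whether the caller supplies a parent.
        return CHILD_DEFAULT if parent_project_id else TOP_LEVEL_DEFAULT

    def show(self, project_id):
        # 'quota show' path: the parent is looked up and passed in.
        return self.default_limit(self.parents.get(project_id))

    def reserve_buggy(self, project_id, count=1):
        # 'create_volume' path as described: no parent_project_id is passed,
        # so the check silently falls back to the top-level default.
        return self._reserve(project_id, count, self.default_limit())

    def reserve_fixed(self, project_id, count=1):
        # Enforcement resolves the parent the same way the display path does.
        limit = self.default_limit(self.parents.get(project_id))
        return self._reserve(project_id, count, limit)

    def _reserve(self, project_id, count, limit):
        used = self.in_use.get(project_id, 0)
        if used + count > limit:
            raise OverQuota(f"{project_id}: {used}+{count} exceeds limit {limit}")
        self.in_use[project_id] = used + count
        return self.in_use[project_id]


def demo():
    engine = QuotaEngine(parents={"child-B": "parent-A"})  # constructed hierarchy
    shown = engine.show("child-B")             # limit the user is shown
    created = engine.reserve_buggy("child-B")  # succeeds despite that limit
    try:
        engine.reserve_fixed("child-B")
        blocked = False
    except OverQuota:
        blocked = True
    return shown, created, blocked
```

The state left behind by the buggy path (usage of 1 against a displayed limit of 0) is the same condition visible in the quota-usage output in the report, so `in_use > limit` on a child project is a useful audit check on deployments that ran with nested quotas before the fix.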

Lin Hua Cheng (lin-hua-cheng) wrote :

Adding the parent_project_id seems like a reasonable ask, I think this was discussed before but just didn't get enough steam.

I'll raise the question at the next Keystone meeting.

Ryan McNair (rdmcnair) wrote :

Keystone portion is being worked on in https://review.openstack.org/#/c/270057/2, and I'm actively working to get the remaining Cinder support in.

Changed in cinder:
status: New → In Progress

Reviewed: https://review.openstack.org/274825
Committed: https://git.openstack.org/cgit/openstack/cinder/commit/?id=7ebd4904b977d29c97447b53fbd718bccfa39969
Submitter: Jenkins
Branch: master

commit 7ebd4904b977d29c97447b53fbd718bccfa39969
Author: Ryan McNair <email address hidden>
Date: Sat Jan 30 16:24:32 2016 +0000

    Split out NestedQuotas into a separate driver

    Fixes the following issues with NestedQuotas:
      * Requires conf setting change to use nested quota driver
      * Enforces default child quota value with volume creation
      * Disables the use of -1 to be set for child quotas
      * Adds an admin only API command which can be used to validate
        the current setup for nested quotas, and can update existing
        allocated quotas in the DB which have been incorrectly set
        by previous use of child limits with -1

    There will be follow-up patches with the following improvements:
      * make -1 limits functional for child projects
      * cache the Keystone project hierarchies to improve efficiency

    Note: ideally validation of nested quotas would occur in the setup
    of the nested quota driver, but doing the validation requires a
    view of ALL projects present in Keystone, so unless we require Keystone
    change to allow "cinder" service user to be able to list/get projects,
    we need the admin-only API for validation that should be called by
    cloud-admin.

    DocImpact

    Change-Id: Ibbd6f47c370d8f10c08cba358574b55e3059dcd1
    Closes-Bug: #1531502
    Partial-Bug: #1537189
    Related-Bug: #1535878

Changed in cinder:
status: In Progress → Fix Released

This issue was fixed in the openstack/cinder 8.0.0.0b3 development milestone.
