OpenStack Compute (nova)

Per-user quotas not scoped correctly when creating a server

Bug #1893284 reported by melanie witt
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Fix Released
Low
melanie witt
Pike
New
Low
Unassigned
Queens
New
Low
Unassigned
Rocky
New
Low
Unassigned
Stein
New
Low
Unassigned
Train
New
Low
Unassigned
Ussuri
Fix Released
Low
melanie witt

Bug Description

While looking into an issue reported on the ML [1] around per-user quotas not working properly, I found a bug where quota checking is not scoped correctly when creating a server.

This causes per-user quota limits not to be honored during these API requests.

The problem is in a utility function we use for checking quota when creating servers:

https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120

The Quotas.check_deltas method needs a user_id keyword arg in order to scope a quota check to a particular user. However, when we call check_num_instances_quota we don't pass a project_id or user_id because at the time of the quota check, we have not yet created an instance record and thus will not use that to determine the appropriate project and user. Instead, we should rely on the RequestContext.project_id and RequestContext.user_id as defaults in this case, but check_num_instances_quota only defaults project_id and not user_id.

check_num_instances_quota should also default user_id to the RequestContext.user_id when user_id is not explicitly passed.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-August/016861.html

See original description
Tags: quotas
melanie witt (melwitt)
summary: - Per-user quotas not scoped correctly when creating or restoring a server
+ Per-user quotas not scoped correctly when creating a server
description: updated
description: updated
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to nova (master)

Fix proposed to branch: master
Review: https://review.opendev.org/748550

Changed in nova:
status: New → In Progress
Revision history for this message
melanie witt (melwitt) wrote :

Changing this to Low considering this has been broken and regressed since Pike (it is latent) :(

Changed in nova:
importance: Medium → Low
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix proposed to nova (master)

Related fix proposed to branch: master
Review: https://review.opendev.org/748779

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Related fix merged to nova (master)

Reviewed: https://review.opendev.org/748779
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=38bc8b871a4b954f6de84f10dc1e8beb21a7c9ed
Submitter: Zuul
Branch: master

commit 38bc8b871a4b954f6de84f10dc1e8beb21a7c9ed
Author: melanie witt <email address hidden>
Date: Fri Aug 28 20:56:51 2020 +0000

    Add regression test for bug 1893284

    This adds a regression test for a bug where quota limit checking during
    server creates is not properly scoped per-user when per-user quota has
    been defined.

    As a result, users who should be able to create a server are rejected
    with a 403 "quota exceeded" error when they should be allowed to create
    a server because servers owned by other users in the project are
    incorrectly being counted for the current user.

    Related-Bug: #1893284

    Change-Id: I615ada45ffcbac081474c0a0cf005afdb8eec953

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to nova (master)

Reviewed: https://review.opendev.org/748550
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4c11d5467a30506a82dd5d32dd22b8958a187c0b
Submitter: Zuul
Branch: master

commit 4c11d5467a30506a82dd5d32dd22b8958a187c0b
Author: melanie witt <email address hidden>
Date: Thu Aug 27 23:34:18 2020 +0000

    Default user_id when not specified in check_num_instances_quota

    The Quotas.check_deltas method needs a user_id keyword arg in order to
    scope a quota check to a particular user. However, when we call
    check_num_instances_quota we don't pass a project_id or user_id because
    at the time of the quota check, we have not yet created an instance
    record and thus will not use that to determine the appropriate project
    and user.

    Instead, we should rely on the RequestContext.project_id and
    RequestContext.user_id as defaults in this case, but
    check_num_instances_quota only defaults project_id and not user_id.

    check_num_instances_quota should also default user_id to the
    RequestContext.user_id when user_id is not explicitly passed.

    check_num_instances_quota should also check whether any per-user quota
    limits are defined for instance-related resources before passing along
    the user_id to scope resource counting and limit checking. Counting
    resources across a user is costly, so we should avoid it if it's not
    needed.

    Closes-Bug: #1893284

    Change-Id: I3cfb1edc30b0bda4671e0d2cc2a8993055dcc9ff

Changed in nova:
status: In Progress → Fix Released
Revision history for this message
melanie witt (melwitt) wrote :

Proposed to stable/ussuri:

https://review.opendev.org/c/openstack/nova/+/777216
https://review.opendev.org/c/openstack/nova/+/777217

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/nova 21.2.0

This issue was fixed in the openstack/nova 21.2.0 release.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.