Per-user quotas not scoped correctly when creating a server

Bug #1893284 reported by melanie witt on 2020-08-27
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
OpenStack Compute (nova)
Low
melanie witt
Pike
Low
Unassigned
Queens
Low
Unassigned
Rocky
Low
Unassigned
Stein
Low
Unassigned
Train
Low
Unassigned
Ussuri
Low
melanie witt

Bug Description

While looking into an issue reported on the ML [1] around per-user quotas not working properly, I found a bug where quota checking is not scoped correctly when creating a server.

This causes per-user quota limits not to be honored during these API requests.

The problem is in a utility function we use for checking quota when creating servers:

https://github.com/openstack/nova/blob/f521f4dbace0e35bedd089369da6f6969da5ca32/nova/compute/utils.py#L1104-L1120

The Quotas.check_deltas method needs a user_id keyword arg in order to scope a quota check to a particular user. However, when we call check_num_instances_quota we don't pass a project_id or user_id because at the time of the quota check, we have not yet created an instance record and thus will not use that to determine the appropriate project and user. Instead, we should rely on the RequestContext.project_id and RequestContext.user_id as defaults in this case, but check_num_instances_quota only defaults project_id and not user_id.

check_num_instances_quota should also default user_id to the RequestContext.user_id when user_id is not explicitly passed.

[1] http://lists.openstack.org/pipermail/openstack-discuss/2020-August/016861.html

melanie witt (melwitt) on 2020-08-27
summary: - Per-user quotas not scoped correctly when creating or restoring a server
+ Per-user quotas not scoped correctly when creating a server
description: updated
description: updated

Fix proposed to branch: master
Review: https://review.opendev.org/748550

Changed in nova:
status: New → In Progress
melanie witt (melwitt) wrote :

Changing this to Low considering this has been broken and regressed since Pike (it is latent) :(

Changed in nova:
importance: Medium → Low

Reviewed: https://review.opendev.org/748779
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=38bc8b871a4b954f6de84f10dc1e8beb21a7c9ed
Submitter: Zuul
Branch: master

commit 38bc8b871a4b954f6de84f10dc1e8beb21a7c9ed
Author: melanie witt <email address hidden>
Date: Fri Aug 28 20:56:51 2020 +0000

    Add regression test for bug 1893284

    This adds a regression test for a bug where quota limit checking during
    server creates is not properly scoped per-user when per-user quota has
    been defined.

    As a result, users who should be able to create a server are rejected
    with a 403 "quota exceeded" error when they should be allowed to create
    a server because servers owned by other users in the project are
    incorrectly being counted for the current user.

    Related-Bug: #1893284

    Change-Id: I615ada45ffcbac081474c0a0cf005afdb8eec953

Reviewed: https://review.opendev.org/748550
Committed: https://git.openstack.org/cgit/openstack/nova/commit/?id=4c11d5467a30506a82dd5d32dd22b8958a187c0b
Submitter: Zuul
Branch: master

commit 4c11d5467a30506a82dd5d32dd22b8958a187c0b
Author: melanie witt <email address hidden>
Date: Thu Aug 27 23:34:18 2020 +0000

    Default user_id when not specified in check_num_instances_quota

    The Quotas.check_deltas method needs a user_id keyword arg in order to
    scope a quota check to a particular user. However, when we call
    check_num_instances_quota we don't pass a project_id or user_id because
    at the time of the quota check, we have not yet created an instance
    record and thus will not use that to determine the appropriate project
    and user.

    Instead, we should rely on the RequestContext.project_id and
    RequestContext.user_id as defaults in this case, but
    check_num_instances_quota only defaults project_id and not user_id.

    check_num_instances_quota should also default user_id to the
    RequestContext.user_id when user_id is not explicitly passed.

    check_num_instances_quota should also check whether any per-user quota
    limits are defined for instance-related resources before passing along
    the user_id to scope resource counting and limit checking. Counting
    resources across a user is costly, so we should avoid it if it's not
    needed.

    Closes-Bug: #1893284

    Change-Id: I3cfb1edc30b0bda4671e0d2cc2a8993055dcc9ff

Changed in nova:
status: In Progress → Fix Released

This issue was fixed in the openstack/nova 21.2.0 release.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers