author | John Garbutt <john@johngarbutt.com> | 2020-03-10 10:25:42 +0000 |
---|---|---|
committer | melanie witt <melwittt@gmail.com> | 2022-02-24 16:21:02 +0000 |
commit | 4207493829a1b1877f643c4a49cd2e079f23859d (patch) | |
tree | 548c2128e594b957caa62a295a0d770d371cc8a7 /nova/api | |
parent | 3b69f959a848bad257f186f491111658b25f24c7 (diff) | |
download | nova-4207493829a1b1877f643c4a49cd2e079f23859d.tar.gz |
Enforce api and db limits

When using unified limits, we add enforcement of those limits on all
related API calls. Note: we do not yet correctly report the configured
limits to users via the quota APIs, that is in a future patch.

Note the unified limits calls are made alongside the existing legacy
quota calls. The old quota calls will be handled by the quota engine
driver, that is basically a no-op. This is to make it easier to remove
the legacy code paths in the future.

Note, over quota exceptions raised with unified limits use the standard
(improved) exception message as those raised by oslo.limit. They
however do use the existing exception code to ease integration. The
user of the API will see the same return codes, no matter which code is
enabled to enforce the limits.

Finally, this also adds test coverage where it was missing. Coverage
for "quota recheck" behavior in KeypairAPI is added where all other
KeypairAPI testing is located. Duplicate coverage is removed from
nova/api/openstack/compute/test_keypairs.py at the same time.

blueprint unified-limits-nova
Change-Id: I36e82a17579158063396d7e55b495ccff4959ceb
Diffstat (limited to 'nova/api')
-rw-r--r-- | nova/api/openstack/compute/server_groups.py | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nova/api/openstack/compute/server_groups.py b/nova/api/openstack/compute/server_groups.py index f490eaabb5..91e5633e4d 100644 --- a/nova/api/openstack/compute/server_groups.py +++ b/nova/api/openstack/compute/server_groups.py @@ -30,6 +30,7 @@ import nova.conf from nova import context as nova_context import nova.exception from nova.i18n import _ +from nova.limit import local as local_limit from nova import objects from nova.objects import service from nova.policies import server_groups as sg_policies @@ -191,6 +192,10 @@ class ServerGroupController(wsgi.Controller): try: objects.Quotas.check_deltas(context, {'server_groups': 1}, project_id, context.user_id) + local_limit.enforce_db_limit(context, local_limit.SERVER_GROUPS, + entity_scope=project_id, delta=1) + except nova.exception.ServerGroupLimitExceeded as e: + raise exc.HTTPForbidden(explanation=str(e)) except nova.exception.OverQuota: msg = _("Quota exceeded, too many server groups.") raise exc.HTTPForbidden(explanation=msg) @@ -231,6 +236,16 @@ class ServerGroupController(wsgi.Controller): objects.Quotas.check_deltas(context, {'server_groups': 0}, project_id, context.user_id) + # TODO(johngarbutt): decide if we need this recheck + # The quota rechecking of limits is really just to protect + # against denial of service attacks that aim to fill up the + # database. Its usefulness could be debated. + local_limit.enforce_db_limit(context, + local_limit.SERVER_GROUPS, + project_id, delta=0) + except nova.exception.ServerGroupLimitExceeded as e: + sg.destroy() + raise exc.HTTPForbidden(explanation=str(e)) except nova.exception.OverQuota: sg.destroy() msg = _("Quota exceeded, too many server groups.") |
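Review bot: In the `@@ -191,6 +192,10 @@` hunk, the new `except nova.exception.ServerGroupLimitExceeded as e` branch returns `str(e)` as the 403 explanation, while the `OverQuota` branch right after it returns the fixed translated string `_("Quota exceeded, too many server groups.")`. The commit message says the different message is intended, but nothing at the handler says so; a one-line comment there would keep a later cleanup from "unifying" the two. Since the exception text now goes straight to the API user, it is also worth a test asserting what that text contains for this path. Whether the order of the two `except` clauses matters depends on the class hierarchy, which is not visible in this hunk, so a test per branch would pin the behaviour.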
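Review bot: In the `@@ -231,6 +236,16 @@` hunk, the recheck call passes `project_id` positionally, whereas the earlier call in this patch uses `entity_scope=project_id`; use the keyword form in both so the two calls read the same and a later signature change cannot silently rebind the argument. The `TODO(johngarbutt)` leaves open whether the recheck stays, with no bug or blueprint reference; because the comment itself names the purpose (protecting against attempts to fill up the database), either settle it before merge or link a tracking item so the protection is not dropped by accident. The new handler also repeats `sg.destroy()` and the `HTTPForbidden` raise from the `OverQuota` branch below it; if `sg.destroy()` can itself fail, both branches lose the 403, so consider sharing the cleanup in one place.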