Bug 2231353
| Field | Value |
|---|---|
| Summary | Nova client creates incorrect user quota when using user name instead of user id |
| Product | Red Hat OpenStack |
| Component | python-novaclient |
| Version | 16.2 (Train) |
| Status | NEW |
| Severity | unspecified |
| Priority | unspecified |
| Type | Bug |
| Reporter | Eric Nothen <enothen> |
| Assignee | OSP DFG:Compute <osp-dfg-compute> |
| QA Contact | OSP DFG:Compute <osp-dfg-compute> |
| CC | apevec, dasmith, eglynn, jhakimra, kchamart, sbauza, sgordon, vromanso |
| Hardware | Unspecified |
| OS | Unspecified |
| Doc Type | If docs needed, set a value |
Even our documentation is showing user name instead of id [0], so customers can successfully create quotas with user names instead of user ids, but they are never actually enforced.

[0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/users_and_identity_management_guide/quota_management#proc_updating-user-quotas_managing-quotas
Description of problem:

When using the nova client to create key-pairs user quotas, the entry in the database is using the user name as the user id, therefore never actually enforcing the quota.

Version-Release number of selected component (if applicable):

16.2

How reproducible:

Always reproducible

Steps to Reproduce:

1. Create project, create user, assign member role to user:

(admin@admin) [stack.lab ~]$ openstack project show -c id -c name keypair-quota-test
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 4fb96e87d5614e979950f635d8ccc8b2 |
| name  | keypair-quota-test               |
+-------+----------------------------------+

2. Default key pairs quota of 100 applies to the project:

(admin@admin) [stack.lab ~]$ openstack quota list --compute --detail --project 4fb96e87d5614e979950f635d8ccc8b2
+----------------------+--------+----------+-------+
| Resource             | In Use | Reserved | Limit |
+----------------------+--------+----------+-------+
| cores                |      0 |        0 |    20 |
| instances            |      0 |        0 |    10 |
| key_pairs            |      0 |        0 |   100 |
| metadata_items       |      0 |        0 |   128 |
| ram                  |      0 |        0 | 51200 |
| server_group_members |      0 |        0 |    10 |
| server_groups        |      0 |        0 |    10 |
+----------------------+--------+----------+-------+
(admin@admin) [stack.lab ~]$

3. Must use the nova client because the openstack cli does not allow for a user quota to be set up:

(admin@admin) [stack.lab ~]$ openstack quota set --help | grep user
(admin@admin) [stack.lab ~]$
(admin@admin) [stack.lab ~]$ nova quota-update
usage: nova quota-update [--user <user-id>] [--instances <instances>]
                         [--cores <cores>] [--ram <ram>]
                         [--metadata-items <metadata-items>]
                         [--key-pairs <key-pairs>]
                         [--server-groups <server-groups>]
                         [--server-group-members <server-group-members>]
                         [--force]
                         <tenant-id>
error: the following arguments are required: <tenant-id>
Try 'nova help quota-update' for more information.
(admin@admin) [stack.lab ~]$

4. Create a user quota by user "name" in the project mentioned above:

(admin@admin) [stack.lab ~]$ nova quota-update --user quotauser --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2
(admin@admin) [stack.lab ~]$

5. Test quota limit by creating key pairs:

(admin@admin) [stack.lab ~]$ source quotauser-keypair-quota-test-rc
(quotauser@keypair-quota-test) [stack.lab ~]$
(quotauser@keypair-quota-test) [stack.lab ~]$ for x in $(seq 1 20) ;do
> openstack keypair create keypair-$x > /dev/null || break
> done
(quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | wc -l
20
(quotauser@keypair-quota-test) [stack.lab ~]$

Actual results:

The limit is not enforced.

Expected results:

The limit should be enforced. Example, when using the user "id" instead of the name, quota limit is correctly enforced:

1. Delete all current quotas

(quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | while read x ;do openstack keypair delete $x; done
(quotauser@keypair-quota-test) [stack.lab ~]$

2. Source admin credentials and get user id:

(quotauser@keypair-quota-test) [stack.lab ~]$ source overcloudrc
(admin@admin) [stack.lab ~]$
(admin@admin) [stack.lab ~]$ openstack user show -c id quotauser
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 77007fc9f4c140e4bb86a5eae3f2ab0b |
+-------+----------------------------------+
(admin@admin) [stack.lab ~]$

3. Create quota limit by user id:

(admin@admin) [stack.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2
(admin@admin) [stack.lab ~]$

4. Test key pair creation again:

(admin@admin) [stack.lab ~]$ source quotauser-keypair-quota-test-rc
(quotauser@keypair-quota-test) [stack.lab ~]$ for x in $(seq 1 20) ;do
> openstack keypair create keypair-$x > /dev/null || break
> done
Quota exceeded, too many key pairs. (HTTP 403) (Request-ID: req-39609d13-7131-4d40-bb26-3d7f1b3364a5)
(quotauser@keypair-quota-test) [stack.lab ~]$
(quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | wc -l
10
(quotauser@keypair-quota-test) [stack.lab ~]$

Additional info:

The database shows that in the first case the user name is used as user_id:

MariaDB [nova_api]> select * from project_user_quotas where project_id="4fb96e87d5614e979950f635d8ccc8b2";
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
| id | created_at          | updated_at | user_id                          | project_id                       | resource  | hard_limit |
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
| 47 | 2023-08-11 10:04:15 | NULL       | quotauser                        | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs |         10 |
| 50 | 2023-08-11 10:08:46 | NULL       | 77007fc9f4c140e4bb86a5eae3f2ab0b | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs |         10 |
+----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+
2 rows in set (0.000 sec)

I know that the nova client help clearly says "--user <user-id>" (and not user name), but so does the --project parameter, and that one has a check to block wrong requests when using the project name:

(admin@admin) [stack.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 20 keypair-quota-test
ERROR (BadRequest): Project ID keypair-quota-test is not a valid project. (HTTP 400) (Request-ID: req-4ec1c846-4360-4b2e-bce8-beefa70ab461)
(admin@admin) [stack.lab ~]$
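
An added example, not part of the original report or of python-novaclient: a Python check that finds `project_user_quotas` rows like row 47 above, whose `user_id` matches no Keystone user ID and so is never enforced. The function name and the input shapes (rows exported from the database, a user ID to name map exported from Keystone) are assumptions; the sample values are the ones shown in the report.

```python
# Added example: audit nova_api.project_user_quotas for rows whose user_id
# is not a real Keystone user ID (such limits are stored but never enforced).

def audit_user_quotas(quota_rows, keystone_users):
    """Return one finding per quota row that can never match a request.

    quota_rows:     dicts with id, user_id, project_id, resource, hard_limit
    keystone_users: dict mapping Keystone user ID -> user name
    """
    # Reverse index: user names are only unique per domain, so one name
    # may correspond to several user IDs.
    ids_by_name = {}
    for uid, name in keystone_users.items():
        ids_by_name.setdefault(name, []).append(uid)

    findings = []
    for row in quota_rows:
        if row["user_id"] in keystone_users:
            continue  # keyed by a real user ID: enforceable
        findings.append({
            "row_id": row["id"],
            "stored_user_id": row["user_id"],
            "project_id": row["project_id"],
            "resource": row["resource"],
            "hard_limit": row["hard_limit"],
            # IDs the operator probably meant; empty if the value is unknown.
            "candidate_user_ids": ids_by_name.get(row["user_id"], []),
        })
    return findings


# Sample input: the two rows and the user ID shown in the report.
PROJECT = "4fb96e87d5614e979950f635d8ccc8b2"
ROWS = [
    {"id": 47, "user_id": "quotauser", "project_id": PROJECT,
     "resource": "key_pairs", "hard_limit": 10},
    {"id": 50, "user_id": "77007fc9f4c140e4bb86a5eae3f2ab0b",
     "project_id": PROJECT, "resource": "key_pairs", "hard_limit": 10},
]
USERS = {"77007fc9f4c140e4bb86a5eae3f2ab0b": "quotauser"}

if __name__ == "__main__":
    for f in audit_user_quotas(ROWS, USERS):
        print("unenforced quota row %(row_id)s: user_id=%(stored_user_id)r "
              "resource=%(resource)s limit=%(hard_limit)s "
              "candidates=%(candidate_user_ids)s" % f)
```

The check compares against the set of existing user IDs rather than an ID format, because Keystone user IDs are not always 32 hexadecimal characters.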