Description of problem: When using the nova client to create key-pairs user quotas, the entry in the database is using the user name as the user id, therefore never actually enforcing the quota. Version-Release number of selected component (if applicable): 16.2 How reproducible: Always reproducible Steps to Reproduce: 1. Create project, create user, assign member role to user: (admin@admin) [stack.lab ~]$ openstack project show -c id -c name keypair-quota-test +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | 4fb96e87d5614e979950f635d8ccc8b2 | | name | keypair-quota-test | +-------+----------------------------------+ 2. Default key pairs quota of 100 applies to the project: (admin@admin) [stack.lab ~]$ openstack quota list --compute --detail --project 4fb96e87d5614e979950f635d8ccc8b2 +----------------------+--------+----------+-------+ | Resource | In Use | Reserved | Limit | +----------------------+--------+----------+-------+ | cores | 0 | 0 | 20 | | instances | 0 | 0 | 10 | | key_pairs | 0 | 0 | 100 | | metadata_items | 0 | 0 | 128 | | ram | 0 | 0 | 51200 | | server_group_members | 0 | 0 | 10 | | server_groups | 0 | 0 | 10 | +----------------------+--------+----------+-------+ (admin@admin) [stack.lab ~]$ 3. Must use the nova client because the openstack cli does not allow for a user quota to be setup: (admin@admin) [stack.lab ~]$ openstack quota set --help | grep user (admin@admin) [stack.lab ~]$ (admin@admin) [stack.lab ~]$ nova quota-update usage: nova quota-update [--user <user-id>] [--instances <instances>] [--cores <cores>] [--ram <ram>] [--metadata-items <metadata-items>] [--key-pairs <key-pairs>] [--server-groups <server-groups>] [--server-group-members <server-group-members>] [--force] <tenant-id> error: the following arguments are required: <tenant-id> Try 'nova help quota-update' for more information. (admin@admin) [stack.lab ~]$ 4. Create a user quota by user "name" in the project mentioned above: (admin@admin) [stack.lab ~]$ nova quota-update --user quotauser --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2 (admin@admin) [stack.lab ~]$ 5. Test quota limit by creating key pairs: (admin@admin) [stack.lab ~]$ source quotauser-keypair-quota-test-rc (quotauser@keypair-quota-test) [stack.lab ~]$ (quotauser@keypair-quota-test) [stack.lab ~]$ for x in $(seq 1 20) ;do > openstack keypair create keypair-$x > /dev/null || break > done (quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | wc -l 20 (quotauser@keypair-quota-test) [stack.lab ~]$ Actual results: The limit is not enforced. Expected results: The limit should be enforced. Example, when using the user "id" instead of the name, quota limit is correctly enforced: 1. Delete all current quotas (quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | while read x ;do openstack keypair delete $x; done (quotauser@keypair-quota-test) [stack.lab ~]$ 2. Source admin credentials and get user id: (quotauser@keypair-quota-test) [stack.lab ~]$ source overcloudrc (admin@admin) [stack.lab ~]$ (admin@admin) [stack.lab ~]$ openstack user show -c id quotauser +-------+----------------------------------+ | Field | Value | +-------+----------------------------------+ | id | 77007fc9f4c140e4bb86a5eae3f2ab0b | +-------+----------------------------------+ (admin@admin) [stack.lab ~]$ 3. Create quota limit by user id: (admin@admin) [stack.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 10 4fb96e87d5614e979950f635d8ccc8b2 (admin@admin) [stack.lab ~]$ 4. Test key pair creation again: (admin@admin) [stack.lab ~]$ source quotauser-keypair-quota-test-rc (quotauser@keypair-quota-test) [stack.lab ~]$ for x in $(seq 1 20) ;do > openstack keypair create keypair-$x > /dev/null || break > done Quota exceeded, too many key pairs. (HTTP 403) (Request-ID: req-39609d13-7131-4d40-bb26-3d7f1b3364a5) (quotauser@keypair-quota-test) [stack.lab ~]$ (quotauser@keypair-quota-test) [stack.lab ~]$ openstack keypair list -c Name -f value | wc -l 10 (quotauser@keypair-quota-test) [stack.lab ~]$ Additional info: The database shows that in the first case the user name is used as user_id: MariaDB [nova_api]> select * from project_user_quotas where project_id="4fb96e87d5614e979950f635d8ccc8b2"; +----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+ | id | created_at | updated_at | user_id | project_id | resource | hard_limit | +----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+ | 47 | 2023-08-11 10:04:15 | NULL | quotauser | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs | 10 | | 50 | 2023-08-11 10:08:46 | NULL | 77007fc9f4c140e4bb86a5eae3f2ab0b | 4fb96e87d5614e979950f635d8ccc8b2 | key_pairs | 10 | +----+---------------------+------------+----------------------------------+----------------------------------+-----------+------------+ 2 rows in set (0.000 sec) I know that the nova client help clearly says "--user <user-id>" (and not user name), but so does the --project parameter, and that one has a check to block wrong requests when using the project name: (admin@admin) [stack.lab ~]$ nova quota-update --user 77007fc9f4c140e4bb86a5eae3f2ab0b --key-pairs 20 keypair-quota-test ERROR (BadRequest): Project ID keypair-quota-test is not a valid project. (HTTP 400) (Request-ID: req-4ec1c846-4360-4b2e-bce8-beefa70ab461) (admin@admin) [stack.lab ~]$
Even our documentation is showing user name instead of id [0], so customers can successfully create quotas with user names instead of user ids, but they are never actually enforced. [0] https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/16.2/html/users_and_identity_management_guide/quota_management#proc_updating-user-quotas_managing-quotas