openstack
/
barbican-specs
Code Issues Proposed changes

Update Quota Blueprint Spec with New Details 

Changes to spec to treat configured project values as a REST object.
This implies some changes on how to handle specific CRUD operations.

Change the data model to move away from previous generic design
to a Barbican quota specific model.

Changes for specific use cases based on reviews, discussion, and and
community consensus.

Change-Id: Ie46eb9e7918c4e719437af7fc31d76db7aa8abb5
Relates-to: blueprint quota-support-on-barbican-resources
This commit is contained in:
Dave McCowan 2015-07-20 10:38:44 -04:00
parent f31ceb754f
commit 15ebc25606
1 changed files with 96 additions and 80 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

176
specs/liberty/quota-support-for-barbican-resources.rst
View File

@ -48,7 +48,8 @@ Proposed Change
=============== ===============
Introduce quotas for all Barbican resources. The quotas should have Introduce quotas for all Barbican resources. The quotas should have
reasonably high values as defaults. The following resources will unlimited values as defaults, to ensure backwards compatibility with
the current code that supports no quotas. The following resources will
have quota support: have quota support:
* secrets * secrets
@ -60,7 +61,7 @@ have quota support:
*Note:* *Note:*
This proposal is a simpler subset of the quota implementation done This proposal is a simpler subset of the quota implementation done
by oslo.common.quota.py. Barbican does not have any reservable resources by Nova and Cinder. Barbican does not have any reservable resources
and so the quotas are much simpler in that there is no usage tracking and and so the quotas are much simpler in that there is no usage tracking and
reservations. Also, project-user level quota enforcement is not covered reservations. Also, project-user level quota enforcement is not covered
by this spec. by this spec.
@ -93,32 +94,38 @@ quota limits:
:: ::
# ====================== Quota Options ===============================
[quotas] [quotas]
enabled = true # For each resource, the default maximum number that can be used for
# a project is set below. This value can be overridden for each
# project through the API. A negative value means no limit. A zero
# value effectively disables creation of the resource.
# number of secrets allowed per project # default number of secrets allowed per project
quota_secrets = 500 quota_secrets = -1
# number of orders allowed per project # default number of orders allowed per project
quota_orders = 100 quota_orders = -1
# number of containers allowed per project # default number of containers allowed per project
quota_containers = -1 quota_containers = -1
# Note, a negative value signifies unlimited
# number of transport_keys allowed per project # default number of transport_keys allowed per project
quota_transport_keys = 100 quota_transport_keys = -1
# default number of consumers allowed per project
quota_consumers = -1
# number of consumers allowed per project
quota_consumers = 100
A number >=0 for the quota_<value> indicates the max A number >=0 for the quota_<value> indicates the max
limit for that resource and a negative value means unlimited. A value limit for that resource and a negative value means unlimited. A value
of zero indicates a maximum of zero instances of that resource, effectively of zero indicates a maximum of zero instances of that resource, effectively
disabling creation of that entity. disabling creation of that entity. To ensure backwards compatibility, the
provided default for the defaults will be -1 (unlimited) for each resource.
While these generic quotas apply to all projects, there will While these generic quotas apply to all projects, there will
also be support to enforce quotas per project. also be support to define and enforce quotas per project.
The priority in which the quotas are enforced is then: The priority in which the quotas are enforced is then:
[per project quotas] => [default quotas] [per project quotas] => [default quotas]
@ -137,8 +144,8 @@ A REST API for Barbican administrators for the quota CRUD operations will be
implemented as well. Non-admin users will be provided with a REST API to get implemented as well. Non-admin users will be provided with a REST API to get
their own effective quotas for various resources. Keystone RBAC checks will their own effective quotas for various resources. Keystone RBAC checks will
be employed to decide if a caller has the required admin role to perform be employed to decide if a caller has the required admin role to perform
these admin-only operations. The admin endpoint of Barbican will not be used. these admin-only operations. The details of this is discussed in a later
The details of this is discussed in a later section below. section below.
Alternatives Alternatives
@ -148,7 +155,8 @@ An attempt was made to create an oslo.common library with quota support
for all OpenStack projects. The first attempt was committed to oslo, however for all OpenStack projects. The first attempt was committed to oslo, however
it has been deprecated and has not been adopted by any projects. A second it has been deprecated and has not been adopted by any projects. A second
attempt was started, but has been put on hold with no current plans to restart. attempt was started, but has been put on hold with no current plans to restart.
There is no other common OpenStack library implementing quotas for Barbican to adopt. There is no other common OpenStack library implementing quotas for Barbican
to adopt.
The quota configuration and logic will be derived by looking at quota The quota configuration and logic will be derived by looking at quota
implementations done by other OpenStack projects like nova, cinder implementations done by other OpenStack projects like nova, cinder
@ -168,21 +176,26 @@ The following new data models will be added:
* ProjectQuota * ProjectQuota
Represents a single quota override for a project. Represents quotas override for a project.
If there is no row for a given project id and resource, then the If there is no row for a given project id, then the
default for the deployment is used. If the row is present but the hard default for the deployment is used. If the quota value for a resource
limit is "-1" (no quotes), then the resource is unlimited. is null, then the default for that resource for the deployment is used.
If the quota value for a resource is 0, creation of that resource is
disabled. If the quota value for a resource is -1, creation of that
resource is not limited by quota enforcement logic.
Schema: (table name: **project_quota**) Schema: (table name: **project_quotas**)
* id: Integer, Primary Key * project_id: String(36) ForeignKey projects.id, nullable=False
* project_id: String(255) * secrets: Integer, nullable=True
* resource: String(255), nullable=False, one of "secrets","orders", * orders: Integer, nullable=True
"containers","transport_keys", "consumers" * containers: Integer, nullable=True
* hard_limit: Integer * transport_keys: Integer, nullable=True
* consumers: Integer, nullable=True
**Constraints**: project_id + resource should be unique **Constraints**: project_id must be unique
project_id must exist as projects.id
* Changes to existing models: * Changes to existing models:
@ -212,9 +225,9 @@ other APIs require the caller to have admin role.
* Expected error http response code(s) * Expected error http response code(s)
* 401 Unauthorized - If the auth token is not present or invalid * 401 Unauthorized - If the auth token is not present or invalid.
* 404 Not Found - If using unauthenticated context and X-Project-Id Also, if using the unauthenticated context and
header is not present in the request the X-Project-Id header is not present in the request.
* Required request headers * Required request headers
@ -281,10 +294,13 @@ other APIs require the caller to have admin role.
* List all project quotas (admin only) * List all project quotas (admin only)
* Lists all project level resource quotas across all users for all * Lists all configured project level resource quotas across all users for all
projects. If there are only project specific quotas for few resources projects. If a project does not have project specific quotas configured,
for a project, this call will return defaults for other resources in that that project is not included in the returned list.
project. If there are only project specific quotas for a subset of resources
for a project, this call will return null for those resources without a
configured value in that project. The returned list will be sorted
by create date, and support standard limit/offset paging.
* GET /v1/project-quotas?limit=x&offset=y (Admin only) * GET /v1/project-quotas?limit=x&offset=y (Admin only)
@ -293,15 +309,14 @@ other APIs require the caller to have admin role.
* Expected error http response code(s) * Expected error http response code(s)
* 401 Unauthorized - If the auth token is not present or invalid * 401 Unauthorized - If the auth token is not present or invalid.
* 404 Not Found - If using unauthenticated context and X-Project-Id Also, if using the unauthenticated context and
header is not present in the request the X-Project-Id header is not present in the request.
* Required request headers * Required request headers
X-Auth-Token, if using keystone auth X-Auth-Token, if using keystone auth
* Parameters * Parameters
limit(optional), integer, maximum number of records retrieved limit(optional), integer, maximum number of records retrieved
@ -364,10 +379,10 @@ other APIs require the caller to have admin role.
"project_id": "1234", "project_id": "1234",
"project_quotas": { "project_quotas": {
"secrets": 2000, "secrets": 2000,
"orders": 1000, "orders": 0,
"containers": 500, "containers": -1,
"transport_keys": 100, "transport_keys": 100,
"consumers": 10000 "consumers": null
} }
}, },
{ {
@ -375,9 +390,9 @@ other APIs require the caller to have admin role.
"project_quotas": { "project_quotas": {
"secrets": 200, "secrets": 200,
"orders": 100, "orders": 100,
"containers": 100, "containers": -1,
"transport_keys": 50, "transport_keys": 0,
"consumers": 500 "consumers": null
} }
}, },
] ]
@ -386,9 +401,12 @@ other APIs require the caller to have admin role.
* Get quotas for a specific project (admin only) * Get quotas for a specific project (admin only)
* Returns a list of all resource quotas for the specified project. If there * Returns a set of configured resource quotas for the specified project.
are only project specific quotas for few resources for a project, this call If no project specific quota values have been configured (or if the
will return defaults for other resources in that project. project does not exist), the API responds with Not Found. If there are
only project specific quotas for a subset of resources for a project, this
call will return null for those resources without a configured value in
that project.
* GET /v1/project-quotas/{project_id} * GET /v1/project-quotas/{project_id}
@ -397,9 +415,11 @@ other APIs require the caller to have admin role.
* Expected error http response code(s) * Expected error http response code(s)
* 401 Unauthorized - If the auth token is not present or invalid * 401 Unauthorized - If the auth token is not present or invalid.
* 404 Not Found - If using unauthenticated context and X-Project-Id Also, if using the unauthenticated context and
header is not present in the request the X-Project-Id header is not present in the request.
* 404 Not Found - If there are no project quota settings to delete
for the specified project.
* Required request headers * Required request headers
@ -447,8 +467,8 @@ other APIs require the caller to have admin role.
"project_quotas": { "project_quotas": {
"secrets": 10, "secrets": 10,
"orders": 20, "orders": 20,
"containers": 10, "containers": -1,
"transport_keys": 5, "transport_keys": null,
"consumers": 10 "consumers": 10
} }
} }
@ -456,21 +476,23 @@ other APIs require the caller to have admin role.
* Update/Set quotas for a specific project (admin only) * Update/Set quotas for a specific project (admin only)
* Updates and returns a list of resource quotas for the specified project. * Creates or updates the configured resource quotas for the specified
It is not required to specify limits for all Barbican resources. If a project. It is not required to specify limits for all Barbican resources.
resource is not specified, the default limits are used for that If a value for a resource is not specified, the default limits will be
resource. used for that resource. If the specified project is not previously
known to Barbican, a new entry to the projects table will be created.
* PUT /v1/project-quotas/{project_id} * PUT /v1/project-quotas/{project_id}
* Normal http response code(s) * Normal http response code(s)
204 No Content 204 No Content
* Expected error http response code(s) * Expected error http response code(s)
* 401 Unauthorized - If the auth token is not present or invalid * 401 Unauthorized - If the auth token is not present or invalid.
* 404 Not Found - If using unauthenticated context and X-Project-Id Also, if using the unauthenticated context and
header is not present in the request the X-Project-Id header is not present in the request.
* 400 Bad Request - If the request payload doesn't confirm to schema * 400 Bad Request - If the request payload doesn't confirm to schema
* Required request headers * Required request headers
@ -525,24 +547,16 @@ other APIs require the caller to have admin role.
Response: Response:
200 OK 204 OK
{
"project_quotas": {
"secrets": 10,
"orders": 20,
"containers": 10,
"transport_keys": 5,
"consumers": 10
}
}
* Delete quotas for a specific project (admin only) * Delete quotas for a specific project (admin only)
* Deletes project specific resource quotas for the specified project. * Deletes the configured resource quotas for the specified
After this call succeeds, the default resource quotas will be project. After this call succeeds, the default resource quotas will be
returned for subsequent calls by the user to list effective quotas. returned for subsequent calls by the user to list effective quotas. If
there are no project specific quota configuration, or the project is
not previously known in Barbican, Not Found is returned.
* DELETE v1/project-quotas/{project_id} * DELETE v1/project-quotas/{project_id}
@ -554,9 +568,12 @@ other APIs require the caller to have admin role.
* Expected error http response code(s) * Expected error http response code(s)
* 401 Unauthorized - If the auth token is not present or invalid * 401 Unauthorized - If the auth token is not present or invalid.
* 404 Not Found - If using unauthenticated context and X-Project-Id Also, if using the unauthenticated context and
header is not present in the request the X-Project-Id header is not present in the request.
* 404 Not Found - If there are no project quota settings to delete
for the specified project or the project is unknown
to Barbican.
* Required request headers * Required request headers
@ -728,8 +745,7 @@ TBD
Testing Testing
======= =======
New unit tests and functional tests need to be added.
New unit tests, functional tests, and tempest tests need to be added. Details TBD
Documentation Impact Documentation Impact