Update Quota Blueprint Spec with New Details
Changes to spec to treat configured project values as a REST object. This implies some changes on how to handle specific CRUD operations. Change the data model to move away from previous generic design to a Barbican quota specific model. Changes for specific use cases based on reviews, discussion, and and community consensus. Change-Id: Ie46eb9e7918c4e719437af7fc31d76db7aa8abb5 Relates-to: blueprint quota-support-on-barbican-resources
This commit is contained in:
parent
f31ceb754f
commit
15ebc25606
@ -48,7 +48,8 @@ Proposed Change
|
|||||||
===============
|
===============
|
||||||
|
|
||||||
Introduce quotas for all Barbican resources. The quotas should have
|
Introduce quotas for all Barbican resources. The quotas should have
|
||||||
reasonably high values as defaults. The following resources will
|
unlimited values as defaults, to ensure backwards compatibility with
|
||||||
|
the current code that supports no quotas. The following resources will
|
||||||
have quota support:
|
have quota support:
|
||||||
|
|
||||||
* secrets
|
* secrets
|
||||||
@ -60,7 +61,7 @@ have quota support:
|
|||||||
*Note:*
|
*Note:*
|
||||||
|
|
||||||
This proposal is a simpler subset of the quota implementation done
|
This proposal is a simpler subset of the quota implementation done
|
||||||
by oslo.common.quota.py. Barbican does not have any reservable resources
|
by Nova and Cinder. Barbican does not have any reservable resources
|
||||||
and so the quotas are much simpler in that there is no usage tracking and
|
and so the quotas are much simpler in that there is no usage tracking and
|
||||||
reservations. Also, project-user level quota enforcement is not covered
|
reservations. Also, project-user level quota enforcement is not covered
|
||||||
by this spec.
|
by this spec.
|
||||||
@ -93,32 +94,38 @@ quota limits:
|
|||||||
|
|
||||||
::
|
::
|
||||||
|
|
||||||
|
# ====================== Quota Options ===============================
|
||||||
|
|
||||||
[quotas]
|
[quotas]
|
||||||
enabled = true
|
# For each resource, the default maximum number that can be used for
|
||||||
|
# a project is set below. This value can be overridden for each
|
||||||
|
# project through the API. A negative value means no limit. A zero
|
||||||
|
# value effectively disables creation of the resource.
|
||||||
|
|
||||||
# number of secrets allowed per project
|
# default number of secrets allowed per project
|
||||||
quota_secrets = 500
|
quota_secrets = -1
|
||||||
|
|
||||||
# number of orders allowed per project
|
# default number of orders allowed per project
|
||||||
quota_orders = 100
|
quota_orders = -1
|
||||||
|
|
||||||
# number of containers allowed per project
|
# default number of containers allowed per project
|
||||||
quota_containers = -1
|
quota_containers = -1
|
||||||
# Note, a negative value signifies unlimited
|
|
||||||
|
|
||||||
# number of transport_keys allowed per project
|
# default number of transport_keys allowed per project
|
||||||
quota_transport_keys = 100
|
quota_transport_keys = -1
|
||||||
|
|
||||||
|
# default number of consumers allowed per project
|
||||||
|
quota_consumers = -1
|
||||||
|
|
||||||
# number of consumers allowed per project
|
|
||||||
quota_consumers = 100
|
|
||||||
|
|
||||||
A number >=0 for the quota_<value> indicates the max
|
A number >=0 for the quota_<value> indicates the max
|
||||||
limit for that resource and a negative value means unlimited. A value
|
limit for that resource and a negative value means unlimited. A value
|
||||||
of zero indicates a maximum of zero instances of that resource, effectively
|
of zero indicates a maximum of zero instances of that resource, effectively
|
||||||
disabling creation of that entity.
|
disabling creation of that entity. To ensure backwards compatibility, the
|
||||||
|
provided default for the defaults will be -1 (unlimited) for each resource.
|
||||||
|
|
||||||
While these generic quotas apply to all projects, there will
|
While these generic quotas apply to all projects, there will
|
||||||
also be support to enforce quotas per project.
|
also be support to define and enforce quotas per project.
|
||||||
The priority in which the quotas are enforced is then:
|
The priority in which the quotas are enforced is then:
|
||||||
[per project quotas] => [default quotas]
|
[per project quotas] => [default quotas]
|
||||||
|
|
||||||
@ -137,8 +144,8 @@ A REST API for Barbican administrators for the quota CRUD operations will be
|
|||||||
implemented as well. Non-admin users will be provided with a REST API to get
|
implemented as well. Non-admin users will be provided with a REST API to get
|
||||||
their own effective quotas for various resources. Keystone RBAC checks will
|
their own effective quotas for various resources. Keystone RBAC checks will
|
||||||
be employed to decide if a caller has the required admin role to perform
|
be employed to decide if a caller has the required admin role to perform
|
||||||
these admin-only operations. The admin endpoint of Barbican will not be used.
|
these admin-only operations. The details of this is discussed in a later
|
||||||
The details of this is discussed in a later section below.
|
section below.
|
||||||
|
|
||||||
|
|
||||||
Alternatives
|
Alternatives
|
||||||
@ -148,7 +155,8 @@ An attempt was made to create an oslo.common library with quota support
|
|||||||
for all OpenStack projects. The first attempt was committed to oslo, however
|
for all OpenStack projects. The first attempt was committed to oslo, however
|
||||||
it has been deprecated and has not been adopted by any projects. A second
|
it has been deprecated and has not been adopted by any projects. A second
|
||||||
attempt was started, but has been put on hold with no current plans to restart.
|
attempt was started, but has been put on hold with no current plans to restart.
|
||||||
There is no other common OpenStack library implementing quotas for Barbican to adopt.
|
There is no other common OpenStack library implementing quotas for Barbican
|
||||||
|
to adopt.
|
||||||
|
|
||||||
The quota configuration and logic will be derived by looking at quota
|
The quota configuration and logic will be derived by looking at quota
|
||||||
implementations done by other OpenStack projects like nova, cinder
|
implementations done by other OpenStack projects like nova, cinder
|
||||||
@ -168,21 +176,26 @@ The following new data models will be added:
|
|||||||
|
|
||||||
* ProjectQuota
|
* ProjectQuota
|
||||||
|
|
||||||
Represents a single quota override for a project.
|
Represents quotas override for a project.
|
||||||
|
|
||||||
If there is no row for a given project id and resource, then the
|
If there is no row for a given project id, then the
|
||||||
default for the deployment is used. If the row is present but the hard
|
default for the deployment is used. If the quota value for a resource
|
||||||
limit is "-1" (no quotes), then the resource is unlimited.
|
is null, then the default for that resource for the deployment is used.
|
||||||
|
If the quota value for a resource is 0, creation of that resource is
|
||||||
|
disabled. If the quota value for a resource is -1, creation of that
|
||||||
|
resource is not limited by quota enforcement logic.
|
||||||
|
|
||||||
Schema: (table name: **project_quota**)
|
Schema: (table name: **project_quotas**)
|
||||||
|
|
||||||
* id: Integer, Primary Key
|
* project_id: String(36) ForeignKey projects.id, nullable=False
|
||||||
* project_id: String(255)
|
* secrets: Integer, nullable=True
|
||||||
* resource: String(255), nullable=False, one of "secrets","orders",
|
* orders: Integer, nullable=True
|
||||||
"containers","transport_keys", "consumers"
|
* containers: Integer, nullable=True
|
||||||
* hard_limit: Integer
|
* transport_keys: Integer, nullable=True
|
||||||
|
* consumers: Integer, nullable=True
|
||||||
|
|
||||||
**Constraints**: project_id + resource should be unique
|
**Constraints**: project_id must be unique
|
||||||
|
project_id must exist as projects.id
|
||||||
|
|
||||||
|
|
||||||
* Changes to existing models:
|
* Changes to existing models:
|
||||||
@ -212,9 +225,9 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Expected error http response code(s)
|
* Expected error http response code(s)
|
||||||
|
|
||||||
* 401 Unauthorized - If the auth token is not present or invalid
|
* 401 Unauthorized - If the auth token is not present or invalid.
|
||||||
* 404 Not Found - If using unauthenticated context and X-Project-Id
|
Also, if using the unauthenticated context and
|
||||||
header is not present in the request
|
the X-Project-Id header is not present in the request.
|
||||||
|
|
||||||
* Required request headers
|
* Required request headers
|
||||||
|
|
||||||
@ -281,10 +294,13 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* List all project quotas (admin only)
|
* List all project quotas (admin only)
|
||||||
|
|
||||||
* Lists all project level resource quotas across all users for all
|
* Lists all configured project level resource quotas across all users for all
|
||||||
projects. If there are only project specific quotas for few resources
|
projects. If a project does not have project specific quotas configured,
|
||||||
for a project, this call will return defaults for other resources in that
|
that project is not included in the returned list.
|
||||||
project.
|
If there are only project specific quotas for a subset of resources
|
||||||
|
for a project, this call will return null for those resources without a
|
||||||
|
configured value in that project. The returned list will be sorted
|
||||||
|
by create date, and support standard limit/offset paging.
|
||||||
|
|
||||||
* GET /v1/project-quotas?limit=x&offset=y (Admin only)
|
* GET /v1/project-quotas?limit=x&offset=y (Admin only)
|
||||||
|
|
||||||
@ -293,15 +309,14 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Expected error http response code(s)
|
* Expected error http response code(s)
|
||||||
|
|
||||||
* 401 Unauthorized - If the auth token is not present or invalid
|
* 401 Unauthorized - If the auth token is not present or invalid.
|
||||||
* 404 Not Found - If using unauthenticated context and X-Project-Id
|
Also, if using the unauthenticated context and
|
||||||
header is not present in the request
|
the X-Project-Id header is not present in the request.
|
||||||
|
|
||||||
* Required request headers
|
* Required request headers
|
||||||
|
|
||||||
X-Auth-Token, if using keystone auth
|
X-Auth-Token, if using keystone auth
|
||||||
|
|
||||||
|
|
||||||
* Parameters
|
* Parameters
|
||||||
|
|
||||||
limit(optional), integer, maximum number of records retrieved
|
limit(optional), integer, maximum number of records retrieved
|
||||||
@ -364,10 +379,10 @@ other APIs require the caller to have admin role.
|
|||||||
"project_id": "1234",
|
"project_id": "1234",
|
||||||
"project_quotas": {
|
"project_quotas": {
|
||||||
"secrets": 2000,
|
"secrets": 2000,
|
||||||
"orders": 1000,
|
"orders": 0,
|
||||||
"containers": 500,
|
"containers": -1,
|
||||||
"transport_keys": 100,
|
"transport_keys": 100,
|
||||||
"consumers": 10000
|
"consumers": null
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
@ -375,9 +390,9 @@ other APIs require the caller to have admin role.
|
|||||||
"project_quotas": {
|
"project_quotas": {
|
||||||
"secrets": 200,
|
"secrets": 200,
|
||||||
"orders": 100,
|
"orders": 100,
|
||||||
"containers": 100,
|
"containers": -1,
|
||||||
"transport_keys": 50,
|
"transport_keys": 0,
|
||||||
"consumers": 500
|
"consumers": null
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
]
|
]
|
||||||
@ -386,9 +401,12 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Get quotas for a specific project (admin only)
|
* Get quotas for a specific project (admin only)
|
||||||
|
|
||||||
* Returns a list of all resource quotas for the specified project. If there
|
* Returns a set of configured resource quotas for the specified project.
|
||||||
are only project specific quotas for few resources for a project, this call
|
If no project specific quota values have been configured (or if the
|
||||||
will return defaults for other resources in that project.
|
project does not exist), the API responds with Not Found. If there are
|
||||||
|
only project specific quotas for a subset of resources for a project, this
|
||||||
|
call will return null for those resources without a configured value in
|
||||||
|
that project.
|
||||||
|
|
||||||
* GET /v1/project-quotas/{project_id}
|
* GET /v1/project-quotas/{project_id}
|
||||||
|
|
||||||
@ -397,9 +415,11 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Expected error http response code(s)
|
* Expected error http response code(s)
|
||||||
|
|
||||||
* 401 Unauthorized - If the auth token is not present or invalid
|
* 401 Unauthorized - If the auth token is not present or invalid.
|
||||||
* 404 Not Found - If using unauthenticated context and X-Project-Id
|
Also, if using the unauthenticated context and
|
||||||
header is not present in the request
|
the X-Project-Id header is not present in the request.
|
||||||
|
* 404 Not Found - If there are no project quota settings to delete
|
||||||
|
for the specified project.
|
||||||
|
|
||||||
* Required request headers
|
* Required request headers
|
||||||
|
|
||||||
@ -447,8 +467,8 @@ other APIs require the caller to have admin role.
|
|||||||
"project_quotas": {
|
"project_quotas": {
|
||||||
"secrets": 10,
|
"secrets": 10,
|
||||||
"orders": 20,
|
"orders": 20,
|
||||||
"containers": 10,
|
"containers": -1,
|
||||||
"transport_keys": 5,
|
"transport_keys": null,
|
||||||
"consumers": 10
|
"consumers": 10
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -456,21 +476,23 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Update/Set quotas for a specific project (admin only)
|
* Update/Set quotas for a specific project (admin only)
|
||||||
|
|
||||||
* Updates and returns a list of resource quotas for the specified project.
|
* Creates or updates the configured resource quotas for the specified
|
||||||
It is not required to specify limits for all Barbican resources. If a
|
project. It is not required to specify limits for all Barbican resources.
|
||||||
resource is not specified, the default limits are used for that
|
If a value for a resource is not specified, the default limits will be
|
||||||
resource.
|
used for that resource. If the specified project is not previously
|
||||||
|
known to Barbican, a new entry to the projects table will be created.
|
||||||
|
|
||||||
* PUT /v1/project-quotas/{project_id}
|
* PUT /v1/project-quotas/{project_id}
|
||||||
|
|
||||||
* Normal http response code(s)
|
* Normal http response code(s)
|
||||||
|
|
||||||
204 No Content
|
204 No Content
|
||||||
|
|
||||||
* Expected error http response code(s)
|
* Expected error http response code(s)
|
||||||
|
|
||||||
* 401 Unauthorized - If the auth token is not present or invalid
|
* 401 Unauthorized - If the auth token is not present or invalid.
|
||||||
* 404 Not Found - If using unauthenticated context and X-Project-Id
|
Also, if using the unauthenticated context and
|
||||||
header is not present in the request
|
the X-Project-Id header is not present in the request.
|
||||||
* 400 Bad Request - If the request payload doesn't confirm to schema
|
* 400 Bad Request - If the request payload doesn't confirm to schema
|
||||||
|
|
||||||
* Required request headers
|
* Required request headers
|
||||||
@ -525,24 +547,16 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
Response:
|
Response:
|
||||||
|
|
||||||
200 OK
|
204 OK
|
||||||
|
|
||||||
{
|
|
||||||
"project_quotas": {
|
|
||||||
"secrets": 10,
|
|
||||||
"orders": 20,
|
|
||||||
"containers": 10,
|
|
||||||
"transport_keys": 5,
|
|
||||||
"consumers": 10
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
* Delete quotas for a specific project (admin only)
|
* Delete quotas for a specific project (admin only)
|
||||||
|
|
||||||
* Deletes project specific resource quotas for the specified project.
|
* Deletes the configured resource quotas for the specified
|
||||||
After this call succeeds, the default resource quotas will be
|
project. After this call succeeds, the default resource quotas will be
|
||||||
returned for subsequent calls by the user to list effective quotas.
|
returned for subsequent calls by the user to list effective quotas. If
|
||||||
|
there are no project specific quota configuration, or the project is
|
||||||
|
not previously known in Barbican, Not Found is returned.
|
||||||
|
|
||||||
* DELETE v1/project-quotas/{project_id}
|
* DELETE v1/project-quotas/{project_id}
|
||||||
|
|
||||||
@ -554,9 +568,12 @@ other APIs require the caller to have admin role.
|
|||||||
|
|
||||||
* Expected error http response code(s)
|
* Expected error http response code(s)
|
||||||
|
|
||||||
* 401 Unauthorized - If the auth token is not present or invalid
|
* 401 Unauthorized - If the auth token is not present or invalid.
|
||||||
* 404 Not Found - If using unauthenticated context and X-Project-Id
|
Also, if using the unauthenticated context and
|
||||||
header is not present in the request
|
the X-Project-Id header is not present in the request.
|
||||||
|
* 404 Not Found - If there are no project quota settings to delete
|
||||||
|
for the specified project or the project is unknown
|
||||||
|
to Barbican.
|
||||||
|
|
||||||
* Required request headers
|
* Required request headers
|
||||||
|
|
||||||
@ -728,8 +745,7 @@ TBD
|
|||||||
|
|
||||||
Testing
|
Testing
|
||||||
=======
|
=======
|
||||||
|
New unit tests and functional tests need to be added.
|
||||||
New unit tests, functional tests, and tempest tests need to be added. Details TBD
|
|
||||||
|
|
||||||
|
|
||||||
Documentation Impact
|
Documentation Impact
|
||||||
|
Loading…
Reference in New Issue
Block a user