designate/doc/source/admin/quotas.rst
Michael Johnson 2f17dd20e2 Update Quotas documentation
This patch updates the quotas documentation to include all of the available
quota management actions available in the Designate API. It also adds
OpenStack Client command examples for each action.

Change-Id: I5eec83e8c8afb356062bd8c883285645233dd6a3
2021-10-05 18:10:19 +00:00

8.8 KiB

View and Manage Quotas

Quotas exist in Designate for various resources. You can configure quotas globally or on a per-project basis.

Viewing Quotas

The Designate plugin for the OpenStack Client allows users to query their current quota using the dns quota list command.

$ openstack dns quota list
+-------------------+-------+
| Field             | Value |
+-------------------+-------+
| api_export_size   | 1000  |
| recordset_records | 20    |
| zone_records      | 500   |
| zone_recordsets   | 500   |
| zones             | 10    |
+-------------------+-------+

Users can also view their quotas with a simple View Current Project's Quotas Designate API call:

GET /v2/quotas/ HTTP/1.1
Accept: application/json
Content-Type: application/json

Response:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-bfcd0723-624c-4ec2-bbd5-99e985efe8db

{
  "api_export_size": 1000,
  "recordset_records": 20,
  "zone_records": 500,
  "zone_recordsets": 500,
  "zones": 10
}

Administrators with a cross-project read role can query the quotas for other projects using the --project-id option to the dns quota list command or by specifying a project_id when making the View Quotas Designate API call.

$ openstack dns quota list --project-id ecd4341280d645e5959d32a4b7659da1
+-------------------+-------+
| Field             | Value |
+-------------------+-------+
| api_export_size   | 1000  |
| recordset_records | 20    |
| zone_records      | 500   |
| zone_recordsets   | 500   |
| zones             | 20    |
+-------------------+-------+
GET /v2/quotas/ecd4341280d645e5959d32a4b7659da1 HTTP/1.1
Accept: application/json
Content-Type: application/json

Modifying Quotas

You can edit Designate quotas on a per-project basis. An administrator can edit quotas for any project, but they must have an all_tenants role or use a system scoped admin token.

Administrators can set a custom quota for a project using the OpenStack Client dns quota set command.

$ openstack dns quota set --project-id ecd4341280d645e5959d32a4b7659da1 --zones 30
+-------------------+-------+
| Field             | Value |
+-------------------+-------+
| api_export_size   | 1000  |
| recordset_records | 20    |
| zone_records      | 500   |
| zone_recordsets   | 500   |
| zones             | 30    |
+-------------------+-------+

Below is an example of setting a quota using the Set Quotas Designate API.

PATCH /v2/quotas/ecd4341280d645e5959d32a4b7659da1 HTTP/1.1
Accept: application/json
Content-Type: application/json
X-Auth-All-Projects: True

{
  "zones": 30
}

The response would be:

HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
X-Openstack-Request-Id: req-ee264c7d-d9f3-4de8-92ec-7de4dc93a255

{
  "api_export_size": 1000,
  "recordset_records": 20,
  "zone_records": 500,
  "zone_recordsets": 500,
  "zones": 30
}

Resetting Quotas

You can reset custom quotas for a project to their default values by using the dns quota reset command. Administrators can reset quotas for any project, but they must have an all_tenants role or use a system scoped admin token.

$ openstack dns quota reset --project-id ecd4341280d645e5959d32a4b7659da1

Note

There is no output from a successful dns quota reset command.

Below is an example of resetting a project's quota via the Reset Quota Designate API.

DELETE /v2/quotas/ecd4341280d645e5959d32a4b7659da1 HTTP/1.1
Accept: application/json
Content-Type: application/json
X-Auth-All-Projects: True

The response would be:

HTTP/1.1 204 No Content
X-Openstack-Request-Id: req-82b85853-145d-4253-be86-b9aa3116b975

Available Quotas

The quotas available in Designate are listed below with a short description and the default values.

Zones

Quota Description Default
zones The number of zone allowed per project 10

Recordsets/Records

Quota Description Default
zone_recordsets Number of recordsets allowed per zone 500
zone_records Number of records allowed per zone 500
recordset_records Number of records allowed per recordset 20

Zone Exports

Quota Description Default
api_export_size Number of recordsets allowed in a zone export 1000

Default Quotas

You can set a default value for each quota that applies to all users by editing the [DEFAULT] configuration section of the designate.conf file, for example:

[DEFAULT]
########################
## General Configuration
########################
quota_zones = 10
quota_zone_recordsets = 500
quota_zone_records = 500
quota_recordset_records = 20
quota_api_export_size = 1000

Project ID Verification

Although Designate API can accept arbitrary strings as the Project ID to set the quota for, actual enforcement of quota will be performed only when the project ID of the quota matches the project-id in the request that attempts to create a resource.

To prevent mistakes when specifying the project-id for a quota, you can turn on project ID verification in the Designate configuration file:

[service:api]
quotas_verify_project_id = True

You must also specify how Designate connects to Keystone and locates the appropriate Keystone endpoint with which to perform requests. In the [keystone] section, ensure that the Session- and Adapter-related options are set.

Here is an example:

[keystone]
cafile = /path/to/ca/bundle
valid_interfaces = internal,public
region_name = RegionWest

See keystoneauth documentation for more details.

With project ID verification enabled, Designate will use the credentials provided with the request to attempt to verify that the project ID is valid in Keystone.

As a result of this verification, the request might return additional errors in these cases:

  • when the Keystone V3 endpoint could not be found in the service catalog (as specified in [keystone] section) - 504 error is returned
  • when the authentication with incoming token was successful but the project id was not actually found - 400 is returned

For project ID validation to be successful, the user setting quotas should have permission to list projects in Keystone. If the user does not have permission to list projects in Keystone, the validation will be skipped.