FWaaS quota registration

Builds on prior attempts to register FWaaS resources to the quota
engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55
which had to be reverted for bug 1513280 for failing gate via commit
28948f6559.

Since with router insertion a user can have a separate firewall
and policy per targeted router in their tenant, the defaults of
only 1 in the original fixes were too low.

Also added the release notes and updated the options to reflect
the quota.

Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455
Closes-Bug: #1399280
James Arendt 2016-02-13 18:54:09 -08:00
parent a0c93fd8df
commit e338df4244
4 changed files with 73 additions and 6 deletions


@ -353,13 +353,18 @@ RESOURCE_ATTRIBUTE_MAP = {
},
}
# A tenant may have a unique firewall and policy for each router
# when router insertion is used.
# Set default quotas to align with default l3 quota_router of 10
# though keep as separately controllable.
firewall_quota_opts = [
cfg.IntOpt('quota_firewall',
default=1,
default=10,
help=_('Number of firewalls allowed per tenant. '
'A negative value means unlimited.')),
cfg.IntOpt('quota_firewall_policy',
default=1,
default=10,
help=_('Number of firewall policies allowed per tenant. '
'A negative value means unlimited.')),
cfg.IntOpt('quota_firewall_rule',
@ -403,7 +408,8 @@ class Firewall(extensions.ExtensionDescriptor):
return resource_helper.build_resource_info(plural_mappings,
RESOURCE_ATTRIBUTE_MAP,
p_const.FIREWALL,
action_map=action_map)
action_map=action_map,
register_quota=True)
@classmethod
def get_plugin_interface(cls):
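Review bot: The comment added above `firewall_quota_opts` names the l3 option as `quota_router`, but the release note added in this same commit points operators at `quota_routers`; the two should agree, and the comment's spelling appears to be the one neutron uses. These defaults become the per-tenant ceiling once the second hunk passes `register_quota=True`, so the comment could say so, for example `# Enforced per tenant once the extension registers its resources with register_quota=True.` The option list continues past the end of the first hunk, so `quota_firewall_rule` is not fully visible here.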


@ -18,3 +18,10 @@ def list_agent_opts():
('fwaas',
neutron_fwaas.services.firewall.agents.firewall_agent_api.FWaaSOpts)
]
def list_opts():
return [
('quotas',
neutron_fwaas.extensions.firewall.firewall_quota_opts)
]
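Review bot: `list_opts()` publishes the quota options under the group name `'quotas'`, while the tests in this commit override the same option with `group='QUOTAS'`; both spellings should come from one shared constant so they cannot drift apart. If the group lookup is case-sensitive anywhere between the generated sample and the running service, a limit an operator sets under the wrong spelling would be ignored and the default would apply instead; this hunk does not show which way it behaves. The function also has no docstring; something like `"""Return (group, options) pairs for the FWaaS quota options."""` would do.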


@ -63,10 +63,8 @@ class TestFirewallRouterInsertionBase(
create=True, new=test_db_firewall.FakeAgentApi().delete_firewall)
self.agentapi_del_fw_p.start()
plugin = None
# the plugin without L3 support
if not plugin:
plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
# the L3 service plugin
l3_plugin = ('neutron.tests.unit.extensions.test_l3.'
'TestL3NatServicePlugin')
@ -641,3 +639,39 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
expected_event_type = 'firewall_policy.update.remove_rule'
event_types = [event['event_type'] for event in notifications]
self.assertIn(expected_event_type, event_types)
def test_firewall_quota_lower(self):
"""Test quota using overridden value."""
cfg.CONF.set_override('quota_firewall', 3, group='QUOTAS')
with self.firewall(name='quota1'), \
self.firewall(name='quota2'), \
self.firewall(name='quota3'):
data = {'firewall': {'name': 'quota4',
'firewall_policy_id': None,
'tenant_id': self._tenant_id,
'shared': False}}
req = self.new_create_request('firewalls', data, 'json')
res = req.get_response(self.ext_api)
self.assertIn('Quota exceeded', res.body.decode('utf-8'))
self.assertEqual(exc.HTTPConflict.code, res.status_int)
def test_firewall_quota_default(self):
"""Test quota using default value."""
with self.firewall(name='quota1'), \
self.firewall(name='quota2'), \
self.firewall(name='quota3'), \
self.firewall(name='quota4'), \
self.firewall(name='quota5'), \
self.firewall(name='quota6'), \
self.firewall(name='quota7'), \
self.firewall(name='quota8'), \
self.firewall(name='quota9'), \
self.firewall(name='quota10'):
data = {'firewall': {'name': 'quota11',
'firewall_policy_id': None,
'tenant_id': self._tenant_id,
'shared': False}}
req = self.new_create_request('firewalls', data, 'json')
res = req.get_response(self.ext_api)
self.assertIn('Quota exceeded', res.body.decode('utf-8'))
self.assertEqual(exc.HTTPConflict.code, res.status_int)
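Review bot: Only `quota_firewall` is exercised by the two new tests, although the commit also changes the default of `quota_firewall_policy` and the release note documents a limit for `quota_firewall_rule`; a regression that leaves policies or rules unregistered with the quota engine would still pass this suite. A sibling test per resource, starting with `cfg.CONF.set_override('quota_firewall_policy', 1, group='QUOTAS')` and asserting the same 409 status and 'Quota exceeded' body, would close that gap. The negative-means-unlimited path described in the option help is also untested. Separately, `test_firewall_quota_default` hard-codes ten nested `self.firewall(...)` contexts, which couples the test to the literal 10 rather than to the configured default; reading the limit from `cfg.CONF.QUOTAS.quota_firewall` would avoid that.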


@ -0,0 +1,20 @@
---
prelude: >
Enable quotas for FWaaS.
features:
- The FWaaS extension will register quotas.
The default values for quota_firewall and
quota_firewall_policy are set to 10.
The default value for quota_firewall_rule
is set to 100.
Quotas can be adjusted in the conf files, including
-1 values to allow unlimited.
issues:
- Tenants may receive a 409 Conflict error with a
message body containing a quota exceeded message
during resource creation if their quota is exceeded.
other:
- Operators that increase the default limit for quota_routers
from 10 may want to bump FWaaS quotas as well, since with
router insertion a tenant can potentially have a unique
policy and firewall for each router.