FWaaS quota registration

Builds on prior attempts to register FWaaS resources to the quota
engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55
which had to be reverted for bug 1513280 for failing gate via commit
28948f6559.

Since with router insertion a user can have a separate firewall
and policy per targeted router in their tenant, the original
fixes which had defaults of only 1 were too low.

Also added the release notes and updated the options to reflect
the quota.

Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455
Closes-Bug: #1399280

neutron_fwaas/extensions/firewall.py

@@ -353,13 +353,18 @@ RESOURCE_ATTRIBUTE_MAP = {
     },
 }
 
+# A tenant may have a unique firewall and policy for each router
+# when router insertion is used.
+# Set default quotas to align with default l3 quota_router of 10
+# though keep as separately controllable.
+
 firewall_quota_opts = [
     cfg.IntOpt('quota_firewall',
-               default=1,
+               default=10,
                help=_('Number of firewalls allowed per tenant. '
                       'A negative value means unlimited.')),
     cfg.IntOpt('quota_firewall_policy',
-               default=1,
+               default=10,
                help=_('Number of firewall policies allowed per tenant. '
                       'A negative value means unlimited.')),
     cfg.IntOpt('quota_firewall_rule',
@@ -403,7 +408,8 @@ class Firewall(extensions.ExtensionDescriptor):
         return resource_helper.build_resource_info(plural_mappings,
                                                    RESOURCE_ATTRIBUTE_MAP,
                                                    p_const.FIREWALL,
-                                                   action_map=action_map)
+                                                   action_map=action_map,
+                                                   register_quota=True)
 
     @classmethod
     def get_plugin_interface(cls):

neutron_fwaas/opts.py

@@ -18,3 +18,10 @@ def list_agent_opts():
         ('fwaas',
          neutron_fwaas.services.firewall.agents.firewall_agent_api.FWaaSOpts)
     ]
+
+
+def list_opts():
+    return [
+        ('quotas',
+         neutron_fwaas.extensions.firewall.firewall_quota_opts)
+    ]

neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py

@@ -63,10 +63,8 @@ class TestFirewallRouterInsertionBase(
             create=True, new=test_db_firewall.FakeAgentApi().delete_firewall)
         self.agentapi_del_fw_p.start()
 
-        plugin = None
         # the plugin without L3 support
-        if not plugin:
-            plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
+        plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
         # the L3 service plugin
         l3_plugin = ('neutron.tests.unit.extensions.test_l3.'
                      'TestL3NatServicePlugin')
@@ -641,3 +639,39 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase,
             expected_event_type = 'firewall_policy.update.remove_rule'
             event_types = [event['event_type'] for event in notifications]
             self.assertIn(expected_event_type, event_types)
+
+    def test_firewall_quota_lower(self):
+        """Test quota using overridden value."""
+        cfg.CONF.set_override('quota_firewall', 3, group='QUOTAS')
+        with self.firewall(name='quota1'), \
+                self.firewall(name='quota2'), \
+                self.firewall(name='quota3'):
+            data = {'firewall': {'name': 'quota4',
+                                 'firewall_policy_id': None,
+                                 'tenant_id': self._tenant_id,
+                                 'shared': False}}
+            req = self.new_create_request('firewalls', data, 'json')
+            res = req.get_response(self.ext_api)
+            self.assertIn('Quota exceeded', res.body.decode('utf-8'))
+            self.assertEqual(exc.HTTPConflict.code, res.status_int)
+
+    def test_firewall_quota_default(self):
+        """Test quota using default value."""
+        with self.firewall(name='quota1'), \
+                self.firewall(name='quota2'), \
+                self.firewall(name='quota3'), \
+                self.firewall(name='quota4'), \
+                self.firewall(name='quota5'), \
+                self.firewall(name='quota6'), \
+                self.firewall(name='quota7'), \
+                self.firewall(name='quota8'), \
+                self.firewall(name='quota9'), \
+                self.firewall(name='quota10'):
+            data = {'firewall': {'name': 'quota11',
+                                 'firewall_policy_id': None,
+                                 'tenant_id': self._tenant_id,
+                                 'shared': False}}
+            req = self.new_create_request('firewalls', data, 'json')
+            res = req.get_response(self.ext_api)
+            self.assertIn('Quota exceeded', res.body.decode('utf-8'))
+            self.assertEqual(exc.HTTPConflict.code, res.status_int)

releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml

@@ -0,0 +1,20 @@
+---
+prelude: >
+    Enable quotas for FWaaS.
+features:
+  - The FWaaS extension will register quotas.
+    The default values for quota_firewall and
+    quota_firewall_policy are set to 10.
+    The default value for quota_firewall_rule
+    is set to 100.
+    Quotas can be adjusted in the conf files, including
+    -1 values to allow unlimited.
+issues:
+  - Tenants may receive a 409 Conflict error with a
+    message body containing a quota exceeded message
+    during resource creation if their quota is exceeded.
+other:
+  - Operators that increase the default limit for quota_routers
+    from 10 may want to bump FWaaS quotas as well, since with
+    router insertion a tenant can potentially have a unique
+    policy and firewall for each router.