From e338df4244ca684d3b8a962341a6eab733f3e074 Mon Sep 17 00:00:00 2001 From: James Arendt Date: Sat, 13 Feb 2016 18:54:09 -0800 Subject: [PATCH] FWaaS quota registration Builds on prior attempts to register FWaaS resources to the quota engine, such as commit Ia4d6b9a65acd1111a050dc73b63a1f0ce619cb55 which had to be reverted for bug 1513280 for failing gate via commit 28948f6559711a0d861fa76f3adf65cda22768fb. Since with router insertion a user can have a separate firewall and policy per targeted router in their tenant, the original fixes which had defaults of only 1 were too low. Also added the release notes and updated the options to reflect the quota. Change-Id: I68a5538f7bc8df78212633c73eeca0eaae0d8455 Closes-Bug: #1399280 --- neutron_fwaas/extensions/firewall.py | 12 ++++-- neutron_fwaas/opts.py | 7 ++++ .../services/firewall/test_fwaas_plugin.py | 40 +++++++++++++++++-- .../notes/enable-quotas-a3d0a21743bb1985.yaml | 20 ++++++++++ 4 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml diff --git a/neutron_fwaas/extensions/firewall.py b/neutron_fwaas/extensions/firewall.py index 3b4d57b76..3a8a32563 100644 --- a/neutron_fwaas/extensions/firewall.py +++ b/neutron_fwaas/extensions/firewall.py @@ -353,13 +353,18 @@ RESOURCE_ATTRIBUTE_MAP = { }, } +# A tenant may have a unique firewall and policy for each router +# when router insertion is used. +# Set default quotas to align with default l3 quota_router of 10 +# though keep as separately controllable. + firewall_quota_opts = [ cfg.IntOpt('quota_firewall', - default=1, + default=10, help=_('Number of firewalls allowed per tenant. ' 'A negative value means unlimited.')), cfg.IntOpt('quota_firewall_policy', - default=1, + default=10, help=_('Number of firewall policies allowed per tenant. ' 'A negative value means unlimited.')), cfg.IntOpt('quota_firewall_rule', 
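Review bot: The reason for raising `quota_firewall` and `quota_firewall_policy` to 10 is recorded only in the source comment above `firewall_quota_opts`, so an operator reading the option help sees the new number without the router-insertion rationale. Consider carrying it into the help text, e.g. `help=_('Number of firewalls allowed per tenant; with router insertion a tenant may need one per router. A negative value means unlimited.')`. The comment also names the L3 option `quota_router`, while the release note added at the end of this patch writes `quota_routers`; the two spellings should agree. The `firewall_quota_opts` list continues past the end of this hunk.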
@@ -403,7 +408,8 @@ class Firewall(extensions.ExtensionDescriptor): return resource_helper.build_resource_info(plural_mappings, RESOURCE_ATTRIBUTE_MAP, p_const.FIREWALL, - action_map=action_map) + action_map=action_map, + register_quota=True) @classmethod def get_plugin_interface(cls): diff --git a/neutron_fwaas/opts.py b/neutron_fwaas/opts.py index 4eee39665..d66db5943 100644 --- a/neutron_fwaas/opts.py +++ b/neutron_fwaas/opts.py @@ -18,3 +18,10 @@ def list_agent_opts(): ('fwaas', neutron_fwaas.services.firewall.agents.firewall_agent_api.FWaaSOpts) ] + + +def list_opts(): + return [ + ('quotas', + neutron_fwaas.extensions.firewall.firewall_quota_opts) + ] diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py index 1105ce1c9..6ddeb9cbc 100644 --- a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py +++ b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py @@ -63,10 +63,8 @@ class TestFirewallRouterInsertionBase( create=True, new=test_db_firewall.FakeAgentApi().delete_firewall) self.agentapi_del_fw_p.start() - plugin = None # the plugin without L3 support - if not plugin: - plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin' + plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin' # the L3 service plugin l3_plugin = ('neutron.tests.unit.extensions.test_l3.' 'TestL3NatServicePlugin') 
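Review bot: `list_opts()` dereferences `neutron_fwaas.extensions.firewall.firewall_quota_opts`, but this hunk adds no import for that submodule, and the diffstat shows these seven lines as the only change to opts.py. Unless the top of the file (outside the hunk) already imports it, the lookup only works when something else has loaded the module first, and a standalone caller such as a sample-config generator could hit an AttributeError. Adding `import neutron_fwaas.extensions.firewall` beside the existing import makes the dependency explicit. The section is also listed as `'quotas'` here while the new tests override the option with `group='QUOTAS'`; one spelling in both places would avoid doubt about which section operators should edit.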
@@ -641,3 +639,39 @@ class TestFirewallPluginBase(TestFirewallRouterInsertionBase, expected_event_type = 'firewall_policy.update.remove_rule' event_types = [event['event_type'] for event in notifications] self.assertIn(expected_event_type, event_types) + + def test_firewall_quota_lower(self): + """Test quota using overridden value.""" + cfg.CONF.set_override('quota_firewall', 3, group='QUOTAS') + with self.firewall(name='quota1'), \ + self.firewall(name='quota2'), \ + self.firewall(name='quota3'): + data = {'firewall': {'name': 'quota4', + 'firewall_policy_id': None, + 'tenant_id': self._tenant_id, + 'shared': False}} + req = self.new_create_request('firewalls', data, 'json') + res = req.get_response(self.ext_api) + self.assertIn('Quota exceeded', res.body.decode('utf-8')) + self.assertEqual(exc.HTTPConflict.code, res.status_int) + + def test_firewall_quota_default(self): + """Test quota using default value.""" + with self.firewall(name='quota1'), \ + self.firewall(name='quota2'), \ + self.firewall(name='quota3'), \ + self.firewall(name='quota4'), \ + self.firewall(name='quota5'), \ + self.firewall(name='quota6'), \ + self.firewall(name='quota7'), \ + self.firewall(name='quota8'), \ + self.firewall(name='quota9'), \ + self.firewall(name='quota10'): + data = {'firewall': {'name': 'quota11', + 'firewall_policy_id': None, + 'tenant_id': self._tenant_id, + 'shared': False}} + req = self.new_create_request('firewalls', data, 'json') + res = req.get_response(self.ext_api) + self.assertIn('Quota exceeded', res.body.decode('utf-8')) + self.assertEqual(exc.HTTPConflict.code, res.status_int) diff --git a/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml b/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml new file mode 100644 index 000000000..216f1ef0f --- /dev/null +++ b/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml 
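Review bot: Both new tests exercise only `quota_firewall`, yet the `register_quota=True` change in firewall.py appears to turn on enforcement for every resource in RESOURCE_ATTRIBUTE_MAP, which would leave `quota_firewall_policy` and `quota_firewall_rule` enforced but untested. These limits are what stops one tenant from exhausting firewall resources, so add matching cases that override each option to a small value, e.g. `cfg.CONF.set_override('quota_firewall_policy', 3, group='QUOTAS')`, and assert the same 409 status and 'Quota exceeded' body. `test_firewall_quota_default` hard-codes ten nested `self.firewall(...)` contexts with nothing saying why ten; a comment such as `# ten firewalls == default quota_firewall; the eleventh must be rejected` would tie the count to the option. The request-building lines are duplicated in both tests and could move to a small private helper.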
@@ -0,0 +1,20 @@
+---
+prelude: >
+ Enable quotas for FWaaS.
+features:
+ - The FWaaS extension will register quotas.
+ The default values for quota_firewall and
+ quota_firewall_policy are set to 10.
+ The default value for quota_firewall_rule
+ is set to 100.
+ Quotas can be adjusted in the conf files, including
+ -1 values to allow unlimited.
+issues:
+ - Tenants may receive a 409 Conflict error with a
+ message body containing a quota exceeded message
+ during resource creation if their quota is exceeded.
+other:
+ - Operators that increase the default limit for quota_routers
+ from 10 may want to bump FWaaS quotas as well, since with
+ router insertion a tenant can potentially have a unique
+ policy and firewall for each router.