openstack-manuals/doc/common/section_compute_config-api.xml

188 lines
8.2 KiB
XML
Raw Normal View History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configuring-compute-API">
<title>Configure the Compute API</title>
<para>The Compute API, run by the <systemitem class="service"
>nova-api</systemitem> daemon, is the component of
OpenStack Compute that receives and responds to user requests,
whether they be direct API calls, or via the CLI tools or
dashboard.</para>
<simplesect>
<title>Configure Compute API password handling</title>
<para>The OpenStack Compute API enables users to specify an
administrative password when they create or rebuild a
server instance. If the user does not specify a password,
a random password is generated and returned in the API
response.</para>
<para>In practice, how the admin password is handled depends
on the hypervisor in use and might require additional
configuration of the instance. For example, you might have
to install an agent to handle the password setting. If the
hypervisor and instance configuration do not support
setting a password at server create time, the password
that is returned by the create API call is misleading
because it was ignored.</para>
<para>To prevent this confusion, use the
<option>enable_instance_password</option>
configuration option to disable the return of the admin
password for installations that do not support setting
instance passwords.</para>
</simplesect>
<simplesect>
<title>Configure Compute API rate limiting</title>
<para>OpenStack Compute supports API rate limiting for the
OpenStack API. The rate limiting allows an administrator
to configure limits on the type and number of API calls
that can be made in a specific time interval.</para>
<para>When API rate limits are exceeded, HTTP requests return
an error with a status code of <errorcode>413</errorcode>
<errortext>Request entity too large</errortext>, and
includes an HTTP <literal>Retry-After</literal> header.
The response body includes the error details and the delay
before you should retry the request.</para>
<para>Rate limiting is not available for the EC2 API.</para>
</simplesect>
<simplesect>
<title>Define limits</title>
<para>To define limits, set these values:</para>
<itemizedlist>
<listitem>
<para>The <emphasis role="bold">HTTP method</emphasis>
used in the API call, typically one of GET, PUT,
POST, or DELETE.</para>
</listitem>
<listitem>
<para>A <emphasis role="bold">human readable
URI</emphasis> that is used as a friendly
description of where the limit is applied.</para>
</listitem>
<listitem>
<para>A <emphasis role="bold">regular
expression</emphasis>. The limit is applied to
all URIs that match the regular expression and
HTTP method.</para>
</listitem>
<listitem>
<para>A <emphasis role="bold">limit value </emphasis>
that specifies the maximum count of units before
the limit takes effect.</para>
</listitem>
<listitem>
<para>An <emphasis role="bold">interval</emphasis>
that specifies time frame to which the limit is
applied. The interval can be SECOND, MINUTE, HOUR,
or DAY.</para>
</listitem>
</itemizedlist>
<para>Rate limits are applied in relative order to the HTTP
method, going from least to most specific.</para>
</simplesect>
<simplesect>
<title>Default limits</title>
<para>Normally, you install OpenStack Compute with the
following limits enabled:</para>
<table rules="all">
<caption>Default API rate limits</caption>
<thead>
<tr>
<th>HTTP method</th>
<th>API URI</th>
<th>API regular expression</th>
<th>Limit</th>
</tr>
</thead>
<tbody>
<tr>
<td>POST</td>
<td>any URI (*)</td>
<td>.*</td>
<td>120 per minute</td>
</tr>
<tr>
<td>POST</td>
<td>/servers</td>
<td>^/servers</td>
<td>120 per minute</td>
</tr>
<tr>
<td>PUT</td>
<td>any URI (*)</td>
<td>.*</td>
<td>120 per minute</td>
</tr>
<tr>
<td>GET</td>
<td>*changes-since*</td>
<td>.*changes-since.*</td>
<td>120 per minute</td>
</tr>
<tr>
<td>DELETE</td>
<td>any URI (*)</td>
<td>.*</td>
<td>120 per minute</td>
</tr>
<tr>
<td>GET</td>
<td>*/os-fping</td>
<td>^/os-fping</td>
<td>12 per minute</td>
</tr>
</tbody>
</table>
</simplesect>
<simplesect>
<title>Configure and change limits</title>
<para>As part of the WSGI pipeline, the
<filename>etc/nova/api-paste.ini</filename> file
defines the actual limits.</para>
<para>To enable limits, include the
<option>ratelimit</option>' filter in the API pipeline
specification. If the <option>ratelimit</option> filter is
removed from the pipeline, limiting is disabled. You must
also define the rate limit filter. The lines appear as
follows:</para>
<programlisting language="ini">[pipeline:openstack_compute_api_v2]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
[pipeline:openstack_volume_api_v1]
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory</programlisting>
<para>To modify the limits, add a <literal>limits</literal>
specification to the <literal>[filter:ratelimit]</literal>
section of the file. Specify the limits in this
order:</para>
<orderedlist>
<listitem>
<para>HTTP method</para>
</listitem>
<listitem>
<para>friendly URI</para>
</listitem>
<listitem>
<para>regex</para>
</listitem>
<listitem>
<para>limit</para>
</listitem>
<listitem>
<para>interval</para>
</listitem>
</orderedlist>
<para>The following example shows the default rate-limiting
values:</para>
<programlisting language="ini">[filter:ratelimit]
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
limits =(POST, "*", .*, 120, MINUTE);(POST, "*/servers", ^/servers, 120, MINUTE);(PUT, "*", .*, 120, MINUTE);(GET, "*changes-since*", .*changes-since.*, 120, MINUTE);(DELETE, "*", .*, 120, MINUTE);(GET, "*/os-fping", ^/os-fping, 12, MINUTE)</programlisting>
</simplesect>
<simplesect xml:id="compute_config_options">
<title>Configuration reference</title>
<para>The Compute API configuration options are documented in <xref
linkend="config_table_nova_api"/>.</para>
</simplesect>
</section>