To the best of my knowledge Neutron is unable to enforce tenant quotas using the tenant name; this should be "undocumented". What Kevin suggests also goes in this direction, even if we have to be careful as we're making assumptions on how tenant ids are represented (if the deployment is not using Keystone, for instance, they could be anything).
Quotas are enforce by checking the tenant_id for which a resource is being created is not already using all its quota of this resource. Neutron does not have any logic for resolving the tenant name into its identifier in this process. The validation of the tenant identifier is something that goes beyond quota management. Users with admin credentials can create networks and other resources for random tenants that do not exist. Validation of the tenant id might make sense, but, as Kevin said, must be performed by Keystone. Therefore in order to avoid an extra round trip I would personally try and perform this task in the keystonemiddleware step (the one that does authentication too). Nevertheless there is a deferred nova spec [1] and patch [2] aiming at performing exactly what's asked for here - validating the tenant id when setting up quotas. I personally think we should seek a solution for validating the tenant_id for every request (if the operator wishes to do so). Salvatore [1] http://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/validate-tenant-user-with-keystone.html [2] https://review.openstack.org/#/c/143934/ On 30 July 2015 at 07:44, Kevin Benton <[email protected]> wrote: > >Dev lessons learned: we need to validate better our inputs and refuse to > update a tenant-id that does not exist. > > This is something that has come up in Neutron discussions before. There > are two issues here: > 1. Performance: it will require a round-trip to Keystone on every request. > 2. If the Neutron keystone user in unprivileged and the request context is > unprivileged, we might not actually be allowed to tell if the tenant exists. > > The first we can deal with, but the second is going to be an issue that we > might not be able to get around. > > How about as a temporary solution, we just confirm that the input is a > UUID so names don't get used? > > On Wed, Jul 29, 2015 at 10:19 PM, Bruno L <[email protected]> wrote: > >> This is probably affecting other people as well, so hopefully message >> will avoid some headaches. >> >> [nova,cinder,neutron] will allow you to do a quota-update using the >> tenant-name (instead of tenant-id). They will also allow you to do a >> quota-show tenant-name and get the expected values back. >> >> Then you go to the tenant and end up surprised that the quotas have not >> been applied and you can still do things you were not supposed to. >> >> It turns out that [nova,cinder,neutron] just created an entry on the >> quota table, inserting the tenant-name on the tenant-id field. >> >> "Surprise, surprise!" >> >> Ops lessons learned: use the tenant-id! >> >> Dev lessons learned: we need to validate better our inputs and refuse to >> update a tenant-id that does not exist. >> >> I have documented this behaviour on >> https://bugs.launchpad.net/neutron/+bug/1399065 and >> https://bugs.launchpad.net/neutron/+bug/1317515. I can reproduce it in >> IceHouse. >> >> Could someone please confirm if this is still the case on master? If not, >> which version of OpenStack addressed that? >> >> Thanks, >> Bruno >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> [email protected]?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> >> > > > -- > Kevin Benton > > __________________________________________________________________________ > OpenStack Development Mailing List (not for usage questions) > Unsubscribe: [email protected]?subject:unsubscribe > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
