Re: [openstack-dev] [nova] no user/project validation in "nova quota-show"?

[Matt Riedemann]

On 12/7/2015 6:55 PM, Alex Xu wrote:



2015-12-08 8:38 GMT+08:00 Kevin L. Mitchell
mailto:kevin.mitch...@rackspace.com>>:

On Mon, 2015-12-07 at 18:21 -0600, Chris Friesen wrote:
> Can someone explain why nova doesn't seem to be doing any validation in 
the
> "nova quota-show" command?  (At least in kilo/stable.)
>
> If I run:
> nova --debug quota-show  --tenant aprojectdoesnotexist --user nosuchuser
>
> the debug info shows:
>
> DEBUG (connectionpool:383) "GET
> 
/v2/ceddf233621f4772a8b4f17de3d45e31/os-quota-sets/aprojectdoesnotexist?user_id=nosuchuser
> HTTP/1.1" 200 359
>
> and it returns a reasonable-looking set of quota information.
>
>
>
> Shouldn't nova be complaining that the specified tenant/user don't 
actually exist?

1. Nova doesn't know what tenants and users exist; that's something only
Keystone knows.

2. There are defaults for quotas, which is how nova determines what
quotas to apply to a tenant when there's no specific quota for that
tenant in its database.  That's why you're getting a reasonable-looking
set of quota information.



yes, but I found one spec we approved before
https://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/validate-tenant-user-with-keystone.html

But it doesn't finish.

--
Kevin L. Mitchell mailto:kevin.mitch...@rackspace.com>>
Rackspace


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



I can't seem to find the mailing list thread on this, if there ever was 
one, but I remember talking about this same problem a few months ago - 
related to how the quotas API will create new quotas for you on update 
if they don't yet exist [1]. Chatting in IRC some of us were talking 
about adding a new create method to the API so that could be explicit.


The same thing exists in nova-manage also [2].

There are several bugs related to the blueprint Alex pointed out [3].

I also found some discussion in a nova meeting [4]. That has most of the 
details (there might be more in one of the bugs related to the 
blueprint) if someone wants to take a run at this for the N release.


[1] 
https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/quota_sets.py#L140

[2] https://github.com/openstack/nova/blob/master/nova/cmd/manage.py#L283
[3] 
https://blueprints.launchpad.net/nova/+spec/validate-project-with-keystone
[4] 
http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2015-10-06.log.html#t2015-10-06T17:21:45


--

Thanks,

Matt Riedemann


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] no user/project validation in "nova quota-show"?

[Matt Riedemann]

On 12/7/2015 6:55 PM, Alex Xu wrote:



2015-12-08 8:38 GMT+08:00 Kevin L. Mitchell
mailto:kevin.mitch...@rackspace.com>>:

On Mon, 2015-12-07 at 18:21 -0600, Chris Friesen wrote:
> Can someone explain why nova doesn't seem to be doing any validation in 
the
> "nova quota-show" command?  (At least in kilo/stable.)
>
> If I run:
> nova --debug quota-show  --tenant aprojectdoesnotexist --user nosuchuser
>
> the debug info shows:
>
> DEBUG (connectionpool:383) "GET
> 
/v2/ceddf233621f4772a8b4f17de3d45e31/os-quota-sets/aprojectdoesnotexist?user_id=nosuchuser
> HTTP/1.1" 200 359
>
> and it returns a reasonable-looking set of quota information.
>
>
>
> Shouldn't nova be complaining that the specified tenant/user don't 
actually exist?

1. Nova doesn't know what tenants and users exist; that's something only
Keystone knows.

2. There are defaults for quotas, which is how nova determines what
quotas to apply to a tenant when there's no specific quota for that
tenant in its database.  That's why you're getting a reasonable-looking
set of quota information.



yes, but I found one spec we approved before
https://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/validate-tenant-user-with-keystone.html

But it doesn't finish.

--
Kevin L. Mitchell mailto:kevin.mitch...@rackspace.com>>
Rackspace


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe:
openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev



I can't seem to find the mailing list thread on this, if there ever was 
one, but I remember talking about this same problem a few months ago - 
related to how the quotas API will create new quotas for you on update 
if they don't yet exist [1]. Chatting in IRC some of us were talking 
about adding a new create method to the API so that could be explicit.


The same thing exists in nova-manage also [2].

There are several bugs related to the blueprint Alex pointed out [3].

I also found some discussion in a nova meeting [4]. That has most of the 
details (there might be more in one of the bugs related to the 
blueprint) if someone wants to take a run at this for the N release.


[1] 
https://github.com/openstack/nova/blob/master/nova/api/openstack/compute/quota_sets.py#L140

[2] https://github.com/openstack/nova/blob/master/nova/cmd/manage.py#L283
[3] 
https://blueprints.launchpad.net/nova/+spec/validate-project-with-keystone
[4] 
http://eavesdrop.openstack.org/irclogs/%23openstack-nova/%23openstack-nova.2015-10-06.log.html#t2015-10-06T17:21:45


--

Thanks,

Matt Riedemann


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] no user/project validation in "nova quota-show"?

[Alex Xu]

2015-12-08 8:38 GMT+08:00 Kevin L. Mitchell :

> On Mon, 2015-12-07 at 18:21 -0600, Chris Friesen wrote:
> > Can someone explain why nova doesn't seem to be doing any validation in
> the
> > "nova quota-show" command?  (At least in kilo/stable.)
> >
> > If I run:
> > nova --debug quota-show  --tenant aprojectdoesnotexist --user nosuchuser
> >
> > the debug info shows:
> >
> > DEBUG (connectionpool:383) "GET
> >
> /v2/ceddf233621f4772a8b4f17de3d45e31/os-quota-sets/aprojectdoesnotexist?user_id=nosuchuser
> > HTTP/1.1" 200 359
> >
> > and it returns a reasonable-looking set of quota information.
> >
> >
> >
> > Shouldn't nova be complaining that the specified tenant/user don't
> actually exist?
>
> 1. Nova doesn't know what tenants and users exist; that's something only
> Keystone knows.
>
> 2. There are defaults for quotas, which is how nova determines what
> quotas to apply to a tenant when there's no specific quota for that
> tenant in its database.  That's why you're getting a reasonable-looking
> set of quota information.
>


yes, but I found one spec we approved before
https://specs.openstack.org/openstack/nova-specs/specs/kilo/approved/validate-tenant-user-with-keystone.html

But it doesn't finish.


> --
> Kevin L. Mitchell 
> Rackspace
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] no user/project validation in "nova quota-show"?

[Kevin L. Mitchell]

On Mon, 2015-12-07 at 18:21 -0600, Chris Friesen wrote:
> Can someone explain why nova doesn't seem to be doing any validation in the 
> "nova quota-show" command?  (At least in kilo/stable.)
> 
> If I run:
> nova --debug quota-show  --tenant aprojectdoesnotexist --user nosuchuser
> 
> the debug info shows:
> 
> DEBUG (connectionpool:383) "GET 
> /v2/ceddf233621f4772a8b4f17de3d45e31/os-quota-sets/aprojectdoesnotexist?user_id=nosuchuser
>  
> HTTP/1.1" 200 359
> 
> and it returns a reasonable-looking set of quota information.
> 
> 
> 
> Shouldn't nova be complaining that the specified tenant/user don't actually 
> exist?

1. Nova doesn't know what tenants and users exist; that's something only
Keystone knows.

2. There are defaults for quotas, which is how nova determines what
quotas to apply to a tenant when there's no specific quota for that
tenant in its database.  That's why you're getting a reasonable-looking
set of quota information.
-- 
Kevin L. Mitchell 
Rackspace


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [nova] no user/project validation in "nova quota-show"?

[Chris Friesen]

Can someone explain why nova doesn't seem to be doing any validation in the 
"nova quota-show" command?  (At least in kilo/stable.)


If I run:
nova --debug quota-show  --tenant aprojectdoesnotexist --user nosuchuser

the debug info shows:

DEBUG (connectionpool:383) "GET 
/v2/ceddf233621f4772a8b4f17de3d45e31/os-quota-sets/aprojectdoesnotexist?user_id=nosuchuser 
HTTP/1.1" 200 359


and it returns a reasonable-looking set of quota information.



Shouldn't nova be complaining that the specified tenant/user don't actually 
exist?

Thanks,
Chris

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev