Authentication and Authorization

Authentication and Authorization

The manila.quota Module

Quotas for shares.

class AbsoluteResource(name, flag=None)

Bases: manila.quota.BaseResource

Describe a non-reservable resource.

class BaseResource(name, flag=None)

Bases: object

Describe a single resource for quota checking.

default

Return the default value of the quota.

quota(driver, context, **kwargs)

Obtain quota for a resource.

Given a driver and context, obtain the quota for this resource.

Parameters:
  • driver – A quota driver.
  • context – The request context.
  • project_id – The project to obtain the quota value for. If not provided, it is taken from the context. If it is given as None, no project-specific quota will be searched for.
  • quota_class – The quota class corresponding to the project, or for which the quota is to be looked up. If not provided, it is taken from the context. If it is given as None, no quota class-specific quota will be searched for. Note that the quota class defaults to the value in the context, which may not correspond to the project if project_id is not the same as the one in the context.
class CountableResource(name, count, flag=None)

Bases: manila.quota.AbsoluteResource

Describe a countable resource.

Describe a resource where the counts aren’t based solely on the project ID.

class DbQuotaDriver

Bases: object

Database Quota driver.

Driver to perform necessary checks to enforce quotas and obtain quota information. The default driver utilizes the local database.

commit(context, reservations, project_id=None, user_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)
destroy_all_by_project(context, project_id)

Destroy metadata associated with a project.

Destroy all quotas, usages, and reservations associated with a project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
destroy_all_by_project_and_user(context, project_id, user_id)

Destroy metadata associated with a project and user.

Destroy all quotas, usages, and reservations associated with a project and user.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
  • user_id – The ID of the user being deleted.
expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:context – The request context, for access checks.
get_by_class(context, quota_class, resource)

Get a specific quota by quota class.

get_by_project(context, project_id, resource)

Get a specific quota by project.

get_by_project_and_user(context, project_id, user_id, resource)

Get a specific quota by project and user.

get_class_quotas(context, resources, quota_class, defaults=True)

Retrieve quotas for a quota class.

Given a list of resources, retrieve the quotas for the given quota class.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • quota_class – The name of the quota class to return quotas for.
  • defaults – If True, the default value will be reported if there is no specific value for the resource.
get_defaults(context, resources)

Given a list of resources, retrieve the default quotas.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
get_project_quotas(context, resources, project_id, quota_class=None, defaults=True, usages=True, remains=False)

Retrieve quotas for project.

Given a list of resources, retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The ID of the project to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use and reserved counts will also be returned.
  • remains – If True, the current remains of the project will will be returned.
get_settable_quotas(context, resources, project_id, user_id=None)

Retrieve range of settable quotas.

Given a list of resources, retrieve the range of settable quotas for the given user or project.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The ID of the project to return quotas for.
  • user_id – The ID of the user to return quotas for.
get_user_quotas(context, resources, project_id, user_id, quota_class=None, defaults=True, usages=True)

Retrieve quotas for user and project.

Given a list of resources, retrieve the quotas for the given user and project.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The ID of the project to return quotas for.
  • user_id – The ID of the user to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use and reserved counts will also be returned.
limit_check(context, resources, values, project_id=None, user_id=None)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • values – A dictionary of the values to check against the quota.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)
reserve(context, resources, deltas, expire=None, project_id=None, user_id=None)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • deltas – A dictionary of the proposed delta changes.
  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)
rollback(context, reservations, project_id=None, user_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)
usage_reset(context, resources)

Reset usage records.

Reset the usage records for a particular user on a list of resources. This will force that user’s usage records to be refreshed the next time a reservation is made.

Note: this does not affect the currently outstanding reservations the user has; those reservations must be committed or rolled back (or expired).

Parameters:
  • context – The request context, for access checks.
  • resources – A list of the resource names for which the usage must be reset.
class QuotaEngine(quota_driver_class=None)

Bases: object

Represent the set of recognized quotas.

commit(context, reservations, project_id=None, user_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
count(context, resource, *args, **kwargs)

Count a resource.

For countable resources, invokes the count() function and returns its result. Arguments following the context and resource are passed directly to the count function declared by the resource.

Parameters:
  • context – The request context, for access checks.
  • resource – The name of the resource, as a string.
destroy_all_by_project(context, project_id)

Destroy metadata associated with a project.

Destroy all quotas, usages, and reservations associated with a project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
destroy_all_by_project_and_user(context, project_id, user_id)

Destroy metadata associated with a project and user.

Destroy all quotas, usages, and reservations associated with a project and user.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project being deleted.
  • user_id – The ID of the user being deleted.
expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:context – The request context, for access checks.
get_by_class(context, quota_class, resource)

Get a specific quota by quota class.

get_by_project(context, project_id, resource)

Get a specific quota by project.

get_by_project_and_user(context, project_id, user_id, resource)

Get a specific quota by project and user.

get_class_quotas(context, quota_class, defaults=True)

Retrieve the quotas for the given quota class.

Parameters:
  • context – The request context, for access checks.
  • quota_class – The name of the quota class to return quotas for.
  • defaults – If True, the default value will be reported if there is no specific value for the resource.
get_defaults(context)

Retrieve the default quotas.

Parameters:context – The request context, for access checks.
get_project_quotas(context, project_id, quota_class=None, defaults=True, usages=True, remains=False)

Retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use and reserved counts will also be returned.
  • remains – If True, the current remains of the project will will be returned.
get_settable_quotas(context, project_id, user_id=None)

Get settable quotas.

Given a list of resources, retrieve the range of settable quotas for the given user or project.

Parameters:
  • context – The request context, for access checks.
  • resources – A dictionary of the registered resources.
  • project_id – The ID of the project to return quotas for.
  • user_id – The ID of the user to return quotas for.
get_user_quotas(context, project_id, user_id, quota_class=None, defaults=True, usages=True)

Retrieve the quotas for the given user and project.

Parameters:
  • context – The request context, for access checks.
  • project_id – The ID of the project to return quotas for.
  • user_id – The ID of the user to return quotas for.
  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.
  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.
  • usages – If True, the current in_use and reserved counts will also be returned.
limit_check(context, project_id=None, user_id=None, **values)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction. The values to check are given as keyword arguments, where the key identifies the specific quota limit to check, and the value is the proposed value.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)
register_resource(resource)

Register a resource.

register_resources(resources)

Register a list of resources.

reserve(context, expire=None, project_id=None, user_id=None, **deltas)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas. The deltas are given as keyword arguments, and current usage and other reservations are factored into the quota check.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.
  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
resources
rollback(context, reservations, project_id=None, user_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.
  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.
  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.
usage_reset(context, resources)

Reset usage records.

Reset the usage records for a particular user on a list of resources. This will force that user’s usage records to be refreshed the next time a reservation is made.

Note: this does not affect the currently outstanding reservations the user has; those reservations must be committed or rolled back (or expired).

Parameters:
  • context – The request context, for access checks.
  • resources – A list of the resource names for which the usage must be reset.
class ReservableResource(name, sync, flag=None)

Bases: manila.quota.BaseResource

Describe a reservable resource.

The manila.policy Module

Policy Engine For Manila

check_is_admin(roles)

Whether or not roles contain ‘admin’ role according to policy setting.

check_policy(context, resource, action, target_obj=None)
enforce(context, action, target, do_raise=True)

Verifies that the action is valid on the target in this context.

Parameters:
  • context – manila context
  • action – string representing the action to be checked, this should be colon separated for clarity. i.e. compute:create_instance, compute:attach_volume, volume:attach_volume
  • target – dictionary representing the object of the action for object creation, this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}
  • do_raise – Whether to raise an exception if check fails.
Returns:

When do_raise is False, returns a value that evaluates as True or False depending on whether the policy allows action on the target.

Raises:

manila.exception.PolicyNotAuthorized if verification fails and do_raise is True.

init(policy_path=None)
reset()
wrap_check_policy(resource)

Check policy corresponding to the wrapped methods prior to execution.

Tests

The test_quota Module

class BaseResourceTestCase(*args, **kwds)

Bases: manila.test.TestCase

test_no_flag()
test_quota_no_project_no_class()
test_quota_no_project_with_class()
test_quota_override_project_with_class()
test_quota_with_project_no_class()
test_quota_with_project_override_class()
test_quota_with_project_with_class()
test_with_flag()
test_with_flag_no_quota()
class DbQuotaDriverTestCase(*args, **kwds)

Bases: manila.test.TestCase

expected_all_context = {‘share_networks’: {‘in_use’: 0, ‘limit’: 10, ‘reserved’: 0}, ‘snapshots’: {‘in_use’: 4, ‘limit’: 10, ‘reserved’: 0}, ‘snapshot_gigabytes’: {‘in_use’: 20, ‘limit’: 50, ‘reserved’: 0}, ‘shares’: {‘in_use’: 2, ‘limit’: 10, ‘reserved’: 0}, ‘gigabytes’: {‘in_use’: 10, ‘limit’: 50, ‘reserved’: 0}}
setUp()
tearDown()
test_delete_by_project()
test_get_class_quotas()
test_get_class_quotas_no_defaults()
test_get_defaults()
test_get_project_quotas()
test_get_project_quotas_alt_context_no_class()
test_get_project_quotas_alt_context_with_class()
test_get_project_quotas_no_defaults()
test_get_project_quotas_no_usages()
test_get_project_quotas_with_remains()
test_get_quotas_has_sync()
test_get_quotas_has_sync_no_sync_resource()
test_get_quotas_has_sync_unknown()
test_get_quotas_no_sync_has_sync_resource()
test_get_quotas_no_sync_unknown()
test_get_settable_quotas_with_user()
test_get_settable_quotas_without_user()
test_get_user_quotas()
test_get_user_quotas_alt_context_no_class()
test_get_user_quotas_alt_context_with_class()
test_get_user_quotas_no_defaults()
test_get_user_quotas_no_usages()
test_reserve_bad_expire()
test_reserve_datetime_expire()
test_reserve_default_expire()
test_reserve_int_expire()
test_reserve_max_age()
test_reserve_timedelta_expire()
test_reserve_until_refresh()
class FakeContext(project_id, quota_class)

Bases: object

elevated()
class FakeDriver(by_project=None, by_class=None, reservations=None)

Bases: object

commit(context, reservations, project_id=None, user_id=None)
destroy_all_by_project(context, project_id)
destroy_all_by_project_and_user(context, project_id, user_id)
expire(context)
get_by_class(context, quota_class, resource)
get_by_project(context, project_id, resource)
get_class_quotas(context, resources, quota_class, defaults=True)
get_defaults(context, resources)
get_project_quotas(context, resources, project_id, quota_class=None, defaults=True, usages=True, remains=False)
limit_check(context, resources, values, project_id=None, user_id=None)
reserve(context, resources, deltas, expire=None, project_id=None, user_id=None)
rollback(context, reservations, project_id=None, user_id=None)
class FakeSession

Bases: object

add(instance)
begin()
class FakeUsage(**kwargs)

Bases: manila.db.sqlalchemy.models.QuotaUsage

created_at
deleted
deleted_at
id
in_use
project_id
reserved
resource
save(*args, **kwargs)
until_refresh
updated_at
user_id
class QuotaEngineTestCase(*args, **kwds)

Bases: manila.test.TestCase

test_commit()
test_count()
test_count_no_resource()
test_count_wrong_resource()
test_destroy_all_by_project()
test_destroy_all_by_project_and_user()
test_expire()
test_get_by_class()
test_get_by_project()
test_get_class_quotas()
test_get_defaults()
test_get_project_quotas()
test_init()
test_init_override_obj()
test_init_override_string()
test_limit_check()
test_register_resource()
test_register_resources()
test_reserve()
test_resources()
test_rollback()
test_sync_multi()
test_sync_predeclared()
class QuotaIntegrationTestCase(*args, **kwds)

Bases: manila.test.TestCase

setUp()
test_too_many_gigabytes(*args, **kwargs)
test_too_many_shares(*args, **kwargs)
class QuotaReserveSqlAlchemyTestCase(*args, **kwds)

Bases: manila.test.TestCase

compare_reservation(reservations, expected)
compare_usage(usage_dict, expected)
init_usage(project_id, user_id, resource, in_use, reserved, until_refresh=None, created_at=None, updated_at=None)
setUp()
tearDown()
test_quota_reserve_create_usages()
test_quota_reserve_max_age()
test_quota_reserve_negative_in_use()
test_quota_reserve_no_refresh()
test_quota_reserve_overs()
test_quota_reserve_reduction()
test_quota_reserve_unders()
test_quota_reserve_until_refresh()

The test_policy Module

Test of Policy Engine For Manila.

class ContextIsAdminPolicyTestCase(*args, **kwds)

Bases: manila.test.TestCase

setUp()
test_context_is_admin_undefined()
test_custom_admin_role_is_admin()
test_default_admin_role_is_admin()
class DefaultPolicyTestCase(*args, **kwds)

Bases: manila.test.TestCase

setUp()
tearDown()
test_default_not_found()
test_not_found_policy_calls_default()
test_policy_called()
class PolicyFileTestCase(*args, **kwds)

Bases: manila.test.TestCase

setUp()
test_modified_policy_reloads()
class PolicyTestCase(*args, **kwds)

Bases: manila.test.TestCase

setUp()
tearDown()
test_early_AND_enforcement()
test_early_OR_enforcement()
test_enforce_bad_action_throws()
test_enforce_good_action()
test_enforce_nonexistent_action_throws()
test_ignore_case_role_check()
test_templatized_enforcement()

System limits

The following limits need to be defined and enforced:

  • Maximum cumulative size of shares and snapshots (GB)
  • Total number of shares
  • Total number of snapshots
  • Total number of share networks
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.