Merge "FWaaS quota registration"

openstack · Feb 26, 2016 · 8dc85b4 · 8dc85b4
2 parents 2353a43 + e338df4
commit 8dc85b4
Show file tree

Hide file tree

Showing 4 changed files with 73 additions and 6 deletions.
diff --git a/neutron_fwaas/extensions/firewall.py b/neutron_fwaas/extensions/firewall.py
@@ -353,13 +353,18 @@ def _validate_ip_or_subnet_or_none(data, valid_values=None):
     },
 }
 
+# A tenant may have a unique firewall and policy for each router
+# when router insertion is used.
+# Set default quotas to align with default l3 quota_router of 10
+# though keep as separately controllable.
+
 firewall_quota_opts = [
     cfg.IntOpt('quota_firewall',
-               default=1,
+               default=10,
                help=_('Number of firewalls allowed per tenant. '
                       'A negative value means unlimited.')),
     cfg.IntOpt('quota_firewall_policy',
-               default=1,
+               default=10,
                help=_('Number of firewall policies allowed per tenant. '
                       'A negative value means unlimited.')),
     cfg.IntOpt('quota_firewall_rule',
@@ -403,7 +408,8 @@ def get_resources(cls):
         return resource_helper.build_resource_info(plural_mappings,
                                                    RESOURCE_ATTRIBUTE_MAP,
                                                    p_const.FIREWALL,
-                                                   action_map=action_map)
+                                                   action_map=action_map,
+                                                   register_quota=True)
 
     @classmethod
     def get_plugin_interface(cls):

diff --git a/neutron_fwaas/opts.py b/neutron_fwaas/opts.py
@@ -18,3 +18,10 @@ def list_agent_opts():
         ('fwaas',
          neutron_fwaas.services.firewall.agents.firewall_agent_api.FWaaSOpts)
     ]
+
+
+def list_opts():
+    return [
+        ('quotas',
+         neutron_fwaas.extensions.firewall.firewall_quota_opts)
+    ]
diff --git a/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py b/neutron_fwaas/tests/unit/services/firewall/test_fwaas_plugin.py
@@ -63,10 +63,8 @@ def setUp(self, core_plugin=None, fw_plugin=None, ext_mgr=None):
             create=True, new=test_db_firewall.FakeAgentApi().delete_firewall)
         self.agentapi_del_fw_p.start()
 
-        plugin = None
         # the plugin without L3 support
-        if not plugin:
-            plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
+        plugin = 'neutron.tests.unit.extensions.test_l3.TestNoL3NatPlugin'
         # the L3 service plugin
         l3_plugin = ('neutron.tests.unit.extensions.test_l3.'
                      'TestL3NatServicePlugin')
@@ -641,3 +639,39 @@ def test_remove_rule_notif(self):
             expected_event_type = 'firewall_policy.update.remove_rule'
             event_types = [event['event_type'] for event in notifications]
             self.assertIn(expected_event_type, event_types)
+
+    def test_firewall_quota_lower(self):
+        """Test quota using overridden value."""
+        cfg.CONF.set_override('quota_firewall', 3, group='QUOTAS')
+        with self.firewall(name='quota1'), \
+                self.firewall(name='quota2'), \
+                self.firewall(name='quota3'):
+            data = {'firewall': {'name': 'quota4',
+                                 'firewall_policy_id': None,
+                                 'tenant_id': self._tenant_id,
+                                 'shared': False}}
+            req = self.new_create_request('firewalls', data, 'json')
+            res = req.get_response(self.ext_api)
+            self.assertIn('Quota exceeded', res.body.decode('utf-8'))
+            self.assertEqual(exc.HTTPConflict.code, res.status_int)
+
+    def test_firewall_quota_default(self):
+        """Test quota using default value."""
+        with self.firewall(name='quota1'), \
+                self.firewall(name='quota2'), \
+                self.firewall(name='quota3'), \
+                self.firewall(name='quota4'), \
+                self.firewall(name='quota5'), \
+                self.firewall(name='quota6'), \
+                self.firewall(name='quota7'), \
+                self.firewall(name='quota8'), \
+                self.firewall(name='quota9'), \
+                self.firewall(name='quota10'):
+            data = {'firewall': {'name': 'quota11',
+                                 'firewall_policy_id': None,
+                                 'tenant_id': self._tenant_id,
+                                 'shared': False}}
+            req = self.new_create_request('firewalls', data, 'json')
+            res = req.get_response(self.ext_api)
+            self.assertIn('Quota exceeded', res.body.decode('utf-8'))
+            self.assertEqual(exc.HTTPConflict.code, res.status_int)
diff --git a/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml b/releasenotes/notes/enable-quotas-a3d0a21743bb1985.yaml
@@ -0,0 +1,20 @@
+---
+prelude: >
+    Enable quotas for FWaaS.
+features:
+  - The FWaaS extension will register quotas.
+    The default values for quota_firewall and
+    quota_firewall_policy are set to 10.
+    The default value for quota_firewall_rule
+    is set to 100.
+    Quotas can be adjusted in the conf files, including
+    -1 values to allow unlimited.
+issues:
+  - Tenants may receive a 409 Conflict error with a
+    message body containing a quota exceeded message
+    during resource creation if their quota is exceeded.
+other:
+  - Operators that increase the default limit for quota_routers
+    from 10 may want to bump FWaaS quotas as well, since with
+    router insertion a tenant can potentially have a unique
+    policy and firewall for each router.