def check_security_group_rule_quota(
cls, proj_dict, db_conn, rule_count):
quota_counter = cls.server.quota_counter
obj_type = 'security_group_rule'
quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
if (rule_count and quota_limit >= 0):
path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid']
path = path_prefix + "/" + obj_type
if not quota_counter.get(path):
# Init quota counter for security group rule
QuotaHelper._zk_quota_counter_init(
path_prefix,
{obj_type: quota_limit},
proj_dict['uuid'],
db_conn,
quota_counter)
ok, result = QuotaHelper.verify_quota(
obj_type, quota_limit, quota_counter[path],
count=rule_count)
if not ok:
msg = "security_group_entries: %d" % quota_limit
return False, (QUOTA_OVER_ERROR_CODE, msg)
def undo():
# Revert back quota count
quota_counter[path] -= rule_count
get_context().push_undo(undo)
return True, ""
def check_security_group_rule_quota(cls, proj_dict, db_conn, rule_count):
quota_counter = cls.server.quota_counter
obj_type = 'security_group_rule'
quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
if (rule_count and quota_limit >= 0):
path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid']
path = path_prefix + "/" + obj_type
if not quota_counter.get(path):
# Init quota counter for security group rule
QuotaHelper._zk_quota_counter_init(path_prefix,
{obj_type: quota_limit},
proj_dict['uuid'], db_conn,
quota_counter)
ok, result = QuotaHelper.verify_quota(obj_type,
quota_limit,
quota_counter[path],
count=rule_count)
if not ok:
msg = "security_group_entries: %d" % quota_limit
return False, (QUOTA_OVER_ERROR_CODE, msg)
def undo():
# Revert back quota count
quota_counter[path] -= rule_count
get_context().push_undo(undo)
return True, ""
def pre_dbe_delete(cls, id, obj_dict, db_conn):
ok, result = cls.dbe_read(db_conn, 'security_group', id)
if not ok:
return ok, result, None
sg_dict = result
if sg_dict['id_perms'].get('user_visible', True) is not False:
ok, result = QuotaHelper.get_project_dict_for_quota(
sg_dict['parent_uuid'], db_conn)
if not ok:
return False, result, None
proj_dict = result
obj_type = 'security_group_rule'
quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
if 'security_group_entries' in obj_dict and quota_limit >= 0:
rule_count = len(
obj_dict['security_group_entries']['policy_rule'])
path_prefix = (_DEFAULT_ZK_COUNTER_PATH_PREFIX +
proj_dict['uuid'])
path = path_prefix + "/" + obj_type
quota_counter = cls.server.quota_counter
# If the SG has been created before R3, there is no
# path in ZK. It is created on next update and we
# can ignore it for now
if quota_counter.get(path):
quota_counter[path] -= rule_count
def undo():
# Revert back quota count
quota_counter[path] += rule_count
get_context().push_undo(undo)
return True, "", None
def pre_dbe_delete(cls, id, obj_dict, db_conn):
ok, result = cls.dbe_read(db_conn, 'security_group', id)
if not ok:
return ok, result, None
sg_dict = result
if sg_dict['id_perms'].get('user_visible', True) is not False:
ok, result = QuotaHelper.get_project_dict_for_quota(
sg_dict['parent_uuid'], db_conn)
if not ok:
return False, result, None
proj_dict = result
obj_type = 'security_group_rule'
quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
if 'security_group_entries' in obj_dict and quota_limit >= 0:
rule_count = len(
obj_dict['security_group_entries']['policy_rule'])
path_prefix = (_DEFAULT_ZK_COUNTER_PATH_PREFIX +
proj_dict['uuid'])
path = path_prefix + "/" + obj_type
quota_counter = cls.server.quota_counter
# If the SG has been created before R3, there is no
# path in ZK. It is created on next update and we
# can ignore it for now
if quota_counter.get(path):
quota_counter[path] -= rule_count
def undo():
# Revert back quota count
quota_counter[path] += rule_count
get_context().push_undo(undo)
return True, "", None
def pre_dbe_delete(cls, id, obj_dict, db_conn):
cls.addr_mgmt.net_delete_req(obj_dict)
if obj_dict['id_perms'].get('user_visible', True) is not False:
ok, result = QuotaHelper.get_project_dict_for_quota(
obj_dict['parent_uuid'], db_conn)
if not ok:
return False, result, None
proj_dict = result
ok, (subnet_count, counter) =\
cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict)
if subnet_count:
counter -= subnet_count
def undo_subnet():
ok, (subnet_count, counter) =\
cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict)
if subnet_count:
counter += subnet_count
get_context().push_undo(undo_subnet)
def undo():
cls.addr_mgmt.net_create_req(obj_dict)
get_context().push_undo(undo)
return True, "", None
def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):
ok, response = check_policy_rules(
obj_dict.get('security_group_entries'))
if not ok:
return ok, response
# Does not authorize to set the security group ID as it's allocated
# by the vnc server
if obj_dict.get('security_group_id') is not None:
return (False, (403, "Cannot set the security group ID"))
if obj_dict['id_perms'].get('user_visible', True):
ok, result = QuotaHelper.get_project_dict_for_quota(
obj_dict['parent_uuid'], db_conn)
if not ok:
return False, result
proj_dict = result
rule_count = len(cls.get_nested_key_as_list(obj_dict,
'security_group_entries', 'policy_rule'))
ok, result = cls.check_security_group_rule_quota(
proj_dict, db_conn, rule_count)
if not ok:
return ok, result
# Allocate security group ID if necessary
return cls._set_configured_security_group_id(obj_dict)
def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):
ok, response = check_policy_rules(
obj_dict.get('security_group_entries'))
if not ok:
return ok, response
# Does not authorize to set the security group ID as it's allocated
# by the vnc server
if obj_dict.get('security_group_id') is not None:
return (False, (403, "Cannot set the security group ID"))
if obj_dict['id_perms'].get('user_visible', True):
ok, result = QuotaHelper.get_project_dict_for_quota(
obj_dict['parent_uuid'], db_conn)
if not ok:
return False, result
proj_dict = result
rule_count = len(
cls.get_nested_key_as_list(obj_dict, 'security_group_entries',
'policy_rule'))
ok, result = cls.check_security_group_rule_quota(
proj_dict, db_conn, rule_count)
if not ok:
return ok, result
# Allocate security group ID if necessary
return cls._set_configured_security_group_id(obj_dict)
def get_quota_for_resource(cls, obj_type, obj_dict, db_conn):
user_visible = obj_dict['id_perms'].get('user_visible', True)
if not user_visible or obj_type not in QuotaType.attr_fields:
return True, -1, None
proj_uuid = cls.get_project_id_for_resource(obj_dict, obj_type,
db_conn)
if proj_uuid is None:
return True, -1, None
ok, result = QuotaHelper.get_project_dict_for_quota(proj_uuid, db_conn)
if not ok:
return False, result
proj_dict = result
quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
return True, quota_limit, proj_uuid
def dbe_update_notification(cls, obj_id, extra_dict=None):
quota_counter = cls.server.quota_counter
db_conn = cls.server._db_conn
ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn)
if not ok:
return False, result
proj_dict = result
quota_limits = QuotaHelper.get_quota_limits(proj_dict)
for obj_type, quota_limit in list(quota_limits.items()):
path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id
path = path_prefix + "/" + obj_type
if (quota_counter.get(path)
and (quota_limit == -1 or quota_limit is None)):
# free the counter from cache for resources updated
# with unlimted quota
del quota_counter[path]
return True, ''
def check_openstack_firewall_group_quota(cls, obj_dict, deleted=False):
obj_type = 'firewall_group'
if (not obj_dict['id_perms'].get('user_visible', True) or
obj_dict.get('parent_type') != Project.object_type):
return True, ''
ok, result = QuotaHelper.get_project_dict_for_quota(
obj_dict['parent_uuid'], cls.db_conn)
if not ok:
return False, result
project = result
quota_limit = QuotaHelper.get_quota_limit(project, obj_type)
if quota_limit < 0:
return True, ''
quota_count = 1
if deleted:
quota_count = -1
path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + project['uuid']
path = path_prefix + "/" + obj_type
if not cls.server.quota_counter.get(path):
QuotaHelper._zk_quota_counter_init(
path_prefix,
{obj_type: quota_limit},
project['uuid'],
cls.db_conn,
cls.server.quota_counter)
return QuotaHelper.verify_quota(
obj_type, quota_limit, cls.server.quota_counter[path], quota_count)
def undo():
# revert back counter in case of any failure during creation
if not deleted:
cls.server.quota_counter[path] -= 1
else:
cls.server.quota_counter[path] += 1
get_context().push_undo(undo)
return True, ''
def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs):
deallocated_security_group_id = None
ok, result = cls.dbe_read(db_conn, 'security_group', id)
if not ok:
return ok, result
sg_dict = result
# Does not authorize to update the security group ID as it's allocated
# by the vnc server
new_sg_id = obj_dict.get('security_group_id')
if (new_sg_id is not None
and int(new_sg_id) != sg_dict['security_group_id']):
return (False, (403, "Cannot update the security group ID"))
# Update the configured security group ID
if 'configured_security_group_id' in obj_dict:
actual_sg_id = sg_dict['security_group_id']
sg_dict['configured_security_group_id'] =\
obj_dict['configured_security_group_id']
ok, result = cls._set_configured_security_group_id(sg_dict)
if not ok:
return ok, result
if actual_sg_id != sg_dict['security_group_id']:
deallocated_security_group_id = actual_sg_id
obj_dict['security_group_id'] = sg_dict['security_group_id']
ok, result = check_policy_rules(obj_dict.get('security_group_entries'))
if not ok:
return ok, result
if sg_dict['id_perms'].get('user_visible', True):
ok, result = QuotaHelper.get_project_dict_for_quota(
sg_dict['parent_uuid'], db_conn)
if not ok:
return False, result
proj_dict = result
new_rule_count = len(
cls.get_nested_key_as_list(obj_dict, 'security_group_entries',
'policy_rule'))
existing_rule_count = len(
cls.get_nested_key_as_list(sg_dict, 'security_group_entries',
'policy_rule'))
rule_count = (new_rule_count - existing_rule_count)
ok, result = cls.check_security_group_rule_quota(
proj_dict, db_conn, rule_count)
if not ok:
return ok, result
return True, {
'deallocated_security_group_id': deallocated_security_group_id,
}
def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs):
deallocated_security_group_id = None
ok, result = cls.dbe_read(db_conn, 'security_group', id)
if not ok:
return ok, result
sg_dict = result
# Does not authorize to update the security group ID as it's allocated
# by the vnc server
new_sg_id = obj_dict.get('security_group_id')
if (new_sg_id is not None and
int(new_sg_id) != sg_dict['security_group_id']):
return (False, (403, "Cannot update the security group ID"))
# Update the configured security group ID
if 'configured_security_group_id' in obj_dict:
actual_sg_id = sg_dict['security_group_id']
sg_dict['configured_security_group_id'] =\
obj_dict['configured_security_group_id']
ok, result = cls._set_configured_security_group_id(sg_dict)
if not ok:
return ok, result
if actual_sg_id != sg_dict['security_group_id']:
deallocated_security_group_id = actual_sg_id
obj_dict['security_group_id'] = sg_dict['security_group_id']
ok, result = check_policy_rules(
obj_dict.get('security_group_entries'))
if not ok:
return ok, result
if sg_dict['id_perms'].get('user_visible', True):
ok, result = QuotaHelper.get_project_dict_for_quota(
sg_dict['parent_uuid'], db_conn)
if not ok:
return False, result
proj_dict = result
new_rule_count = len(cls.get_nested_key_as_list(
obj_dict, 'security_group_entries', 'policy_rule'))
existing_rule_count = len(cls.get_nested_key_as_list(
sg_dict, 'security_group_entries', 'policy_rule'))
rule_count = (new_rule_count - existing_rule_count)
ok, result = cls.check_security_group_rule_quota(
proj_dict, db_conn, rule_count)
if not ok:
return ok, result
return True, {
'deallocated_security_group_id': deallocated_security_group_id,
}
def dbe_update_notification(cls, obj_id, extra_dict=None):
quota_counter = cls.server.quota_counter
db_conn = cls.server._db_conn
ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn)
if not ok:
return False, result
proj_dict = result
for obj_type, quota_limit in proj_dict.get('quota', {}).items():
path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id
path = path_prefix + "/" + obj_type
if (quota_counter.get(path) and (quota_limit == -1 or
quota_limit is None)):
# free the counter from cache for resources updated
# with unlimted quota
del quota_counter[path]
return True, ''
