def check_security_group_rule_quota(
            cls, proj_dict, db_conn, rule_count):
        quota_counter = cls.server.quota_counter
        obj_type = 'security_group_rule'
        quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)

        if (rule_count and quota_limit >= 0):
            path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid']
            path = path_prefix + "/" + obj_type
            if not quota_counter.get(path):
                # Init quota counter for security group rule
                QuotaHelper._zk_quota_counter_init(
                    path_prefix,
                    {obj_type: quota_limit},
                    proj_dict['uuid'],
                    db_conn,
                    quota_counter)
            ok, result = QuotaHelper.verify_quota(
                obj_type, quota_limit, quota_counter[path],
                count=rule_count)
            if not ok:
                msg = "security_group_entries: %d" % quota_limit
                return False, (QUOTA_OVER_ERROR_CODE, msg)

            def undo():
                # Revert back quota count
                quota_counter[path] -= rule_count
            get_context().push_undo(undo)

        return True, ""
    def check_security_group_rule_quota(cls, proj_dict, db_conn, rule_count):
        quota_counter = cls.server.quota_counter
        obj_type = 'security_group_rule'
        quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)

        if (rule_count and quota_limit >= 0):
            path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid']
            path = path_prefix + "/" + obj_type
            if not quota_counter.get(path):
                # Init quota counter for security group rule
                QuotaHelper._zk_quota_counter_init(path_prefix,
                                                   {obj_type: quota_limit},
                                                   proj_dict['uuid'], db_conn,
                                                   quota_counter)
            ok, result = QuotaHelper.verify_quota(obj_type,
                                                  quota_limit,
                                                  quota_counter[path],
                                                  count=rule_count)
            if not ok:
                msg = "security_group_entries: %d" % quota_limit
                return False, (QUOTA_OVER_ERROR_CODE, msg)

            def undo():
                # Revert back quota count
                quota_counter[path] -= rule_count

            get_context().push_undo(undo)

        return True, ""
    def pre_dbe_delete(cls, id, obj_dict, db_conn):
        ok, result = cls.dbe_read(db_conn, 'security_group', id)
        if not ok:
            return ok, result, None
        sg_dict = result

        if sg_dict['id_perms'].get('user_visible', True) is not False:
            ok, result = QuotaHelper.get_project_dict_for_quota(
                sg_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result, None
            proj_dict = result
            obj_type = 'security_group_rule'
            quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)

            if 'security_group_entries' in obj_dict and quota_limit >= 0:
                rule_count = len(
                    obj_dict['security_group_entries']['policy_rule'])
                path_prefix = (_DEFAULT_ZK_COUNTER_PATH_PREFIX +
                               proj_dict['uuid'])
                path = path_prefix + "/" + obj_type
                quota_counter = cls.server.quota_counter
                # If the SG has been created before R3, there is no
                # path in ZK. It is created on next update and we
                # can ignore it for now
                if quota_counter.get(path):
                    quota_counter[path] -= rule_count

                    def undo():
                        # Revert back quota count
                        quota_counter[path] += rule_count
                    get_context().push_undo(undo)

        return True, "", None
    def pre_dbe_delete(cls, id, obj_dict, db_conn):
        ok, result = cls.dbe_read(db_conn, 'security_group', id)
        if not ok:
            return ok, result, None
        sg_dict = result

        if sg_dict['id_perms'].get('user_visible', True) is not False:
            ok, result = QuotaHelper.get_project_dict_for_quota(
                sg_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result, None
            proj_dict = result
            obj_type = 'security_group_rule'
            quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)

            if 'security_group_entries' in obj_dict and quota_limit >= 0:
                rule_count = len(
                    obj_dict['security_group_entries']['policy_rule'])
                path_prefix = (_DEFAULT_ZK_COUNTER_PATH_PREFIX +
                               proj_dict['uuid'])
                path = path_prefix + "/" + obj_type
                quota_counter = cls.server.quota_counter
                # If the SG has been created before R3, there is no
                # path in ZK. It is created on next update and we
                # can ignore it for now
                if quota_counter.get(path):
                    quota_counter[path] -= rule_count

                    def undo():
                        # Revert back quota count
                        quota_counter[path] += rule_count

                    get_context().push_undo(undo)

        return True, "", None
    def pre_dbe_delete(cls, id, obj_dict, db_conn):
        cls.addr_mgmt.net_delete_req(obj_dict)
        if obj_dict['id_perms'].get('user_visible', True) is not False:
            ok, result = QuotaHelper.get_project_dict_for_quota(
                obj_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result, None
            proj_dict = result
            ok, (subnet_count, counter) =\
                cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict)
            if subnet_count:
                counter -= subnet_count

            def undo_subnet():
                ok, (subnet_count, counter) =\
                    cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict)
                if subnet_count:
                    counter += subnet_count

            get_context().push_undo(undo_subnet)

        def undo():
            cls.addr_mgmt.net_create_req(obj_dict)

        get_context().push_undo(undo)
        return True, "", None
    def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):

        ok, response = check_policy_rules(
            obj_dict.get('security_group_entries'))
        if not ok:
            return ok, response

        # Does not authorize to set the security group ID as it's allocated
        # by the vnc server
        if obj_dict.get('security_group_id') is not None:
            return (False, (403, "Cannot set the security group ID"))

        if obj_dict['id_perms'].get('user_visible', True):
            ok, result = QuotaHelper.get_project_dict_for_quota(
                obj_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result
            proj_dict = result

            rule_count = len(cls.get_nested_key_as_list(obj_dict,
                             'security_group_entries', 'policy_rule'))
            ok, result = cls.check_security_group_rule_quota(
                proj_dict, db_conn, rule_count)
            if not ok:
                return ok, result

        # Allocate security group ID if necessary
        return cls._set_configured_security_group_id(obj_dict)
    def pre_dbe_create(cls, tenant_name, obj_dict, db_conn):

        ok, response = check_policy_rules(
            obj_dict.get('security_group_entries'))
        if not ok:
            return ok, response

        # Does not authorize to set the security group ID as it's allocated
        # by the vnc server
        if obj_dict.get('security_group_id') is not None:
            return (False, (403, "Cannot set the security group ID"))

        if obj_dict['id_perms'].get('user_visible', True):
            ok, result = QuotaHelper.get_project_dict_for_quota(
                obj_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result
            proj_dict = result

            rule_count = len(
                cls.get_nested_key_as_list(obj_dict, 'security_group_entries',
                                           'policy_rule'))
            ok, result = cls.check_security_group_rule_quota(
                proj_dict, db_conn, rule_count)
            if not ok:
                return ok, result

        # Allocate security group ID if necessary
        return cls._set_configured_security_group_id(obj_dict)
示例#8
0
    def get_quota_for_resource(cls, obj_type, obj_dict, db_conn):
        user_visible = obj_dict['id_perms'].get('user_visible', True)
        if not user_visible or obj_type not in QuotaType.attr_fields:
            return True, -1, None

        proj_uuid = cls.get_project_id_for_resource(obj_dict, obj_type,
                                                    db_conn)

        if proj_uuid is None:
            return True, -1, None

        ok, result = QuotaHelper.get_project_dict_for_quota(proj_uuid, db_conn)
        if not ok:
            return False, result
        proj_dict = result

        quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type)
        return True, quota_limit, proj_uuid
示例#9
0
    def dbe_update_notification(cls, obj_id, extra_dict=None):
        quota_counter = cls.server.quota_counter
        db_conn = cls.server._db_conn
        ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn)
        if not ok:
            return False, result
        proj_dict = result

        quota_limits = QuotaHelper.get_quota_limits(proj_dict)
        for obj_type, quota_limit in list(quota_limits.items()):
            path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id
            path = path_prefix + "/" + obj_type
            if (quota_counter.get(path)
                    and (quota_limit == -1 or quota_limit is None)):
                # free the counter from cache for resources updated
                # with unlimted quota
                del quota_counter[path]

        return True, ''
    def check_openstack_firewall_group_quota(cls, obj_dict, deleted=False):
        obj_type = 'firewall_group'
        if (not obj_dict['id_perms'].get('user_visible', True) or
                obj_dict.get('parent_type') != Project.object_type):
            return True, ''

        ok, result = QuotaHelper.get_project_dict_for_quota(
            obj_dict['parent_uuid'], cls.db_conn)
        if not ok:
            return False, result
        project = result
        quota_limit = QuotaHelper.get_quota_limit(project, obj_type)
        if quota_limit < 0:
            return True, ''

        quota_count = 1
        if deleted:
            quota_count = -1

        path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + project['uuid']
        path = path_prefix + "/" + obj_type
        if not cls.server.quota_counter.get(path):
            QuotaHelper._zk_quota_counter_init(
                path_prefix,
                {obj_type: quota_limit},
                project['uuid'],
                cls.db_conn,
                cls.server.quota_counter)
        return QuotaHelper.verify_quota(
            obj_type, quota_limit, cls.server.quota_counter[path], quota_count)

        def undo():
            # revert back counter in case of any failure during creation
            if not deleted:
                cls.server.quota_counter[path] -= 1
            else:
                cls.server.quota_counter[path] += 1
        get_context().push_undo(undo)

        return True, ''
    def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs):
        deallocated_security_group_id = None
        ok, result = cls.dbe_read(db_conn, 'security_group', id)
        if not ok:
            return ok, result
        sg_dict = result

        # Does not authorize to update the security group ID as it's allocated
        # by the vnc server
        new_sg_id = obj_dict.get('security_group_id')
        if (new_sg_id is not None
                and int(new_sg_id) != sg_dict['security_group_id']):
            return (False, (403, "Cannot update the security group ID"))

        # Update the configured security group ID
        if 'configured_security_group_id' in obj_dict:
            actual_sg_id = sg_dict['security_group_id']
            sg_dict['configured_security_group_id'] =\
                obj_dict['configured_security_group_id']
            ok, result = cls._set_configured_security_group_id(sg_dict)
            if not ok:
                return ok, result
            if actual_sg_id != sg_dict['security_group_id']:
                deallocated_security_group_id = actual_sg_id
            obj_dict['security_group_id'] = sg_dict['security_group_id']

        ok, result = check_policy_rules(obj_dict.get('security_group_entries'))
        if not ok:
            return ok, result

        if sg_dict['id_perms'].get('user_visible', True):
            ok, result = QuotaHelper.get_project_dict_for_quota(
                sg_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result
            proj_dict = result
            new_rule_count = len(
                cls.get_nested_key_as_list(obj_dict, 'security_group_entries',
                                           'policy_rule'))
            existing_rule_count = len(
                cls.get_nested_key_as_list(sg_dict, 'security_group_entries',
                                           'policy_rule'))
            rule_count = (new_rule_count - existing_rule_count)
            ok, result = cls.check_security_group_rule_quota(
                proj_dict, db_conn, rule_count)
            if not ok:
                return ok, result

        return True, {
            'deallocated_security_group_id': deallocated_security_group_id,
        }
    def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs):
        deallocated_security_group_id = None
        ok, result = cls.dbe_read(db_conn, 'security_group', id)
        if not ok:
            return ok, result
        sg_dict = result

        # Does not authorize to update the security group ID as it's allocated
        # by the vnc server
        new_sg_id = obj_dict.get('security_group_id')
        if (new_sg_id is not None and
                int(new_sg_id) != sg_dict['security_group_id']):
            return (False, (403, "Cannot update the security group ID"))

        # Update the configured security group ID
        if 'configured_security_group_id' in obj_dict:
            actual_sg_id = sg_dict['security_group_id']
            sg_dict['configured_security_group_id'] =\
                obj_dict['configured_security_group_id']
            ok, result = cls._set_configured_security_group_id(sg_dict)
            if not ok:
                return ok, result
            if actual_sg_id != sg_dict['security_group_id']:
                deallocated_security_group_id = actual_sg_id
            obj_dict['security_group_id'] = sg_dict['security_group_id']

        ok, result = check_policy_rules(
            obj_dict.get('security_group_entries'))
        if not ok:
            return ok, result

        if sg_dict['id_perms'].get('user_visible', True):
            ok, result = QuotaHelper.get_project_dict_for_quota(
                sg_dict['parent_uuid'], db_conn)
            if not ok:
                return False, result
            proj_dict = result
            new_rule_count = len(cls.get_nested_key_as_list(
                obj_dict, 'security_group_entries', 'policy_rule'))
            existing_rule_count = len(cls.get_nested_key_as_list(
                sg_dict, 'security_group_entries', 'policy_rule'))
            rule_count = (new_rule_count - existing_rule_count)
            ok, result = cls.check_security_group_rule_quota(
                proj_dict, db_conn, rule_count)
            if not ok:
                return ok, result

        return True, {
            'deallocated_security_group_id': deallocated_security_group_id,
        }
示例#13
0
    def dbe_update_notification(cls, obj_id, extra_dict=None):
        quota_counter = cls.server.quota_counter
        db_conn = cls.server._db_conn
        ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn)
        if not ok:
            return False, result
        proj_dict = result

        for obj_type, quota_limit in proj_dict.get('quota', {}).items():
            path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id
            path = path_prefix + "/" + obj_type
            if (quota_counter.get(path) and (quota_limit == -1 or
                                             quota_limit is None)):
                # free the counter from cache for resources updated
                # with unlimted quota
                del quota_counter[path]

        return True, ''