def check_security_group_rule_quota( cls, proj_dict, db_conn, rule_count): quota_counter = cls.server.quota_counter obj_type = 'security_group_rule' quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type) if (rule_count and quota_limit >= 0): path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid'] path = path_prefix + "/" + obj_type if not quota_counter.get(path): # Init quota counter for security group rule QuotaHelper._zk_quota_counter_init( path_prefix, {obj_type: quota_limit}, proj_dict['uuid'], db_conn, quota_counter) ok, result = QuotaHelper.verify_quota( obj_type, quota_limit, quota_counter[path], count=rule_count) if not ok: msg = "security_group_entries: %d" % quota_limit return False, (QUOTA_OVER_ERROR_CODE, msg) def undo(): # Revert back quota count quota_counter[path] -= rule_count get_context().push_undo(undo) return True, ""
def check_security_group_rule_quota(cls, proj_dict, db_conn, rule_count): quota_counter = cls.server.quota_counter obj_type = 'security_group_rule' quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type) if (rule_count and quota_limit >= 0): path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid'] path = path_prefix + "/" + obj_type if not quota_counter.get(path): # Init quota counter for security group rule QuotaHelper._zk_quota_counter_init(path_prefix, {obj_type: quota_limit}, proj_dict['uuid'], db_conn, quota_counter) ok, result = QuotaHelper.verify_quota(obj_type, quota_limit, quota_counter[path], count=rule_count) if not ok: msg = "security_group_entries: %d" % quota_limit return False, (QUOTA_OVER_ERROR_CODE, msg) def undo(): # Revert back quota count quota_counter[path] -= rule_count get_context().push_undo(undo) return True, ""
def pre_dbe_delete(cls, id, obj_dict, db_conn): ok, result = cls.dbe_read(db_conn, 'security_group', id) if not ok: return ok, result, None sg_dict = result if sg_dict['id_perms'].get('user_visible', True) is not False: ok, result = QuotaHelper.get_project_dict_for_quota( sg_dict['parent_uuid'], db_conn) if not ok: return False, result, None proj_dict = result obj_type = 'security_group_rule' quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type) if 'security_group_entries' in obj_dict and quota_limit >= 0: rule_count = len( obj_dict['security_group_entries']['policy_rule']) path_prefix = (_DEFAULT_ZK_COUNTER_PATH_PREFIX + proj_dict['uuid']) path = path_prefix + "/" + obj_type quota_counter = cls.server.quota_counter # If the SG has been created before R3, there is no # path in ZK. It is created on next update and we # can ignore it for now if quota_counter.get(path): quota_counter[path] -= rule_count def undo(): # Revert back quota count quota_counter[path] += rule_count get_context().push_undo(undo) return True, "", None
def pre_dbe_delete(cls, id, obj_dict, db_conn): cls.addr_mgmt.net_delete_req(obj_dict) if obj_dict['id_perms'].get('user_visible', True) is not False: ok, result = QuotaHelper.get_project_dict_for_quota( obj_dict['parent_uuid'], db_conn) if not ok: return False, result, None proj_dict = result ok, (subnet_count, counter) =\ cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict) if subnet_count: counter -= subnet_count def undo_subnet(): ok, (subnet_count, counter) =\ cls.addr_mgmt.get_subnet_quota_counter(obj_dict, proj_dict) if subnet_count: counter += subnet_count get_context().push_undo(undo_subnet) def undo(): cls.addr_mgmt.net_create_req(obj_dict) get_context().push_undo(undo) return True, "", None
def pre_dbe_create(cls, tenant_name, obj_dict, db_conn): ok, response = check_policy_rules( obj_dict.get('security_group_entries')) if not ok: return ok, response # Does not authorize to set the security group ID as it's allocated # by the vnc server if obj_dict.get('security_group_id') is not None: return (False, (403, "Cannot set the security group ID")) if obj_dict['id_perms'].get('user_visible', True): ok, result = QuotaHelper.get_project_dict_for_quota( obj_dict['parent_uuid'], db_conn) if not ok: return False, result proj_dict = result rule_count = len(cls.get_nested_key_as_list(obj_dict, 'security_group_entries', 'policy_rule')) ok, result = cls.check_security_group_rule_quota( proj_dict, db_conn, rule_count) if not ok: return ok, result # Allocate security group ID if necessary return cls._set_configured_security_group_id(obj_dict)
def pre_dbe_create(cls, tenant_name, obj_dict, db_conn): ok, response = check_policy_rules( obj_dict.get('security_group_entries')) if not ok: return ok, response # Does not authorize to set the security group ID as it's allocated # by the vnc server if obj_dict.get('security_group_id') is not None: return (False, (403, "Cannot set the security group ID")) if obj_dict['id_perms'].get('user_visible', True): ok, result = QuotaHelper.get_project_dict_for_quota( obj_dict['parent_uuid'], db_conn) if not ok: return False, result proj_dict = result rule_count = len( cls.get_nested_key_as_list(obj_dict, 'security_group_entries', 'policy_rule')) ok, result = cls.check_security_group_rule_quota( proj_dict, db_conn, rule_count) if not ok: return ok, result # Allocate security group ID if necessary return cls._set_configured_security_group_id(obj_dict)
def get_quota_for_resource(cls, obj_type, obj_dict, db_conn): user_visible = obj_dict['id_perms'].get('user_visible', True) if not user_visible or obj_type not in QuotaType.attr_fields: return True, -1, None proj_uuid = cls.get_project_id_for_resource(obj_dict, obj_type, db_conn) if proj_uuid is None: return True, -1, None ok, result = QuotaHelper.get_project_dict_for_quota(proj_uuid, db_conn) if not ok: return False, result proj_dict = result quota_limit = QuotaHelper.get_quota_limit(proj_dict, obj_type) return True, quota_limit, proj_uuid
def dbe_update_notification(cls, obj_id, extra_dict=None): quota_counter = cls.server.quota_counter db_conn = cls.server._db_conn ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn) if not ok: return False, result proj_dict = result quota_limits = QuotaHelper.get_quota_limits(proj_dict) for obj_type, quota_limit in list(quota_limits.items()): path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id path = path_prefix + "/" + obj_type if (quota_counter.get(path) and (quota_limit == -1 or quota_limit is None)): # free the counter from cache for resources updated # with unlimted quota del quota_counter[path] return True, ''
def check_openstack_firewall_group_quota(cls, obj_dict, deleted=False): obj_type = 'firewall_group' if (not obj_dict['id_perms'].get('user_visible', True) or obj_dict.get('parent_type') != Project.object_type): return True, '' ok, result = QuotaHelper.get_project_dict_for_quota( obj_dict['parent_uuid'], cls.db_conn) if not ok: return False, result project = result quota_limit = QuotaHelper.get_quota_limit(project, obj_type) if quota_limit < 0: return True, '' quota_count = 1 if deleted: quota_count = -1 path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + project['uuid'] path = path_prefix + "/" + obj_type if not cls.server.quota_counter.get(path): QuotaHelper._zk_quota_counter_init( path_prefix, {obj_type: quota_limit}, project['uuid'], cls.db_conn, cls.server.quota_counter) return QuotaHelper.verify_quota( obj_type, quota_limit, cls.server.quota_counter[path], quota_count) def undo(): # revert back counter in case of any failure during creation if not deleted: cls.server.quota_counter[path] -= 1 else: cls.server.quota_counter[path] += 1 get_context().push_undo(undo) return True, ''
def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs): deallocated_security_group_id = None ok, result = cls.dbe_read(db_conn, 'security_group', id) if not ok: return ok, result sg_dict = result # Does not authorize to update the security group ID as it's allocated # by the vnc server new_sg_id = obj_dict.get('security_group_id') if (new_sg_id is not None and int(new_sg_id) != sg_dict['security_group_id']): return (False, (403, "Cannot update the security group ID")) # Update the configured security group ID if 'configured_security_group_id' in obj_dict: actual_sg_id = sg_dict['security_group_id'] sg_dict['configured_security_group_id'] =\ obj_dict['configured_security_group_id'] ok, result = cls._set_configured_security_group_id(sg_dict) if not ok: return ok, result if actual_sg_id != sg_dict['security_group_id']: deallocated_security_group_id = actual_sg_id obj_dict['security_group_id'] = sg_dict['security_group_id'] ok, result = check_policy_rules(obj_dict.get('security_group_entries')) if not ok: return ok, result if sg_dict['id_perms'].get('user_visible', True): ok, result = QuotaHelper.get_project_dict_for_quota( sg_dict['parent_uuid'], db_conn) if not ok: return False, result proj_dict = result new_rule_count = len( cls.get_nested_key_as_list(obj_dict, 'security_group_entries', 'policy_rule')) existing_rule_count = len( cls.get_nested_key_as_list(sg_dict, 'security_group_entries', 'policy_rule')) rule_count = (new_rule_count - existing_rule_count) ok, result = cls.check_security_group_rule_quota( proj_dict, db_conn, rule_count) if not ok: return ok, result return True, { 'deallocated_security_group_id': deallocated_security_group_id, }
def pre_dbe_update(cls, id, fq_name, obj_dict, db_conn, **kwargs): deallocated_security_group_id = None ok, result = cls.dbe_read(db_conn, 'security_group', id) if not ok: return ok, result sg_dict = result # Does not authorize to update the security group ID as it's allocated # by the vnc server new_sg_id = obj_dict.get('security_group_id') if (new_sg_id is not None and int(new_sg_id) != sg_dict['security_group_id']): return (False, (403, "Cannot update the security group ID")) # Update the configured security group ID if 'configured_security_group_id' in obj_dict: actual_sg_id = sg_dict['security_group_id'] sg_dict['configured_security_group_id'] =\ obj_dict['configured_security_group_id'] ok, result = cls._set_configured_security_group_id(sg_dict) if not ok: return ok, result if actual_sg_id != sg_dict['security_group_id']: deallocated_security_group_id = actual_sg_id obj_dict['security_group_id'] = sg_dict['security_group_id'] ok, result = check_policy_rules( obj_dict.get('security_group_entries')) if not ok: return ok, result if sg_dict['id_perms'].get('user_visible', True): ok, result = QuotaHelper.get_project_dict_for_quota( sg_dict['parent_uuid'], db_conn) if not ok: return False, result proj_dict = result new_rule_count = len(cls.get_nested_key_as_list( obj_dict, 'security_group_entries', 'policy_rule')) existing_rule_count = len(cls.get_nested_key_as_list( sg_dict, 'security_group_entries', 'policy_rule')) rule_count = (new_rule_count - existing_rule_count) ok, result = cls.check_security_group_rule_quota( proj_dict, db_conn, rule_count) if not ok: return ok, result return True, { 'deallocated_security_group_id': deallocated_security_group_id, }
def dbe_update_notification(cls, obj_id, extra_dict=None): quota_counter = cls.server.quota_counter db_conn = cls.server._db_conn ok, result = QuotaHelper.get_project_dict_for_quota(obj_id, db_conn) if not ok: return False, result proj_dict = result for obj_type, quota_limit in proj_dict.get('quota', {}).items(): path_prefix = _DEFAULT_ZK_COUNTER_PATH_PREFIX + obj_id path = path_prefix + "/" + obj_type if (quota_counter.get(path) and (quota_limit == -1 or quota_limit is None)): # free the counter from cache for resources updated # with unlimted quota del quota_counter[path] return True, ''