Add regression test for bug 1893284

melwitt · melwitt · commit 38bc8b871a4b · 2020-08-28T23:22:35.000Z
This adds a regression test for a bug where quota limit checking during
server creates is not properly scoped per-user when per-user quota has
been defined.

As a result, users who should be able to create a server are rejected
with a 403 "quota exceeded" error when they should be allowed to create
a server because servers owned by other users in the project are
incorrectly being counted for the current user.

Related-Bug: #1893284

Change-Id: I615ada45ffcbac081474c0a0cf005afdb8eec953
diff --git a/nova/tests/functional/api/client.py b/nova/tests/functional/api/client.py
@@ -539,16 +539,20 @@ def put_service_force_down(self, service_id, forced_down):
     def get_server_diagnostics(self, server_id):
         return self.api_get('/servers/%s/diagnostics' % server_id).body
 
-    def get_quota_detail(self, project_id=None):
+    def get_quota_detail(self, project_id=None, user_id=None):
         if not project_id:
             project_id = self.project_id
-        return self.api_get(
-            '/os-quota-sets/%s/detail' % project_id).body['quota_set']
+        url = '/os-quota-sets/%s/detail'
+        if user_id:
+            url += '?user_id=%s' % user_id
+        return self.api_get(url % project_id).body['quota_set']
 
-    def update_quota(self, quotas, project_id=None):
+    def update_quota(self, quotas, project_id=None, user_id=None):
         if not project_id:
             project_id = self.project_id
+        url = '/os-quota-sets/%s'
+        if user_id:
+            url += '?user_id=%s' % user_id
         body = {'quota_set': {}}
         body['quota_set'].update(quotas)
-        return self.api_put(
-            '/os-quota-sets/%s' % project_id, body).body['quota_set']
+        return self.api_put(url % project_id, body).body['quota_set']
diff --git a/nova/tests/functional/regressions/test_bug_1893284.py b/nova/tests/functional/regressions/test_bug_1893284.py
@@ -0,0 +1,96 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License. You may obtain
+# a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations
+# under the License.
+
+from nova import test
+from nova.tests import fixtures as nova_fixtures
+from nova.tests.functional.api import client as api_client
+from nova.tests.functional import fixtures as func_fixtures
+from nova.tests.functional import integrated_helpers
+from nova.tests.unit.image import fake as fake_image
+from nova.tests.unit import policy_fixture
+
+
+class TestServersPerUserQuota(test.TestCase,
+                              integrated_helpers.InstanceHelperMixin):
+    """This tests a regression introduced in the Pike release.
+
+    In Pike we started counting resources for quota limit checking instead of
+    tracking usages in a separate database table. As part of that change,
+    per-user quota functionality was broken for server creates.
+
+    When mulitple users in the same project have per-user quota, they are meant
+    to be allowed to create resources such that may not exceed their
+    per-user quota nor their project quota.
+
+    If a project has an 'instances' quota of 10 and user A has a quota of 1
+    and user B has a quota of 1, both users should each be able to create 1
+    server.
+
+    Because of the bug, in this scenario user A will succeed in creating a
+    server but user B will fail to create a server with a 403 "quota exceeded"
+    error because the 'instances' resource count isn't being correctly scoped
+    per-user.
+    """
+    def setUp(self):
+        super(TestServersPerUserQuota, self).setUp()
+        self.useFixture(policy_fixture.RealPolicyFixture())
+        self.useFixture(nova_fixtures.NeutronFixture(self))
+        self.useFixture(func_fixtures.PlacementFixture())
+
+        api_fixture = self.useFixture(nova_fixtures.OSAPIFixture(
+            api_version='v2.1'))
+        self.api = api_fixture.api
+        self.admin_api = api_fixture.admin_api
+        self.api.microversion = '2.37'  # so we can specify networks='none'
+        self.admin_api.microversion = '2.37'
+
+        fake_image.stub_out_image_service(self)
+        self.addCleanup(fake_image.FakeImageService_reset)
+
+        self.start_service('conductor')
+        self.start_service('scheduler')
+        self.start_service('compute')
+
+    def test_create_server_with_per_user_quota(self):
+        # Set per-user quota for the non-admin user to allow 1 instance.
+        # The default quota for the project is 10 instances.
+        quotas = {'instances': 1}
+        self.admin_api.update_quota(
+            quotas, project_id=self.api.project_id, user_id=self.api.auth_user)
+        # Verify that the non-admin user has a quota limit of 1 instance.
+        quotas = self.api.get_quota_detail(user_id=self.api.auth_user)
+        self.assertEqual(1, quotas['instances']['limit'])
+        # Verify that the admin user has a quota limit of 10 instances.
+        quotas = self.api.get_quota_detail(user_id=self.admin_api.auth_user)
+        self.assertEqual(10, quotas['instances']['limit'])
+        # Boot one instance into the default project as the admin user.
+        # This results in usage of 1 instance for the project and 1 instance
+        # for the admin user.
+        self._create_server(
+            image_uuid=fake_image.AUTO_DISK_CONFIG_ENABLED_IMAGE_UUID,
+            networks='none', api=self.admin_api)
+        # Now try to boot an instance as the non-admin user.
+        # This should succeed because the non-admin user has 0 instances and
+        # the project limit allows 10 instances.
+        server_req = self._build_server(
+            image_uuid=fake_image.AUTO_DISK_CONFIG_ENABLED_IMAGE_UUID,
+            networks='none')
+        # FIXME(melwitt): Uncomment this when the bug is fixed. Because of the
+        # the bug, the first request by the non-admin user will fail.
+        # server = self.api.post_server({'server': server_req})
+        # self._wait_for_state_change(server, 'ACTIVE')
+        # A request to boot a second instance should fail because the
+        # non-admin has already booted 1 allowed instance.
+        ex = self.assertRaises(
+            api_client.OpenStackApiException, self.api.post_server,
+            {'server': server_req})
+        self.assertEqual(403, ex.response.status_code)
