Re: [openstack-dev] [nova] keypair quota usage info for user

[Ghanshyam Mann]

  On Sat, 28 Jul 2018 04:21:53 +0900 Matt Riedemann  
wrote  
 > On 7/27/2018 2:14 PM, Matt Riedemann wrote:
 > >>  From checking the history and review discussion on [3], it seems that 
 > >> it was like that from staring. key_pair quota is being counted when 
 > >> actually creating the keypair but it is not shown in API 'in_use' field.
 > > 
 > > Just so I'm clear which API we're talking about, you mean there is no 
 > > totalKeypairsUsed entry in 
 > > https://developer.openstack.org/api-ref/compute/#show-rate-and-absolute-limits
 > >  
 > > correct?
 > 
 > Nevermind I see it now:
 > 
 > https://developer.openstack.org/api-ref/compute/#show-the-detail-of-quota

Yeah, 'is_use' field under 'keypair' of this API. 

 > 
 > We have too many quota-related APIs.
 > 
 > -- 
 > 
 > Thanks,
 > 
 > Matt
 > 
 > __
 > OpenStack Development Mailing List (not for usage questions)
 > Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
 > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
 > 



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Alex Xu]

Oh, right, sorry, I'm keeping to think about its about the user in specific
tenant usage just like other resources. You are right, Keypair has nothing
about the tenant, only about the user. Thanks.

2018-07-26 23:22 GMT+08:00 Chris Friesen :

> On 07/25/2018 06:22 PM, Alex Xu wrote:
>
>>
>>
>> 2018-07-26 1:43 GMT+08:00 Chris Friesen > >:
>>
>
> Keypairs are weird in that they're owned by users, not projects.  This
>> is
>> arguably wrong, since it can cause problems if a user boots an
>> instance with
>> their keypair and then gets removed from a project.
>>
>> Nova microversion 2.54 added support for modifying the keypair
>> associated
>> with an instance when doing a rebuild.  Before that there was no
>> clean way
>> to do it.
>>
>>
>> I don't understand this, we didn't count the keypair usage with the
>> instance
>> together, we just count the keypair usage for specific user.
>>
>
>
> I was giving an example of why it's strange that keypairs are owned by
> users rather than projects.  (When instances are owned by projects, and
> keypairs are used to access instances.)
>
>
> Chris
>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Jeremy Stanley]

On 2018-07-27 14:20:01 -0500 (-0500), Matt Riedemann wrote:
[...]
> Note the entries in there about how several deployments don't rely
> on nova's keypair interface because of its clunky nature, and
> other ideas about getting nova out of the keypair business
> altogether and instead let barbican manage that and nova just
> references a key resource in barbican. Before we'd consider making
> incremental changes to nova's keypair interface and user/project
> scoping, I think we would need to think through that barbican
> route and what it could look like and how it might benefit
> everyone.

If the Nova team is interested in taking it in that direction, I'll
gladly lobby to convert the "A Castellan-compatible key store" entry
at
https://governance.openstack.org/tc/reference/base-services.html#current-list-of-base-services
to a full on "Barbican" entry (similar to the "Keystone" entry). The
only thing previously standing in the way was a use case for a
fundamental feature from the trademark programs' interoperability
set.
-- 
Jeremy Stanley


signature.asc
Description: PGP signature
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Jay Pipes]

On 07/27/2018 03:21 PM, Matt Riedemann wrote:

On 7/27/2018 2:14 PM, Matt Riedemann wrote:
 From checking the history and review discussion on [3], it seems 
that it was like that from staring. key_pair quota is being counted 
when actually creating the keypair but it is not shown in API 
'in_use' field.


Just so I'm clear which API we're talking about, you mean there is no 
totalKeypairsUsed entry in 
https://developer.openstack.org/api-ref/compute/#show-rate-and-absolute-limits 
correct?


Nevermind I see it now:

https://developer.openstack.org/api-ref/compute/#show-the-detail-of-quota

We have too many quota-related APIs.


Yes. Yes we do.

-jay

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Matt Riedemann]

On 7/27/2018 2:14 PM, Matt Riedemann wrote:
 From checking the history and review discussion on [3], it seems that 
it was like that from staring. key_pair quota is being counted when 
actually creating the keypair but it is not shown in API 'in_use' field.


Just so I'm clear which API we're talking about, you mean there is no 
totalKeypairsUsed entry in 
https://developer.openstack.org/api-ref/compute/#show-rate-and-absolute-limits 
correct?


Nevermind I see it now:

https://developer.openstack.org/api-ref/compute/#show-the-detail-of-quota

We have too many quota-related APIs.

--

Thanks,

Matt

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Matt Riedemann]

On 7/25/2018 12:43 PM, Chris Friesen wrote:
Keypairs are weird in that they're owned by users, not projects.  This 
is arguably wrong, since it can cause problems if a user boots an 
instance with their keypair and then gets removed from a project.


Nova microversion 2.54 added support for modifying the keypair 
associated with an instance when doing a rebuild.  Before that there was 
no clean way to do it.


While discussing what eventually became microversion 2.54, sdague sent a 
nice summary of several discussions related to this:


http://lists.openstack.org/pipermail/openstack-dev/2017-October/123071.html

Note the entries in there about how several deployments don't rely on 
nova's keypair interface because of its clunky nature, and other ideas 
about getting nova out of the keypair business altogether and instead 
let barbican manage that and nova just references a key resource in 
barbican. Before we'd consider making incremental changes to nova's 
keypair interface and user/project scoping, I think we would need to 
think through that barbican route and what it could look like and how it 
might benefit everyone.


--

Thanks,

Matt

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Matt Riedemann]

On 7/25/2018 4:44 AM, Ghanshyam Mann wrote:

 From checking the history and review discussion on [3], it seems that it was 
like that from staring. key_pair quota is being counted when actually creating 
the keypair but it is not shown in API 'in_use' field.


Just so I'm clear which API we're talking about, you mean there is no 
totalKeypairsUsed entry in 
https://developer.openstack.org/api-ref/compute/#show-rate-and-absolute-limits 
correct?


--

Thanks,

Matt

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[melanie witt]

On Thu, 26 Jul 2018 09:19:38 -0600, Chris Friesen wrote:

On 07/25/2018 06:21 PM, Alex Xu wrote:



2018-07-26 0:29 GMT+08:00 William M Edmonds mailto:edmon...@us.ibm.com>>:


 Ghanshyam Mann mailto:gm...@ghanshyammann.com>>
 wrote on 07/25/2018 05:44:46 AM:
 ... snip ...
 > 1. is it ok to show the keypair used info via API ? any original
 > rational not to do so or it was just like that from starting.

 keypairs aren't tied to a tenant/project, so how could nova track/report a
 quota for them on a given tenant/project? Which is how the API is
 constructed... note the "tenant_id" in GET 
/os-quota-sets/{tenant_id}/detail


Keypairs usage is only value for the API 'GET
/os-quota-sets/{tenant_id}/detail?user_id={user_id}'


The objection is that keypairs are tied to the user, not the tenant, so it
doesn't make sense to specify a tenant_id in the above query.

And for Pike at least I think the above command does not actually show how many
keypairs have been created by that user...it still shows zero.


Yes, for Pike during the re-architecting of quotas to count resources 
instead of tracking usage separately, we kept the "always zero" count 
for usage of keypairs, server group members, and security group rules, 
so as not to change the behavior. It's been my understanding that we 
would need a microversion to change any of those to actually return a 
count. It's true the counts would not make sense under the 'tenant_id' 
part of the URL though.


-melanie




__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Chris Friesen]

On 07/25/2018 06:22 PM, Alex Xu wrote:



2018-07-26 1:43 GMT+08:00 Chris Friesen mailto:chris.frie...@windriver.com>>:



Keypairs are weird in that they're owned by users, not projects.  This is
arguably wrong, since it can cause problems if a user boots an instance with
their keypair and then gets removed from a project.

Nova microversion 2.54 added support for modifying the keypair associated
with an instance when doing a rebuild.  Before that there was no clean way
to do it.


I don't understand this, we didn't count the keypair usage with the instance
together, we just count the keypair usage for specific user.



I was giving an example of why it's strange that keypairs are owned by users 
rather than projects.  (When instances are owned by projects, and keypairs are 
used to access instances.)


Chris



__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Chris Friesen]

On 07/25/2018 06:21 PM, Alex Xu wrote:



2018-07-26 0:29 GMT+08:00 William M Edmonds mailto:edmon...@us.ibm.com>>:


Ghanshyam Mann mailto:gm...@ghanshyammann.com>>
wrote on 07/25/2018 05:44:46 AM:
... snip ...
> 1. is it ok to show the keypair used info via API ? any original
> rational not to do so or it was just like that from starting.

keypairs aren't tied to a tenant/project, so how could nova track/report a
quota for them on a given tenant/project? Which is how the API is
constructed... note the "tenant_id" in GET /os-quota-sets/{tenant_id}/detail


Keypairs usage is only value for the API 'GET
/os-quota-sets/{tenant_id}/detail?user_id={user_id}'


The objection is that keypairs are tied to the user, not the tenant, so it 
doesn't make sense to specify a tenant_id in the above query.


And for Pike at least I think the above command does not actually show how many 
keypairs have been created by that user...it still shows zero.


Chris


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Alex Xu]

2018-07-26 1:43 GMT+08:00 Chris Friesen :

> On 07/25/2018 10:29 AM, William M Edmonds wrote:
>
>>
>> Ghanshyam Mann  wrote on 07/25/2018 05:44:46 AM:
>> ... snip ...
>>  > 1. is it ok to show the keypair used info via API ? any original
>>  > rational not to do so or it was just like that from starting.
>>
>> keypairs aren't tied to a tenant/project, so how could nova track/report
>> a quota
>> for them on a given tenant/project? Which is how the API is
>> constructed... note
>> the "tenant_id" in GET /os-quota-sets/{tenant_id}/detail
>>
>>  > 2. Because this change will show the keypair used quota information
>>  > in API's existing filed 'in_use', it is API behaviour change (not
>>  > interface signature change in backward incompatible way) which can
>>  > cause interop issue. Should we bump microversion for this change?
>>
>> If we find a meaningful way to return in_use data for keypairs, then yes,
>> I
>> would expect a microversion bump so that callers can distinguish between
>> a)
>> talking to an older installation where in_use is always 0 vs. b) talking
>> to a
>> newer installation where in_use is 0 because there are really none in
>> use. Or if
>> we remove keypairs from the response, which at a glance seems to make more
>> sense, that should also have a microversion bump so that someone who
>> expects the
>> old response format will still get it.
>>
>
> Keypairs are weird in that they're owned by users, not projects.  This is
> arguably wrong, since it can cause problems if a user boots an instance
> with their keypair and then gets removed from a project.
>
> Nova microversion 2.54 added support for modifying the keypair associated
> with an instance when doing a rebuild.  Before that there was no clean way
> to do it.


I don't understand this, we didn't count the keypair usage with the
instance together, we just count the keypair usage for specific user.


>
>
> Chris
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Alex Xu]

2018-07-26 0:29 GMT+08:00 William M Edmonds :

>
> Ghanshyam Mann  wrote on 07/25/2018 05:44:46 AM:
> ... snip ...
> > 1. is it ok to show the keypair used info via API ? any original
> > rational not to do so or it was just like that from starting.
>
> keypairs aren't tied to a tenant/project, so how could nova track/report a
> quota for them on a given tenant/project? Which is how the API is
> constructed... note the "tenant_id" in GET /os-quota-sets/{tenant_id}/
> detail
>

Keypairs usage is only value for the API 'GET
/os-quota-sets/{tenant_id}/detail?user_id={user_id}'

>
>
> > 2. Because this change will show the keypair used quota information
> > in API's existing filed 'in_use', it is API behaviour change (not
> > interface signature change in backward incompatible way) which can
> > cause interop issue. Should we bump microversion for this change?
>
> If we find a meaningful way to return in_use data for keypairs, then yes,
> I would expect a microversion bump so that callers can distinguish between
> a) talking to an older installation where in_use is always 0 vs. b) talking
> to a newer installation where in_use is 0 because there are really none in
> use. Or if we remove keypairs from the response, which at a glance seems to
> make more sense, that should also have a microversion bump so that someone
> who expects the old response format will still get it.
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Alex Xu]

2018-07-25 17:44 GMT+08:00 Ghanshyam Mann :

> Hi All,
>
> During today API office hour, we were discussing about keypair quota usage
> bug (newton) [1]. key_pair 'in_use' quota is always 0 even when request per
> user which is because it is being set as 0 always [2].
>
> From checking the history and review discussion on [3], it seems that it
> was like that from staring. key_pair quota is being counted when actually
> creating the keypair but it is not shown in API 'in_use' field. Vishakha
> (assignee of this bug) is currently planing to work on this bug and before
> that we have few queries:
>
> 1. is it ok to show the keypair used info via API ? any original rational
> not to do so or it was just like that from starting.
>

It doesn't make sense to show the usage when the user queries project
quota, but it makes sense to show the usage when the user queries specific
user quota. And we have no way to show usage for the
server_group_memebers/security_group_rules, since they are the limit for a
specific server group and security group, we have no way to express that in
our quota API.



>
> 2. Because this change will show the keypair used quota information in
> API's existing filed 'in_use', it is API behaviour change (not interface
> signature change in backward incompatible way) which can cause interop
> issue. Should we bump microversion for this change?
>

If we are going to bump microversion, I prefer to set the usage to -1 for
server_group_member/security_group_rules usage, since 0 is really confuse
for the end user.


>
> [1] https://bugs.launchpad.net/nova/+bug/1644457
> [2] https://github.com/openstack/nova/blob/bf497cc47497d3a5603bf60de65205
> 4ac5ae1993/nova/quota.py#L189
> [3] https://review.openstack.org/#/c/446239/
>
> -gmann
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[Chris Friesen]

On 07/25/2018 10:29 AM, William M Edmonds wrote:


Ghanshyam Mann  wrote on 07/25/2018 05:44:46 AM:
... snip ...
 > 1. is it ok to show the keypair used info via API ? any original
 > rational not to do so or it was just like that from starting.

keypairs aren't tied to a tenant/project, so how could nova track/report a quota
for them on a given tenant/project? Which is how the API is constructed... note
the "tenant_id" in GET /os-quota-sets/{tenant_id}/detail

 > 2. Because this change will show the keypair used quota information
 > in API's existing filed 'in_use', it is API behaviour change (not
 > interface signature change in backward incompatible way) which can
 > cause interop issue. Should we bump microversion for this change?

If we find a meaningful way to return in_use data for keypairs, then yes, I
would expect a microversion bump so that callers can distinguish between a)
talking to an older installation where in_use is always 0 vs. b) talking to a
newer installation where in_use is 0 because there are really none in use. Or if
we remove keypairs from the response, which at a glance seems to make more
sense, that should also have a microversion bump so that someone who expects the
old response format will still get it.


Keypairs are weird in that they're owned by users, not projects.  This is 
arguably wrong, since it can cause problems if a user boots an instance with 
their keypair and then gets removed from a project.


Nova microversion 2.54 added support for modifying the keypair associated with 
an instance when doing a rebuild.  Before that there was no clean way to do it.


Chris

__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [nova] keypair quota usage info for user

[William M Edmonds]

Ghanshyam Mann  wrote on 07/25/2018 05:44:46 AM:
... snip ...
> 1. is it ok to show the keypair used info via API ? any original
> rational not to do so or it was just like that from starting.

keypairs aren't tied to a tenant/project, so how could nova track/report a
quota for them on a given tenant/project? Which is how the API is
constructed... note the "tenant_id" in
GET /os-quota-sets/{tenant_id}/detail

> 2. Because this change will show the keypair used quota information
> in API's existing filed 'in_use', it is API behaviour change (not
> interface signature change in backward incompatible way) which can
> cause interop issue. Should we bump microversion for this change?

If we find a meaningful way to return in_use data for keypairs, then yes, I
would expect a microversion bump so that callers can distinguish between a)
talking to an older installation where in_use is always 0 vs. b) talking to
a newer installation where in_use is 0 because there are really none in
use. Or if we remove keypairs from the response, which at a glance seems to
make more sense, that should also have a microversion bump so that someone
who expects the old response format will still get it.
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

[openstack-dev] [nova] keypair quota usage info for user

[Ghanshyam Mann]

Hi All,

During today API office hour, we were discussing about keypair quota usage bug 
(newton) [1]. key_pair 'in_use' quota is always 0 even when request per user 
which is because it is being set as 0 always [2].

From checking the history and review discussion on [3], it seems that it was 
like that from staring. key_pair quota is being counted when actually creating 
the keypair but it is not shown in API 'in_use' field. Vishakha (assignee of 
this bug) is currently planing to work on this bug and before that we have few 
queries:

1. is it ok to show the keypair used info via API ? any original rational not 
to do so or it was just like that from starting.  

2. Because this change will show the keypair used quota information in API's 
existing filed 'in_use', it is API behaviour change (not interface signature 
change in backward incompatible way) which can cause interop issue. Should we 
bump microversion for this change? 

[1] https://bugs.launchpad.net/nova/+bug/1644457 
[2] 
https://github.com/openstack/nova/blob/bf497cc47497d3a5603bf60de652054ac5ae1993/nova/quota.py#L189
 
[3] https://review.openstack.org/#/c/446239/

-gmann


__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev