OpenStack Swift quota
Hello OpenStack community, Right now, because we tend to limit each user's individual storage capacity, we're trying to implement account and container-level quotas on our OpenStack Swift cluster (Yoga version). Every time we tried to execute a command like "swift post -m quota-bytes: 500" using the Swift CLI client to implement account quotas, it returned a 403 error saying "403 Forbidden [first 60 chars of response] <html><h1>Forbidden</h1><p>Access was denied to this resourc", even if we are using an account already with the reseller/ResellerAdmin role, and both quotas added to the [pipeline:main] on our proxy server. Could you help us identify what could be behind this issue and how to resolve it? Also, it seems like default OpenStack Swift only supports account-level and container-level quota implementation. Is it possible to implement not only user-level but also project-level and domain-level quotas? I'm looking forward to hearing back from you. Thank you very much! Yours sincerely, Wei Xu, M.S. Research Assistant Department of ECpE, Iowa State University
On 4/21/23 06:52, Xu, Wei [E CPE] wrote:
Also, it seems like default OpenStack Swift only supports account-level and container-level quota implementation. Is it possible to implement not only user-level but also project-level and domain-level quotas?
Hi, When Swift says "account level", it really is about an OpenStack project, not about an OpenStack user. Cheers, Thomas Goirand (zigo)
Hello Thomas, Thank you very much for the clarification! Right now, this is exactly what we have been trying to do. I mentioned the authentication issue (Getting 403 forbidden error when attempting to implement account quota even already with Reseller/ResellerAdmin role) in the previous email. Do you have any clues about it? Are there any possible solutions? I'm looking forward to hearing from you! Yours sincerely, Wei Xu, M.S. Research Assistant Department of ECpE, Iowa State University ________________________________ From: Thomas Goirand <zigo@debian.org> Sent: Monday, April 24, 2023 3:47 AM To: Xu, Wei [E CPE] <weixu@iastate.edu>; openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Cc: Babu, Sarath [E CPE] <sarath4@IASTATE.EDU> Subject: Re: OpenStack Swift quota On 4/21/23 06:52, Xu, Wei [E CPE] wrote:
Also, it seems like default OpenStack Swift only supports account-level and container-level quota implementation. Is it possible to implement not only user-level but also project-level and domain-level quotas?
Hi, When Swift says "account level", it really is about an OpenStack project, not about an OpenStack user. Cheers, Thomas Goirand (zigo)
On 4/24/23 20:34, Xu, Wei [E CPE] wrote:
Hello Thomas,
Thank you very much for the clarification! Right now, this is exactly what we have been trying to do.
I mentioned the authentication issue (Getting 403 forbidden error when attempting to implement account quota even already with Reseller/ResellerAdmin role) in the previous email. Do you have any clues about it? Are there any possible solutions?
I'm looking forward to hearing from you!
Yours sincerely,
Hi, As admin, use: swift --os-storage-url https://<proxy-url>/v1/AUTH_<PROJECT-ID> \ post -m quota-bytes:<value> I hope this helps, Thomas Goirand (zigo)
Hello Thomas, We have just tried the command you provided, however it is showing the exact same error we had before. Is it likely to be some configuration error? Or there're some other roles that this admin user must obtain? [cid:9f3afe5e-0b85-4bae-830e-4378c7483b6b] [cid:7a469a71-b579-446a-bde3-587a69ea3a83] We'll be looking forward to hearing from you. Thanks again! Yours sincerely, Wei Xu, M.S. Research Assistant Department of ECpE, Iowa State University ________________________________ From: Thomas Goirand <zigo@debian.org> Sent: Tuesday, April 25, 2023 9:49 AM To: Xu, Wei [E CPE] <weixu@iastate.edu>; openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Cc: Babu, Sarath [E CPE] <sarath4@IASTATE.EDU> Subject: Re: OpenStack Swift quota On 4/24/23 20:34, Xu, Wei [E CPE] wrote:
Hello Thomas,
Thank you very much for the clarification! Right now, this is exactly what we have been trying to do.
I mentioned the authentication issue (Getting 403 forbidden error when attempting to implement account quota even already with Reseller/ResellerAdmin role) in the previous email. Do you have any clues about it? Are there any possible solutions?
I'm looking forward to hearing from you!
Yours sincerely,
Hi, As admin, use: swift --os-storage-url https://<proxy-url>/v1/AUTH_<PROJECT-ID> \ post -m quota-bytes:<value> I hope this helps, Thomas Goirand (zigo)
On 4/25/23 22:39, Xu, Wei [E CPE] wrote:
Hello Thomas,
We have just tried the command you provided, however it is showing the exact same error we had before. Is it likely to be some configuration error? Or there're some other roles that this admin user must obtain?
It's likely that the error message is right by saying "forbidden", ie, you don't have enough right (so, the 2nd possibility...). Cheers, Thomas Goirand (zigo)
Hello Thomas, According to what we read from the OpenStack Swift quota documentation, only users with ResellerAdmin role can change the project quota settings. Right now for our Admin user we have already obtained the ResellerAdmin role (See the screenshot below), and yet we are still receiving the same 403 forbidden error. I believe the command itself is not having any errors and the Swift log did not record all these 403 errors. I doubt could it be somewhere in the Keystone that is buggy? [cid:f7b30b2d-dfa0-4bc7-a813-74413b09ef55] Yours sincerely, Wei ________________________________ From: Thomas Goirand <zigo@debian.org> Sent: Wednesday, April 26, 2023 1:38 AM To: Xu, Wei [E CPE] <weixu@iastate.edu>; openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Cc: Babu, Sarath [E CPE] <sarath4@IASTATE.EDU> Subject: Re: OpenStack Swift quota On 4/25/23 22:39, Xu, Wei [E CPE] wrote:
Hello Thomas,
We have just tried the command you provided, however it is showing the exact same error we had before. Is it likely to be some configuration error? Or there're some other roles that this admin user must obtain?
It's likely that the error message is right by saying "forbidden", ie, you don't have enough right (so, the 2nd possibility...). Cheers, Thomas Goirand (zigo)
On 4/26/23 21:51, Xu, Wei [E CPE] wrote:
Hello Thomas,
According to what we read from the OpenStack Swift quota documentation, only users with ResellerAdmin role can change the project quota settings. Right now for our Admin user we have already obtained the ResellerAdmin role (See the screenshot below), and yet we are still receiving the same 403 forbidden error. I believe the command itself is not having any errors and the Swift log did not record all these 403 errors. I doubt could it be somewhere in the Keystone that is buggy?
Hi, Please avoid HTML and screenshots when sending to mailing lists. Have you checked that you have the quota middleware activated (and at the correct position) in your swift proxy pipeline? Cheers, Thomas Goirand (zigo)
Hello Thomas, We have just figured out what caused the authentication issue. Before doing any quota-related operations we need to manually assign the ResellerAdmin role to our user. By default, even if it's an admin user it does not have the ResellerAdmin role assigned. Right now we have successfully executed both "swift post -m quota-bytes:5000" and "swift --os-storage-url https://<proxy-url>/v1/AUTH_<PROJECT-ID> post -m quota-bytes:5000". But after this step we can still upload files that are much larger than 5000 bytes to containers. Are there any other prerequisites that we miss? In order to let the project level quota work, what else do we need to implement? I'm looking forward to hearing from you! Thanks again! Wei Xu, M.S. Research Assistant Department of ECpE, Iowa State University ________________________________ From: Thomas Goirand <zigo@debian.org> Sent: Wednesday, April 26, 2023 2:59 PM To: Xu, Wei [E CPE] <weixu@iastate.edu>; openstack-discuss@lists.openstack.org <openstack-discuss@lists.openstack.org> Cc: Babu, Sarath [E CPE] <sarath4@IASTATE.EDU> Subject: Re: OpenStack Swift quota On 4/26/23 21:51, Xu, Wei [E CPE] wrote:
Hello Thomas,
According to what we read from the OpenStack Swift quota documentation, only users with ResellerAdmin role can change the project quota settings. Right now for our Admin user we have already obtained the ResellerAdmin role (See the screenshot below), and yet we are still receiving the same 403 forbidden error. I believe the command itself is not having any errors and the Swift log did not record all these 403 errors. I doubt could it be somewhere in the Keystone that is buggy?
Hi, Please avoid HTML and screenshots when sending to mailing lists. Have you checked that you have the quota middleware activated (and at the correct position) in your swift proxy pipeline? Cheers, Thomas Goirand (zigo)
On Fri, 21 Apr 2023 04:52:39 +0000 "Xu, Wei [E CPE]" <weixu@iastate.edu> wrote:
Also, it seems like default OpenStack Swift only supports account-level and container-level quota implementation. Is it possible to implement not only user-level but also project-level and domain-level quotas?
I'm pretty sure what Swift considers user-level quotes are actually project-level ones in OpenStack terms. Remember that "tenant_id" is used to identify accounts (and form their URL bases). This "tenant" is the old name for "projects". -- P
participants (3)
-
Pete Zaitcev
-
Thomas Goirand
-
Xu, Wei [E CPE]