[openstack-dev] Quota management and enforcement across projects

Salvatore Orlando sorlando at nicira.com
Tue Nov 18 16:30:57 UTC 2014

On 18 November 2014 01:18, Kevin L. Mitchell <kevin.mitchell at rackspace.com>

> On Mon, 2014-11-17 at 18:48 -0500, Doug Hellmann wrote:
> > I’ve spent a bit of time thinking about the resource ownership issue.
> > The challenge there is we don’t currently have any libraries that
> > define tables in the schema of an application. I think that’s a good
> > pattern to maintain, since it avoids introducing a lot of tricky
> > issues like how to manage migrations for the library, how to ensure
> > they are run by the application, etc. The fact that this common quota
> > thing needs to store some data in a schema that it controls says to me
> > that it is really an app and not a library. Making the quota manager
> > an app solves the API definition issue, too, since we can describe a
> > generic way to configure quotas and other applications can then use
> > that API to define specific rules using the quota manager’s API.

My point of view is that it might be acceptable for a library to have its
own database, to an extent where the data the library manages belong to the
library itself.
If that is possible then the library can come with its own, small,
database, and its evolution could be managed with a migration timeline
specific to the library.

However, in this case the data the library handles - resource usage info -
 actually belong to the consumer application. The quota library might
expose methods for managing resource usage in an abstract way, but this
probably sounds more complex than what it should be.
Furthermore, a solution where the library "augments" the consumer
application schema sounds the "really wrong" bell to me, unless you can
convince me otherwise.
Therefore the app route at this stage looks more favorable, as Doug
suggests. I tried to devise a library which operates on an abstract data
model, which is then supplied by the consumer application, but that then
probably just shifts the problem a little, since the next issue to face is
ensuring the consumer application uses a data model which can be understood
by the library.

> >
> > I don’t know if we need a new application or if it would make sense
> > to, as with policy, add quota management features to keystone. A
> > single well-defined app has some appeal, but there’s also a certain
> > amount of extra ramp-up time needed to go that route that we wouldn’t
> > need if we added the features directly to keystone.

I think having a centralised API endpoint for quota management makes sense.
I am still not entirely sure it will make sense for quota enforcement (just
like I'm not yet sure it makes sense for authorization)

> I'll also point out that it was largely because of the storage needs
> that I chose to propose Boson[1] as a separate app, rather than as a
> library.  Further, the dimensions over which quota-covered resources
> needed to be tracked seemed to me to be complicated enough that it would
> be better to define a new app and make it support that one domain well,
> which is why I didn't propose it as something to add to Keystone.
> Consider: nova has quotas that are applied by user, other quotas that
> are applied by tenant, and even some quotas on what could be considered
> sub-resources—a limit on the number of security group rules per security
> group, for instance.

It is true that the structure of quota-tracked resource can become easily
fairly complex.
However I think that this alone, does not prove the need of implementing it
as a new service.

> My current feeling is that, if we can figure out a way to make the quota
> problem into an acceptable library, that will work; it would probably
> have to maintain its own database separate from the client app and have
> features for automatically managing the schema, since we couldn't
> necessarily rely on the client app to invoke the proper juju there.  If,
> on the other hand, that ends up failing, then the best route is probably
> to begin by developing a separate app, like Boson, as a PoC; then, after
> we have some idea of just how difficult it is to actually solve the
> problem, we can evaluate whether it makes sense to actually fold it into
> a service like Keystone, or whether it should stand on its own.
I reckon this plan makes sense. I will also look into the Boson proposal,
and report back to this thread.
The aspect that does not convince me yet is the apparent need for an
additional round trip for requests, in addition to the one we do to
Keystone for authN.
Also it's actually 2 round trips, If you consider that you'll need one for
booking quota, and another for committing/cancelling a reservation.

> (Personally, I think Boson should be created and should stand on its
> own, but I also envision using it for purposes outside of OpenStack…)

I recall several people, including me, used to claim neutron (then quantum)
could be used for purposes outside of openstack.
Fast-forward 3 years, and neutron can barely work with OpenStack only...

Summarising, it makes sense for the time being to freeze the oslo-spec
proposal for a quota library.
I guess in the meanwhile I'll use my own github account to build something
which might or might not turn into an oslo library...


> Just my $.02…
> [1] https://wiki.openstack.org/wiki/Boson
> --
> Kevin L. Mitchell <kevin.mitchell at rackspace.com>
> Rackspace
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20141118/e2717e12/attachment.html>

More information about the OpenStack-dev mailing list