Authentication and Authorization

The manila.quota Module

Quotas for shares.

class AbsoluteResource(name, flag=None)

Bases: BaseResource

Describe a non-reservable resource.

class BaseResource(name, flag=None)

Bases: object

Describe a single resource for quota checking.

property default

Return the default value of the quota.

class CountableResource(name, count, flag=None)

Bases: AbsoluteResource

Describe a countable resource.

Describe a resource where the counts aren’t based solely on the project ID.

class DbQuotaDriver

Bases: object

Database Quota driver.

Driver to perform necessary checks to enforce quotas and obtain quota information. The default driver utilizes the local database.

commit(context, reservations, project_id=None, user_id=None, share_type_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.

  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)

destroy_all_by_project(context, project_id)

Destroy metadata associated with a project.

Destroy all quotas, usages, and reservations associated with a project.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project being deleted.

destroy_all_by_project_and_share_type(context, project_id, share_type_id)

Destroy metadata associated with a project and share_type.

Destroy all quotas, usages, and reservations associated with a project and share_type.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project.

  • share_type_id – The UUID of the share type.

destroy_all_by_project_and_user(context, project_id, user_id)

Destroy metadata associated with a project and user.

Destroy all quotas, usages, and reservations associated with a project and user.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project being deleted.

  • user_id – The ID of the user being deleted.

expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:

context – The request context, for access checks.

get_by_class(context, quota_class, resource)

Get a specific quota by quota class.

get_class_quotas(context, resources, quota_class, defaults=True)

Retrieve quotas for a quota class.

Given a list of resources, retrieve the quotas for the given quota class.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • quota_class – The name of the quota class to return quotas for.

  • defaults – If True, the default value will be reported if there is no specific value for the resource.

get_defaults(context, resources)

Given a list of resources, retrieve the default quotas.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

get_project_quotas(context, resources, project_id, quota_class=None, defaults=True, usages=True, remains=False)

Retrieve quotas for project.

Given a list of resources, retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • project_id – The ID of the project to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

  • remains – If True, the current remains of the project will will be returned.

get_settable_quotas(context, resources, project_id, user_id=None, share_type_id=None)

Retrieve range of settable quotas.

Given a list of resources, retrieve the range of settable quotas for the given user or project.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • project_id – The ID of the project to return quotas for.

  • user_id – The ID of the user to return quotas for.

  • share_type_id – The UUID of the share_type to return quotas for.

get_share_type_quotas(context, resources, project_id, share_type_id, quota_class=None, defaults=True, usages=True)

Retrieve quotas for share_type and project.

Given a list of resources, retrieve the quotas for the given share_type and project.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • project_id – The UUID of the project to return quotas for.

  • share_type – UUID/name of a share type to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

get_user_quotas(context, resources, project_id, user_id, quota_class=None, defaults=True, usages=True)

Retrieve quotas for user and project.

Given a list of resources, retrieve the quotas for the given user and project.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • project_id – The ID of the project to return quotas for.

  • user_id – The ID of the user to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified. It will be ignored if project_id == context.project_id.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

limit_check(context, resources, values, project_id=None)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • values – A dictionary of the values to check against the quota.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

reserve(context, resources, deltas, expire=None, project_id=None, user_id=None, share_type_id=None, overquota_allowed=False)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • deltas – A dictionary of the proposed delta changes.

  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)

rollback(context, reservations, project_id=None, user_id=None, share_type_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.

  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

  • user_id – Specify the user_id if current context is admin and admin wants to impact on common user. (Special case: user operates on resource, owned/created by different user)

usage_reset(context, resources)

Reset usage records.

Reset the usage records for a particular user on a list of resources. This will force that user’s usage records to be refreshed the next time a reservation is made.

Note: this does not affect the currently outstanding reservations the user has; those reservations must be committed or rolled back (or expired).

Parameters:
  • context – The request context, for access checks.

  • resources – A list of the resource names for which the usage must be reset.

class QuotaEngine(quota_driver_class=None)

Bases: object

Represent the set of recognized quotas.

commit(context, reservations, project_id=None, user_id=None, share_type_id=None)

Commit reservations.

Parameters:
  • context – The request context, for access checks.

  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

count(context, resource, *args, **kwargs)

Count a resource.

For countable resources, invokes the count() function and returns its result. Arguments following the context and resource are passed directly to the count function declared by the resource.

Parameters:
  • context – The request context, for access checks.

  • resource – The name of the resource, as a string.

destroy_all_by_project(context, project_id)

Destroy metadata associated with a project.

Destroy all quotas, usages, and reservations associated with a project.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project being deleted.

destroy_all_by_project_and_share_type(context, project_id, share_type_id)

Destroy metadata associated with a project and share_type.

Destroy all quotas, usages, and reservations associated with a project and share_type.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project.

  • share_type_id – The UUID of the share_type.

destroy_all_by_project_and_user(context, project_id, user_id)

Destroy metadata associated with a project and user.

Destroy all quotas, usages, and reservations associated with a project and user.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project being deleted.

  • user_id – The ID of the user being deleted.

expire(context)

Expire reservations.

Explores all currently existing reservations and rolls back any that have expired.

Parameters:

context – The request context, for access checks.

get_by_class(context, quota_class, resource)

Get a specific quota by quota class.

get_class_quotas(context, quota_class, defaults=True)

Retrieve the quotas for the given quota class.

Parameters:
  • context – The request context, for access checks.

  • quota_class – The name of the quota class to return quotas for.

  • defaults – If True, the default value will be reported if there is no specific value for the resource.

get_defaults(context)

Retrieve the default quotas.

Parameters:

context – The request context, for access checks.

get_project_quotas(context, project_id, quota_class=None, defaults=True, usages=True, remains=False)

Retrieve the quotas for the given project.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

  • remains – If True, the current remains of the project will will be returned.

get_settable_quotas(context, project_id, user_id=None, share_type_id=None)

Get settable quotas.

Given a list of resources, retrieve the range of settable quotas for the given user or project.

Parameters:
  • context – The request context, for access checks.

  • resources – A dictionary of the registered resources.

  • project_id – The ID of the project to return quotas for.

  • user_id – The ID of the user to return quotas for.

  • share_type_id – The UUID of the share_type to return quotas for.

get_share_type_quotas(context, project_id, share_type_id, quota_class=None, defaults=True, usages=True)

Retrieve the quotas for the given user and project.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project to return quotas for.

  • share_type_id – The UUID of the user to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

get_user_quotas(context, project_id, user_id, quota_class=None, defaults=True, usages=True)

Retrieve the quotas for the given user and project.

Parameters:
  • context – The request context, for access checks.

  • project_id – The ID of the project to return quotas for.

  • user_id – The ID of the user to return quotas for.

  • quota_class – If project_id != context.project_id, the quota class cannot be determined. This parameter allows it to be specified.

  • defaults – If True, the quota class value (or the default value, if there is no value from the quota class) will be reported if there is no specific value for the resource.

  • usages – If True, the current in_use and reserved counts will also be returned.

limit_check(context, project_id=None, **values)

Check simple quota limits.

For limits–those quotas for which there is no usage synchronization function–this method checks that a set of proposed values are permitted by the limit restriction. The values to check are given as keyword arguments, where the key identifies the specific quota limit to check, and the value is the proposed value.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it is not a simple limit resource.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns nothing.

Parameters:
  • context – The request context, for access checks.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

register_resource(resource)

Register a resource.

register_resources(resources)

Register a list of resources.

reserve(context, expire=None, project_id=None, user_id=None, share_type_id=None, overquota_allowed=False, **deltas)

Check quotas and reserve resources.

For counting quotas–those quotas for which there is a usage synchronization function–this method checks quotas against current usage and the desired deltas. The deltas are given as keyword arguments, and current usage and other reservations are factored into the quota check.

This method will raise a QuotaResourceUnknown exception if a given resource is unknown or if it does not have a usage synchronization function.

If any of the proposed values is over the defined quota, an OverQuota exception will be raised with the sorted list of the resources which are too high. Otherwise, the method returns a list of reservation UUIDs which were created.

Parameters:
  • context – The request context, for access checks.

  • expire – An optional parameter specifying an expiration time for the reservations. If it is a simple number, it is interpreted as a number of seconds and added to the current time; if it is a datetime.timedelta object, it will also be added to the current time. A datetime.datetime object will be interpreted as the absolute expiration time. If None is specified, the default expiration time set by –default-reservation-expire will be used (this value will be treated as a number of seconds).

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

property resources
rollback(context, reservations, project_id=None, user_id=None, share_type_id=None)

Roll back reservations.

Parameters:
  • context – The request context, for access checks.

  • reservations – A list of the reservation UUIDs, as returned by the reserve() method.

  • project_id – Specify the project_id if current context is admin and admin wants to impact on common user’s tenant.

usage_reset(context, resources)

Reset usage records.

Reset the usage records for a particular user on a list of resources. This will force that user’s usage records to be refreshed the next time a reservation is made.

Note: this does not affect the currently outstanding reservations the user has; those reservations must be committed or rolled back (or expired).

Parameters:
  • context – The request context, for access checks.

  • resources – A list of the resource names for which the usage must be reset.

class ReservableResource(name, sync, flag=None)

Bases: BaseResource

Describe a reservable resource.

The manila.policy Module

Policy Engine For Manila

authorize(context, action, target, do_raise=True, exc=None)

Verifies that the action is valid on the target in this context.

Parameters:
  • context – manila context

  • action – string representing the action to be checked this should be colon separated for clarity. i.e. share:create,

  • target – dictionary representing the object of the action for object creation this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

  • do_raise – if True (the default), raises PolicyNotAuthorized; if False, returns False

  • exc – Class of the exception to raise if the check fails. Any remaining arguments passed to authorize() (both positional and keyword arguments) will be passed to the exception class. If not specified, PolicyNotAuthorized will be used.

Raises:

manila.exception.PolicyNotAuthorized – if verification fails and do_raise is True. Or if ‘exc’ is specified it will raise an exception of that type.

Returns:

returns a non-False value (not necessarily “True”) if authorized, and the exact value False if not authorized and do_raise is False.

check_is_admin(context)

Whether or not user is admin according to policy setting.

check_is_host_admin(context)

Whether or not user is host admin according to policy setting.

check_policy(context, resource, action, target_obj=None, do_raise=True)
default_target(context)
enforce(context, action, target, do_raise=True)

Verifies that the action is valid on the target in this context.

IMPORTANT ONLY for use in API extensions. This method ignores unregistered rules and applies a default rule on them; there should be no unregistered rules in first party manila APIs.

Parameters:
  • context – manila context

  • action – string representing the action to be checked, this should be colon separated for clarity. i.e. share:create,

  • target – dictionary representing the object of the action for object creation, this should be a dictionary representing the location of the object e.g. {'project_id': context.project_id}

  • do_raise – Whether to raise an exception if check fails.

Returns:

When do_raise is False, returns a value that evaluates as True or False depending on whether the policy allows action on the target.

Raises:

manila.exception.PolicyNotAuthorized if verification fails and do_raise is True.

get_enforcer()
get_rules()
init(rules=None, use_conf=True, suppress_deprecation_warnings=False)

Init an Enforcer class.

Parameters:
  • policy_file – Custom policy file to use, if none is specified, CONF.policy_file will be used.

  • rules – Default dictionary / Rules to use. It will be considered just in the first instantiation.

  • use_conf – Whether to load rules from config file.

  • suppress_deprecation_warnings – Whether to suppress policy deprecation warnings.

register_rules(enforcer)
reset()
set_rules(rules, overwrite=True, use_conf=False)

Set rules based on the provided dict of rules.

Parameters:
  • rules – New rules to use. It should be an instance of dict.

  • overwrite – Whether to overwrite current rules or update them with the new rules.

  • use_conf – Whether to reload rules from config file.

wrap_check_policy(resource)

Check policy corresponding to the wrapped methods prior to execution.

System limits

The following limits need to be defined and enforced:

  • Maximum cumulative size of shares and snapshots (GB)

  • Total number of shares

  • Total number of snapshots

  • Total number of share networks