bc7a9f0da7
Partial-Bug: #1250515 backport: havana Change-Id: I9675dffd130c8aa6343143d9806adb4e0b74a55d author: diane fleming
186 lines
8.2 KiB
XML
186 lines
8.2 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
|
|
xml:id="configuring-compute-API">
|
|
<title>Configure the Compute API</title>
|
|
<para>The Compute API, run by the <systemitem class="service"
|
|
>nova-api</systemitem> daemon, is the component of
|
|
OpenStack Compute that receives and responds to user requests,
|
|
whether they be direct API calls, or via the CLI tools or
|
|
dashboard.</para>
|
|
<simplesect>
|
|
<title>Configure Compute API password handling</title>
|
|
<para>The OpenStack Compute API enables users to specify an
|
|
administrative password when they create or rebuild a
|
|
server instance. If the user does not specify a password,
|
|
a random password is generated and returned in the API
|
|
response.</para>
|
|
<para>In practice, how the admin password is handled depends
|
|
on the hypervisor in use and might require additional
|
|
configuration of the instance. For example, you might have
|
|
to install an agent to handle the password setting. If the
|
|
hypervisor and instance configuration do not support
|
|
setting a password at server create time, the password
|
|
that is returned by the create API call is misleading
|
|
because it was ignored.</para>
|
|
<para>To prevent this confusion, use the
|
|
<option>enable_instance_password</option>
|
|
configuration option to disable the return of the admin
|
|
password for installations that do not support setting
|
|
instance passwords.</para>
|
|
</simplesect>
|
|
<simplesect>
|
|
<title>Configure Compute API rate limiting</title>
|
|
<para>OpenStack Compute supports API rate limiting for the
|
|
OpenStack API. The rate limiting allows an administrator
|
|
to configure limits on the type and number of API calls
|
|
that can be made in a specific time interval.</para>
|
|
<para>When API rate limits are exceeded, HTTP requests return
|
|
an error with a status code of <errorcode>413</errorcode>
|
|
<errortext>Request entity too large</errortext>, and
|
|
includes an HTTP <literal>Retry-After</literal> header.
|
|
The response body includes the error details and the delay
|
|
before you should retry the request.</para>
|
|
<para>Rate limiting is not available for the EC2 API.</para>
|
|
</simplesect>
|
|
<simplesect>
|
|
<title>Define limits</title>
|
|
<para>To define limits, set these values:</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para>The <emphasis role="bold">HTTP method</emphasis>
|
|
used in the API call, typically one of GET, PUT,
|
|
POST, or DELETE.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A <emphasis role="bold">human readable
|
|
URI</emphasis> that is used as a friendly
|
|
description of where the limit is applied.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A <emphasis role="bold">regular
|
|
expression</emphasis>. The limit is applied to
|
|
all URIs that match the regular expression and
|
|
HTTP method.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>A <emphasis role="bold">limit value </emphasis>
|
|
that specifies the maximum count of units before
|
|
the limit takes effect.</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>An <emphasis role="bold">interval</emphasis>
|
|
that specifies time frame to which the limit is
|
|
applied. The interval can be SECOND, MINUTE, HOUR,
|
|
or DAY.</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para>Rate limits are applied in relative order to the HTTP
|
|
method, going from least to most specific. For example,
|
|
although the default threshold for POST to */servers is 50
|
|
each day, you cannot POST to */servers more than 10 times
|
|
in a single minute because the rate limits for any POST is
|
|
10 each minute.</para>
|
|
</simplesect>
|
|
<simplesect>
|
|
<title>Default limits</title>
|
|
<para>Normally, you install OpenStack Compute with the
|
|
following limits enabled:</para>
|
|
<table rules="all">
|
|
<caption>Default API rate limits</caption>
|
|
<thead>
|
|
<tr>
|
|
<td>HTTP method</td>
|
|
<td>API URI</td>
|
|
<td>API regular expression</td>
|
|
<td>Limit</td>
|
|
</tr>
|
|
</thead>
|
|
<tbody>
|
|
<tr>
|
|
<td>POST</td>
|
|
<td>any URI (*)</td>
|
|
<td>.*</td>
|
|
<td>10 per minute</td>
|
|
</tr>
|
|
<tr>
|
|
<td>POST</td>
|
|
<td>/servers</td>
|
|
<td>^/servers</td>
|
|
<td>50 per day</td>
|
|
</tr>
|
|
<tr>
|
|
<td>PUT</td>
|
|
<td>any URI (*)</td>
|
|
<td>.*</td>
|
|
<td>10 per minute</td>
|
|
</tr>
|
|
<tr>
|
|
<td>GET</td>
|
|
<td>*changes-since*</td>
|
|
<td>.*changes-since.*</td>
|
|
<td>3 per minute</td>
|
|
</tr>
|
|
<tr>
|
|
<td>DELETE</td>
|
|
<td>any URI (*)</td>
|
|
<td>.*</td>
|
|
<td>100 per minute</td>
|
|
</tr>
|
|
</tbody>
|
|
</table>
|
|
</simplesect>
|
|
<simplesect>
|
|
<title>Configure and change limits</title>
|
|
<para>As part of the WSGI pipeline, the
|
|
<filename>etc/nova/api-paste.ini</filename> file
|
|
defines the actual limits.</para>
|
|
<para>To enable limits, include the
|
|
<option>ratelimit</option>' filter in the API pipeline
|
|
specification. If the <option>ratelimit</option> filter is
|
|
removed from the pipeline, limiting is disabled. You must
|
|
also define the rate limit filter. The lines appear as
|
|
follows:</para>
|
|
<programlisting language="ini">[pipeline:openstack_compute_api_v2]
|
|
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_compute_app_v2
|
|
|
|
[pipeline:openstack_volume_api_v1]
|
|
pipeline = faultwrap authtoken keystonecontext ratelimit osapi_volume_app_v1
|
|
|
|
[filter:ratelimit]
|
|
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory</programlisting>
|
|
<para>To modify the limits, add a <literal>limits</literal>
|
|
specification to the <literal>[filter:ratelimit]</literal>
|
|
section of the file. Specify the limits in this
|
|
order:</para>
|
|
<orderedlist>
|
|
<listitem>
|
|
<para>HTTP method</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>friendly URI</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>regex</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>limit</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para>interval</para>
|
|
</listitem>
|
|
</orderedlist>
|
|
<para>The following example shows the default rate-limiting
|
|
values:</para>
|
|
<programlisting language="ini">[filter:ratelimit]
|
|
paste.filter_factory = nova.api.openstack.compute.limits:RateLimitingMiddleware.factory
|
|
limits =(POST, "*", .*, 10, MINUTE);(POST, "*/servers", ^/servers, 50, DAY);(PUT, "*", .*, 10, MINUTE);(GET, "*changes-since*", .*changes-since.*, 3, MINUTE);(DELETE, "*", .*, 100, MINUTE)</programlisting>
|
|
</simplesect>
|
|
<simplesect xml:id="compute_config_options">
|
|
<title>Configuration reference</title>
|
|
<para>The following table lists the Compute API configuration options:</para>
|
|
<xi:include href="tables/nova-api.xml"/>
|
|
</simplesect>
|
|
</section>
|