Add ratelimiting options to nova::api

nova master now has proper support for ratelimitng via the api-paste.ini This commit adds a configuration option based on 08d6932963 Change-Id: Ic29d4aa15fdf8b4613a1c3a641c60e6d8377f418
2013-09-08 17:46:42 +00:00
parent 3399678154
commit ed63b0f5f3
2 changed files with 19 additions and 4 deletions
--- a/manifests/api.pp
+++ b/manifests/api.pp
@@ -20,6 +20,8 @@
 #     enable this if you have a sanitizing proxy. (boolean value)
 #     (Optional). Defaults to false.
 # * neutron_metadata_proxy_shared_secret
+# * ratelimit
+# * ratelimit_factory
 #
 class nova::api(
  $admin_password,
@@ -40,7 +42,10 @@ class nova::api(
  $use_forwarded_for = false,
  $workers           = $::processorcount,
  $sync_db           = true,
-  $neutron_metadata_proxy_shared_secret = undef
+  $neutron_metadata_proxy_shared_secret = undef,
+  $ratelimits        = undef,
+  $ratelimits_factory =
+    'nova.api.openstack.compute.limits:RateLimitingMiddleware.factory'
 ) {

  include nova::params
@@ -133,6 +138,13 @@ class nova::api(
    }
  }

+  if ($ratelimits != undef) {
+    nova_paste_api_ini {
+      'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory;
+      'filter:ratelimit/limits':               value => $ratelimits;
+    }
+  }
+
  # Added arg and if statement prevents this from being run
  # where db is not active i.e. the compute
  if $sync_db {
--- a/spec/classes/nova_api_spec.rb
+++ b/spec/classes/nova_api_spec.rb
@@ -95,25 +95,28 @@ describe 'nova::api' do
          :volume_api_class                     => 'nova.volume.cinder.API',
          :use_forwarded_for                    => false,
          :neutron_metadata_proxy_shared_secret => 'secrete',
+          :ratelimits                            => '(GET, "*", .*, 100, MINUTE);(POST, "*", .*, 200, MINUTE)'
        }
      end
      it 'should use defined params for api-paste.ini' do
        should contain_nova_paste_api_ini(
-         'filter:authtoken/auth_host').with_value('10.0.0.1')
+          'filter:authtoken/auth_host').with_value('10.0.0.1')
        should contain_nova_paste_api_ini(
          'filter:authtoken/auth_port').with_value('1234')
        should contain_nova_paste_api_ini(
          'filter:authtoken/auth_protocol').with_value('https')
        should contain_nova_paste_api_ini(
-           'filter:authtoken/auth_admin_prefix').with_value('/keystone/admin')
+          'filter:authtoken/auth_admin_prefix').with_value('/keystone/admin')
        should contain_nova_paste_api_ini(
-           'filter:authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
+          'filter:authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
        should contain_nova_paste_api_ini(
          'filter:authtoken/admin_tenant_name').with_value('service2')
        should contain_nova_paste_api_ini(
          'filter:authtoken/admin_user').with_value('nova2')
        should contain_nova_paste_api_ini(
          'filter:authtoken/admin_password').with_value('passw0rd2').with_secret(true)
+        should contain_nova_paste_api_ini(
+          'filter:ratelimit/limits').with_value('(GET, "*", .*, 100, MINUTE);(POST, "*", .*, 200, MINUTE)')
      end
      it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '192.168.56.210') }
      it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '192.168.56.210') }