From ed63b0f5f3de4fb0fb1908959c42f70a14339851 Mon Sep 17 00:00:00 2001 From: Seif Lotfy Date: Sun, 8 Sep 2013 17:46:42 +0000 Subject: [PATCH] Add ratelimiting options to nova::api nova master now has proper support for ratelimitng via the api-paste.ini This commit adds a configuration option based on https://github.com/openstack/nova/commit/08d6932963c9cbbd605833933bf5ea0f66127dc4 Change-Id: Ic29d4aa15fdf8b4613a1c3a641c60e6d8377f418 --- manifests/api.pp | 14 +++++++++++++- spec/classes/nova_api_spec.rb | 9 ++++++--- 2 files changed, 19 insertions(+), 4 deletions(-) diff --git a/manifests/api.pp b/manifests/api.pp index 5e61b10de..efd1771c9 100644 --- a/manifests/api.pp +++ b/manifests/api.pp @@ -20,6 +20,8 @@ # enable this if you have a sanitizing proxy. (boolean value) # (Optional). Defaults to false. # * neutron_metadata_proxy_shared_secret +# * ratelimit +# * ratelimit_factory # class nova::api( $admin_password, @@ -40,7 +42,10 @@ class nova::api( $use_forwarded_for = false, $workers = $::processorcount, $sync_db = true, - $neutron_metadata_proxy_shared_secret = undef + $neutron_metadata_proxy_shared_secret = undef, + $ratelimits = undef, + $ratelimits_factory = + 'nova.api.openstack.compute.limits:RateLimitingMiddleware.factory' ) { include nova::params @@ -133,6 +138,13 @@ class nova::api( } } + if ($ratelimits != undef) { + nova_paste_api_ini { + 'filter:ratelimit/paste.filter_factory': value => $ratelimits_factory; + 'filter:ratelimit/limits': value => $ratelimits; + } + } + # Added arg and if statement prevents this from being run # where db is not active i.e. the compute if $sync_db { diff --git a/spec/classes/nova_api_spec.rb b/spec/classes/nova_api_spec.rb index b8c98436f..1c7ddf064 100644 --- a/spec/classes/nova_api_spec.rb +++ b/spec/classes/nova_api_spec.rb 
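Review bot: The two documentation entries added in the first hunk name parameters that do not exist: the header lists `ratelimit` and `ratelimit_factory`, while the class signature in the second hunk declares `$ratelimits` and `$ratelimits_factory`. The new entries also carry no description, unlike the parameter documented just above them. I would write `# * ratelimits`, described as the limits string written to `filter:ratelimit/limits` in api-paste.ini and defaulting to undef, and `# * ratelimits_factory`, described as the paste filter factory that is written only when `ratelimits` is set. The comment block starts above the hunk.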
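Review bot: In the third hunk the `filter:ratelimit` settings are managed only inside `if ($ratelimits != undef)`, so reverting the parameter to its default leaves any previously written `limits` line in api-paste.ini, and the host keeps the last applied limits instead of returning to nova's defaults. Rate limits are an abuse and load control, so this silent drift between manifest and host should be closed or at least documented on the parameter. One option, assuming `nova_paste_api_ini` is ensurable like the other ini-backed types, is an else branch such as `nova_paste_api_ini { 'filter:ratelimit/limits': ensure => absent }`. The value is also written verbatim, with no check that it is a string in the `(VERB, "uri", regex, count, UNIT)` form the spec uses, and nothing visible here confirms that the `ratelimit` filter is in the active pipeline. The class body continues outside the hunk.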
@@ -95,25 +95,28 @@ describe 'nova::api' do
 :volume_api_class => 'nova.volume.cinder.API',
 :use_forwarded_for => false,
 :neutron_metadata_proxy_shared_secret => 'secrete',
+ :ratelimits => '(GET, "*", .*, 100, MINUTE);(POST, "*", .*, 200, MINUTE)'
 }
 end
 it 'should use defined params for api-paste.ini' do
 should contain_nova_paste_api_ini(
- 'filter:authtoken/auth_host').with_value('10.0.0.1')
+ 'filter:authtoken/auth_host').with_value('10.0.0.1')
 should contain_nova_paste_api_ini(
 'filter:authtoken/auth_port').with_value('1234')
 should contain_nova_paste_api_ini(
 'filter:authtoken/auth_protocol').with_value('https')
 should contain_nova_paste_api_ini(
- 'filter:authtoken/auth_admin_prefix').with_value('/keystone/admin')
+ 'filter:authtoken/auth_admin_prefix').with_value('/keystone/admin')
 should contain_nova_paste_api_ini(
- 'filter:authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
+ 'filter:authtoken/auth_uri').with_value('https://10.0.0.1:9999/')
 should contain_nova_paste_api_ini(
 'filter:authtoken/admin_tenant_name').with_value('service2')
 should contain_nova_paste_api_ini(
 'filter:authtoken/admin_user').with_value('nova2')
 should contain_nova_paste_api_ini(
 'filter:authtoken/admin_password').with_value('passw0rd2').with_secret(true)
+ should contain_nova_paste_api_ini(
+ 'filter:ratelimit/limits').with_value('(GET, "*", .*, 100, MINUTE);(POST, "*", .*, 200, MINUTE)')
 end
 it { should contain_nova_config('DEFAULT/ec2_listen').with('value' => '192.168.56.210') }
 it { should contain_nova_config('DEFAULT/osapi_compute_listen').with('value' => '192.168.56.210') }
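Review bot: The added expectation covers only `filter:ratelimit/limits`; nothing asserts `filter:ratelimit/paste.filter_factory`, and nothing visible asserts that both settings are absent when `ratelimits` is left undef, which is the branch most installs will take. I would add `should contain_nova_paste_api_ini('filter:ratelimit/paste.filter_factory').with_value('nova.api.openstack.compute.limits:RateLimitingMiddleware.factory')` here and `should_not contain_nova_paste_api_ini('filter:ratelimit/limits')` in the default-parameters context. The three `-`/`+` pairs on the authtoken lines appear to differ only in indentation and would be easier to review in a separate commit. The surrounding `describe` block starts and ends outside the hunk.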