How to setup storage quota for OpenStack tenant (project) and user?

Introduction:

This chapter will show you how to setup the storage quota in the OpenStack for your backup users.

If you are new to OpenStack, you should check with their documentation on general setup available at http://docs.openstack.org/

If you already have a running OpenStack, you can follow our steps to setup the storage quota.



Assumptions:

Here are the OpenStack version used in the following examples:


Here are the values used in the following examples:


Note: The value of the Keystone admin token can be found in the variable name "admin_token" defined inside the keystone configuration file at /etc/keystone/keystone.conf .



Requirements and preparations:

Please setup the following variables in bash profile and filters in the proxy-server.conf before you setup a tenant (project), user, roles and storage quota etc.

Step 1: Add the environment variable in the .bash_profile

Example (/root/.bash_profile)
----------------------------------------------------------------------------------------------------
    :
    :
  Trimmed
    :
    :
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_TENANT_NAME=mybackup
export OS_AUTH_URL=http://10.7.54.7:5000/v2.0
export OS_SERVICE_ENDPOINT=http://10.7.54.7:35357/v2.0
export OS_SERVICE_TOKEN=7b05dab9722d44e7b9a82dc0d1ff74ea
    :
    :
  Trimmed
    :
    :
----------------------------------------------------------------------------------------------------

Please login again for profile to take effect.

Note: The value of the OS_SERVICE_TOKEN can be found in the variable name "admin_token" defined inside the keystone configuration file at /etc/keystone/keystone.conf .



Step 2: Enable quota restriction in swift-proxy (/etc/swift/proxy-server.conf)

Edit the file proxy-server.conf , add the contents that are highlighted in red in the below example.

Example (/etc/swift/proxy-server.conf)
----------------------------------------------------------------------------------------------------
    :
    :
    :
  Trimmed
    :
    :
    :

[pipeline:main]
pipeline = healthcheck cache authtoken keystone container-quotas account-quotas proxy-server

    :
    :
    :
  Trimmed
    :
    :
    :

[filter:keystone]
use = egg:swift#keystoneauth
operator_roles = admin, SwiftOperator, ResellerAdmin
is_admin = true

[filter:container-quotas]
use = egg:swift#container_quotas

[filter:account-quotas]
use = egg:swift#account_quotas
----------------------------------------------------------------------------------------------------


Step 3: Restart the proxy services

Restart the proxy service after you have modified the config file /etc/swift/proxy-server.conf .

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift-init proxy restart
Signal proxy-server  pid: 13453  signal: 15
proxy-server (13453) appears to have stopped
Starting proxy-server...(/etc/swift/proxy-server.conf)
WARNING: SSL should only be enabled for testing purposes. Use external SSL termination for a production deployment.

[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 4: Create ResellerAdmin role

Create a role called ResellerAdmin for user that can change the quota of an account. You need to create a role with keystone and add this to your admin user.

Usage: keystone role-create --name <role-name>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone role-create --name ResellerAdmin 
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 464e592192554bdd8201b367997886f1 |
|   name   |          ResellerAdmin           |
+----------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------


Please verify the role setup by the following command:

Usage: keystone role-list

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone role-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------------+
|                id                |       name      |
+----------------------------------+-----------------+
| 464e592192554bdd8201b367997886f1 |  ResellerAdmin  |
| e34c3a339a924180b07e2099842c727f |  SwiftOperator  |
| 9fe2ff9ee4384b1894a90878d3e92bab |     _member_    |
| 3e61686683c94fd9a24beab378dfef81 |      admin      |
+----------------------------------+-----------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------


If you want to remove the role:

Usage: keystone role-delete <role>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone role-delete ResellerAdmin
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 5: Assign the ResellerAdmin role to admin

Usage: keystone user-role-add --user <user> --role <role> --tenant <tenant>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone user-role-add --user admin --role ResellerAdmin --tenant mybackup
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
[root@os ~]#
----------------------------------------------------------------------------------------------------


Please verify the setup by the following command:

Usage: keystone user-role-list --user <user> --tenant <tenant>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone user-role-list --user admin --tenant mybackup
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+----------------------------------+-----------------+----------------------------------+----------------------------------+
|                id                |       name      |             user_id              |            tenant_id             |
+----------------------------------+-----------------+----------------------------------+----------------------------------+
| 464e592192554bdd8201b367997886f1 |  ResellerAdmin  | 70a0cf53001d4798b02aae61e935e5df | 49f2482ecff9431bae1d32fa2a004026 |
| 3e61686683c94fd9a24beab378dfef81 |      admin      | 70a0cf53001d4798b02aae61e935e5df | 49f2482ecff9431bae1d32fa2a004026 |
+----------------------------------+-----------------+----------------------------------+----------------------------------+
[root@os ~]#
----------------------------------------------------------------------------------------------------


If you want to remove the assigned role:

Usage: keystone user-role-remove --user <user> --role <role> --tentant <tentant>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# keystone user-role-remove --user admin --role ResellerAdmin --tenant mybackup
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
[root@os ~]#
----------------------------------------------------------------------------------------------------


Step 6: Setup a storage quota for this tenant (project):

In this example, we will apply 10GB for this tenant (project). All containers within this project will share this quota.

Usage: swift post -m quota-bytes:<value>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift post -m quota-bytes:10737418240
[root@os ~]#
----------------------------------------------------------------------------------------------------


Please verify the storage quota setup by the following command:

Usage: swift stat

Example

----------------------------------------------------------------------------------------------------
[root@os ~]# swift stat
       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
    Containers: 4
       Objects: 260
         Bytes: 694896
Meta Quota-Bytes: 10737418240
   X-Timestamp: 1412574345.10669
  Content-Type: text/plain; charset=utf-8
 Accept-Ranges: bytes
[root@os ~]#
----------------------------------------------------------------------------------------------------


If you want to remove a storage quota for this tenant (project):

Usage: swift post -m quota-bytes:

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift post -m quota-bytes:
[root@os ~]# 
----------------------------------------------------------------------------------------------------


Step 7: Setup a storage quota for this container

To setup a storage quota for this user to use this container, eg: applying 2GB for user1

Usage: swift post <container name> -H "X-Container-Meta-Quota-Bytes: <size in bytes>"

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift post user1 -H "X-Container-Meta-Quota-Bytes: 2147483648"
[root@os ~]#
----------------------------------------------------------------------------------------------------


Please verify the container quota setup:

Usage: swift stat <container name>

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift stat user1
       Account: AUTH_49f2482ecff9431bae1d32fa2a004026
     Container: user1
       Objects: 0
         Bytes: 0
      Read ACL: mybackup:user1
     Write ACL: mybackup:user1
       Sync To:
      Sync Key:
Meta Quota-Bytes: 2147483648
 Accept-Ranges: bytes
   X-Timestamp: 1412578586.50844
  Content-Type: text/plain; charset=utf-8
[root@os ~]#
----------------------------------------------------------------------------------------------------


If you want to remove a storage quota for a user:

Usage: swift post <container name> -H "X-Container-Meta-Quota-Bytes:"

Example
----------------------------------------------------------------------------------------------------
[root@os ~]# swift post user6 -H "X-Container-Meta-Quota-Bytes:"
[root@os ~]#
----------------------------------------------------------------------------------------------------