Update project depth check

when a hierarchical limit enforcement model is deployed
by keystone, the project hierarchical depth should
not break the limit model as well.

This patch updated the project depth check function
to fix the problem.

bp: strict-two-level-model
Change-Id: I695fedcf83bdca2946a2c5d876052c02b0f63810

keystone/resource/core.py

@@ -76,6 +76,15 @@ class Manager(manager.Manager):
         # pushing any existing hierarchies over the limit, we add one to the
         # maximum depth allowed, as specified in the configuration file.
         max_depth = CONF.max_project_tree_depth + 1
+
+        # NOTE(wxy): If the hierarchical limit enforcement model is used, the
+        # project depth should be not greater than the model's limit as well.
+        #
+        # TODO(wxy): Deprecate and remove CONF.max_project_tree_depth, let the
+        # depth check only based on the limit enforcement model.
+        limit_model = PROVIDERS.unified_limit_api.enforcement_model
+        if limit_model.MAX_PROJECT_TREE_DEPTH is not None:
+            max_depth = min(max_depth, limit_model.MAX_PROJECT_TREE_DEPTH + 1)
         if self._get_hierarchy_depth(parents_list) > max_depth:
             raise exception.ForbiddenNotSecurity(
                 _('Max hierarchy depth reached for %s branch.') % project_id)

keystone/tests/unit/test_v3_resource.py

@@ -1798,3 +1798,32 @@ class ResourceTestCase(test_v3.RestfulTestCase,
         resp = self.get('/users/%(user)s/projects' % {'user': user['id']})
         self.assertValidProjectListResponse(resp)
         self.assertEqual(project['id'], resp.result['projects'][0]['id'])
+
+
+class StrictTwoLevelLimitsResourceTestCase(ResourceTestCase):
+    def setUp(self):
+        super(StrictTwoLevelLimitsResourceTestCase, self).setUp()
+
+    def config_overrides(self):
+        super(StrictTwoLevelLimitsResourceTestCase, self).config_overrides()
+        self.config_fixture.config(group='unified_limit',
+                                   enforcement_model='strict_two_level')
+
+    def _create_projects_hierarchy(self, hierarchy_size=1):
+        if hierarchy_size > 1:
+            self.skip_test_overrides(
+                "Strict two level limit enforcement model doesn't allow the"
+                "project tree depth > 2")
+        return super(StrictTwoLevelLimitsResourceTestCase,
+                     self)._create_projects_hierarchy(hierarchy_size)
+
+    def test_create_hierarchical_project(self):
+        projects = self._create_projects_hierarchy()
+
+        # create grandchild project will fail.
+        new_ref = unit.new_project_ref(
+            domain_id=self.domain_id,
+            parent_id=projects[1]['project']['id'])
+        self.post('/projects',
+                  body={'project': new_ref},
+                  expected_status=http_client.FORBIDDEN)

releasenotes/notes/bp-strict-two-level-model.yaml

@@ -14,6 +14,9 @@ features:
    Please ensure that the previous project and limit structure deployment in
    your Keystone won't break this model before starting to use it.
 
+   If a newly created project results in a project tree depth greater than 2, a
+   `403 Forbidden` error will be raised.
+
  - >
    [`blueprint strict-two-level-model <https://blueprints.launchpad.net/keystone/+spec/strict-two-level-model>`_]
    The `project_id` filter is added for listing limits. This filter is used