Update project depth check
When a hierarchical limit enforcement model is deployed by keystone, the project hierarchy depth must not exceed what that limit model allows. This patch updates the project depth check function to enforce this. bp: strict-two-level-model Change-Id: I695fedcf83bdca2946a2c5d876052c02b0f63810
parent
8038c70abf
commit
a7d4a9bd4c
|
@ -76,6 +76,15 @@ class Manager(manager.Manager):
|
|||
# pushing any existing hierarchies over the limit, we add one to the
|
||||
# maximum depth allowed, as specified in the configuration file.
|
||||
max_depth = CONF.max_project_tree_depth + 1
|
||||
|
||||
# NOTE(wxy): If the hierarchical limit enforcement model is used, the
|
||||
# project depth should be not greater than the model's limit as well.
|
||||
#
|
||||
# TODO(wxy): Deprecate and remove CONF.max_project_tree_depth, let the
|
||||
# depth check only based on the limit enforcement model.
|
||||
limit_model = PROVIDERS.unified_limit_api.enforcement_model
|
||||
if limit_model.MAX_PROJECT_TREE_DEPTH is not None:
|
||||
max_depth = min(max_depth, limit_model.MAX_PROJECT_TREE_DEPTH + 1)
|
||||
if self._get_hierarchy_depth(parents_list) > max_depth:
|
||||
raise exception.ForbiddenNotSecurity(
|
||||
_('Max hierarchy depth reached for %s branch.') % project_id)
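Review bot: The new bound is compared only against the `parents_list` of the project being checked, so a tree that already exceeds `limit_model.MAX_PROJECT_TREE_DEPTH` when an operator switches `enforcement_model` does not appear to be detected here, and limit calculations that rely on the model's depth may not hold for it. Consider validating existing hierarchies when the model is loaded, or at least record the gap next to the NOTE, e.g. `# NOTE: this guards new projects only; existing deeper trees are not rejected here.` The `+ 1` on the model constant also deserves its own sentence, since the comment above explains that offset only for the configuration value. If an enforcement model can lack the attribute (not visible on this page), `getattr(limit_model, 'MAX_PROJECT_TREE_DEPTH', None)` would avoid an AttributeError on every call. The enclosing method starts and ends outside the hunk.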
|
||||
|
|
|
@ -1798,3 +1798,32 @@ class ResourceTestCase(test_v3.RestfulTestCase,
|
|||
resp = self.get('/users/%(user)s/projects' % {'user': user['id']})
|
||||
self.assertValidProjectListResponse(resp)
|
||||
self.assertEqual(project['id'], resp.result['projects'][0]['id'])
|
||||
|
||||
|
||||
class StrictTwoLevelLimitsResourceTestCase(ResourceTestCase):
|
||||
def setUp(self):
|
||||
super(StrictTwoLevelLimitsResourceTestCase, self).setUp()
|
||||
|
||||
def config_overrides(self):
|
||||
super(StrictTwoLevelLimitsResourceTestCase, self).config_overrides()
|
||||
self.config_fixture.config(group='unified_limit',
|
||||
enforcement_model='strict_two_level')
|
||||
|
||||
def _create_projects_hierarchy(self, hierarchy_size=1):
|
||||
if hierarchy_size > 1:
|
||||
self.skip_test_overrides(
|
||||
"Strict two level limit enforcement model doesn't allow the"
|
||||
"project tree depth > 2")
|
||||
return super(StrictTwoLevelLimitsResourceTestCase,
|
||||
self)._create_projects_hierarchy(hierarchy_size)
|
||||
|
||||
def test_create_hierarchical_project(self):
|
||||
projects = self._create_projects_hierarchy()
|
||||
|
||||
# create grandchild project will fail.
|
||||
new_ref = unit.new_project_ref(
|
||||
domain_id=self.domain_id,
|
||||
parent_id=projects[1]['project']['id'])
|
||||
self.post('/projects',
|
||||
body={'project': new_ref},
|
||||
expected_status=http_client.FORBIDDEN)
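Review bot: The skip message in `_create_projects_hierarchy` is built from two adjacent literals with no space between them, so it reads "allow theproject tree depth"; end the first literal with a space: `"Strict two level limit enforcement model doesn't allow the "`. The `setUp` override only calls `super()` and can be dropped. Inherited tests that need `hierarchy_size > 1` are skipped rather than adapted, which leaves `test_create_hierarchical_project` as the only check of the new bound. It asserts just the 403 status, so a 403 raised for an unrelated reason would also pass; checking the error message in the response would tie the test to the depth check.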
|
||||
|
|
|
@ -14,6 +14,9 @@ features:
|
|||
Please ensure that the previous project and limit structure deployment in
|
||||
your Keystone won't break this model before starting to use it.
|
||||
|
||||
If a newly created project results in a project tree depth greater than 2, a
|
||||
`403 Forbidden` error will be raised.
|
||||
|
||||
- >
|
||||
[`blueprint strict-two-level-model <https://blueprints.launchpad.net/keystone/+spec/strict-two-level-model>`_]
|
||||
The `project_id` filter is added for listing limits. This filter is used
|
||||
|
|