feat：同步并分表存储资源组权限数据 #10964

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt

@@ -179,8 +179,7 @@ class RbacAuthConfiguration {
         dslContext: DSLContext,
         authResourceGroupConfigDao: AuthResourceGroupConfigDao,
         authResourceGroupMemberDao: AuthResourceGroupMemberDao,
-        resourceGroupSyncService: PermissionResourceGroupSyncService,
-        objectMapper: ObjectMapper
+        resourceGroupSyncService: PermissionResourceGroupSyncService
     ) = RbacPermissionResourceGroupService(
         iamV2ManagerService = iamV2ManagerService,
         authResourceService = authResourceService,
@@ -189,8 +188,7 @@ class RbacAuthConfiguration {
         dslContext = dslContext,
         authResourceGroupConfigDao = authResourceGroupConfigDao,
         authResourceGroupMemberDao = authResourceGroupMemberDao,
-        resourceGroupSyncService = resourceGroupSyncService,
-        objectMapper = objectMapper
+        resourceGroupSyncService = resourceGroupSyncService
     )
 
     @Bean
@@ -229,7 +227,8 @@ class RbacAuthConfiguration {
         iamV2ManagerService: V2ManagerService,
         authAuthorizationScopesService: AuthAuthorizationScopesService,
         authActionDao: AuthActionDao,
-        authResourceGroupConfigDao: AuthResourceGroupConfigDao
+        authResourceGroupConfigDao: AuthResourceGroupConfigDao,
+        objectMapper: ObjectMapper
     ) = RbacPermissionResourceGroupPermissionService(
         v2ManagerService = v2ManagerService,
         rbacCacheService = rbacCacheService,
@@ -242,7 +241,8 @@ class RbacAuthConfiguration {
         iamV2ManagerService = iamV2ManagerService,
         authAuthorizationScopesService = authAuthorizationScopesService,
         authActionDao = authActionDao,
-        authResourceGroupConfigDao = authResourceGroupConfigDao
+        authResourceGroupConfigDao = authResourceGroupConfigDao,
+        objectMapper = objectMapper
     )
 
     @Bean

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupPermissionService.kt

@@ -29,7 +29,12 @@
 package com.tencent.devops.auth.provider.rbac.service
 
 import com.fasterxml.jackson.core.type.TypeReference
+import com.fasterxml.jackson.databind.ObjectMapper
 import com.tencent.bk.sdk.iam.dto.InstancesDTO
+import com.tencent.bk.sdk.iam.dto.manager.Action
+import com.tencent.bk.sdk.iam.dto.manager.AuthorizationScopes
+import com.tencent.bk.sdk.iam.dto.manager.ManagerPath
+import com.tencent.bk.sdk.iam.dto.manager.ManagerResources
 import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
 import com.tencent.devops.auth.constant.AuthI18nConstants
 import com.tencent.devops.auth.constant.AuthMessageCode
@@ -76,7 +81,8 @@ class RbacPermissionResourceGroupPermissionService(
     private val iamV2ManagerService: V2ManagerService,
     private val authAuthorizationScopesService: AuthAuthorizationScopesService,
     private val authActionDao: AuthActionDao,
-    private val authResourceGroupConfigDao: AuthResourceGroupConfigDao
+    private val authResourceGroupConfigDao: AuthResourceGroupConfigDao,
+    private val objectMapper: ObjectMapper
 ) : PermissionResourceGroupPermissionService {
     @Value("\${auth.iamSystem:}")
     private val systemId = ""
@@ -129,6 +135,34 @@ class RbacPermissionResourceGroupPermissionService(
         return true
     }
 
+    override fun buildProjectPermissions(
+        projectCode: String,
+        projectName: String,
+        actions: List<String>
+    ): String {
+        val resourceType2Actions = actions.groupBy { it.substringBeforeLast("_") }
+        val authorizationScopes = resourceType2Actions.map { (resourceType, actions) ->
+            val projectPath = ManagerPath().apply {
+                system = systemId
+                id = projectCode
+                name = projectName
+                type = AuthResourceType.PROJECT.value
+            }
+            val resources = ManagerResources.builder()
+                .system(systemId)
+                .type(resourceType)
+                .paths(listOf(listOf(projectPath)))
+                .build()
+            val iamActions = actions.map { Action(it) }
+            AuthorizationScopes().also {
+                it.resources = listOf(resources)
+                it.actions = iamActions
+                it.system = systemId
+            }
+        }
+        return objectMapper.writeValueAsString(authorizationScopes)
+    }
+
     override fun getGroupPolices(
         userId: String,
         projectCode: String,

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt

@@ -28,13 +28,8 @@
 
 package com.tencent.devops.auth.provider.rbac.service
 
-import com.fasterxml.jackson.databind.ObjectMapper
 import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
 import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
-import com.tencent.bk.sdk.iam.dto.manager.Action
-import com.tencent.bk.sdk.iam.dto.manager.AuthorizationScopes
-import com.tencent.bk.sdk.iam.dto.manager.ManagerPath
-import com.tencent.bk.sdk.iam.dto.manager.ManagerResources
 import com.tencent.bk.sdk.iam.dto.manager.ManagerRoleGroup
 import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerRoleGroupDTO
 import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
@@ -55,7 +50,6 @@ import com.tencent.devops.auth.pojo.dto.ListGroupConditionDTO
 import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
 import com.tencent.devops.auth.pojo.enum.GroupMemberStatus
 import com.tencent.devops.auth.pojo.request.CustomGroupCreateReq
-import com.tencent.devops.auth.pojo.vo.GroupPermissionDetailVo
 import com.tencent.devops.auth.pojo.vo.IamGroupInfoVo
 import com.tencent.devops.auth.pojo.vo.IamGroupMemberInfoVo
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupPermissionService
@@ -84,8 +78,7 @@ class RbacPermissionResourceGroupService @Autowired constructor(
     private val authResourceGroupDao: AuthResourceGroupDao,
     private val authResourceGroupConfigDao: AuthResourceGroupConfigDao,
     private val authResourceGroupMemberDao: AuthResourceGroupMemberDao,
-    private val resourceGroupSyncService: PermissionResourceGroupSyncService,
-    private val objectMapper: ObjectMapper
+    private val resourceGroupSyncService: PermissionResourceGroupSyncService
 ) : PermissionResourceGroupService {
     companion object {
         private val logger = LoggerFactory.getLogger(RbacPermissionResourceGroupService::class.java)
@@ -535,20 +528,18 @@ class RbacPermissionResourceGroupService @Autowired constructor(
         )
         if (resourceGroupInfo != null)
             return resourceGroupInfo.relationId.toInt()
-        val authorizationScopes = buildProjectPermissions(
+        val authorizationScopes = permissionResourceGroupPermissionService.buildProjectPermissions(
             projectCode = projectInfo.projectCode,
             projectName = projectInfo.resourceName,
             actions = customGroupCreateReq.actions
         )
-        val iamGroupId = createProjectGroupToIam(
-            projectCode = projectId,
-            projectName = projectInfo.resourceName,
-            relationId = projectInfo.relationId.toInt(),
-            groupCode = CUSTOM_GROUP_CODE,
+        val iamGroupId = createGroupToIam(
+            resourceType = AuthResourceType.PROJECT.value,
+            managerId = projectInfo.relationId.toInt(),
             groupName = customGroupCreateReq.groupName,
             description = customGroupCreateReq.groupDesc
         )
-        permissionGroupPoliciesService.grantGroupPermission(
+        permissionResourceGroupPermissionService.grantGroupPermission(
             authorizationScopesStr = authorizationScopes,
             projectCode = projectId,
             projectName = projectInfo.resourceName,
@@ -561,87 +552,6 @@ class RbacPermissionResourceGroupService @Autowired constructor(
         return iamGroupId
     }
 
-    private fun buildProjectPermissions(
-        projectCode: String,
-        projectName: String,
-        actions: List<String>
-    ): String {
-        val resourceType2Actions = actions.groupBy { it.substringBeforeLast("_") }
-        val authorizationScopes = resourceType2Actions.map { (resourceType, actions) ->
-            val projectPath = ManagerPath().apply {
-                system = systemId
-                id = projectCode
-                name = projectName
-                type = AuthResourceType.PROJECT.value
-            }
-            val resources = ManagerResources.builder()
-                .system(systemId)
-                .type(resourceType)
-                .paths(listOf(listOf(projectPath)))
-                .build()
-            val iamActions = actions.map { Action(it) }
-            AuthorizationScopes().also {
-                it.resources = listOf(resources)
-                it.actions = iamActions
-                it.system = systemId
-            }
-        }
-        return objectMapper.writeValueAsString(authorizationScopes)
-    }
-
-    private fun getGroupPermissionDetailBySystem(iamSystemId: String, groupId: Int): List<GroupPermissionDetailVo> {
-        val iamGroupPermissionDetailList = try {
-            v2ManagerService.getGroupPermissionDetail(groupId, iamSystemId)
-        } catch (e: Exception) {
-            throw ErrorCodeException(
-                errorCode = AuthMessageCode.GET_GROUP_PERMISSION_DETAIL_FAIL,
-                params = arrayOf(groupId.toString()),
-                defaultMessage = "Failed to get group($groupId) permission info"
-            )
-        }
-        val pageInfoDTO = V2PageInfoDTO()
-        pageInfoDTO.page = PageUtil.DEFAULT_PAGE
-        pageInfoDTO.pageSize = PageUtil.DEFAULT_PAGE_SIZE
-        val iamGroupInfoList = if (resourceType == AuthResourceType.PROJECT.value) {
-            val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
-            iamV2ManagerService.getGradeManagerRoleGroupV2(
-                managerId.toString(),
-                searchGroupDTO,
-                pageInfoDTO
-            )
-        } else {
-            iamV2ManagerService.getSubsetManagerRoleGroup(
-                managerId,
-                pageInfoDTO
-            )
-        }
-        iamGroupInfoList.results.forEach { iamGroupInfo ->
-            authResourceGroupDao.create(
-                dslContext = dslContext,
-                projectCode = projectCode,
-                resourceType = resourceType,
-                resourceCode = resourceCode,
-                resourceName = resourceName,
-                iamResourceCode = iamResourceCode,
-                groupCode = DefaultGroupType.MANAGER.value,
-                groupName = iamGroupInfo.name,
-                defaultGroup = true,
-                relationId = iamGroupInfo.id.toString()
-            )
-            // 同步拥有者组里面的成员
-            resourceGroupSyncService.syncIamGroupMember(
-                projectCode = projectCode,
-                iamGroupId = iamGroupInfo.id
-            )
-            // 同步组权限
-            permissionResourceGroupPermissionService.syncGroupPermissions(
-                projectCode = projectCode,
-                iamGroupId = iamGroupInfo.id
-            )
-        }
-        return true
-    }
-
     override fun syncManagerGroup(
         projectCode: String,
         managerId: Int,

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupPermissionService.kt

@@ -46,6 +46,12 @@ class SamplePermissionResourceGroupPermissionService : PermissionResourceGroupPe
         registerMonitorPermission: Boolean
     ): Boolean = true
 
+    override fun buildProjectPermissions(
+        projectCode: String,
+        projectName: String,
+        actions: List<String>
+    ) = ""
+
     override fun getGroupPolices(
         userId: String,
         projectCode: String,

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupService.kt

@@ -90,7 +90,9 @@ class SamplePermissionResourceGroupService : PermissionResourceGroupService {
         projectId: String,
         resourceType: String,
         resourceCode: String,
-        groupCode: String
+        groupCode: String,
+        groupName: String?,
+        groupDesc: String?
     ): Int = 0
 
     override fun createCustomGroupAndPermissions(

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupPermissionService.kt

@@ -45,6 +45,12 @@ interface PermissionResourceGroupPermissionService {
         registerMonitorPermission: Boolean = true
     ): Boolean
 
+    fun buildProjectPermissions(
+        projectCode: String,
+        projectName: String,
+        actions: List<String>
+    ): String
+
     fun getGroupPolices(
         userId: String,
         projectCode: String,

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupService.kt

@@ -85,7 +85,9 @@ interface PermissionResourceGroupService {
         projectId: String,
         resourceType: String = AuthResourceType.PROJECT.value,
         resourceCode: String,
-        groupCode: String
+        groupCode: String,
+        groupName: String? = null,
+        groupDesc: String? = null
     ): Int
 
     fun syncManagerGroup(
@@ -108,10 +110,8 @@ interface PermissionResourceGroupService {
         projectCode: String,
         resourceType: String,
         resourceCode: String,
-        resourceName: String,
-        groupName: String? = null,
-        groupDesc: String? = null
-    ): Int
+        resourceName: String
+    ): Boolean
 
     fun createCustomGroupAndPermissions(
         projectId: String,