From d7ea7979b1addc1a3476791ca7213811e3f7f21b Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 11:47:37 +0800 Subject: [PATCH 01/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/ServiceProjectAuthResourceImpl.kt | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt index 3bb7637f917..012f79eb286 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/service/ServiceProjectAuthResourceImpl.kt @@ -129,6 +129,23 @@ class ServiceProjectAuthResourceImpl @Autowired constructor( ) } + override fun batchCreateProjectUser( + token: String, + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Result { + return Result( + permissionProjectService.batchCreateProjectUser( + userId = userId, + projectCode = projectCode, + roleCode = roleCode, + members = members + ) + ) + } + override fun getProjectRoles( token: String, projectCode: String, From bbd966f9f3a4868f9edf4ee3b27bf85cbd77ca31 Mon Sep 17 00:00:00 2001 
From: greysonfang Date: Tue, 11 Jul 2023 11:52:12 +0800 Subject: [PATCH 02/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/PermissionGradeManagerService.kt | 4 +- .../service/RbacPermissionProjectService.kt | 84 ++++++++++++++++--- .../RbacPermissionResourceGroupService.kt | 2 + .../service/iam/PermissionProjectService.kt | 7 ++ .../iam/impl/AbsPermissionProjectService.kt | 7 ++ .../SampleAuthPermissionProjectService.kt | 7 ++ .../StreamPermissionProjectServiceImpl.kt | 7 ++ .../common/auth/api/pojo/BkAuthGroup.kt | 27 ++++-- 8 files changed, 122 insertions(+), 23 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt index c9a15b49587..910e15345e6 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/PermissionGradeManagerService.kt 
@@ -496,19 +496,19 @@ class PermissionGradeManagerService @Autowired constructor( actionType = CANCEL_ITSM_APPLICATION_ACTION ) ) - logger.info("cancel create gradle manager|${callbackRecord.callbackId}|${callbackRecord.sn}") + logger.info("cancel create gradle manager|${callbackRecord.callbackId}|${callbackRecord.sn}") return iamV2ManagerService.cancelCallbackApplication(callbackRecord.callbackId) } fun listGroup( gradeManagerId: String, + searchGroupDTO: SearchGroupDTO, page: Int, pageSize: Int ): List { val pageInfoDTO = V2PageInfoDTO() pageInfoDTO.page = page pageInfoDTO.pageSize = pageSize - val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build() val iamGroupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2( gradeManagerId, searchGroupDTO, diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index 656b6d89960..46a713aea41 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt 
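Review bot: The new `searchGroupDTO` parameter of `listGroup` pushes the `SearchGroupDTO.builder().inherit(false).build()` construction out to every caller, and both call sites in this same commit (RbacPermissionProjectService.getProjectGroupAndUserList and RbacPermissionResourceGroupService) build exactly that DTO. A default argument keeps the old behaviour for existing callers and removes the duplication: `searchGroupDTO: SearchGroupDTO = SearchGroupDTO.builder().inherit(false).build(),`. The whitespace-only change to the `logger.info("cancel create gradle manager|...")` line in the same hunk looks accidental and could be dropped to keep the diff focused. `listGroup`'s body continues past the end of the hunk.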
@@ -28,16 +28,20 @@ package com.tencent.devops.auth.service +import com.github.benmanes.caffeine.cache.Caffeine import com.tencent.bk.sdk.iam.config.IamConfiguration import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum import com.tencent.bk.sdk.iam.dto.InstanceDTO import com.tencent.bk.sdk.iam.dto.PageInfoDTO -import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO +import com.tencent.bk.sdk.iam.dto.manager.ManagerMember +import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO import com.tencent.bk.sdk.iam.helper.AuthHelper import com.tencent.bk.sdk.iam.service.v2.V2ManagerService +import com.tencent.devops.auth.constant.AuthMessageCode import com.tencent.devops.auth.dao.AuthResourceGroupDao import com.tencent.devops.auth.service.iam.PermissionProjectService +import com.tencent.devops.common.api.exception.ErrorCodeException import com.tencent.devops.common.auth.api.AuthPermission import com.tencent.devops.common.auth.api.AuthResourceType import com.tencent.devops.common.auth.api.pojo.BKAuthProjectRolesResources @@ -46,6 +50,7 @@ import com.tencent.devops.common.auth.api.pojo.BkAuthGroupAndUserList import com.tencent.devops.common.auth.utils.RbacAuthUtils import org.jooq.DSLContext import org.slf4j.LoggerFactory +import java.util.concurrent.TimeUnit @Suppress("LongParameterList") class RbacPermissionProjectService( 
@@ -55,13 +60,22 @@ class RbacPermissionProjectService( private val iamConfiguration: IamConfiguration, private val authResourceGroupDao: AuthResourceGroupDao, private val dslContext: DSLContext, - private val rbacCacheService: RbacCacheService + private val rbacCacheService: RbacCacheService, + private val permissionGradeManagerService: PermissionGradeManagerService ) : PermissionProjectService { companion object { private val logger = LoggerFactory.getLogger(RbacPermissionProjectService::class.java) + private const val expiredAt = 365L + private const val USER_TYPE = "user" } + /*获取项目对应的ci管理员id*/ + private val projectCode2CiManagerGroupId = Caffeine.newBuilder() + .maximumSize(500) + .expireAfterWrite(7L, TimeUnit.DAYS) + .build() + override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List { return when (group) { // 新的rbac版本中,没有ci管理员组,不可以调用此接口来获取ci管理员组的成员 @@ -92,17 +106,13 @@ class RbacPermissionProjectService( resourceType = AuthResourceType.PROJECT.value, resourceCode = projectCode ).relationId - // 2、获取分级管理员下所有的用户组 - val v2PageInfoDTO = V2PageInfoDTO().apply { - page = 1 - pageSize = 1000 - } val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build() - val groupInfoList = iamV2ManagerService.getGradeManagerRoleGroupV2( - gradeManagerId, - searchGroupDTO, - v2PageInfoDTO - ).results + val groupInfoList = permissionGradeManagerService.listGroup( + gradeManagerId = gradeManagerId, + searchGroupDTO = searchGroupDTO, + page = 1, + pageSize = 1000 + ) logger.info( "[RBAC-IAM] getProjectGroupAndUserList: projectCode = $projectCode |" + " gradeManagerId = $gradeManagerId | groupInfoList: $groupInfoList" 
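Review bot: The new companion constant `private const val expiredAt = 365L` is a duration in days, not a timestamp, and its name does not follow the SCREAMING_SNAKE_CASE used by the sibling `USER_TYPE` on the next line; `private const val MEMBER_EXPIRED_DAYS = 365L` states both the unit and the intent. Since this value decides how long every member added through the batch endpoint keeps the group's permissions, a one-line comment on it (`// membership granted by batchCreateProjectUser expires after this many days`) would help the next maintainer. The class declaration and `getProjectUsers` continue outside the hunk.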
@@ -206,6 +216,56 @@ class RbacPermissionProjectService( return true } + override fun batchCreateProjectUser( + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Boolean { + // 由于v0迁移过来的ci管理员没有存储在用户组表中,需要去iam搜索 + val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) { + projectCode2CiManagerGroupId.getIfPresent(projectCode)?.run { + val gradeManagerId = authResourceService.get( + projectCode = projectCode, + resourceType = AuthResourceType.PROJECT.value, + resourceCode = projectCode + ).relationId + val searchGroupDTO = SearchGroupDTO.builder().inherit(false) + .name(BkAuthGroup.CI_MANAGER.groupName).build() + val ciMangerGroupId = permissionGradeManagerService.listGroup( + gradeManagerId = gradeManagerId, + searchGroupDTO = searchGroupDTO, + page = 1, + pageSize = 1000 + ).firstOrNull { it.name == BkAuthGroup.CI_MANAGER.groupName }?.id?.toString() + ?: throw ErrorCodeException( + errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, + params = arrayOf(roleCode), + defaultMessage = "group $roleCode not exist" + ) + projectCode2CiManagerGroupId.put(projectCode, ciMangerGroupId) + ciMangerGroupId + } + } else { + authResourceGroupDao.get( + dslContext = dslContext, + projectCode = projectCode, + resourceType = AuthResourceType.PROJECT.value, + resourceCode = projectCode, + groupCode = roleCode + )?.relationId ?: throw ErrorCodeException( + errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, + params = arrayOf(roleCode), + defaultMessage = "group $roleCode not exist" + ) + } + val iamMemberInfos = members.map { ManagerMember(USER_TYPE, it) } + val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt) + val managerMemberGroup = ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build() + iamV2ManagerService.createRoleGroupMemberV2(iamGroupId!!.toInt(), managerMemberGroup) + return true + } + override fun getProjectRoles(projectCode: String, projectId: String): List { 
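Review bot: `members` is forwarded to `iamV2ManagerService.createRoleGroupMemberV2` without a guard for an empty or duplicated list, so an empty request body still resolves the group and issues an IAM write with zero members, and a repeated user id is sent twice in `iamMemberInfos`. Before building `iamMemberInfos`, `require(members.isNotEmpty()) { "members must not be empty" }` and `val iamMemberInfos = members.distinct().map { ManagerMember(USER_TYPE, it) }` make the call well-defined; if an empty list is a deliberate no-op, returning early is cheaper than the IAM round trip. The remaining structure of this method is reworked in later patches of this series, so only the member-mapping tail is in scope here.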
return emptyList() } diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt index 6d626a50cf2..27cd9608a04 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionResourceGroupService.kt @@ -92,8 +92,10 @@ class RbacPermissionResourceGroupService @Autowired constructor( val validPage = PageUtil.getValidPage(page) val validPageSize = PageUtil.getValidPageSize(pageSize) val iamGroupInfoList = if (resourceType == AuthResourceType.PROJECT.value) { + val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build() permissionGradeManagerService.listGroup( gradeManagerId = resourceInfo.relationId, + searchGroupDTO = searchGroupDTO, page = validPage, pageSize = validPageSize ) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt index 02f25692fc5..19abac2b8b9 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionProjectService.kt @@ -47,5 +47,12 @@ interface PermissionProjectService { fun createProjectUser(userId: String, projectCode: String, roleCode: String): Boolean + fun batchCreateProjectUser( + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Boolean + fun getProjectRoles(projectCode: String, projectId: String): List } 
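Review bot: The new `PermissionProjectService.batchCreateProjectUser` interface method has no KDoc, although it is the contract that four implementations in this commit now satisfy and the only place a caller can learn what `true` means. A short KDoc stating that `members` are user ids added to the project group identified by `roleCode`, that the return value is `true` on success, and that implementations may throw `ErrorCodeException` when the group or a member cannot be resolved (as the RBAC implementation in this series does) would make the divergent stub implementations visible at the interface.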
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt index 19f3db94c28..577dc790798 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionProjectService.kt @@ -178,6 +178,13 @@ abstract class AbsPermissionProjectService @Autowired constructor( return true } + override fun batchCreateProjectUser( + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Boolean = true + override fun getProjectRoles(projectCode: String, projectId: String): List { val roleInfos = permissionRoleService.getPermissionRole(projectId.toInt()) logger.info("[IAM] getProjectRoles : roleInfos = $roleInfos") diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt index 7f549c163ec..b4a8c5f0a54 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SampleAuthPermissionProjectService.kt @@ -34,6 +34,13 @@ class SampleAuthPermissionProjectService : PermissionProjectService { return true } + override fun batchCreateProjectUser( + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Boolean = true + override fun getProjectRoles(projectCode: String, projectId: String): List { return emptyList() } 
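Review bot: `AbsPermissionProjectService.batchCreateProjectUser` and the sample implementation return `true` without adding anyone, so a caller on a non-RBAC deployment gets a success result although no membership changed; the stream implementation in the next file does the same even though its `createProjectUser` just above the insertion point returns `false`. If these are intentional no-ops, a comment such as `// no-op: batch membership is only supported by the RBAC implementation` on each stub, and returning `false` in `StreamPermissionProjectServiceImpl` for consistency with its sibling, would keep callers from mistaking "unsupported" for "done". Whether the abstract base is used by a live permission backend cannot be seen from this hunk.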
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt index fbf9706ceaf..6d59e4a0de9 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/stream/StreamPermissionProjectServiceImpl.kt @@ -79,6 +79,13 @@ class StreamPermissionProjectServiceImpl @Autowired constructor( return false } + override fun batchCreateProjectUser( + userId: String, + projectCode: String, + roleCode: String, + members: List + ): Boolean = true + override fun getProjectRoles( projectCode: String, projectId: String diff --git a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt index 7e40598b283..b350e80b91c 100644 --- a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt +++ b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt 
@@ -32,16 +32,18 @@ package com.tencent.devops.common.auth.api.pojo */ enum class BkAuthGroup( val value: String, - val groupName: String + val groupName: String, + /*用于兼容v0的角色ID*/ + val roleId: Int ) { - CIADMIN("ciAdmin", "CI管理员"), // CI管理员 - MANAGER("manager", "管理员"), // 管理员 - DEVELOPER("developer", "开发人员"), // 开发人员 - MAINTAINER("maintainer", "运维人员"), // 运维人员 - TESTER("tester", "测试人员"), // 测试人员 - PM("pm", "产品人员"), // 产品人员 - QC("qc", "质量管理员"), // 质量管理员 - CI_MANAGER("ci_manager", "CI管理员,流水线组使用"); // CI 管理员 + CIADMIN("ciAdmin", "CI管理员", 1), // CI管理员 + MANAGER("manager", "管理员", 2), // 管理员 + DEVELOPER("developer", "开发人员", 4), // 开发人员 + MAINTAINER("maintainer", "运维人员", 5), // 运维人员 + TESTER("tester", "测试人员", 8), // 测试人员 + PM("pm", "产品人员", 6), // 产品人员 + QC("qc", "质量管理员", 7), // 质量管理员 + CI_MANAGER("ci_manager", "CI管理员,流水线组使用", 9); // CI 管理员 companion object { fun get(value: String): BkAuthGroup { @@ -57,5 +59,12 @@ enum class BkAuthGroup( } return false } + + fun getByRoleId(roleId: Int): BkAuthGroup { + values().forEach { + if (roleId == it.roleId) return it + } + throw IllegalArgumentException("No enum for constant $roleId") + } } } From 69587b833df057f9431b3670a887fa11d93a1bb6 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 12:02:39 +0800 Subject: [PATCH 03/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../api/service/ServiceProjectAuthResource.kt | 22 ++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) 
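Review bot: `getByRoleId` is written as a `forEach` with an early `return` followed by a `throw`, mirroring the existing `get`; the idiomatic form is a single expression, `fun getByRoleId(roleId: Int): BkAuthGroup = values().firstOrNull { it.roleId == roleId } ?: throw IllegalArgumentException("No enum for constant $roleId")`. The new `roleId` property carries only the block comment `/*用于兼容v0的角色ID*/`; turning it into KDoc (`/** Numeric role id kept for compatibility with the v0 permission model. */`) makes it show up in tooling. The numbering (1,2,4,5,8,6,7,9) skips 3, which I assume mirrors the legacy ids; a comment saying so would stop future readers from "fixing" it.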
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt index fe21f5bb66e..58c5d3219af 100644 --- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/service/ServiceProjectAuthResource.kt @@ -166,7 +166,7 @@ interface ServiceProjectAuthResource { @POST @Path("/{projectCode}/createUser") - @ApiOperation("添加用户到指定项目指定分组") + @ApiOperation("添加单个用户到指定项目指定分组") fun createProjectUser( @HeaderParam(AUTH_HEADER_DEVOPS_BK_TOKEN) @ApiParam("认证token", required = true) @@ -182,6 +182,26 @@ interface ServiceProjectAuthResource { roleCode: String ): Result + @POST + @Path("/{projectCode}/batchCreateProjectUser/{roleCode}") + @ApiOperation("批量添加用户到指定项目指定分组") + fun batchCreateProjectUser( + @HeaderParam(AUTH_HEADER_DEVOPS_BK_TOKEN) + @ApiParam("认证token", required = true) + token: String, + @ApiParam(name = "用户名", required = true) + @HeaderParam(AUTH_HEADER_USER_ID) + userId: String, + @ApiParam(name = "项目Code", required = true) + @PathParam("projectCode") + projectCode: String, + @ApiParam(name = "用户组Code", required = true) + @PathParam("roleCode") + roleCode: String, + @ApiParam("添加用户集合", required = true) + members: List + ): Result + @GET @Path("/{projectCode}/roles") @ApiOperation("获取项目角色") From f2f4a987967a6cc49a2b3fff75ca568e75979812 Mon Sep 17 00:00:00 2001 
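Review bot: The `members` request body of the new `batchCreateProjectUser` endpoint has no documented or enforced upper bound, and the implementation in this series validates and forwards every entry, so a single call can trigger an unbounded number of downstream lookups and an arbitrarily large IAM write. Stating the limit in `@ApiOperation("批量添加用户到指定项目指定分组")` and enforcing it at the service boundary (or with a bean-validation constraint if the project uses one) keeps the batch size predictable. The `@ApiParam` annotations mix `name = ...` and positional `value` as the neighbouring `createProjectUser` does, so that part is consistent with the file.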
From: greysonfang Date: Tue, 11 Jul 2023 12:09:48 +0800 Subject: [PATCH 04/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/auth/config/RbacAuthConfiguration.kt | 6 ++++-- .../com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt | 3 ++- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt index 3999188971e..17fe0183d09 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt @@ -215,7 +215,8 @@ class RbacAuthConfiguration { iamConfiguration: IamConfiguration, authResourceGroupDao: AuthResourceGroupDao, dslContext: DSLContext, - rbacCacheService: RbacCacheService + rbacCacheService: RbacCacheService, + permissionGradeManagerService: PermissionGradeManagerService ) = RbacPermissionProjectService( authHelper = authHelper, authResourceService = authResourceService, @@ -223,7 +224,8 @@ class RbacAuthConfiguration { iamConfiguration = iamConfiguration, authResourceGroupDao = authResourceGroupDao, dslContext = dslContext, - rbacCacheService = rbacCacheService + rbacCacheService = rbacCacheService, + permissionGradeManagerService = permissionGradeManagerService ) @Bean 
diff --git a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt index b350e80b91c..717e65f345d 100644 --- a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt +++ b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt @@ -43,7 +43,8 @@ enum class BkAuthGroup( TESTER("tester", "测试人员", 8), // 测试人员 PM("pm", "产品人员", 6), // 产品人员 QC("qc", "质量管理员", 7), // 质量管理员 - CI_MANAGER("ci_manager", "CI管理员,流水线组使用", 9); // CI 管理员 + CI_MANAGER("ci_manager", "CI管理员,流水线组使用", 9), // CI 管理员 + GRADE_ADMIN("gradeAdmin", "分级管理员", 0); // 分级管理员 companion object { fun get(value: String): BkAuthGroup { From f4293f3306e78e90f660a0598b4681f6245e4d6f Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 15:46:49 +0800 Subject: [PATCH 05/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt index 717e65f345d..8d16b915749 100644 --- a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt 
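Review bot: Adding `GRADE_ADMIN("gradeAdmin", "分级管理员", 0)` to `BkAuthGroup` means `BkAuthGroup.get`/`contains` now accept `gradeAdmin`, so any existing caller that gates a `roleCode` on this enum will let the grade-administrator role through; whether the batch endpoint is reachable with it depends on the DAO lookup outside this hunk. If `gradeAdmin` is meant only for the v0 compatibility mapping and not as an assignable project group, a comment on the constant (`// compatibility value only; not an assignable project group`) and an explicit rejection in `batchCreateProjectUser` would make that boundary visible.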
+++ b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt @@ -51,7 +51,7 @@ enum class BkAuthGroup( values().forEach { if (value == it.value) return it } - throw IllegalArgumentException("No enum for constant $value") + throw IllegalArgumentException("roleName($value) does not exist!") } fun contains(value: String): Boolean { @@ -65,7 +65,7 @@ enum class BkAuthGroup( values().forEach { if (roleId == it.roleId) return it } - throw IllegalArgumentException("No enum for constant $roleId") + throw IllegalArgumentException("roleId($roleId) does not exist!") } } } From d7206610e597c7e07072299e8f20d90b171d3063 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 15:47:49 +0800 Subject: [PATCH 06/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt index 8d16b915749..681b7d4de3a 100644 --- a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt +++ b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/BkAuthGroup.kt 
@@ -43,7 +43,7 @@ enum class BkAuthGroup( TESTER("tester", "测试人员", 8), // 测试人员 PM("pm", "产品人员", 6), // 产品人员 QC("qc", "质量管理员", 7), // 质量管理员 - CI_MANAGER("ci_manager", "CI管理员,流水线组使用", 9), // CI 管理员 + CI_MANAGER("ci_manager", "CI管理员", 9), // CI 管理员,流水线组及v0会使用到,新版RBAC废除 GRADE_ADMIN("gradeAdmin", "分级管理员", 0); // 分级管理员 companion object { From 83d67d64eddacc2f71ff102977da25676729fd6d Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 17:47:30 +0800 Subject: [PATCH 07/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../devops/auth/service/RbacPermissionProjectService.kt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index 46a713aea41..ea6586f3c36 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt @@ -223,8 +223,9 @@ class RbacPermissionProjectService( members: List ): Boolean { // 由于v0迁移过来的ci管理员没有存储在用户组表中,需要去iam搜索 + logger.info("batchCreateProjectUser:$userId|$projectCode|$roleCode|$members") val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) { - projectCode2CiManagerGroupId.getIfPresent(projectCode)?.run { + projectCode2CiManagerGroupId.getIfPresent(projectCode) ?: run { val gradeManagerId = authResourceService.get( projectCode = projectCode, resourceType = AuthResourceType.PROJECT.value, 
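Review bot: After this change `CI_MANAGER.groupName` is `"CI管理员"`, which is identical to `CIADMIN`'s `groupName` two lines above, and patch 09 of this series resolves the CI_MANAGER group with `authResourceGroupDao.getByGroupName(... groupName = BkAuthGroup.CI_MANAGER.groupName)`; if a project has rows for both groups, the lookup is ambiguous and members may be added to the wrong group. Looking up by `groupCode` (as the `else` branch does for every other role) or keeping a distinguishing display name for one of the two avoids the collision. I cannot see from the diff whether both groups can coexist for one project in the group table, so please confirm against the migration data.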
@@ -236,7 +237,7 @@ class RbacPermissionProjectService( gradeManagerId = gradeManagerId, searchGroupDTO = searchGroupDTO, page = 1, - pageSize = 1000 + pageSize = 10 ).firstOrNull { it.name == BkAuthGroup.CI_MANAGER.groupName }?.id?.toString() ?: throw ErrorCodeException( errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, From 23603531ddea6a0956e2f55876017defcf31e9ef Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 11 Jul 2023 17:47:58 +0800 Subject: [PATCH 08/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tencent/devops/auth/service/RbacPermissionProjectService.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index ea6586f3c36..dd66851ff79 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt @@ -263,7 +263,7 @@ class RbacPermissionProjectService( val iamMemberInfos = members.map { ManagerMember(USER_TYPE, it) } val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt) val managerMemberGroup = ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build() - iamV2ManagerService.createRoleGroupMemberV2(iamGroupId!!.toInt(), managerMemberGroup) + iamV2ManagerService.createRoleGroupMemberV2(iamGroupId.toInt(), managerMemberGroup) return true } 
From 29e606003677f8c21560f735b72f147e7d6e36d5 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Mon, 17 Jul 2023 19:44:49 +0800 Subject: [PATCH 09/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/RbacPermissionProjectService.kt | 42 ++++++------------- 1 file changed, 13 insertions(+), 29 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index dd66851ff79..caa42983347 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt 
@@ -222,31 +222,15 @@ class RbacPermissionProjectService( roleCode: String, members: List ): Boolean { - // 由于v0迁移过来的ci管理员没有存储在用户组表中,需要去iam搜索 logger.info("batchCreateProjectUser:$userId|$projectCode|$roleCode|$members") val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) { - projectCode2CiManagerGroupId.getIfPresent(projectCode) ?: run { - val gradeManagerId = authResourceService.get( - projectCode = projectCode, - resourceType = AuthResourceType.PROJECT.value, - resourceCode = projectCode - ).relationId - val searchGroupDTO = SearchGroupDTO.builder().inherit(false) - .name(BkAuthGroup.CI_MANAGER.groupName).build() - val ciMangerGroupId = permissionGradeManagerService.listGroup( - gradeManagerId = gradeManagerId, - searchGroupDTO = searchGroupDTO, - page = 1, - pageSize = 10 - ).firstOrNull { it.name == BkAuthGroup.CI_MANAGER.groupName }?.id?.toString() - ?: throw ErrorCodeException( - errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, - params = arrayOf(roleCode), - defaultMessage = "group $roleCode not exist" - ) - projectCode2CiManagerGroupId.put(projectCode, ciMangerGroupId) - ciMangerGroupId - } + authResourceGroupDao.getByGroupName( + dslContext = dslContext, + projectCode = projectCode, + resourceType = AuthResourceType.PROJECT.value, + resourceCode = projectCode, + groupName = BkAuthGroup.CI_MANAGER.groupName + )?.relationId } else { authResourceGroupDao.get( dslContext = dslContext, 
@@ -254,12 +238,12 @@ class RbacPermissionProjectService( resourceType = AuthResourceType.PROJECT.value, resourceCode = projectCode, groupCode = roleCode - )?.relationId ?: throw ErrorCodeException( - errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, - params = arrayOf(roleCode), - defaultMessage = "group $roleCode not exist" - ) - } + )?.relationId + } ?: throw ErrorCodeException( + errorCode = AuthMessageCode.ERROR_AUTH_GROUP_NOT_EXIST, + params = arrayOf(roleCode), + defaultMessage = "group $roleCode not exist" + ) val iamMemberInfos = members.map { ManagerMember(USER_TYPE, it) } val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt) val managerMemberGroup = ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build() From 19f58af3838a5e6cecac8e3faafa3d3eaa3bbfb7 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Mon, 17 Jul 2023 21:09:14 +0800 Subject: [PATCH 10/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../service/RbacPermissionProjectService.kt | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index caa42983347..a251f931582 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt 
@@ -61,6 +61,7 @@ class RbacPermissionProjectService( private val authResourceGroupDao: AuthResourceGroupDao, private val dslContext: DSLContext, private val rbacCacheService: RbacCacheService, + private val deptService: DeptService, private val permissionGradeManagerService: PermissionGradeManagerService ) : PermissionProjectService { @@ -70,12 +71,6 @@ class RbacPermissionProjectService( private const val USER_TYPE = "user" } - /*获取项目对应的ci管理员id*/ - private val projectCode2CiManagerGroupId = Caffeine.newBuilder() - .maximumSize(500) - .expireAfterWrite(7L, TimeUnit.DAYS) - .build() - override fun getProjectUsers(projectCode: String, group: BkAuthGroup?): List { return when (group) { // 新的rbac版本中,没有ci管理员组,不可以调用此接口来获取ci管理员组的成员 @@ -223,6 +218,16 @@ class RbacPermissionProjectService( members: List ): Boolean { logger.info("batchCreateProjectUser:$userId|$projectCode|$roleCode|$members") + members.forEach { + deptService.getUserInfo( + userId = "admin", + name = it + ) ?: throw ErrorCodeException( + errorCode = AuthMessageCode.USER_NOT_EXIST, + params = arrayOf(it), + defaultMessage = "user $it not exist" + ) + } val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) { authResourceGroupDao.getByGroupName( dslContext = dslContext, From e1045c553e126287287991110d4283472eaddc5e Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 18 Jul 2023 10:16:24 +0800 Subject: [PATCH 11/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tencent/devops/auth/service/RbacPermissionProjectService.kt | 1 - 1 file changed, 1 deletion(-) 
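Review bot: The new member-validation loop looks every user up as the hard-coded principal `"admin"` instead of the acting `userId`, a magic string that silently ties this path to a privileged account; hoist it into the companion object next to `USER_TYPE` as something like `private const val SYSTEM_USER_ID = "admin"` with a comment stating why a fixed identity is required, or pass `userId` if `deptService.getUserInfo` only needs a caller for auditing. The loop also issues one remote lookup per member with no bound on `members.size` and runs before the group lookup (which continues outside the hunk), so a request naming a non-existent `roleCode` still pays N calls; reject oversize lists up front and run the loop after `iamGroupId` is resolved. Because `USER_NOT_EXIST` echoes the account in `user $it not exist`, this endpoint can be used to confirm which usernames exist; that may be acceptable for an authenticated service API, but say so in a comment on the loop so the trade-off is deliberate.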
diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt index a251f931582..3cc13d99e75 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/RbacPermissionProjectService.kt @@ -28,7 +28,6 @@ package com.tencent.devops.auth.service -import com.github.benmanes.caffeine.cache.Caffeine import com.tencent.bk.sdk.iam.config.IamConfiguration import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum import com.tencent.bk.sdk.iam.dto.InstanceDTO From 18826cef58ec267118560d6456efc77f168d6bd6 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 18 Jul 2023 11:57:43 +0800 Subject: [PATCH 12/12] =?UTF-8?q?=E5=AE=9E=E7=8E=B0openapi=20RBAC=E6=9D=83?= =?UTF-8?q?=E9=99=90=E7=89=88=E6=9C=AC=20=E9=A1=B9=E7=9B=AE=E4=B8=8B?= =?UTF-8?q?=E7=94=A8=E6=88=B7=E7=BB=84=E6=B7=BB=E5=8A=A0=E6=88=90=E5=91=98?= =?UTF-8?q?=20#9093?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/auth/config/RbacAuthConfiguration.kt | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt index 17fe0183d09..8917de25c5f 100644 --- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt +++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/config/RbacAuthConfiguration.kt 
@@ -216,6 +216,7 @@ class RbacAuthConfiguration { authResourceGroupDao: AuthResourceGroupDao, dslContext: DSLContext, rbacCacheService: RbacCacheService, + deptService: DeptService, permissionGradeManagerService: PermissionGradeManagerService ) = RbacPermissionProjectService( authHelper = authHelper, @@ -225,6 +226,7 @@ class RbacAuthConfiguration { authResourceGroupDao = authResourceGroupDao, dslContext = dslContext, rbacCacheService = rbacCacheService, + deptService = deptService, permissionGradeManagerService = permissionGradeManagerService )