From 5244f1679374bbb335ace9ce58eaa5f81c6357a2 Mon Sep 17 00:00:00 2001
From: greysonfang
Date: Thu, 29 Jun 2023 16:31:22 +0800
Subject: [PATCH] =?UTF-8?q?feat=EF=BC=9ARbac=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E5=AF=B9=E6=8E=A5codecc=E8=BF=81=E7=A7=BB=E6=8E=A5?= =?UTF-8?q?=E5=8F=A3=20#9001?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../auth/api/migrate/OpAuthMigrateResource.kt | 14 +++---
 .../service/migrate/MigrateResourceService.kt | 17 +++----
 .../migrate/RbacPermissionMigrateService.kt | 45 +++++++++----------
 .../resources/OpAuthMigrateResourceImpl.kt | 14 ++++++
 .../service/iam/PermissionMigrateService.kt | 19 ++++----
 .../sample/SamplePermissionMigrateService.kt | 18 ++++----
 .../api/pojo/MigrateProjectConditionDTO.kt | 4 --
 .../tencent/devops/project/dao/ProjectDao.kt | 13 ++----
 8 files changed, 76 insertions(+), 68 deletions(-)

diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
index 56632efe158..b43d75131ff 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
@@ -66,11 +66,6 @@ interface OpAuthMigrateResource {
 @ApiOperation("权限全部升级到rbac权限")
 fun allToRbacAuth(): Result
 
- /**
- * 按条件升级到rbac权限,该接口默认只用于迁移未升级的项目;
- * 若需要使用该接口来重复迁移已升级的项目,可指定该接口的参数 migrateProjectCodes;
- * 其他条件仅在迁移未升级的项目有效
- */
 @POST
 @Path("/toRbacAuthByCondition")
 @ApiOperation("按条件升级到rbac权限")
@@ -87,4 +82,13 @@ interface OpAuthMigrateResource {
 @PathParam("projectCode")
 projectCode: String
 ): Result
+
+ @POST
+ @Path("/migrateResource/{projectCode}")
+ @ApiOperation("迁移特定资源类型资源")
+ fun migrateResource(
+ projectCode: String,
+ resourceType: String,
+ projectCreator: String
+ ): Result
 }
diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/MigrateResourceService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/MigrateResourceService.kt
index 74483df1616..af9e14d5ac8 100644
--- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/MigrateResourceService.kt
+++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/MigrateResourceService.kt
@@ -79,18 +79,15 @@ class MigrateResourceService @Autowired constructor(
 @Suppress("SpreadOperator")
 fun migrateResource(
 projectCode: String,
- projectCreator: String,
- migrateResourceType: String?
+ projectCreator: String
 ) {
 val startEpoch = System.currentTimeMillis()
 logger.info("start to migrate resource:$projectCode")
 try {
- // 根据传递的资源类型是否为空,决定迁移什么资源
- val resourceTypes =
- migrateResourceType?.let { listOf(it) }
- ?: rbacCacheService.listResourceTypes()
- .map { it.resourceType }
- .filterNot { noNeedToMigrateResourceType.contains(it) }
+ val resourceTypes = rbacCacheService.listResourceTypes()
+ .map { it.resourceType }
+ .filterNot { noNeedToMigrateResourceType.contains(it) }
+
 logger.info("MigrateResourceService|resourceTypes:$resourceTypes")
 // 迁移各个资源类型下的资源
 val traceId = MDC.get(TraceTag.BIZID)
@@ -98,7 +95,7 @@ class MigrateResourceService @Autowired constructor(
 CompletableFuture.supplyAsync(
 {
 MDC.put(TraceTag.BIZID, traceId)
- migrateResourceByResourceType(
+ migrateResource(
 projectCode = projectCode,
 resourceType = resourceType,
 projectCreator = projectCreator
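Review bot: The three parameters of the new `migrateResource` endpoint carry no binding annotations, although the path declares `{projectCode}` and the method just above it in this interface binds its argument with `@PathParam("projectCode")`. As written nothing ties the path segment to `projectCode`, and `resourceType` and `projectCreator` have no declared source at all, so what reaches the service depends on how the framework treats unannotated arguments. Bind them explicitly, e.g. `@PathParam("projectCode") projectCode: String`, `@QueryParam("resourceType") resourceType: String`, `@QueryParam("projectCreator") projectCreator: String`. Because `projectCreator` is now chosen by the caller of an op endpoint, the interface should also state who is allowed to call it and how the value is validated.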
@@ -123,7 +120,7 @@ class MigrateResourceService @Autowired constructor(
 }
 }
 
- private fun migrateResourceByResourceType(
+ fun migrateResource(
 projectCode: String,
 resourceType: String,
 projectCreator: String
diff --git a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/RbacPermissionMigrateService.kt b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/RbacPermissionMigrateService.kt
index aaa1e4d6fcf..b6aa879f896 100644
--- a/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/RbacPermissionMigrateService.kt
+++ b/src/backend/ci/core/auth/biz-auth-rbac/src/main/kotlin/com/tencent/devops/auth/service/migrate/RbacPermissionMigrateService.kt
@@ -85,10 +85,7 @@ class RbacPermissionMigrateService constructor(
 @Value("\${auth.migrateProjectTag:#{null}}")
 private val migrateProjectTag: String = ""
 
- override fun v3ToRbacAuth(
- projectCodes: List,
- migrateResourceType: String?
- ): Boolean {
+ override fun v3ToRbacAuth(projectCodes: List): Boolean {
 logger.info("migrate $projectCodes auth from v3 to rbac")
 if (projectCodes.isEmpty()) return true
 val projectVos =
@@ -110,18 +107,14 @@ class RbacPermissionMigrateService constructor(
 migrateToRbacAuth(
 projectCode = projectCode,
 migrateTaskId = 0,
- authType = AuthSystemType.V3_AUTH_TYPE,
- migrateResourceType = migrateResourceType
+ authType = AuthSystemType.V3_AUTH_TYPE
 )
 }
 }
 return true
 }
 
- override fun v0ToRbacAuth(
- projectCodes: List,
- migrateResourceType: String?
- ): Boolean {
+ override fun v0ToRbacAuth(projectCodes: List): Boolean {
 logger.info("migrate $projectCodes auth from v0 to rbac")
 if (projectCodes.isEmpty()) return true
 // 1. 启动迁移任务
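Review bot: Dropping `private` in the `@@ -123,7 +120,7 @@` hunk makes the per-type migration callable with a `resourceType` chosen by the caller, while the batch overload earlier in this file still takes its list from `rbacCacheService.listResourceTypes()` and filters it with `noNeedToMigrateResourceType`. Nothing in the visible lines applies that filter, or any known-type check, to the caller-supplied value; the function body continues outside the hunk, so a check may exist further down. Consider guarding the entry with `require(resourceType !in noNeedToMigrateResourceType) { "resource type $resourceType is not migratable" }`, or keeping this function private behind a separate validated public entry point. Giving the single-type function the same name as the batch `migrateResource` also makes call sites harder to tell apart.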
@@ -135,8 +128,7 @@ class RbacPermissionMigrateService constructor(
 migrateToRbacAuth(
 projectCode = projectCode,
 migrateTaskId = migrateTaskId,
- authType = AuthSystemType.V0_AUTH_TYPE,
- migrateResourceType = migrateResourceType
+ authType = AuthSystemType.V0_AUTH_TYPE
 )
 }
 }
@@ -175,14 +167,8 @@ class RbacPermissionMigrateService constructor(
 .map { it.englishName }
 logger.info("migrate project to rbac|v0MigrateProjects:$v0MigrateProjectCodes")
 // 2.迁移项目
- v3ToRbacAuth(
- projectCodes = v3MigrateProjectCodes,
- migrateResourceType = migrateProjectConditionDTO.migrateResourceType
- )
- v0ToRbacAuth(
- projectCodes = v0MigrateProjectCodes,
- migrateResourceType = migrateProjectConditionDTO.migrateResourceType
- )
+ v3ToRbacAuth(projectCodes = v3MigrateProjectCodes)
+ v0ToRbacAuth(projectCodes = v0MigrateProjectCodes)
 offset += limit
 } while (migrateProjects.size == limit)
 }
@@ -202,12 +188,24 @@ class RbacPermissionMigrateService constructor(
 return true
 }
 
+ override fun migrateResource(
+ projectCode: String,
+ resourceType: String,
+ projectCreator: String
+ ): Boolean {
+ migrateResourceService.migrateResource(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ projectCreator = projectCreator
+ )
+ return true
+ }
+
 @Suppress("LongMethod", "ReturnCount", "ComplexMethod")
 private fun migrateToRbacAuth(
 projectCode: String,
 migrateTaskId: Int,
- authType: AuthSystemType,
- migrateResourceType: String?
+ authType: AuthSystemType
 ): Boolean {
 logger.info("Start migrate $projectCode from $authType to rbac")
 val startEpoch = System.currentTimeMillis()
@@ -274,8 +272,7 @@ class RbacPermissionMigrateService constructor(
 watcher.start("migrateResource")
 migrateResourceService.migrateResource(
 projectCode = projectCode,
- projectCreator = projectCreator,
- migrateResourceType = migrateResourceType
+ projectCreator = projectCreator
 )
 
 when (authType) {
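Review bot: The `migrateResource` override added in the `@@ -202,12 +188,24 @@` hunk hands `projectCode`, `resourceType` and `projectCreator` straight to `migrateResourceService` with no validation and no log line, and it returns `true` whatever happens. `migrateToRbacAuth` has no `projectCreator` parameter and so obtains the creator itself before making the same service call, whereas here the value comes from the request and is accepted as given. Before delegating I would check that the project exists and that `projectCreator` matches its recorded creator (or look the creator up and drop the parameter), and record the call with `logger.info("migrate resource|$projectCode|$resourceType|$projectCreator")`. Without that trace, a permission-affecting operation triggered through the op endpoint cannot be attributed afterwards.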
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
index f6a6b03beff..21471a55355 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
@@ -63,4 +63,18 @@ class OpAuthMigrateResourceImpl @Autowired constructor(
 override fun compareResult(projectCode: String): Result {
 return Result(permissionMigrateService.compareResult(projectCode = projectCode))
 }
+
+ override fun migrateResource(
+ projectCode: String,
+ resourceType: String,
+ projectCreator: String
+ ): Result {
+ return Result(
+ permissionMigrateService.migrateResource(
+ projectCode = projectCode,
+ resourceType = resourceType,
+ projectCreator
+ )
+ )
+ }
 }
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt
index f10a1fabf26..985e39af5a5 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt
@@ -38,18 +38,12 @@ interface PermissionMigrateService {
 /**
 * v3批量迁移到rbac
 */
- fun v3ToRbacAuth(
- projectCodes: List,
- migrateResourceType: String? = null
- ): Boolean
+ fun v3ToRbacAuth(projectCodes: List): Boolean
 
 /**
 * v0批量迁移到rbac
 */
- fun v0ToRbacAuth(
- projectCodes: List,
- migrateResourceType: String? = null
- ): Boolean
+ fun v0ToRbacAuth(projectCodes: List): Boolean
 
 /**
 * 全部迁移到rbac
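Review bot: In the new `OpAuthMigrateResourceImpl.migrateResource` the last argument is passed positionally (`projectCreator`) after two named ones; with three `String` parameters in a row a later signature change could swap values without a compile error. Write `projectCreator = projectCreator`, as the other calls in this commit do. This method is also the request boundary and forwards all three strings unchecked, so a blank `resourceType` or `projectCreator` is better rejected here than deep inside the migration.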
@@ -65,4 +59,13 @@ interface PermissionMigrateService {
 * 对比迁移鉴权结果
 */
 fun compareResult(projectCode: String): Boolean
+
+ /**
+ * 迁移特定资源类型资源
+ */
+ fun migrateResource(
+ projectCode: String,
+ resourceType: String,
+ projectCreator: String
+ ): Boolean
 }
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SamplePermissionMigrateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SamplePermissionMigrateService.kt
index 158cd3f39f8..cedb72d6611 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SamplePermissionMigrateService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/sample/SamplePermissionMigrateService.kt
@@ -32,17 +32,11 @@ import com.tencent.devops.auth.service.iam.PermissionMigrateService
 import com.tencent.devops.common.auth.api.pojo.MigrateProjectConditionDTO
 
 class SamplePermissionMigrateService : PermissionMigrateService {
- override fun v3ToRbacAuth(
- migrateProjects: List,
- migrateResourceType: String?
- ): Boolean {
+ override fun v3ToRbacAuth(projectCodes: List): Boolean {
 return true
 }
 
- override fun v0ToRbacAuth(
- migrateProjects: List,
- migrateResourceType: String?
- ): Boolean {
+ override fun v0ToRbacAuth(projectCodes: List): Boolean {
 return true
 }
 
@@ -57,4 +51,12 @@ class SamplePermissionMigrateService : PermissionMigrateService {
 override fun compareResult(projectCode: String): Boolean {
 return true
 }
+
+ override fun migrateResource(
+ projectCode: String,
+ resourceType: String,
+ projectCreator: String
+ ): Boolean {
+ return true
+ }
 }
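Review bot: The KDoc added for `PermissionMigrateService.migrateResource` only restates the method name and leaves the contract of a permission-affecting call undocumented. It should say that the call migrates a single resource type of one project, whether it may be run against a project that has already been migrated, what `projectCreator` is used for and whether implementations must verify it, and what the `Boolean` result means. The RBAC implementation in this commit always returns `true`, so callers currently cannot learn anything from the result, which is worth stating too.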
diff --git a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/MigrateProjectConditionDTO.kt b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/MigrateProjectConditionDTO.kt
index c24d3bbbea0..c9b72450248 100644
--- a/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/MigrateProjectConditionDTO.kt
+++ b/src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/MigrateProjectConditionDTO.kt
@@ -11,10 +11,6 @@ data class MigrateProjectConditionDTO(
 val deptId: Long? = null,
 @ApiModelProperty("项目创建人")
 val projectCreator: String? = null,
- @ApiModelProperty("迁移项目Code--可包含已迁移的项目")
- val migrateProjectCodes: List? = null,
- @ApiModelProperty("迁移的资源类型")
- val migrateResourceType: String? = null,
 @ApiModelProperty("排除项目code")
 val excludedProjectCodes: List? = null
 )
diff --git a/src/backend/ci/core/project/biz-project/src/main/kotlin/com/tencent/devops/project/dao/ProjectDao.kt b/src/backend/ci/core/project/biz-project/src/main/kotlin/com/tencent/devops/project/dao/ProjectDao.kt
index 9f229f13d10..974e4243d42 100644
--- a/src/backend/ci/core/project/biz-project/src/main/kotlin/com/tencent/devops/project/dao/ProjectDao.kt
+++ b/src/backend/ci/core/project/biz-project/src/main/kotlin/com/tencent/devops/project/dao/ProjectDao.kt
@@ -129,21 +129,16 @@ class ProjectDao {
 ): Result {
 val centerId = migrateProjectConditionDTO.centerId
 val deptId = migrateProjectConditionDTO.deptId
- val migrateProjectCodes = migrateProjectConditionDTO.migrateProjectCodes
 val excludedProjectCodes = migrateProjectConditionDTO.excludedProjectCodes
 val creator = migrateProjectConditionDTO.projectCreator
 return with(TProject.T_PROJECT) {
 dslContext.selectFrom(this)
 .where(APPROVAL_STATUS.notIn(UNSUCCESSFUL_CREATE_STATUS))
 .and(CHANNEL.eq(ProjectChannelCode.BS.name))
- // 如果传递的是项目列表,可以查询出已迁移的项目
- .let {
- if (!migrateProjectCodes.isNullOrEmpty()) it else it.and(
- ROUTER_TAG.notContains(AuthSystemType.RBAC_AUTH_TYPE.value)
- .or(ROUTER_TAG.isNull)
- )
- }
- .let { if (migrateProjectCodes.isNullOrEmpty()) it else it.and(ENGLISH_NAME.`in`(migrateProjectCodes)) }
+ .and(
+ ROUTER_TAG.notContains(AuthSystemType.RBAC_AUTH_TYPE.value)
+ .or(ROUTER_TAG.isNull)
+ )
 .let { if (centerId == null) it else it.and(CENTER_ID.eq(centerId)) }
 .let { if (deptId == null) it else it.and(DEPT_ID.eq(deptId)) }
 .let { if (creator == null) it else it.and(CREATOR.eq(creator)) }