fix: 处理init/sidecar容器客户端与业务容器用户/用户组不一致的问题 --bug=130675033

.gitignore

@@ -6,4 +6,4 @@ bin
 .idea
 .vscode
 __debug_bin*
-build
+build

cmd/api-server/service/config_import.go

@@ -64,8 +64,7 @@ type configImport struct {
 }
 
 // TemplateConfigFileImport Import template config file
-//
-//nolint:funlen
+// nolint:funlen
 func (c *configImport) TemplateConfigFileImport(w http.ResponseWriter, r *http.Request) {
 	kt := kit.MustGetKit(r.Context())
 
@@ -245,6 +244,8 @@ func (c *configImport) TemplateConfigFileImport(w http.ResponseWriter, r *http.R
 			newItem.Privilege = data.GetTemplateRevision().GetSpec().GetPermission().GetPrivilege()
 			newItem.User = data.GetTemplateRevision().GetSpec().GetPermission().GetUser()
 			newItem.UserGroup = data.GetTemplateRevision().GetSpec().GetPermission().GetUserGroup()
+			newItem.Uid = data.GetTemplateRevision().GetSpec().GetPermission().GetUid()
+			newItem.Gid = data.GetTemplateRevision().GetSpec().GetPermission().GetGid()
 			exist = append(exist, newItem)
 		}
 	}
@@ -263,8 +264,7 @@ func (c *configImport) TemplateConfigFileImport(w http.ResponseWriter, r *http.R
 }
 
 // ConfigFileImport Import config file
-//
-//nolint:funlen
+// nolint:funlen
 func (c *configImport) ConfigFileImport(w http.ResponseWriter, r *http.Request) {
 
 	kt := kit.MustGetKit(r.Context())
@@ -465,6 +465,8 @@ func (c *configImport) ConfigFileImport(w http.ResponseWriter, r *http.Request)
 			newItem.Privilege = config.GetSpec().GetPermission().GetPrivilege()
 			newItem.User = config.GetSpec().GetPermission().GetUser()
 			newItem.UserGroup = config.GetSpec().GetPermission().GetUserGroup()
+			newItem.Uid = config.GetSpec().GetPermission().GetUid()
+			newItem.Gid = config.GetSpec().GetPermission().GetGid()
 			exist = append(exist, newItem)
 		}
 	}

cmd/config-server/service/app_template_binding.go

@@ -280,16 +280,16 @@ func (s *Service) ListAppBoundTmplRevisions(ctx context.Context, req *pbcs.ListA
 					TemplateRevisionMemo: r.TemplateRevisionMemo,
 					FileType:             r.FileType,
 					FileMode:             r.FileMode,
-					User:                 r.User,
-					UserGroup:            r.UserGroup,
-					Privilege:            r.Privilege,
 					Signature:            r.Signature,
 					ByteSize:             r.ByteSize,
 					Creator:              r.Creator,
 					CreateAt:             r.CreateAt,
 					FileState:            r.FileState,
 					Md5:                  r.Md5,
 					IsConflict:           r.IsConflict,
+					User:                 r.Permission.User,
+					UserGroup:            r.Permission.UserGroup,
+					Privilege:            r.Permission.Privilege,
 				})
 		}
 		if req.WithStatus {
@@ -449,9 +449,9 @@ func (s *Service) ListReleasedAppBoundTmplRevisions(ctx context.Context,
 					TemplateRevisionMemo: r.TemplateRevisionMemo,
 					FileType:             r.FileType,
 					FileMode:             r.FileMode,
-					User:                 r.User,
-					UserGroup:            r.UserGroup,
-					Privilege:            r.Privilege,
+					User:                 r.Permission.User,
+					UserGroup:            r.Permission.UserGroup,
+					Privilege:            r.Permission.Privilege,
 					Signature:            r.Signature,
 					ByteSize:             r.ByteSize,
 					OriginSignature:      r.OriginSignature,

cmd/config-server/service/config_item.go

@@ -67,6 +67,8 @@ func (s *Service) CreateConfigItem(ctx context.Context, req *pbcs.CreateConfigIt
 				User:      req.User,
 				UserGroup: req.UserGroup,
 				Privilege: req.Privilege,
+				Uid:       req.Uid,
+				Gid:       req.Gid,
 			},
 		},
 		ContentSpec: &pbcontent.ContentSpec{
@@ -121,6 +123,8 @@ func (s *Service) BatchUpsertConfigItems(ctx context.Context, req *pbcs.BatchUps
 					User:      item.User,
 					UserGroup: item.UserGroup,
 					Privilege: item.Privilege,
+					Uid:       item.Uid,
+					Gid:       item.Gid,
 				},
 			},
 			ContentSpec: &pbcontent.ContentSpec{
@@ -190,6 +194,8 @@ func (s *Service) UpdateConfigItem(ctx context.Context, req *pbcs.UpdateConfigIt
 				User:      req.User,
 				UserGroup: req.UserGroup,
 				Privilege: req.Privilege,
+				Uid:       req.Uid,
+				Gid:       req.Gid,
 			},
 		},
 	}
@@ -696,6 +702,7 @@ func (s *Service) CompareConfigItemConflicts(ctx context.Context, req *pbcs.Comp
 				TemplateRevisionId: revision.TemplateRevisionId,
 				IsLatest:           revision.IsLatest,
 				Variables:          revision.GetVariables(),
+				Permission:         revision.GetPermission(),
 			})
 		}
 		templateConfigs = append(templateConfigs, &pbcs.CompareConfigItemConflictsResp_TemplateConfig{

cmd/config-server/service/template.go

@@ -83,6 +83,8 @@ func (s *Service) CreateTemplate(ctx context.Context, req *pbcs.CreateTemplateRe
 				User:      req.User,
 				UserGroup: req.UserGroup,
 				Privilege: req.Privilege,
+				Uid:       req.Uid,
+				Gid:       req.Gid,
 			},
 			ContentSpec: &pbcontent.ContentSpec{
 				Signature: req.Sign,
@@ -529,6 +531,8 @@ func (s *Service) BatchUpsertTemplates(ctx context.Context, req *pbcs.BatchUpser
 						User:      item.User,
 						UserGroup: item.UserGroup,
 						Privilege: item.Privilege,
+						Uid:       item.Uid,
+						Gid:       item.Gid,
 					},
 					ContentSpec: &pbcontent.ContentSpec{
 						Signature: item.Sign,
@@ -544,7 +548,8 @@ func (s *Service) BatchUpsertTemplates(ctx context.Context, req *pbcs.BatchUpser
 		})
 	}
 
-	in := &pbds.BatchUpsertTemplatesReq{Items: items, TemplateSetIds: req.GetTemplateSetIds(), BizId: req.GetBizId()}
+	in := &pbds.BatchUpsertTemplatesReq{Items: items, TemplateSetIds: req.GetTemplateSetIds(), BizId: req.GetBizId(),
+		TemplateSpaceId: req.TemplateSpaceId}
 	data, err := s.client.DS.BatchUpsertTemplates(grpcKit.RpcCtx(), in)
 	if err != nil {
 		return nil, err
@@ -582,6 +587,8 @@ func (s *Service) BatchUpdateTemplatePermissions(ctx context.Context, req *pbcs.
 		TemplateSetId:      req.TemplateSetId,
 		ExclusionOperation: req.ExclusionOperation,
 		NoSetSpecified:     req.NoSetSpecified,
+		Uid:                req.Uid,
+		Gid:                req.Gid,
 	})
 
 	if err != nil {

cmd/config-server/service/template_revision.go

@@ -171,7 +171,8 @@ func (s *Service) ListTemplateRevisionsByIDs(ctx context.Context, req *pbcs.List
 	}
 
 	r := &pbds.ListTemplateRevisionsByIDsReq{
-		Ids: req.Ids,
+		Ids:   req.Ids,
+		BizId: req.BizId,
 	}
 
 	rp, err := s.client.DS.ListTemplateRevisionsByIDs(grpcKit.RpcCtx(), r)
@@ -254,6 +255,8 @@ func (s *Service) GetTemplateRevision(ctx context.Context, req *pbcs.GetTemplate
 			CreateAt:             tr.GetDetail().GetCreateAt(),
 			Md5:                  tr.GetDetail().GetMd5(),
 			IsLatest:             tr.GetDetail().GetIsLatest(),
+			Uid:                  tr.Detail.Uid,
+			Gid:                  tr.Detail.Gid,
 		},
 	}, nil
 }
@@ -293,6 +296,8 @@ func (s *Service) UpdateTemplateRevision(ctx context.Context, req *pbcs.UpdateTe
 				User:      req.User,
 				UserGroup: req.UserGroup,
 				Privilege: req.Privilege,
+				Uid:       req.Uid,
+				Gid:       req.Gid,
 			},
 			ContentSpec: &pbcontent.ContentSpec{
 				Signature: req.Sign,

cmd/config-server/service/user_group_privilege.go

@@ -0,0 +1,96 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package service
+
+import (
+	"context"
+
+	"github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/iam/meta"
+	"github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/kit"
+	pbcs "github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/protocol/config-server"
+	pbds "github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/protocol/data-service"
+)
+
+// DeleteUserGroupPrivilege 删除用户组权限数据
+func (s *Service) DeleteUserGroupPrivilege(ctx context.Context, req *pbcs.DeleteUserPrivilegesReq) (
+	*pbcs.DeleteUserPrivilegesResp, error) {
+	// FromGrpcContext used only to obtain Kit through grpc context.
+	kit := kit.FromGrpcContext(ctx)
+
+	res := []*meta.ResourceAttribute{
+		{Basic: meta.Basic{Type: meta.Biz, Action: meta.FindBusinessResource}, BizID: req.BizId},
+		{Basic: meta.Basic{Type: meta.App, Action: meta.Delete, ResourceID: req.AppId}, BizID: req.BizId},
+	}
+	// Authorize authorize if user has permission to the resources.
+	// If user is unauthorized, assign apply url and resources into error.
+	if err := s.authorizer.Authorize(kit, res...); err != nil {
+		return nil, err
+	}
+
+	_, err := s.client.DS.DeleteUserGroupPrivilege(kit.RpcCtx(), &pbds.DeleteUserPrivilegesReq{
+		Id:              req.Id,
+		BizId:           req.BizId,
+		AppId:           req.AppId,
+		TemplateSpaceId: req.TemplateSpaceId,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &pbcs.DeleteUserPrivilegesResp{}, nil
+}
+
+// ListUserGroupPrivileges 获取用户组数据列表
+func (s *Service) ListUserGroupPrivileges(ctx context.Context, req *pbcs.ListUserPrivilegesReq) (
+	*pbcs.ListUserPrivilegesResp, error) {
+	// FromGrpcContext used only to obtain Kit through grpc context.
+	kit := kit.FromGrpcContext(ctx)
+
+	res := []*meta.ResourceAttribute{
+		{Basic: meta.Basic{Type: meta.Biz, Action: meta.FindBusinessResource}, BizID: req.BizId},
+		{Basic: meta.Basic{Type: meta.App, Action: meta.View, ResourceID: req.AppId}, BizID: req.BizId},
+	}
+	// Authorize authorize if user has permission to the resources.
+	// If user is unauthorized, assign apply url and resources into error.
+	if err := s.authorizer.Authorize(kit, res...); err != nil {
+		return nil, err
+	}
+
+	resp, err := s.client.DS.ListUserGroupPrivileges(kit.RpcCtx(), &pbds.ListUserPrivilegesReq{
+		BizId:           req.BizId,
+		AppId:           req.AppId,
+		TemplateSpaceId: req.TemplateSpaceId,
+		Name:            req.Name,
+		Start:           req.Start,
+		Limit:           req.Limit,
+		All:             req.All,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	items := make([]*pbcs.ListUserPrivilegesResp_Detail, 0, len(resp.GetDetails()))
+	for _, v := range resp.GetDetails() {
+		items = append(items, &pbcs.ListUserPrivilegesResp_Detail{
+			Id:            v.GetId(),
+			Name:          v.GetName(),
+			PrivilegeType: v.GetPrivilegeType(),
+			ReadOnly:      v.GetReadOnly(),
+			Pid:           v.GetPid(),
+		})
+	}
+
+	return &pbcs.ListUserPrivilegesResp{Details: items, Count: resp.Count}, nil
+}

cmd/config-server/service/user_privilege.go

@@ -0,0 +1,96 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package service
+
+import (
+	"context"
+
+	"github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/iam/meta"
+	"github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/kit"
+	pbcs "github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/protocol/config-server"
+	pbds "github.com/TencentBlueKing/bk-bcs/bcs-services/bcs-bscp/pkg/protocol/data-service"
+)
+
+// DeleteUserPrivilege 删除用户权限
+func (s *Service) DeleteUserPrivilege(ctx context.Context, req *pbcs.DeleteUserPrivilegesReq) (
+	*pbcs.DeleteUserPrivilegesResp, error) {
+	// FromGrpcContext used only to obtain Kit through grpc context.
+	kit := kit.FromGrpcContext(ctx)
+
+	res := []*meta.ResourceAttribute{
+		{Basic: meta.Basic{Type: meta.Biz, Action: meta.FindBusinessResource}, BizID: req.BizId},
+		{Basic: meta.Basic{Type: meta.App, Action: meta.Delete, ResourceID: req.AppId}, BizID: req.BizId},
+	}
+	// Authorize authorize if user has permission to the resources.
+	// If user is unauthorized, assign apply url and resources into error.
+	if err := s.authorizer.Authorize(kit, res...); err != nil {
+		return nil, err
+	}
+
+	_, err := s.client.DS.DeleteUserPrivilege(kit.RpcCtx(), &pbds.DeleteUserPrivilegesReq{
+		Id:              req.Id,
+		BizId:           req.BizId,
+		AppId:           req.AppId,
+		TemplateSpaceId: req.TemplateSpaceId,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	return &pbcs.DeleteUserPrivilegesResp{}, nil
+}
+
+// ListUserPrivileges 获取用户权限
+func (s *Service) ListUserPrivileges(ctx context.Context, req *pbcs.ListUserPrivilegesReq) (
+	*pbcs.ListUserPrivilegesResp, error) {
+	// FromGrpcContext used only to obtain Kit through grpc context.
+	kit := kit.FromGrpcContext(ctx)
+
+	res := []*meta.ResourceAttribute{
+		{Basic: meta.Basic{Type: meta.Biz, Action: meta.FindBusinessResource}, BizID: req.BizId},
+		{Basic: meta.Basic{Type: meta.App, Action: meta.View, ResourceID: req.AppId}, BizID: req.BizId},
+	}
+	// Authorize authorize if user has permission to the resources.
+	// If user is unauthorized, assign apply url and resources into error.
+	if err := s.authorizer.Authorize(kit, res...); err != nil {
+		return nil, err
+	}
+
+	resp, err := s.client.DS.ListUserPrivileges(kit.RpcCtx(), &pbds.ListUserPrivilegesReq{
+		BizId:           req.BizId,
+		AppId:           req.AppId,
+		TemplateSpaceId: req.TemplateSpaceId,
+		Name:            req.Name,
+		Start:           req.Start,
+		Limit:           req.Limit,
+		All:             req.All,
+	})
+
+	if err != nil {
+		return nil, err
+	}
+
+	items := make([]*pbcs.ListUserPrivilegesResp_Detail, 0, len(resp.GetDetails()))
+	for _, v := range resp.GetDetails() {
+		items = append(items, &pbcs.ListUserPrivilegesResp_Detail{
+			Id:            v.GetId(),
+			Name:          v.GetName(),
+			PrivilegeType: v.GetPrivilegeType(),
+			ReadOnly:      v.GetReadOnly(),
+			Pid:           v.Pid,
+		})
+	}
+
+	return &pbcs.ListUserPrivilegesResp{Details: items, Count: resp.Count}, nil
+}