

Merge pull request #571 from TencentBlueKing/feature-v3-rbac
Feature v3 rbac
owenlxu authored Oct 16, 2023
2 parents c6ad6ef + 3ece392 commit 1a9a9a1
Showing 94 changed files with 6,130 additions and 1,077 deletions.
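--- a/scripts/build-images.sh
+++ b/scripts/build-images.sh
@@ -12,6 +12,7 @@ ALL=1
 GATEWAY=0
 BACKEND=0
 INIT=0
+INIT_RBAC=0
 VERSION=latest
 PUSH=0
 ALL_IN_ONE=0
@@ -41,6 +42,7 @@ usage () {
 [ --all-in-one [可选] 打包all in one镜像]
 [ --slim-package-path [可选] slim包路径,打包all in one镜像需要]
 [ --init [可选] 打包init镜像 ]
+[ --init-rbac [可选] 打包init-rbac镜像 ]
 [ -v, --version [可选] 镜像版本tag, 默认latest ]
 [ -p, --push [可选] 推送镜像到docker远程仓库,默认不推送 ]
 [ -l, --latest [可选] 是否更新并推送latest tag ]
@@ -91,6 +93,10 @@ while (( $# > 0 )); do
 ALL=0
 INIT=1
 ;;
+--init-rbac )
+ALL=0
+INIT_RBAC=1
+;;
 -v | --version )
 shift
 VERSION=$1
@@ -213,4 +219,16 @@ if [[ $ALL -eq 1 || $INIT -eq 1 ]] ; then
 fi
 fi
 
+# 构建init-rbac镜像
+if [[ $ALL -eq 1 || $INIT_RBAC -eq 1 ]] ; then
+log "构建init-rbac镜像..."
+rm -rf $tmp_dir/*
+mkdir -p $tmp_dir/support-files/bkiam
+cp -rf $ROOT_DIR/support-files/bkiam/* $tmp_dir/support-files/bkiam
+docker build -f init/init-rbac.Dockerfile -t $REGISTRY/bkrepo-init-rbac:$VERSION $tmp_dir --no-cache --network=host
+if [[ $PUSH -eq 1 ]] ; then
+docker push $REGISTRY/bkrepo-init-rbac:$VERSION
+fi
+fi
+
 echo "BUILD SUCCESSFUL!"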
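Review bot: `rm -rf $tmp_dir/*` in the new init-rbac block expands to `rm -rf /*` if `tmp_dir` is ever empty or unset (it is assigned outside this section, so the script cannot assume it), and the unquoted `$tmp_dir` and `$ROOT_DIR` expansions break on paths containing spaces; use `rm -rf "${tmp_dir:?tmp_dir is not set}"/*` and quote the remaining expansions. `--network=host` on the `docker build` line gives every build step the host's network namespace, so anything run by init/init-rbac.Dockerfile can reach services bound to localhost; if the existing init build already uses the flag this is pre-existing, but a one-line comment stating why it is required would help a reviewer decide whether it can be dropped. `cp -rf $ROOT_DIR/support-files/bkiam/*` copies whatever happens to be in that directory into the image, so a short comment listing what it is expected to contain makes stray files easier to spot.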
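--- a/src/backend/auth/api-auth/build.gradle.kts
+++ b/src/backend/auth/api-auth/build.gradle.kts
@@ -29,7 +29,6 @@
 * SOFTWARE.
 */
 dependencies {
-api(fileTree(mapOf("dir" to "lib", "include" to listOf("*.jar"))))
 implementation(project(":common:common-api"))
 api(project(":common:common-operate:operate-annotation"))
 compileOnly("org.springframework.cloud:spring-cloud-openfeign-core")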
Binary file removed src/backend/auth/api-auth/lib/iam-sdk-1.0.0.jar
@@ -0,0 +1,89 @@
/*
* Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
*
* Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
*
* A copy of the MIT License is included in this file.
*
*
* Terms of the MIT License:
* ---------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
* the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
* NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.tencent.bkrepo.auth.api

import com.tencent.bkrepo.auth.constant.AUTH_SERVICE_BKIAMV3_PREFIX
import com.tencent.bkrepo.common.api.constant.AUTH_SERVICE_NAME
import com.tencent.bkrepo.common.api.pojo.Response
import io.swagger.annotations.Api
import io.swagger.annotations.ApiOperation
import io.swagger.annotations.ApiParam
import org.springframework.cloud.openfeign.FeignClient
import org.springframework.context.annotation.Primary
import org.springframework.web.bind.annotation.DeleteMapping
import org.springframework.web.bind.annotation.PathVariable
import org.springframework.web.bind.annotation.PostMapping
import org.springframework.web.bind.annotation.RequestBody
import org.springframework.web.bind.annotation.RequestMapping
import org.springframework.web.bind.annotation.RequestParam

@Api(tags = ["SERVICE_BKIAMV3"], description = "蓝鲸权限v3接口")
@Primary
@FeignClient(AUTH_SERVICE_NAME, contextId = "ServiceBkiamV3Resource")
@RequestMapping(AUTH_SERVICE_BKIAMV3_PREFIX)
interface ServiceBkiamV3ResourceClient {
@ApiOperation("创建项目管理员")
@PostMapping("/create/project/manage/{projectId}")
fun createProjectManage(
@ApiParam(value = "用户id")
@RequestParam userId: String,
@ApiParam(value = "项目名称")
@PathVariable projectId: String
): Response<String?>

@ApiOperation("创建2级仓库管理员")
@PostMapping("/create/repo/manage/{projectId}/{repoName}")
fun createRepoManage(
@ApiParam(value = "用户id")
@RequestParam userId: String,
@ApiParam(value = "项目名称")
@PathVariable projectId: String,
@ApiParam(value = "仓库名称")
@PathVariable repoName: String
): Response<String?>

@ApiOperation("删除仓库相关用户组")
@DeleteMapping("/delete/repo/manage/{projectId}/{repoName}")
fun deleteRepoManageGroup(
@ApiParam(value = "用户id")
@RequestParam userId: String,
@ApiParam(value = "项目名称")
@PathVariable projectId: String,
@ApiParam(value = "仓库名称")
@PathVariable repoName: String
): Response<Boolean>


@ApiOperation("检查项目默认的rbac项目组是否已经存在")
@PostMapping("/rbac/group/check")
fun getExistRbacDefaultGroupProjectIds(
@ApiParam(value = "项目ID列表")
@RequestBody projectIdList: List<String> = emptyList()
): Response<Map<String, Boolean>>

}
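Review bot: The interface has no KDoc stating its trust boundary, which matters here because every endpoint takes the target `userId` as a `@RequestParam` and `createProjectManage`/`createRepoManage` grant manager roles to that user, so the server side behind `/service/bkiamv3` (not in this view) must authenticate the calling service and must never treat `userId` as the caller's own identity. A class-level comment such as `/** Internal service-to-service client for BK-IAM v3 role management. `userId` is the target user, not the caller; the server must only accept these calls from authenticated internal services. */` would make that explicit for whoever implements or exposes the controller. `@Primary` on a Feign client also makes it win over any other `ServiceBkiamV3ResourceClient` bean in the context, which deserves a one-line comment if that is intentional. The double blank line before `getExistRbacDefaultGroupProjectIds` is a minor style nit.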
@@ -0,0 +1,41 @@
/*
* Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
*
* Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
*
* A copy of the MIT License is included in this file.
*
*
* Terms of the MIT License:
* ---------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
* the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
* NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.tencent.bkrepo.auth.constant

const val AUTH_CONFIG_PREFIX = "auth"
const val AUTH_CONFIG_TYPE_NAME = "realm"
const val AUTH_CONFIG_TYPE_VALUE_DEVOPS = "devops"
const val AUTH_CONFIG_TYPE_VALUE_LOCAL = "local"
const val AUTH_CONFIG_TYPE_VALUE_BKIAMV3 = "bkiamv3"

const val BKIAMV3_CHECK = "bkiamv3Check"

const val CUSTOM = "custom"
const val PIPELINE = "pipeline"
const val REPORT = "report"
const val LOG = "log"
Expand Up @@ -73,6 +73,10 @@ const val AUTH_CLUSTER_PERMISSION_PREFIX = "/cluster/permission"
const val AUTH_API_ROLE_PREFIX = "/api/role"
const val AUTH_SERVICE_ROLE_PREFIX = "/service/role"


const val AUTH_SERVICE_BKIAMV3_PREFIX = "/service/bkiamv3"


const val AUTH_API_USER_PREFIX = "/api/user"
const val AUTH_SERVICE_USER_PREFIX = "/service/user"
const val AUTH_CLUSTER_USER_PREFIX = "/cluster/permission"
Expand All @@ -99,6 +103,7 @@ const val AUTH_API_PERMISSION_USER_PREFIX = "api/permission/user"
const val AUTH_API_USER_UPDATE_PREFIX = "api/user/update/info"
const val AUTH_API_USER_DELETE_PREFIX = "api/user/delete"
const val AUTH_API_USER_ASSET_USER_GROUP_PREFIX = "api/user/group"
const val AUTH_API_USER_BKIAMV3_PREFIX = "api/user/auth"

const val AUTH_CLUSTER_TOKEN_INFO_PREFIX = "/cluster/temporary/token/info"
const val AUTH_CLUSTER_TOKEN_DELETE_PREFIX = "/cluster/temporary/token/delete"
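Review bot: `AUTH_API_USER_BKIAMV3_PREFIX = "api/user/auth"` pairs a bkiamv3-specific constant name with a generic path that says nothing about BK-IAM, which is easy to mis-route or collide with later; either a path that mentions bkiamv3 or a comment above it, `// BK-IAM v3 user-facing endpoints; path intentionally generic`, would make the mapping explicit. In the first hunk the new `AUTH_SERVICE_BKIAMV3_PREFIX` is wrapped in two blank lines on each side where the rest of the file uses single blank lines between groups. The missing leading slash on the second constant matches its neighbours in that hunk, so it is consistent with the file rather than a defect.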
@@ -0,0 +1,58 @@
/*
* Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
*
* Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
*
* A copy of the MIT License is included in this file.
*
*
* Terms of the MIT License:
* ---------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
* the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
* NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.tencent.bkrepo.auth.pojo.enums

/**
* 权限中心v3 action映射关系
*/
enum class ActionTypeMapping(val resType: String, val pAction: String) {
PROJECT_MANAGE(ResourceType.PROJECT.name, PermissionAction.MANAGE.name),
PROJECT_VIEW(ResourceType.PROJECT.name, PermissionAction.READ.name),
PROJECT_EDIT(ResourceType.PROJECT.name, PermissionAction.UPDATE.name),
REPO_CREATE(ResourceType.PROJECT.name, PermissionAction.WRITE.name),
REPO_MANAGE(ResourceType.REPO.name, PermissionAction.MANAGE.name),
REPO_VIEW(ResourceType.REPO.name, PermissionAction.READ.name),
REPO_EDIT(ResourceType.REPO.name, PermissionAction.UPDATE.name),
REPO_DELETE(ResourceType.REPO.name, PermissionAction.DELETE.name),
NODE_CREATE(ResourceType.REPO.name, PermissionAction.WRITE.name),
NODE_VIEW(ResourceType.NODE.name, PermissionAction.VIEW.name),
NODE_DOWNLOAD(ResourceType.NODE.name, PermissionAction.READ.name),
NODE_EDIT(ResourceType.NODE.name, PermissionAction.UPDATE.name),
NODE_WRITE(ResourceType.NODE.name, PermissionAction.WRITE.name),
NODE_DELETE(ResourceType.NODE.name, PermissionAction.DELETE.name);

fun id() = this.name.toLowerCase()

companion object {

fun lookup(resType: String, pAction: String): ActionTypeMapping {
return values().find { it.resType == resType && it.pAction == pAction }
?: throw IllegalArgumentException("No enum for resType $resType and pAction $pAction!")
}
}
}
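Review bot: `id()` uses `this.name.toLowerCase()`, which is locale-dependent: under a Turkish default locale the `I` in `VIEW`, `EDIT` and `WRITE` lower-cases to a dotless ı, and the action id sent to the permission centre would silently differ from the one registered there. Because these ids are security identifiers they must be locale-invariant — `fun id() = name.lowercase()` on Kotlin 1.5+ (which also deprecates `toLowerCase()`) or `name.toLowerCase(Locale.ROOT)` on older compilers; I cannot see the Kotlin version from here. `lookup` throws `IllegalArgumentException` for any (resType, pAction) pair without a mapping, for example PROJECT with DELETE, so callers on a permission-check path need to decide whether an unmapped pair means deny or error; a KDoc line on `lookup` saying `@throws IllegalArgumentException if no action is mapped for the pair` would make that contract visible.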
Original file line number Diff line number Diff line change
@@ -0,0 +1,62 @@
/*
* Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
*
* Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved.
*
* BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
*
* A copy of the MIT License is included in this file.
*
*
* Terms of the MIT License:
* ---------------------------------------------------
* Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
* documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
* rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all copies or substantial portions of
* the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
* LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
* NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
* SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/

package com.tencent.bkrepo.auth.pojo.enums

/**
* 默认用户组
*/
enum class DefaultGroupType(val value: String, val displayName: String) {
PROJECT_MANAGER("project_manager", "项目管理组"), // 管理员
PROJECT_UPLOAD_DELETE("project_upload_delete", "项目操作组"), // 上传下载删除权限
PROJECT_DOWNLOAD("project_download", "项目访问组"), // 下载权限
REPO_MANAGER("repo_manager", "仓库管理组"), // 管理员
REPO_UPLOAD_DELETE("repo_upload_delete", "仓库操作组"),
REPO_DOWNLOAD("repo_download", "仓库访问组"); // 下载权限
companion object {
fun get(value: String): DefaultGroupType {
values().forEach {
if (value == it.value) return it
}
throw IllegalArgumentException("No enum for constant $value")
}

fun contains(value: String): Boolean {
values().forEach {
if (value == it.value) return true
}
return false
}

fun containsDisplayName(displayName: String): Boolean {
values().forEach {
if (displayName == it.displayName) return true
}
return false
}
}
}
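Review bot: The three companion functions each hand-roll the same linear scan with `values().forEach { if (...) return ... }`; the idiomatic form is a single expression each, `fun get(value: String) = values().firstOrNull { it.value == value } ?: throw IllegalArgumentException("No enum for constant $value")`, `fun contains(value: String) = values().any { it.value == value }` and `fun containsDisplayName(displayName: String) = values().any { it.displayName == displayName }`, preserving the same results and the same exception message. The class comment "默认用户组" could also say what `value` and `displayName` are — presumably the group code used with the permission centre and the user-visible label — but that is inferred from the names and should be confirmed against the callers before being written down.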
