From ffc1a6bfa8eee0ed06007c142395e624cb9a8bcf Mon Sep 17 00:00:00 2001 From: owenlxu Date: Thu, 24 Oct 2024 17:29:28 +0800 Subject: [PATCH 1/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bkrepo/auth/config/BkiamConfiguration.kt | 7 +- .../ServiceBkiamV3ResourceController.kt | 6 +- .../bkdevops/DevopsPermissionServiceImpl.kt | 4 +- .../bkiamv3/BkIamV3PermissionServiceImpl.kt | 18 +-- .../service/bkiamv3/BkIamV3ServiceImpl.kt | 24 ++-- .../auth/service/bkiamv3/IamEsbClient.kt | 131 ------------------ 6 files changed, 23 insertions(+), 167 deletions(-) delete mode 100644 src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/IamEsbClient.kt diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/BkiamConfiguration.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/BkiamConfiguration.kt index 223f3b390d..f5e92ad134 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/BkiamConfiguration.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/config/BkiamConfiguration.kt 
@@ -43,10 +43,8 @@ import com.tencent.bk.sdk.iam.service.impl.TokenServiceImpl import com.tencent.bk.sdk.iam.service.v2.impl.V2ManagerServiceImpl import com.tencent.bk.sdk.iam.service.v2.impl.V2PolicyServiceImpl import com.tencent.bkrepo.auth.condition.MultipleAuthCondition -import com.tencent.bkrepo.auth.service.bkiamv3.IamEsbClient import org.springframework.beans.factory.annotation.Autowired import org.springframework.beans.factory.annotation.Value -import org.springframework.boot.autoconfigure.condition.ConditionalOnMissingBean import org.springframework.context.annotation.Bean import org.springframework.context.annotation.Conditional import org.springframework.context.annotation.Configuration @@ -98,10 +96,7 @@ class BkiamConfiguration { @Autowired defaultHttpClientServiceImpl: DefaultHttpClientServiceImpl, @Autowired iamConfiguration: IamConfiguration ) = GrantServiceImpl(defaultHttpClientServiceImpl, iamConfiguration) - - @Bean - @ConditionalOnMissingBean - fun iamEsbService() = IamEsbClient() + // 接入V3(RBAC) /** diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceBkiamV3ResourceController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceBkiamV3ResourceController.kt index 73baa310d3..f1a06d8b6b 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceBkiamV3ResourceController.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceBkiamV3ResourceController.kt 
@@ -55,7 +55,7 @@ class ServiceBkiamV3ResourceController : ServiceBkiamV3ResourceClient {
 override fun createRepoManage(userId: String, projectId: String, repoName: String): Response {
 bkIamV3Service?.let {
 val repoGradeId = lockAction(projectId) {
- bkIamV3Service!!.createGradeManager(userId, projectId, repoName)
+ bkIamV3Service!!.createGradeManager(userId, projectId, repoName)
 }
 return ResponseBuilder.success(repoGradeId)
 } ?: return ResponseBuilder.success()
@@ -67,9 +67,9 @@ class ServiceBkiamV3ResourceController : ServiceBkiamV3ResourceClient {
 } ?: return ResponseBuilder.success(true)
 }
- override fun getExistRbacDefaultGroupProjectIds(projectIds: List): Response> {
+ override fun getExistRbacDefaultGroupProjectIds(projectIdList: List): Response> {
 bkIamV3Service?.let {
- return ResponseBuilder.success(bkIamV3Service!!.getExistRbacDefaultGroupProjectIds(projectIds))
+ return ResponseBuilder.success(bkIamV3Service!!.getExistRbacDefaultGroupProjectIds(projectIdList))
 } ?: return ResponseBuilder.success(emptyMap())
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
index 04d4d6f9c2..0b2f4fa524 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
@@ -105,8 +105,8 @@ class DevopsPermissionServiceImpl constructor(
 // bkiamv3权限校验
 if (matchBkiamv3Cond(request)) {
- // 当有v3权限时,返回成功;如没有v3权限则按devops账号体系继续进行判断
- if (checkBkIamV3Permission(request)) return true
+ // 开启iamv3
+ return checkBkIamV3Permission(request)
 }
 return checkDevopsPermission(request)
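Review bot: With `return checkBkIamV3Permission(request)` the v3 verdict is now final for every request that matches `matchBkiamv3Cond`, so the `checkDevopsPermission(request)` on the following line is no longer reached for those requests — a fail-closed change, but one that silently removes the devops fallback that the deleted comment described. A transient IAM outage is now indistinguishable from a missing grant, because the v3 check appears (from the `catch (e: Exception) { ... allowed = false }` hunk later in this series) to report any exception as a denial. Consider recording the v3 decision so operators can tell the two apart, e.g. `val allowed = checkBkIamV3Permission(request)`, `if (!allowed) logger.info("v3 denied [$request]")`, `return allowed`. The enclosing method begins and ends outside this hunk.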
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index c7c7a0ec5d..03c4181602 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -107,14 +107,14 @@ open class BkIamV3PermissionServiceImpl( val resourceId = bkiamV3Service.getResourceId( resourceType, projectId, repoName, path ) ?: StringPool.EMPTY - return if (checkDefaultRepository(resourceType, resourceId, repoName)) { + return if (checkDefaultRepository(resourceType, repoName)) { checkBkIamV3ProjectPermission(projectId!!, uid, action) } else { bkiamV3Service.validateResourcePermission( userId = uid, projectId = projectId!!, repoName = repoName, - resourceType = resourceType.toLowerCase(), + resourceType = resourceType.lowercase(), action = convertActionType(resourceType, action), resourceId = resourceId, appId = appId @@ -126,14 +126,9 @@ open class BkIamV3PermissionServiceImpl( /** * 针对默认创建的4个仓库不开启v3-rbac校验,只校验项目权限 */ - private fun checkDefaultRepository(resourceType: String, resourceId: String, repoName: String?): Boolean { + private fun checkDefaultRepository(resourceType: String, repoName: String?): Boolean { return when (resourceType) { - ResourceType.SYSTEM.toString() -> false - ResourceType.PROJECT.toString() -> false - ResourceType.REPO.toString() -> { - defaultRepoList.contains(resourceId) - } - ResourceType.NODE.toString() -> { + ResourceType.NODE.toString(), ResourceType.REPO.toString() -> { defaultRepoList.contains(repoName) } else -> false 
@@ -184,10 +179,7 @@ open class BkIamV3PermissionServiceImpl( } } - private fun mergeResult( - list: List, - v3list: List - ): List { + private fun mergeResult(list: List, v3list: List): List { val set = mutableSetOf() set.addAll(list) set.addAll(v3list) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt index c776ff7442..d0c0872d33 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt @@ -92,7 +92,7 @@ class BkIamV3ServiceImpl( private val managerService: V2ManagerService, private val managerServiceV1: ManagerService, private val authManagerRepository: BkIamAuthManagerRepository, - val mongoTemplate: MongoTemplate + mongoTemplate: MongoTemplate ) : BkIamV3Service, BkiamV3BaseService(mongoTemplate) { @@ -155,8 +155,8 @@ class BkIamV3ServiceImpl( ): String? { logger.debug( "v3 getPermissionUrl, userId: ${request.uid}, projectId: ${request.projectId}, " + - "repoName: ${request.repoName} resourceType: ${request.resourceType}, " + - "action: ${request.action}, path: ${request.path}" + "repoName: ${request.repoName} resourceType: ${request.resourceType}, " + + "action: ${request.action}, path: ${request.path}" ) if (!checkIamConfiguration()) return null return if (request.projectId.isNullOrEmpty() && request.repoName.isNullOrEmpty()) { 
@@ -177,7 +177,7 @@ class BkIamV3ServiceImpl( resourceType, projectId, repoName, path ) val action = BkIamV3Utils.convertActionType(request.resourceType, request.action) - val resourceType = request.resourceType.toLowerCase() + val resourceType = request.resourceType.lowercase() if (repoName != null && !checkBkiamv3Config(projectId, repoName)) return null authManagerRepository.findByTypeAndResourceIdAndParentResId( ResourceType.PROJECT, projectId!!, null @@ -228,7 +228,7 @@ class BkIamV3ServiceImpl( } catch (e: Exception) { logger.error( "v3 getPermissionUrl with userId: $uid, action: $action," + - " pUrlRequest: $pUrlRequest\" error: ${e.message}" + " pUrlRequest: $pUrlRequest\" error: ${e.message}" ) StringPool.EMPTY } @@ -247,7 +247,7 @@ class BkIamV3ServiceImpl( ): Boolean { logger.debug( "v3 validateResourcePermission, userId: $userId, projectId: $projectId, repoName: $repoName" + - " resourceType: $resourceType, action: $action, resourceId: $resourceId, appId: $appId" + " resourceType: $resourceType, action: $action, resourceId: $resourceId, appId: $appId" ) if (!checkIamConfiguration()) return false val instanceDTO = InstanceDTO() @@ -286,7 +286,7 @@ class BkIamV3ServiceImpl( } catch (e: Exception) { logger.error( "try bkiamv3 check with userId: $userId, action: $action," + - " instanceDTO: $instanceDTO\" error: ${e.message}" + " instanceDTO: $instanceDTO\" error: ${e.message}" ) allowed = false } @@ -314,7 +314,7 @@ class BkIamV3ServiceImpl( ): List { logger.debug( "v3 listPermissionResources, userId: $userId, projectId: $projectId" + - " resourceType: $resourceType, action: $action" + " resourceType: $resourceType, action: $action" ) if (!checkIamConfiguration()) return emptyList() val actionDto = ActionDTO() 
@@ -521,14 +521,14 @@ class BkIamV3ServiceImpl( } logger.debug( "v3 create grade manager for repo [${projectInfo.name}|$repoName]," + - " projectManagerId: $projectManagerId" + " projectManagerId: $projectManagerId" ) val secondManagerMembers = mutableSetOf() secondManagerMembers.add(userId) val createRepoManagerDTO = CreateSubsetManagerDTO.builder() .name( "$SYSTEM_DEFAULT_NAME-$PROJECT_DEFAULT_NAME-${projectInfo.displayName}" + - "-$REPO_DEFAULT_NAME-${repoDetail.name}" + "-$REPO_DEFAULT_NAME-${repoDetail.name}" ) .description( IamGroupUtils.buildManagerDescription( @@ -680,13 +680,13 @@ class BkIamV3ServiceImpl( // 赋予权限 try { createRoleGroupMember(defaultGroupType, roleId, members) - val actions = DefaultGroupTypeAndActions.get(defaultGroupType.name.toLowerCase()).actions + val actions = DefaultGroupTypeAndActions.get(defaultGroupType.name.lowercase()).actions grantGroupPermission(projectResInfo, repoResInfo, roleId, actions) } catch (e: Exception) { managerService.deleteRoleGroupV2(roleId) logger.error( "v3 create iam group permission fail : $projectResInfo|$repoResInfo" + - " iamRoleId = $roleId | groupInfo = ${defaultGroupType.value}", + " iamRoleId = $roleId | groupInfo = ${defaultGroupType.value}", e ) } diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/IamEsbClient.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/IamEsbClient.kt deleted file mode 100644 index 5c18599f32..0000000000 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/IamEsbClient.kt +++ /dev/null 
@@ -1,131 +0,0 @@ -/* - * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. - * - * Copyright (C) 2022 THL A29 Limited, a Tencent company. All rights reserved. - * - * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. - * - * A copy of the MIT License is included in this file. - * - * - * Terms of the MIT License: - * --------------------------------------------------- - * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated - * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all copies or substantial portions of - * the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT - * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN - * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE - * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
- */ - -package com.tencent.bkrepo.auth.service.bkiamv3 - -import com.fasterxml.jackson.module.kotlin.readValue -import com.tencent.bkrepo.auth.pojo.iam.IamBaseReq -import com.tencent.bkrepo.auth.pojo.iam.IamCreateApiReq -import com.tencent.bkrepo.auth.pojo.iam.IamPermissionUrlReq -import com.tencent.bkrepo.auth.util.HttpUtils -import com.tencent.bkrepo.common.api.util.JsonUtils.objectMapper -import okhttp3.MediaType.Companion.toMediaTypeOrNull -import okhttp3.Request -import okhttp3.RequestBody -import org.slf4j.LoggerFactory -import org.springframework.beans.factory.annotation.Value -import java.security.cert.CertificateException -import java.util.concurrent.TimeUnit -import javax.net.ssl.SSLContext -import javax.net.ssl.SSLSocketFactory -import javax.net.ssl.TrustManager -import javax.net.ssl.X509TrustManager - -class IamEsbClient { - @Value("\${esb.code:}") - private val appCode: String = "" - @Value("\${esb.secret:}") - private val appSecret: String = "" - @Value("\${esb.iam.url:}") - private val iamUrl: String = "" - - fun createRelationResource(iamCreateApiReq: IamCreateApiReq) { - logger.info("createRelationResource, iamCreateApiReq: $iamCreateApiReq") - val url = buildUrl("api/c/compapi/v2/iam/authorization/resource_creator_action/") - logger.debug("createRelationResource, url[$url]") - val content = objectMapper.writeValueAsString(setCredentials(iamCreateApiReq, appCode, appSecret)) - logger.debug("v3 createRelationResource body[$content]") - val requestBody = RequestBody.create("application/json; charset=utf-8".toMediaTypeOrNull(), content) - val request = Request.Builder().url(url).post(requestBody).build() - val apiResponse = HttpUtils.doRequest(okHttpClient, request, 1) - val iamApiRes = objectMapper.readValue>(apiResponse.content) - if (iamApiRes["code"] != 0 || iamApiRes["result"] == false) { - throw RuntimeException("esbiam request failed, response: ${apiResponse.content}") - } - } - - fun getPermissionUrl(iamPermissionUrl: IamPermissionUrlReq): 
String? { - logger.info("getPermissionUrl, iamPermissionUrl: $iamPermissionUrl") - val url = buildUrl("/api/c/compapi/v2/iam/application/") - logger.info("getPermissionUrl, url:$url") - val content = objectMapper.writeValueAsString(setCredentials(iamPermissionUrl, appCode, appSecret)) - logger.info("getPermissionUrl, content:$content") - val requestBody = RequestBody.create("application/json; charset=utf-8".toMediaTypeOrNull(), content) - val request = Request.Builder().url(url).post(requestBody).build() - val apiResponse = HttpUtils.doRequest(okHttpClient, request, 1) - val iamApiRes = objectMapper.readValue>(apiResponse.content) - if (iamApiRes["code"] != 0 || iamApiRes["result"] == false) { - throw RuntimeException("esbiam request failed, response: ${apiResponse.content}") - } - return iamApiRes["data"].toString().substringAfter("url=").substringBeforeLast("}") - } - - private fun setCredentials(iamBaseReq: IamBaseReq, appCode: String, appSecret: String): IamBaseReq { - iamBaseReq.bk_app_code = appCode - iamBaseReq.bk_app_secret = appSecret - return iamBaseReq - } - - private fun buildUrl(uri: String) = "${iamUrl.removeSuffix("/")}/${uri.removePrefix("/")}" - - private val trustAllCerts = arrayOf(object : X509TrustManager { - @Throws(CertificateException::class) - override fun checkClientTrusted(chain: Array, authType: String) { - // no-op - } - - @Throws(CertificateException::class) - override fun checkServerTrusted(chain: Array, authType: String) { - // no-op - } - - override fun getAcceptedIssuers(): Array { - return arrayOf() - } - }) - - private fun sslSocketFactory(): SSLSocketFactory { - try { - val sslContext = SSLContext.getInstance("SSL") - sslContext.init(null, trustAllCerts, java.security.SecureRandom()) - return sslContext.socketFactory - } catch (e: Exception) { - throw RuntimeException(e.message) - } - } - - private val okHttpClient = okhttp3.OkHttpClient.Builder() - .connectTimeout(5L, TimeUnit.SECONDS) - .readTimeout(30L, TimeUnit.SECONDS) - 
.writeTimeout(30L, TimeUnit.SECONDS) - .sslSocketFactory(sslSocketFactory(), trustAllCerts[0] as X509TrustManager) - .build() - - companion object { - private val logger = LoggerFactory.getLogger(IamEsbClient::class.java) - } -} From 75e0402fc586ab9814d2395e8b645ebc5cbf01f1 Mon Sep 17 00:00:00 2001 From: owenlxu Date: Fri, 25 Oct 2024 16:52:14 +0800 Subject: [PATCH 2/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../auth/pojo/enums/ActionTypeMapping.kt | 5 +- .../controller/user/RepoModeController.kt | 44 ++++++++-- .../bkdevops/DevopsPermissionServiceImpl.kt | 8 +- .../bkiamv3/BkIamV3PermissionServiceImpl.kt | 50 +++-------- .../auth/service/bkiamv3/BkIamV3Service.kt | 15 +--- .../service/bkiamv3/BkIamV3ServiceImpl.kt | 40 ++------- .../callback/BkiamRepoResourceService.kt | 4 +- .../callback/BkiamResourceBaseService.kt | 7 +- .../tencent/bkrepo/auth/util/BkIamV3Utils.kt | 87 ------------------- .../common/metadata/dao/repo/RepositoryDao.kt | 1 + 10 files changed, 79 insertions(+), 182 deletions(-) diff --git a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/ActionTypeMapping.kt b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/ActionTypeMapping.kt index 922401ec8d..3ef08833b5 100644 --- a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/ActionTypeMapping.kt +++ b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/enums/ActionTypeMapping.kt 
@@ -49,13 +49,12 @@ enum class ActionTypeMapping(val resType: String, val pAction: String) {
 NODE_WRITE(ResourceType.NODE.name, PermissionAction.WRITE.name),
 NODE_DELETE(ResourceType.NODE.name, PermissionAction.DELETE.name);
- fun id() = this.name.toLowerCase()
+ fun id() = this.name.lowercase()
 companion object {
 fun lookup(resType: String, pAction: String): ActionTypeMapping {
- return values().find { it.resType == resType && it.pAction == pAction }
- ?: throw IllegalArgumentException("No enum for resType $resType and pAction $pAction!")
+ return values().find { it.resType == resType && it.pAction == pAction } ?: PROJECT_MANAGE
 }
 }
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt
index d89fbad6ed..b5c4c388e3 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/user/RepoModeController.kt
@@ -33,8 +33,12 @@ import com.tencent.bkrepo.auth.pojo.permission.RepoModeStatus
 import com.tencent.bkrepo.auth.pojo.authconfig.RepoAuthStatusRequest
 import com.tencent.bkrepo.auth.service.PermissionService
 import com.tencent.bkrepo.auth.service.RepoModeService
+import com.tencent.bkrepo.auth.service.bkiamv3.BkIamV3Service
 import com.tencent.bkrepo.common.api.pojo.Response
+import com.tencent.bkrepo.common.lock.service.LockOperation
+import com.tencent.bkrepo.common.security.util.SecurityUtils
 import com.tencent.bkrepo.common.service.util.ResponseBuilder
+import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.bind.annotation.RequestMapping
 import org.springframework.web.bind.annotation.GetMapping
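Review bot: `lookup` now answers `PROJECT_MANAGE` for any `(resType, pAction)` pair that has no enum entry, where it previously threw `IllegalArgumentException`; the only caller that relied on that exception (`checkBkIamV3ProjectPermission`) is simplified in a later hunk, but every other caller — including permission-URL generation and any action added to `PermissionAction` later without a matching mapping — now silently turns into a project-manage check. Because MANAGE is the strongest action this fails closed for the check itself, but a typo or a missing mapping leaves no trace in logs, and a user is sent to apply for project management instead of the action they actually need. Keep the fallback but make it visible, e.g. `?: PROJECT_MANAGE.also { logger.warn("No ActionTypeMapping for resType=$resType pAction=$pAction, falling back to PROJECT_MANAGE") }` — the enum has no logger in view, so the warning may belong in whichever `convertActionType` helper wraps this call.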
@@ -49,6 +53,12 @@ class RepoModeController(
 permissionService: PermissionService
 ) : OpenResource(permissionService) {
+ @Autowired
+ private var bkIamV3Service: BkIamV3Service? = null
+
+ @Autowired
+ lateinit var lockOperation: LockOperation
+
 @GetMapping("/query")
 fun getStatus(
 @RequestParam projectId: String,
@@ -66,14 +76,38 @@ class RepoModeController(
 with(request) {
 preCheckProjectAdmin(projectId)
 repoModeService.createOrUpdateConfig(
- projectId,
- repoName,
- accessControlMode,
- officeDenyGroupSet,
- bkiamv3Check
+ projectId = projectId,
+ repoName = repoName,
+ accessControlMode = accessControlMode,
+ officeDenyGroupSet = officeDenyGroupSet,
+ bkiamv3Check = bkiamv3Check
 )
+ if (bkIamV3Service != null && bkiamv3Check) {
+ lockAction(projectId) {
+ val userId = SecurityUtils.getUserId()
+ bkIamV3Service!!.createGradeManager(userId, projectId, repoName)
+ }
+ }
 return ResponseBuilder.success(repoModeService.getAccessControlStatus(projectId, repoName))
 }
 }
+ fun lockAction(projectId: String, action: () -> T): T {
+ val lockKey = "${AUTH_LOCK_KEY_PREFIX}$projectId"
+ val lock = lockOperation.getLock(lockKey)
+ return if (lockOperation.getSpinLock(lockKey, lock)) {
+ try {
+ action()
+ } finally {
+ lockOperation.close(lockKey, lock)
+ }
+ } else {
+ action()
+ }
+ }
+
+ companion object {
+ const val AUTH_LOCK_KEY_PREFIX = "auth:lock:gradeCreate:"
+ }
+
 }
\ No newline at end of file
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
index 0b2f4fa524..c781645ea0 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt
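Review bot: `lockAction` falls through to `action()` when `getSpinLock` returns false, so the lock that is supposed to serialize `createGradeManager` per project gives no guarantee exactly when it matters — two concurrent updates of the same project can both reach `createGradeManager`, which is the duplicate-creation case the lock exists to prevent. Either treat a failed acquisition as an error (`else { throw IllegalStateException("grade manager creation for $projectId is already in progress") }`), or document in a comment on `lockAction` that it is best-effort and why that is acceptable here. The same `lockAction(projectId) { ... }` shape is already used by `ServiceBkiamV3ResourceController` in this series; if it is the same helper, sharing one implementation avoids two copies of the lock key and semantics. Note also that `createOrUpdateConfig` persists `bkiamv3Check = true` before `createGradeManager` runs, so a failure inside the lock leaves the repo configured for v3 checks with no grade manager created — consider reversing the order or reverting the config on failure.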
@@ -199,6 +199,11 @@ class DevopsPermissionServiceImpl constructor(
 }
 }
+ private fun matchDevopsRepoCond(repoName: String?): Boolean {
+ return repoName != null && defaultRepoList.contains(repoName)
+ }
+
+
 private fun checkProjectPermission(context: CheckPermissionContext): Boolean {
 with(context) {
 // 只有用户为非项目管理员,代码才会走到这里, action为MANAGE需要项目管理员权限
@@ -206,8 +211,8 @@ class DevopsPermissionServiceImpl constructor(
 logger.debug("project request need manage permission [$context]")
 return false
 }
+ // 项目权限暂时以devops为准
 return isDevopsProjectMember(userId, projectId, action)
- || checkBkIamV3ProjectPermission(projectId, userId, action)
 }
 }
@@ -304,5 +309,6 @@ class DevopsPermissionServiceImpl constructor(
 companion object {
 private val logger = LoggerFactory.getLogger(DevopsPermissionServiceImpl::class.java)
+ private val defaultRepoList = listOf(CUSTOM, PIPELINE, LOG, REPORT)
 }
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt
index 03c4181602..16ac037984 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt
@@ -27,10 +27,6 @@
 package com.tencent.bkrepo.auth.service.bkiamv3
-import com.tencent.bkrepo.auth.constant.CUSTOM
-import com.tencent.bkrepo.auth.constant.LOG
-import com.tencent.bkrepo.auth.constant.PIPELINE
-import com.tencent.bkrepo.auth.constant.REPORT
 import com.tencent.bkrepo.auth.dao.AccountDao
 import com.tencent.bkrepo.auth.dao.PermissionDao
 import com.tencent.bkrepo.auth.dao.PersonalPathDao
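Review bot: `matchDevopsRepoCond` is added as a `private fun`, but the diffstat for this file (8 lines changed, all of them in these three hunks) shows nothing calling it, so it and the new `defaultRepoList` in the companion are dead code sitting in the authorization path — either wire it in where it was meant to gate the devops check, or drop both until they are used, since an unused predicate here is likely to be picked up later with different semantics than intended. Separately, `checkProjectPermission` now decides from `isDevopsProjectMember` alone and the v3 project check is gone; the comment says this is temporary (`项目权限暂时以devops为准`), so make that discoverable, e.g. `// TODO(#2698): project-level permission is decided by devops only; v3 project check to be reintroduced`.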
@@ -103,50 +99,33 @@ open class BkIamV3PermissionServiceImpl(
 fun checkBkIamV3Permission(request: CheckPermissionRequest): Boolean {
 with(request) {
- if (projectId == null) return false
+ if (projectId == null) {
+ return false
+ }
 val resourceId = bkiamV3Service.getResourceId(
 resourceType, projectId, repoName, path
 ) ?: StringPool.EMPTY
- return if (checkDefaultRepository(resourceType, repoName)) {
- checkBkIamV3ProjectPermission(projectId!!, uid, action)
- } else {
- bkiamV3Service.validateResourcePermission(
- userId = uid,
- projectId = projectId!!,
- repoName = repoName,
- resourceType = resourceType.lowercase(),
- action = convertActionType(resourceType, action),
- resourceId = resourceId,
- appId = appId
- )
- }
+ return bkiamV3Service.validateResourcePermission(
+ userId = uid,
+ projectId = projectId!!,
+ repoName = repoName,
+ resourceType = resourceType.lowercase(),
+ action = convertActionType(resourceType, action),
+ resourceId = resourceId,
+ appId = appId
+ )
 }
 }
- /**
- * 针对默认创建的4个仓库不开启v3-rbac校验,只校验项目权限
- */
- private fun checkDefaultRepository(resourceType: String, repoName: String?): Boolean {
- return when (resourceType) {
- ResourceType.NODE.toString(), ResourceType.REPO.toString() -> {
- defaultRepoList.contains(repoName)
- }
- else -> false
- }
- }
- fun checkBkIamV3ProjectPermission(projectId: String, userId: String, action: String): Boolean {
+ fun checkBkIamV3ProjectPermission(userId: String, projectId: String, action: String): Boolean {
 logger.info("v3 checkBkIamV3ProjectPermission userId: $userId, projectId: $projectId, action: $action")
 return bkiamV3Service.validateResourcePermission(
 userId = userId,
 projectId = projectId,
 repoName = null,
 resourceType = ResourceType.PROJECT.id(),
- action = try {
- convertActionType(ResourceType.PROJECT.name, action)
- } catch (e: IllegalArgumentException) {
- ActionTypeMapping.PROJECT_MANAGE.id()
- },
+ action = convertActionType(ResourceType.PROJECT.name, action),
 resourceId = projectId,
 appId = null
 )
@@ -188,7 +167,6 @@ open class BkIamV3PermissionServiceImpl(
 companion object {
 private val logger = LoggerFactory.getLogger(BkIamV3PermissionServiceImpl::class.java)
- private val defaultRepoList = listOf(CUSTOM, PIPELINE, LOG, REPORT)
 }
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt
index 40f2e2d10e..45420eea8f 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt
@@ -83,7 +83,7 @@ interface BkIamV3Service {
 ): List
 /**
- * 刷新项目以及旗下仓库对应的权限中心权限
+ * 刷新项目以及其下仓库对应的权限中心权限
 */
 fun refreshProjectManager(userId: String? = null, projectId: String): Boolean
@@ -91,19 +91,12 @@ interface BkIamV3Service {
 /**
 * 创建项目分级管理员
 */
- fun createGradeManager(
- userId: String,
- projectId: String,
- repoName: String? = null
- ): String?
+ fun createGradeManager(userId: String, projectId: String, repoName: String? = null): String?
 /**
 * 删除分级管理员
 */
- fun deleteGradeManager(
- projectId: String,
- repoName: String? = null
- ): Boolean
+ fun deleteGradeManager(projectId: String, repoName: String? = null): Boolean
 /**
 * 资源id转换
@@ -114,5 +107,5 @@ interface BkIamV3Service {
 /**
 * 查询列表中的项目是否已生成rbac默认用户组
 */
- fun getExistRbacDefaultGroupProjectIds(ids: List) : Map
+ fun getExistRbacDefaultGroupProjectIds(ids: List): Map
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt
index d0671a012f..afafa807cc 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt
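Review bot: `checkBkIamV3ProjectPermission` swaps its first two parameters from `(projectId, userId, action)` to `(userId, projectId, action)`; both are `String`, so any caller that passes them positionally still compiles and will now ask whether user "projectId" may act on project "userId" — an authorization mistake the compiler cannot catch. The only call visible in this series (in `DevopsPermissionServiceImpl.checkProjectPermission`, using the old order) is deleted in the same commit, but the method is public on an `open` class and may have callers in other modules, so either keep the original order or audit every call site and switch it to named arguments, `checkBkIamV3ProjectPermission(userId = uid, projectId = projectId, action = action)`. With the `try`/`catch` around `convertActionType` removed, this method now depends on `ActionTypeMapping.lookup` returning `PROJECT_MANAGE` for unmapped actions instead of throwing; a one-line comment stating that reliance (`// unmapped actions resolve to PROJECT_MANAGE in ActionTypeMapping.lookup`) would keep the two in step.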
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt @@ -117,7 +117,7 @@ class BkIamV3ServiceImpl( private lateinit var repositoryClient: RepositoryClient @Value("\${$AUTH_CONFIG_PREFIX.$AUTH_CONFIG_TYPE_NAME}") - private var ciAuthServer: String = "" + private var realm: String = "" @Value("\${auth.iam.applyJoinUserGroupUrl:}") private val applyJoinUserGroupUrl = "" @@ -145,16 +145,14 @@ class BkIamV3ServiceImpl( override fun checkBkiamv3Config(projectId: String?, repoName: String?): Boolean { // 如果配置是bkiamv3,默认走bkiamv3校验 - if (ciAuthServer == AUTH_CONFIG_TYPE_VALUE_BKIAMV3) return true + if (realm == AUTH_CONFIG_TYPE_VALUE_BKIAMV3) return true if (projectId != null && repoName != null) { return repoModeService.getAccessControlStatus(projectId, repoName).bkiamv3Check } return false } - override fun getPermissionUrl( - request: CheckPermissionRequest - ): String? { + override fun getPermissionUrl(request: CheckPermissionRequest): String? { logger.debug( "v3 getPermissionUrl, userId: ${request.uid}, projectId: ${request.projectId}, " + "repoName: ${request.repoName} resourceType: ${request.resourceType}, " + @@ -175,9 +173,7 @@ class BkIamV3ServiceImpl( private fun generatePermissionUrl(request: CheckPermissionRequest): String? { with(request) { - val resourceId = getResourceId( - resourceType, projectId, repoName, path - ) + val resourceId = getResourceId(resourceType, projectId, repoName, path) val action = BkIamV3Utils.convertActionType(request.resourceType, request.action) val resourceType = request.resourceType.lowercase() if (repoName != null && !checkBkiamv3Config(projectId, repoName)) return null 
@@ -356,14 +352,7 @@ class BkIamV3ServiceImpl( ?: createGradeManager(SecurityUtils.getUserId(), projectId)).isNullOrEmpty() } - /** - * 创建项目分级管理员 - */ - override fun createGradeManager( - userId: String, - projectId: String, - repoName: String? - ): String? { + override fun createGradeManager(userId: String, projectId: String, repoName: String?): String? { if (!checkIamConfiguration()) return null val realUserId = userService.getUserInfoById(userId)?.asstUsers?.firstOrNull() ?: userId return if (repoName == null) { @@ -418,10 +407,7 @@ class BkIamV3ServiceImpl( } } - fun createProjectGradeManager( - userId: String, - projectId: String - ): String? { + fun createProjectGradeManager(userId: String, projectId: String): String? { val projectInfo = projectService.getProjectInfo(projectId)!! logger.debug("v3 start to create grade manager for project $projectId with user $userId") // 如果已经创建project管理员,则返回 @@ -482,11 +468,7 @@ class BkIamV3ServiceImpl( /** * 创建项目分级管理员 */ - private fun createRepoGradeManager( - userId: String, - projectId: String, - repoName: String - ): String? { + private fun createRepoGradeManager(userId: String, projectId: String, repoName: String): String? { val projectInfo = projectService.getProjectInfo(projectId)!! val repoDetail = repositoryClient.getRepoInfo(projectId, repoName).data!! // 如果已经创建repo管理员,则返回 @@ -569,7 +551,6 @@ class BkIamV3ServiceImpl( ResourceType.PROJECT.toString() -> projectId!! ResourceType.REPO.toString() -> convertRepoResourceId(projectId!!, repoName!!) - ResourceType.NODE.toString() -> convertNodeResourceId(projectId!!, repoName!!, path!!) @@ -589,12 +570,7 @@ class BkIamV3ServiceImpl( return result } - private fun saveTBkIamAuthManager( - projectId: String, - repoName: String?, - managerId: Int, - userId: String - ) { + private fun saveTBkIamAuthManager(projectId: String, repoName: String?, managerId: Int, userId: String) { val tBkIamAuthManager = if (repoName == null) { TBkIamAuthManager( resourceId = projectId, 
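Review bot: Dropping the `ResourceType.NODE.toString() -> convertNodeResourceId(...)` branch from the `when` in the `@@ -569,7 +551,6` hunk changes what a NODE-typed request resolves to, and the hunk does not show the remaining branches, so it is not visible whether a NODE request now falls into an `else` that throws, returns null, or silently maps to the repo-level id. If it maps to the repo id, a path-scoped check becomes a repo-scoped one, which is a widening of the resource the IAM policy is evaluated against; if it throws, `generatePermissionUrl` (which calls `getResourceId` on the path branch, see the `@@ -175` hunk) will fail on NODE requests. Please add a comment at the removal point stating the intended handling, e.g. `// NODE resources are not registered in IAM v3; callers must check at REPO scope` or an explicit `ResourceType.NODE.toString() -> throw IllegalArgumentException("node resources are not mapped to IAM v3")`. The enclosing function starts and ends outside this hunk.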
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamRepoResourceService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamRepoResourceService.kt index fa2fcac48f..9d1075d64f 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamRepoResourceService.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamRepoResourceService.kt @@ -47,8 +47,8 @@ import org.springframework.stereotype.Component @Component class BkiamRepoResourceService( private val repositoryClient: RepositoryClient, - val mongoTemplate: MongoTemplate -): BkiamResourceBaseService, BkiamV3BaseService(mongoTemplate) { + mongoTemplate: MongoTemplate +) : BkiamResourceBaseService, BkiamV3BaseService(mongoTemplate) { override fun resourceType(): ResourceType { return ResourceType.REPO } diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamResourceBaseService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamResourceBaseService.kt index cde446ba77..f4d8667e81 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamResourceBaseService.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/callback/BkiamResourceBaseService.kt @@ -48,7 +48,7 @@ interface BkiamResourceBaseService { fun listInstanceInfo(request: CallbackRequestDTO): CallbackBaseResponseDTO - fun buildFetchInstanceInfoResponseDTO(data: List) : CallbackBaseResponseDTO { + fun buildFetchInstanceInfoResponseDTO(data: List): CallbackBaseResponseDTO { val result = FetchInstanceInfoResponseDTO() result.code = 0 result.message = "" 
@@ -72,10 +72,7 @@ interface BkiamResourceBaseService { return result } - fun buildBaseDataResponseDTO( - count: Long, - records: List - ): BaseDataResponseDTO { + fun buildBaseDataResponseDTO(count: Long, records: List): BaseDataResponseDTO { val data = BaseDataResponseDTO() data.count = count data.result = records diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/util/BkIamV3Utils.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/util/BkIamV3Utils.kt index b30a3f5946..84ea98a7a5 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/util/BkIamV3Utils.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/util/BkIamV3Utils.kt 
@@ -130,58 +130,6 @@ object BkIamV3Utils { return ActionTypeMapping.lookup(resourceTyp, action).id() } - fun getProjects(content: ExpressionDTO): List { - - if (content.field != "project.id") { - when(content.operator) { - ExpressionOperationEnum.ANY, - ExpressionOperationEnum.OR, - ExpressionOperationEnum.AND, - ExpressionOperationEnum.START_WITH -> { - } - else -> return emptyList() - } - } - val projectList = mutableListOf() - when (content.operator) { - ExpressionOperationEnum.START_WITH -> getProjectFromExpression(content)?.let {projectList.add(it) } - ExpressionOperationEnum.ANY -> projectList.add("*") - ExpressionOperationEnum.EQUAL -> projectList.add(content.value.toString()) - ExpressionOperationEnum.IN -> projectList.addAll(StringUtils.obj2List(content.value.toString())) - ExpressionOperationEnum.OR, ExpressionOperationEnum.AND -> content.content.forEach { - projectList.addAll(getProjects(it)) - } - else -> { - } - } - return projectList - } - - // 无content怎么处理 一层怎么处理,二层怎么处理。 默认只有两层。 - fun getResourceInstance(expression: ExpressionDTO, projectId: String, resourceType: String): Set { - val instantList = mutableSetOf() - if (expression.content.isNullOrEmpty()) { - instantList.addAll(getInstanceByField(expression, projectId, resourceType)) - } else { - instantList.addAll(getInstanceByContent(expression.content, expression, projectId, resourceType)) - } - return instantList - } - - private fun getInstanceByContent( - childExpression: List, - parentExpression: ExpressionDTO, - projectId: String, - resourceType: String - ): Set { - return getInstanceByContent( - childExpression = childExpression, - projectId = projectId, - resourceType = resourceType, - type = parentExpression.operator - ) - } - private fun getInstanceByContent( childExpression: List, projectId: String, 
@@ -284,35 +232,6 @@ object BkIamV3Utils { return null } - private fun getInstanceByField(expression: ExpressionDTO, projectId: String, resourceType: String): Set { - val instanceList = mutableSetOf() - val value = expression.value - - // 如果权限为整个项目, 直接返回 - if (expression.value == projectId && expression.operator == ExpressionOperationEnum.EQUAL) { - instanceList.add("*") - return instanceList - } - - if (!checkField(expression.field, resourceType)) { - return emptySet() - } - - when (expression.operator) { - ExpressionOperationEnum.ANY -> instanceList.add("*") - ExpressionOperationEnum.EQUAL -> instanceList.add(value.toString()) - ExpressionOperationEnum.IN -> instanceList.addAll(StringUtils.obj2List(value.toString())) - ExpressionOperationEnum.START_WITH -> { - instanceList.addAll(checkProject(projectId, expression).second) - } - else -> { - } - } - - return instanceList - } - - private fun checkProject(projectId: String, expression: ExpressionDTO): Pair> { val instanceList = mutableSetOf() val values = expression.value.toString().split(",") @@ -326,12 +245,6 @@ object BkIamV3Utils { return Pair(true, instanceList) } - private fun getProjectFromExpression(expression: ExpressionDTO): String? { - val values = expression.value.toString().split(",") - if (values[0] != "/project") return null - return values[1].substringBefore("/") - } - private fun checkField(field: String, resourceType: String): Boolean { if (field.contains(resourceType)) { return true diff --git a/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/dao/repo/RepositoryDao.kt b/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/dao/repo/RepositoryDao.kt index 7cf309bca0..a12491e57d 100644 --- a/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/dao/repo/RepositoryDao.kt 
+++ b/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/dao/repo/RepositoryDao.kt @@ -82,4 +82,5 @@ class RepositoryDao : SimpleMongoDao() { val update = Update().unset(TRepository::oldCredentialsKey.name) updateFirst(query, update) } + } From 21affd506c25d149071edbdc2100fa99a343ed87 Mon Sep 17 00:00:00 2001 From: owenlxu Date: Fri, 25 Oct 2024 20:02:08 +0800 Subject: [PATCH 3/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bkrepo/auth/pojo/permission/RepoModeStatus.kt | 2 +- .../bkrepo/auth/service/RepoModeService.kt | 2 ++ .../bkdevops/DevopsPermissionServiceImpl.kt | 10 +++++++--- .../bkiamv3/BkIamV3PermissionServiceImpl.kt | 8 +++----- .../auth/service/bkiamv3/BkIamV3ServiceImpl.kt | 2 +- .../auth/service/impl/RepoModeServiceImpl.kt | 15 +++++++++++---- 6 files changed, 25 insertions(+), 14 deletions(-) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt index 8b8ec3945f..922879af13 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/pojo/permission/RepoModeStatus.kt @@ -3,7 +3,7 @@ package com.tencent.bkrepo.auth.pojo.permission import com.tencent.bkrepo.auth.pojo.enums.AccessControlMode data class RepoModeStatus( - val id: String, + val id: String?, val accessControlMode: AccessControlMode?, val officeDenyGroupSet: Set = emptySet(), val bkiamv3Check: Boolean 
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt index 091879ce68..5c1bf73e8f 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt @@ -48,4 +48,6 @@ interface RepoModeService { fun getAccessControlStatus(projectId: String, repoName: String): RepoModeStatus + fun bkiamv3Check(projectId: String, repoName: String): Boolean + } \ No newline at end of file diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt index faaea0a861..a08dd7b0a9 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt @@ -103,9 +103,13 @@ class DevopsPermissionServiceImpl constructor( // 校验平台账号操作范围 if (request.appId != null && !checkPlatformPermission(request)) return false - // bkiamv3权限校验 - if (matchBkiamv3Cond(request)) { - // 开启iamv3 + // 兼容bkiam权限与devops权限 + if (matchBkiamv3Cond(request.projectId, request.repoName) && matchDevopsRepoCond(request.repoName)) { + return checkBkIamV3Permission(request) || checkDevopsPermission(request) + } + + // 采用bkiamv3权限 + if (matchBkiamv3Cond(request.projectId, request.repoName) && !matchDevopsRepoCond(request.repoName)) { return checkBkIamV3Permission(request) } 
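Review bot: The new first branch in `checkPermission` grants access when either backend says yes (`checkBkIamV3Permission(request) || checkDevopsPermission(request)`), so a request denied by IAM v3 is still allowed if the devops check passes, and vice versa; that union semantics is a deliberate widening and deserves a comment saying so, since a reader expecting "IAM v3 enabled means IAM v3 decides" will misread it. `matchBkiamv3Cond(request.projectId, request.repoName)` is also evaluated twice on the same arguments, and per the `RepoModeServiceImpl` change in this series it reads `repoAuthDao` each time, so the decision should be computed once: `val iamV3Enabled = matchBkiamv3Cond(request.projectId, request.repoName)`, then `if (iamV3Enabled && matchDevopsRepoCond(request.repoName)) return checkBkIamV3Permission(request) || checkDevopsPermission(request)` and `if (iamV3Enabled) return checkBkIamV3Permission(request)` (the second condition's `!matchDevopsRepoCond` is implied once the first branch has returned). The function continues past the end of the hunk.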
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index e2320881e1..b2c5136b6a 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -90,11 +90,9 @@ open class BkIamV3PermissionServiceImpl( /** * 判断仓库创建时是否开启权限校验 */ - fun matchBkiamv3Cond(request: CheckPermissionRequest): Boolean { - with(request) { - if (!bkiamV3Service.checkIamConfiguration()) return false - return bkiamV3Service.checkBkiamv3Config(projectId, repoName) - } + fun matchBkiamv3Cond(projectId: String?, repoName: String?): Boolean { + if (!bkiamV3Service.checkIamConfiguration()) return false + return bkiamV3Service.checkBkiamv3Config(projectId, repoName) } fun checkBkIamV3Permission(request: CheckPermissionRequest): Boolean { diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt index 3bd898a58b..7c3de41f66 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt @@ -149,7 +149,7 @@ class BkIamV3ServiceImpl( // 如果配置是bkiamv3,默认走bkiamv3校验 if (realm == AUTH_CONFIG_TYPE_VALUE_BKIAMV3) return true if (projectId != null && repoName != null) { - return repoModeService.getAccessControlStatus(projectId, repoName).bkiamv3Check + return repoModeService.bkiamv3Check(projectId, repoName) } return false } 
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt index 9d62940279..9eb7fa341e 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt @@ -69,10 +69,13 @@ class RepoModeServiceImpl( var controlMode = AccessControlMode.DEFAULT var officeDenyGroupSet = emptySet() var bkiamv3Check = false - if (permissionDao.listByResourceAndRepo(ResourceType.NODE.name, projectId, repoName).isNotEmpty()) { + + val result = repoAuthDao.findOneByProjectRepo(projectId, repoName) + if (result == null && + permissionDao.listByResourceAndRepo(ResourceType.NODE.name, projectId, repoName).isNotEmpty() + ) { controlMode = AccessControlMode.DIR_CTRL } - val result = repoAuthDao.findOneByProjectRepo(projectId, repoName) if (result != null) { if (result.officeDenyGroupSet != null) { officeDenyGroupSet = result.officeDenyGroupSet!! @@ -86,13 +89,17 @@ class RepoModeServiceImpl( } bkiamv3Check = result.bkiamv3Check ?: false } - val id = repoAuthDao.upsertProjectRepo(projectId, repoName, controlMode, officeDenyGroupSet, bkiamv3Check) return RepoModeStatus( - id = id, + id = null, accessControlMode = controlMode, officeDenyGroupSet = officeDenyGroupSet, bkiamv3Check = bkiamv3Check ) } + override fun bkiamv3Check(projectId: String, repoName: String): Boolean { + val result = repoAuthDao.findOneByProjectRepo(projectId, repoName) ?: return false + return result.bkiamv3Check!! + } + } From f1d9e8643cf14764da214e3151b6f59764622802 Mon Sep 17 00:00:00 2001 
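Review bot: `return result.bkiamv3Check!!` in the new `bkiamv3Check` will throw a NullPointerException for a `TRepoAuthConfig` record whose `bkiamv3Check` field is unset, whereas `getAccessControlStatus` a few lines above handles the same field with `result.bkiamv3Check ?: false`; since this method is now on the permission-check path (`checkBkiamv3Config` calls it), a null field turns an authorization decision into a 500 instead of a deny. Use the same default: `return result.bkiamv3Check ?: false`. Separately, the hunk removes the `repoAuthDao.upsertProjectRepo(...)` call and returns `id = null`, so `getAccessControlStatus` no longer persists a config record as a side effect; any caller that relied on the returned `id` or on the record being created should be checked, and a KDoc line such as `/** Read-only: computes the effective access-control status without writing a config record. */` would make the new contract explicit.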
From: owenlxu Date: Fri, 1 Nov 2024 16:07:53 +0800 Subject: [PATCH 4/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt | 9 +++++++++ .../tencent/bkrepo/auth/service/RepoModeService.kt | 2 ++ .../service/bkdevops/DevopsPermissionServiceImpl.kt | 8 +++++++- .../service/bkiamv3/BkIamV3PermissionServiceImpl.kt | 13 +++++++++++++ .../bkrepo/auth/service/bkiamv3/BkIamV3Service.kt | 5 +++++ .../auth/service/bkiamv3/BkIamV3ServiceImpl.kt | 8 ++++++++ .../bkrepo/auth/service/impl/RepoModeServiceImpl.kt | 4 ++++ 7 files changed, 48 insertions(+), 1 deletion(-) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt index bdf01e9db8..300fe04c4a 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/RepoAuthConfigDao.kt @@ -50,6 +50,15 @@ class RepoAuthConfigDao : SimpleMongoDao() { ) } + fun checkByProject(projectId: String): Boolean { + return this.exists( + Query.query( + Criteria.where(TRepoAuthConfig::projectId.name).`is`(projectId) + .and(TRepoAuthConfig::bkiamv3Check.name).`is`(true) + ) + ) + } + fun upsertProjectRepo( projectId: String, repoName: String, diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt index 5c1bf73e8f..5c89fe1048 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt 
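Review bot: `checkByProject` has no documentation, and its semantics matter for authorization: it returns true when at least one `TRepoAuthConfig` in the project has `bkiamv3Check == true`, which later in this series is used as the project-wide switch for the IAM v3 / devops union on project READ. A single repository opting in therefore changes how project-level reads are evaluated for the whole project, which a maintainer should not have to infer from the query. Add a KDoc such as `/** True if any repository under [projectId] has bkiamv3Check enabled; used as the project-level IAM v3 switch. */`.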
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/RepoModeService.kt @@ -50,4 +50,6 @@ interface RepoModeService { fun bkiamv3Check(projectId: String, repoName: String): Boolean + fun projectBkiamv3Check(projectId: String): Boolean + } \ No newline at end of file diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt index a08dd7b0a9..2fc5f2dff8 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt @@ -103,7 +103,8 @@ class DevopsPermissionServiceImpl constructor( // 校验平台账号操作范围 if (request.appId != null && !checkPlatformPermission(request)) return false - // 兼容bkiam权限与devops权限 + + // repo,node权限兼容bkiam权限与devops权限 if (matchBkiamv3Cond(request.projectId, request.repoName) && matchDevopsRepoCond(request.repoName)) { return checkBkIamV3Permission(request) || checkDevopsPermission(request) } @@ -113,6 +114,11 @@ class DevopsPermissionServiceImpl constructor( return checkBkIamV3Permission(request) } + // project,read权限 + if (matchBkiamv3ProjectCond(request)) { + return checkBkIamV3Permission(request) || checkDevopsPermission(request) + } + return checkDevopsPermission(request) } diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index b2c5136b6a..fd91e549c3 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt 
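Review bot: The new `matchBkiamv3ProjectCond` branch in `checkPermission` adds a second union path (`checkBkIamV3Permission(request) || checkDevopsPermission(request)`) for project-level READ, and the one-line comment `// project,read权限` does not explain why READ is unioned while the repo-level path above falls through to IAM v3 alone in the non-devops case. As written, a project READ is granted if either system grants it, so the stricter of the two backends never has the final say for that action. Replace the comment with one that states the rule, e.g. `// Project-level READ: a repo in this project has IAM v3 enabled, so accept a grant from either IAM v3 or devops`. Note this branch also runs a third lookup (`checkByProject`) after the two `matchBkiamv3Cond` calls above it on every check.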
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -34,6 +34,7 @@ import com.tencent.bkrepo.auth.dao.RepoAuthConfigDao import com.tencent.bkrepo.auth.dao.UserDao import com.tencent.bkrepo.auth.dao.repository.RoleRepository import com.tencent.bkrepo.auth.pojo.enums.ActionTypeMapping +import com.tencent.bkrepo.auth.pojo.enums.PermissionAction import com.tencent.bkrepo.auth.pojo.enums.ResourceType import com.tencent.bkrepo.auth.pojo.permission.CheckPermissionRequest import com.tencent.bkrepo.auth.service.local.PermissionServiceImpl @@ -95,6 +96,18 @@ open class BkIamV3PermissionServiceImpl( return bkiamV3Service.checkBkiamv3Config(projectId, repoName) } + /** + * 是否需要采用iamv3项目校验 + */ + fun matchBkiamv3ProjectCond(request: CheckPermissionRequest): Boolean { + with(request) { + if (!bkiamV3Service.checkIamConfiguration()) return false + return request.requestSource == ResourceType.PROJECT.name && + request.action == PermissionAction.READ.name && + bkiamV3Service.checkBkiamv3ProjectConfig(projectId) + } + } + fun checkBkIamV3Permission(request: CheckPermissionRequest): Boolean { with(request) { if (projectId == null) { diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt index 45420eea8f..5a884d137d 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3Service.kt @@ -44,6 +44,11 @@ interface BkIamV3Service { */ fun checkBkiamv3Config(projectId: String?, repoName: String?): Boolean + /** + * 判断项目下是否开启蓝鲸权限 + */ + fun checkBkiamv3ProjectConfig(projectId: String?): Boolean + /** * 生成无权限跳转url */ 
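Review bot: In `matchBkiamv3ProjectCond` the `with(request) { ... }` receiver is never used: every field is accessed through the explicit `request.` prefix, so the scope function only adds nesting. Either drop `with` and keep the `request.` prefixes, or keep `with` and use the implicit receiver, e.g. `return resourceType == ResourceType.PROJECT.name && action == PermissionAction.READ.name && bkiamV3Service.checkBkiamv3ProjectConfig(projectId)`. The KDoc `是否需要采用iamv3项目校验` should also be in English, say `/** Whether a project-level READ check should consult IAM v3: IAM is configured and the project has IAM v3 enabled. */`.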
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt index 7c3de41f66..9d3449322e 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3ServiceImpl.kt @@ -154,6 +154,14 @@ class BkIamV3ServiceImpl( return false } + override fun checkBkiamv3ProjectConfig(projectId: String?): Boolean { + if (realm == AUTH_CONFIG_TYPE_VALUE_BKIAMV3) return true + if (projectId != null) { + return repoModeService.projectBkiamv3Check(projectId) + } + return false + } + override fun getPermissionUrl(request: CheckPermissionRequest): String? { logger.debug( "v3 getPermissionUrl, userId: ${request.uid}, projectId: ${request.projectId}, " + diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt index 9eb7fa341e..faddd33339 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/impl/RepoModeServiceImpl.kt @@ -102,4 +102,8 @@ class RepoModeServiceImpl( return result.bkiamv3Check!! } + override fun projectBkiamv3Check(projectId: String): Boolean { + return repoAuthDao.checkByProject(projectId) + } + } From 633fe4d17d8881edf404209e08ef2d30be87bc96 Mon Sep 17 00:00:00 2001 
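Review bot: `checkBkiamv3ProjectConfig` returns true for a null `projectId` whenever `realm == AUTH_CONFIG_TYPE_VALUE_BKIAMV3`, mirroring `checkBkiamv3Config` above it, and the callers in this series then proceed into `checkBkIamV3Permission`, which denies on `projectId == null`; that is safe but non-obvious, and the method carries no documentation. Add a KDoc such as `/** Project-level IAM v3 switch: true when the global realm is bkiamv3, otherwise when any repo in [projectId] has bkiamv3Check set (false for a null project). */`. The same applies to `projectBkiamv3Check` in `RepoModeServiceImpl`, which is a bare delegation to `repoAuthDao.checkByProject`.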
From: owenlxu Date: Fri, 1 Nov 2024 17:08:38 +0800 Subject: [PATCH 5/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt | 2 +- .../bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt index 2fc5f2dff8..17f21e4aca 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt @@ -99,7 +99,7 @@ class DevopsPermissionServiceImpl constructor( } override fun checkPermission(request: CheckPermissionRequest): Boolean { - + logger.debug("check permission [$request]") // 校验平台账号操作范围 if (request.appId != null && !checkPlatformPermission(request)) return false diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index fd91e549c3..083133fff7 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt 
@@ -101,6 +101,7 @@ open class BkIamV3PermissionServiceImpl( */ fun matchBkiamv3ProjectCond(request: CheckPermissionRequest): Boolean { with(request) { + logger.debug("check match cond permission [$request]") if (!bkiamV3Service.checkIamConfiguration()) return false return request.requestSource == ResourceType.PROJECT.name && request.action == PermissionAction.READ.name && From 775e4571306aeb5ced017bd7d3e01364712dc0de Mon Sep 17 00:00:00 2001 From: owenlxu Date: Fri, 1 Nov 2024 17:22:52 +0800 Subject: [PATCH 6/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index 083133fff7..6c4e030c2e 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -111,6 +111,7 @@ open class BkIamV3PermissionServiceImpl( fun checkBkIamV3Permission(request: CheckPermissionRequest): Boolean { with(request) { + logger.debug("checkBkIamV3Permission [$request]") if (projectId == null) { return false } From aace0e921a8775039feec6ba527c1df7803571ad Mon Sep 17 00:00:00 2001 
From: owenlxu Date: Fri, 1 Nov 2024 17:46:40 +0800 Subject: [PATCH 7/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index 6c4e030c2e..68b6714353 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt @@ -103,7 +103,7 @@ open class BkIamV3PermissionServiceImpl( with(request) { logger.debug("check match cond permission [$request]") if (!bkiamV3Service.checkIamConfiguration()) return false - return request.requestSource == ResourceType.PROJECT.name && + return request.resourceType == ResourceType.PROJECT.name && request.action == PermissionAction.READ.name && bkiamV3Service.checkBkiamv3ProjectConfig(projectId) } From 8e792583911418fe70e8d387141a44893d76b694 Mon Sep 17 00:00:00 2001 From: owenlxu Date: Fri, 1 Nov 2024 18:00:59 +0800 Subject: [PATCH 8/8] =?UTF-8?q?feat:=20=E6=9D=83=E9=99=90=E6=8E=A5?= =?UTF-8?q?=E5=85=A5=E4=B8=8E=E8=93=9D=E9=B2=B8=E6=9D=83=E9=99=90=E4=B8=AD?= =?UTF-8?q?=E5=BF=83=E8=81=94=E5=8A=A8=20#2698?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../auth/service/bkdevops/DevopsPermissionServiceImpl.kt | 5 +---- .../auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt | 2 -- 2 files changed, 1 insertion(+), 6 deletions(-) 
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt index 17f21e4aca..55c5fe9473 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkdevops/DevopsPermissionServiceImpl.kt @@ -99,11 +99,10 @@ class DevopsPermissionServiceImpl constructor( } override fun checkPermission(request: CheckPermissionRequest): Boolean { - logger.debug("check permission [$request]") + logger.debug("devops check permission request [$request]") // 校验平台账号操作范围 if (request.appId != null && !checkPlatformPermission(request)) return false - // repo,node权限兼容bkiam权限与devops权限 if (matchBkiamv3Cond(request.projectId, request.repoName) && matchDevopsRepoCond(request.repoName)) { return checkBkIamV3Permission(request) || checkDevopsPermission(request) @@ -165,8 +164,6 @@ class DevopsPermissionServiceImpl constructor( private fun checkDevopsPermission(request: CheckPermissionRequest): Boolean { with(request) { - logger.debug("check devops permission request [$request]") - // 用户不存在 val user = getUserInfo(uid) ?: return false // 系统管理员用户 diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt index 68b6714353..93ca1eb4c7 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkiamv3/BkIamV3PermissionServiceImpl.kt 
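Review bot: The retained `logger.debug("devops check permission request [$request]")` in `checkPermission` logs the whole `CheckPermissionRequest` via its `toString()`; the fields visible elsewhere in this series are `uid`, `projectId`, `repoName`, `resourceType`, `action`, `path` and `appId`, but if the class carries anything else (the full type is not shown here) it will land in the log on every authorization call. Prefer logging the identifiers explicitly so the line cannot grow with the class: `logger.debug("devops check permission uid=${request.uid} project=${request.projectId} repo=${request.repoName} action=${request.action} appId=${request.appId}")`. The function continues beyond the hunk.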
@@ -101,7 +101,6 @@ open class BkIamV3PermissionServiceImpl( */ fun matchBkiamv3ProjectCond(request: CheckPermissionRequest): Boolean { with(request) { - logger.debug("check match cond permission [$request]") if (!bkiamV3Service.checkIamConfiguration()) return false return request.resourceType == ResourceType.PROJECT.name && request.action == PermissionAction.READ.name && @@ -111,7 +110,6 @@ open class BkIamV3PermissionServiceImpl( fun checkBkIamV3Permission(request: CheckPermissionRequest): Boolean { with(request) { - logger.debug("checkBkIamV3Permission [$request]") if (projectId == null) { return false }