feat：同步并分表存储资源组权限数据 TencentBlueKing#10964

fcfang123 · Sep 26, 2024 · 1dddae7 · 1dddae7
1 parent 53261cd
commit 1dddae7
Show file tree

Hide file tree

Showing 24 changed files with 411 additions and 238 deletions.
diff --git a/...h/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupPermSyncResource.kt b/...h/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupPermSyncResource.kt
@@ -35,6 +35,7 @@ import io.swagger.v3.oas.annotations.tags.Tag
 import javax.ws.rs.Consumes
 import javax.ws.rs.POST
 import javax.ws.rs.Path
+import javax.ws.rs.PathParam
 import javax.ws.rs.Produces
 import javax.ws.rs.core.MediaType
 
@@ -51,6 +52,18 @@ interface OpAuthResourceGroupPermSyncResource {
         projectIds: List<String>
     ): Result<Boolean>
 
+    @POST
+    @Path("{projectId}/{groupId}/syncGroup/")
+    @Operation(summary = "按条件同步组和成员")
+    fun syncGroup(
+        @Parameter(description = "项目ID", required = true)
+        @PathParam(value = "projectId")
+        projectId: String,
+        @Parameter(description = "组ID", required = true)
+        @PathParam(value = "groupId")
+        groupId: Int
+    ): Result<Boolean>
+
     @POST
     @Path("/syncByCondition")
     @Operation(summary = "按条件同步组和成员")

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupSyncResource.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupSyncResource.kt
@@ -86,4 +86,19 @@ interface UserAuthResourceGroupSyncResource {
         @PathParam("projectId")
         projectId: String
     ): Result<AuthMigrateStatus>
+
+    @PUT
+    @Path("{groupId}/syncGroupPermissions")
+    @Operation(summary = "同步IAM组权限")
+    fun syncGroupPermissions(
+        @Parameter(description = "用户名", required = true)
+        @HeaderParam(AUTH_HEADER_USER_ID)
+        userId: String,
+        @Parameter(description = "项目ID", required = true)
+        @PathParam("projectId")
+        projectId: String,
+        @Parameter(description = "用户组Id")
+        @PathParam("groupId")
+        groupId: Int
+    ): Result<Boolean>
 }
diff --git a/...th/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupPermissionDao.kt b/...th/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupPermissionDao.kt
@@ -61,6 +61,49 @@ class AuthResourceGroupPermissionDao {
         }
     }
 
+    fun deleteByGroupIds(
+        dslContext: DSLContext,
+        projectCode: String,
+        iamGroupIds: List<Int>
+    ) {
+        with(TAuthResourceGroupPermission.T_AUTH_RESOURCE_GROUP_PERMISSION) {
+            dslContext.deleteFrom(this)
+                .where(IAM_GROUP_ID.`in`(iamGroupIds))
+                .and(PROJECT_CODE.eq(projectCode))
+                .execute()
+        }
+    }
+
+    fun deleteByResourceCode(
+        dslContext: DSLContext,
+        projectCode: String,
+        resourceType: String,
+        resourceCode: String
+    ) {
+        with(TAuthResourceGroupPermission.T_AUTH_RESOURCE_GROUP_PERMISSION) {
+            dslContext.deleteFrom(this)
+                .where(RESOURCE_TYPE.eq(resourceType))
+                .and(RESOURCE_CODE.eq(resourceCode))
+                .and(PROJECT_CODE.eq(projectCode))
+                .execute()
+        }
+    }
+
+    fun deleteByRelatedResourceCode(
+        dslContext: DSLContext,
+        projectCode: String,
+        relatedResourceType: String,
+        relatedResourceCode: String
+    ) {
+        with(TAuthResourceGroupPermission.T_AUTH_RESOURCE_GROUP_PERMISSION) {
+            dslContext.deleteFrom(this)
+                .where(RELATED_RESOURCE_TYPE.eq(relatedResourceType))
+                .and(RELATED_RESOURCE_CODE.eq(relatedResourceCode))
+                .and(PROJECT_CODE.eq(projectCode))
+                .execute()
+        }
+    }
+
     fun listByGroupId(
         dslContext: DSLContext,
         projectCode: String,
@@ -74,6 +117,18 @@ class AuthResourceGroupPermissionDao {
         }
     }
 
+    fun listGroupsWithPermissions(
+        dslContext: DSLContext,
+        projectCode: String
+    ): List<Int> {
+        return with(TAuthResourceGroupPermission.T_AUTH_RESOURCE_GROUP_PERMISSION) {
+            dslContext.select(IAM_GROUP_ID).from(this)
+                .where(PROJECT_CODE.eq(projectCode))
+                .groupBy(IAM_GROUP_ID)
+                .fetch().map { it.value1() }
+        }
+    }
+
     fun listByConditions(
         dslContext: DSLContext,
         projectCode: String,

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
@@ -42,6 +42,7 @@ import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
 import com.tencent.bk.sdk.iam.service.v2.impl.V2GrantServiceImpl
 import com.tencent.bk.sdk.iam.service.v2.impl.V2ManagerServiceImpl
 import com.tencent.bk.sdk.iam.service.v2.impl.V2PolicyServiceImpl
+import com.tencent.devops.auth.dao.AuthActionDao
 import com.tencent.devops.auth.dao.AuthMigrationDao
 import com.tencent.devops.auth.dao.AuthMonitorSpaceDao
 import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao
@@ -54,7 +55,6 @@ import com.tencent.devops.auth.provider.rbac.service.AuthResourceCodeConverter
 import com.tencent.devops.auth.provider.rbac.service.AuthResourceService
 import com.tencent.devops.auth.provider.rbac.service.ItsmService
 import com.tencent.devops.auth.provider.rbac.service.PermissionGradeManagerService
-import com.tencent.devops.auth.provider.rbac.service.PermissionGroupPoliciesService
 import com.tencent.devops.auth.provider.rbac.service.PermissionSubsetManagerService
 import com.tencent.devops.auth.provider.rbac.service.RbacCacheService
 import com.tencent.devops.auth.provider.rbac.service.RbacPermissionApplyService
@@ -83,6 +83,7 @@ import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResultServic
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateV0PolicyService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateV3PolicyService
 import com.tencent.devops.auth.provider.rbac.service.migrate.RbacPermissionMigrateService
+import com.tencent.devops.auth.service.AuthAuthorizationScopesService
 import com.tencent.devops.auth.service.AuthMonitorSpaceService
 import com.tencent.devops.auth.service.AuthProjectUserMetricsService
 import com.tencent.devops.auth.service.AuthVerifyRecordService
@@ -173,7 +174,7 @@ class RbacAuthConfiguration {
     fun permissionResourceGroupService(
         iamV2ManagerService: V2ManagerService,
         authResourceService: AuthResourceService,
-        permissionGroupPoliciesService: PermissionGroupPoliciesService,
+        permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService,
         authResourceGroupDao: AuthResourceGroupDao,
         dslContext: DSLContext,
         authResourceGroupConfigDao: AuthResourceGroupConfigDao,
@@ -182,7 +183,7 @@ class RbacAuthConfiguration {
     ) = RbacPermissionResourceGroupService(
         iamV2ManagerService = iamV2ManagerService,
         authResourceService = authResourceService,
-        permissionGroupPoliciesService = permissionGroupPoliciesService,
+        permissionResourceGroupPermissionService = permissionResourceGroupPermissionService,
         authResourceGroupDao = authResourceGroupDao,
         dslContext = dslContext,
         authResourceGroupConfigDao = authResourceGroupConfigDao,
@@ -222,7 +223,11 @@ class RbacAuthConfiguration {
         dslContext: DSLContext,
         resourceGroupPermissionDao: AuthResourceGroupPermissionDao,
         converter: AuthResourceCodeConverter,
-        client: Client
+        client: Client,
+        iamV2ManagerService: V2ManagerService,
+        authAuthorizationScopesService: AuthAuthorizationScopesService,
+        authActionDao: AuthActionDao,
+        authResourceGroupConfigDao: AuthResourceGroupConfigDao
     ) = RbacPermissionResourceGroupPermissionService(
         v2ManagerService = v2ManagerService,
         rbacCacheService = rbacCacheService,
@@ -231,7 +236,11 @@ class RbacAuthConfiguration {
         dslContext = dslContext,
         resourceGroupPermissionDao = resourceGroupPermissionDao,
         converter = converter,
-        client = client
+        client = client,
+        iamV2ManagerService = iamV2ManagerService,
+        authAuthorizationScopesService = authAuthorizationScopesService,
+        authActionDao = authActionDao,
+        authResourceGroupConfigDao = authResourceGroupConfigDao
     )
 
     @Bean
@@ -389,7 +398,7 @@ class RbacAuthConfiguration {
         migrateCreatorFixService: MigrateCreatorFixService,
         authResourceService: AuthResourceService,
         permissionGradeManagerService: PermissionGradeManagerService,
-        permissionGroupPoliciesService: PermissionGroupPoliciesService,
+        permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService,
         migrateResourceCodeConverter: MigrateResourceCodeConverter,
         tokenApi: AuthTokenApi,
         projectAuthServiceCode: ProjectAuthServiceCode,
@@ -404,7 +413,7 @@ class RbacAuthConfiguration {
         migrateCreatorFixService = migrateCreatorFixService,
         authResourceService = authResourceService,
         permissionGradeManagerService = permissionGradeManagerService,
-        permissionGroupPoliciesService = permissionGroupPoliciesService,
+        permissionResourceGroupPermissionService = permissionResourceGroupPermissionService,
         migrateResourceCodeConverter = migrateResourceCodeConverter,
         tokenApi = tokenApi,
         projectAuthServiceCode = projectAuthServiceCode,
@@ -471,7 +480,7 @@ class RbacAuthConfiguration {
         rbacCacheService: RbacCacheService,
         authMigrationDao: AuthMigrationDao,
         deptService: DeptService,
-        permissionGroupPoliciesService: PermissionGroupPoliciesService,
+        permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService,
         permissionResourceMemberService: PermissionResourceMemberService
     ) = MigrateV3PolicyService(
         v2ManagerService = v2ManagerService,
@@ -486,7 +495,7 @@ class RbacAuthConfiguration {
         rbacCacheService = rbacCacheService,
         authMigrationDao = authMigrationDao,
         deptService = deptService,
-        permissionGroupPoliciesService = permissionGroupPoliciesService,
+        permissionResourceGroupPermissionService = permissionResourceGroupPermissionService,
         permissionResourceMemberService = permissionResourceMemberService
     )
 
@@ -504,7 +513,7 @@ class RbacAuthConfiguration {
         rbacCacheService: RbacCacheService,
         authMigrationDao: AuthMigrationDao,
         deptService: DeptService,
-        permissionGroupPoliciesService: PermissionGroupPoliciesService,
+        permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService,
         permissionResourceMemberService: PermissionResourceMemberService
     ) = MigrateV0PolicyService(
         v2ManagerService = v2ManagerService,
@@ -519,7 +528,7 @@ class RbacAuthConfiguration {
         rbacCacheService = rbacCacheService,
         authMigrationDao = authMigrationDao,
         deptService = deptService,
-        permissionGroupPoliciesService = permissionGroupPoliciesService,
+        permissionResourceGroupPermissionService = permissionResourceGroupPermissionService,
         permissionResourceMemberService = permissionResourceMemberService
     )
 
@@ -620,7 +629,8 @@ class RbacAuthConfiguration {
         rbacCacheService: RbacCacheService,
         redisOperation: RedisOperation,
         authResourceSyncDao: AuthResourceSyncDao,
-        authResourceGroupApplyDao: AuthResourceGroupApplyDao
+        authResourceGroupApplyDao: AuthResourceGroupApplyDao,
+        resourceGroupPermissionService: PermissionResourceGroupPermissionService
     ) = RbacPermissionResourceGroupSyncService(
         client = client,
         dslContext = dslContext,
@@ -631,6 +641,7 @@ class RbacAuthConfiguration {
         rbacCacheService = rbacCacheService,
         redisOperation = redisOperation,
         authResourceSyncDao = authResourceSyncDao,
-        authResourceGroupApplyDao = authResourceGroupApplyDao
+        authResourceGroupApplyDao = authResourceGroupApplyDao,
+        resourceGroupPermissionService = resourceGroupPermissionService
     )
 }
diff --git a/.../src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt b/.../src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacServiceConfiguration.kt
@@ -44,12 +44,12 @@ import com.tencent.devops.auth.provider.rbac.service.AuthResourceNameConverter
 import com.tencent.devops.auth.provider.rbac.service.AuthResourceService
 import com.tencent.devops.auth.provider.rbac.service.ItsmService
 import com.tencent.devops.auth.provider.rbac.service.PermissionGradeManagerService
-import com.tencent.devops.auth.provider.rbac.service.PermissionGroupPoliciesService
 import com.tencent.devops.auth.provider.rbac.service.PermissionSubsetManagerService
 import com.tencent.devops.auth.provider.rbac.service.RbacCacheService
 import com.tencent.devops.auth.service.AuthAuthorizationScopesService
 import com.tencent.devops.auth.service.AuthProjectUserMetricsService
 import com.tencent.devops.auth.service.BkHttpRequestService
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupPermissionService
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService
 import com.tencent.devops.common.client.Client
@@ -84,7 +84,6 @@ class RbacServiceConfiguration {
 
     @Bean
     fun permissionSubsetManagerService(
-        permissionGroupPoliciesService: PermissionGroupPoliciesService,
         authAuthorizationScopesService: AuthAuthorizationScopesService,
         iamV2ManagerService: V2ManagerService,
         dslContext: DSLContext,
@@ -111,7 +110,6 @@ class RbacServiceConfiguration {
         authItsmCallbackDao: AuthItsmCallbackDao,
         dslContext: DSLContext,
         authResourceService: AuthResourceService,
-        authResourceGroupDao: AuthResourceGroupDao,
         authResourceGroupConfigDao: AuthResourceGroupConfigDao,
         traceEventDispatcher: TraceEventDispatcher,
         itsmService: ItsmService,
@@ -126,7 +124,6 @@ class RbacServiceConfiguration {
         authItsmCallbackDao = authItsmCallbackDao,
         dslContext = dslContext,
         authResourceService = authResourceService,
-        authResourceGroupDao = authResourceGroupDao,
         authResourceGroupConfigDao = authResourceGroupConfigDao,
         traceEventDispatcher = traceEventDispatcher,
         itsmService = itsmService,
@@ -135,23 +132,6 @@ class RbacServiceConfiguration {
         resourceGroupSyncService = resourceGroupSyncService
     )
 
-    @Bean
-    fun permissionGroupPoliciesService(
-        iamV2ManagerService: V2ManagerService,
-        authActionDao: AuthActionDao,
-        dslContext: DSLContext,
-        authResourceGroupConfigDao: AuthResourceGroupConfigDao,
-        authResourceGroupDao: AuthResourceGroupDao,
-        authAuthorizationScopesService: AuthAuthorizationScopesService
-    ) = PermissionGroupPoliciesService(
-        iamV2ManagerService = iamV2ManagerService,
-        authActionDao = authActionDao,
-        dslContext = dslContext,
-        authResourceGroupConfigDao = authResourceGroupConfigDao,
-        authResourceGroupDao = authResourceGroupDao,
-        authAuthorizationScopesService = authAuthorizationScopesService
-    )
-
     @Bean
     fun itsmService(bkHttpRequestService: BkHttpRequestService) = ItsmService(
         bkHttpRequestService = bkHttpRequestService
@@ -162,12 +142,14 @@ class RbacServiceConfiguration {
         dslContext: DSLContext,
         authResourceDao: AuthResourceDao,
         authResourceGroupDao: AuthResourceGroupDao,
-        authResourceGroupMemberDao: AuthResourceGroupMemberDao
+        authResourceGroupMemberDao: AuthResourceGroupMemberDao,
+        resourceGroupPermissionService: PermissionResourceGroupPermissionService
     ) = AuthResourceService(
         dslContext = dslContext,
         authResourceDao = authResourceDao,
         authResourceGroupDao = authResourceGroupDao,
-        authResourceGroupMemberDao = authResourceGroupMemberDao
+        authResourceGroupMemberDao = authResourceGroupMemberDao,
+        resourceGroupPermissionService = resourceGroupPermissionService
     )
 
     @Bean

diff --git a/...auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt b/...auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt
@@ -33,8 +33,8 @@ import com.tencent.devops.auth.dao.AuthResourceDao
 import com.tencent.devops.auth.dao.AuthResourceGroupDao
 import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
 import com.tencent.devops.auth.pojo.AuthResourceInfo
+import com.tencent.devops.auth.service.iam.PermissionResourceGroupPermissionService
 import com.tencent.devops.common.api.exception.ErrorCodeException
-import com.tencent.devops.common.auth.api.pojo.DefaultGroupType
 import org.jooq.DSLContext
 import org.jooq.impl.DSL
 import org.slf4j.LoggerFactory
@@ -47,7 +47,8 @@ class AuthResourceService @Autowired constructor(
     private val dslContext: DSLContext,
     private val authResourceDao: AuthResourceDao,
     private val authResourceGroupDao: AuthResourceGroupDao,
-    private val authResourceGroupMemberDao: AuthResourceGroupMemberDao
+    private val authResourceGroupMemberDao: AuthResourceGroupMemberDao,
+    private val resourceGroupPermissionService: PermissionResourceGroupPermissionService
 ) {
 
     companion object {
@@ -119,6 +120,11 @@ class AuthResourceService @Autowired constructor(
                 resourceType = resourceType,
                 resourceCode = resourceCode
             )
+            resourceGroupPermissionService.deleteByResource(
+                projectCode = projectCode,
+                resourceType = resourceType,
+                resourceCode = resourceCode
+            )
         }
     }
 
@@ -175,28 +181,13 @@ class AuthResourceService @Autowired constructor(
         resourceType: String,
         resourceCode: String
     ) {
-        val groupIds = authResourceGroupDao.getByResourceCode(
+        authResourceDao.disable(
             dslContext = dslContext,
+            userId = userId,
             projectCode = projectCode,
             resourceType = resourceType,
             resourceCode = resourceCode
-        ).filter {
-            it.groupCode != DefaultGroupType.MANAGER.value
-        }.map { it.id!! }
-        dslContext.transaction { configuration ->
-            val transactionContext = DSL.using(configuration)
-            authResourceDao.disable(
-                dslContext = transactionContext,
-                userId = userId,
-                projectCode = projectCode,
-                resourceType = resourceType,
-                resourceCode = resourceCode
-            )
-            authResourceGroupDao.deleteByIds(
-                dslContext = transactionContext,
-                ids = groupIds
-            )
-        }
+        )
     }
 
     fun list(