Merge pull request #10835 from fcfang123/issue-9620-1

feat：支持管理员查看项目成员 #9620
TencentBlueKing · Aug 19, 2024 · 2bf1791 · 2bf1791
2 parents 266c496 + d51eeed
commit 2bf1791
Show file tree

Hide file tree

Showing 13 changed files with 190 additions and 25 deletions.
diff --git a/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt b/...uth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/migrate/OpAuthMigrateResource.kt
@@ -153,4 +153,12 @@ interface OpAuthMigrateResource {
     @Path("/migrateAllResourceAuthorization")
     @Operation(summary = "迁移资源授权-全量")
     fun migrateAllResourceAuthorization(): Result<Boolean>
+
+    @POST
+    @Path("/fixResourceGroups")
+    @Operation(summary = "修复资源组")
+    fun fixResourceGroups(
+        @Parameter(description = "迁移项目", required = true)
+        projectCodes: List<String>
+    ): Result<Boolean>
 }
diff --git a/...ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt b/...ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupDao.kt
@@ -123,7 +123,7 @@ class AuthResourceGroupDao {
                     it.iamTemplateId
                 ).onDuplicateKeyUpdate()
                     .set(GROUP_NAME, it.groupName)
-                    .set(UPDATE_TIME, it.updateTime)
+                    .set(UPDATE_TIME, now)
             }).execute()
         }
     }
@@ -135,13 +135,15 @@ class AuthResourceGroupDao {
         resourceCode: String,
         resourceName: String,
         groupCode: String,
-        groupName: String
+        groupName: String,
+        relationId: String? = null
     ): Int {
         val now = LocalDateTime.now()
         return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
             dslContext.update(this)
                 .set(GROUP_NAME, groupName)
                 .set(RESOURCE_NAME, resourceName)
+                .let { if (relationId != null) it.set(RELATION_ID, relationId) else it }
                 .set(UPDATE_TIME, now)
                 .where(PROJECT_CODE.eq(projectCode))
                 .and(RESOURCE_CODE.eq(resourceCode))
@@ -281,11 +283,29 @@ class AuthResourceGroupDao {
         projectCode: String,
         resourceType: String,
         resourceCode: String
-    ): List<TAuthResourceGroupRecord> {
+    ): List<AuthResourceGroup> {
         return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+            val result = mutableListOf<AuthResourceGroup>()
             dslContext.selectFrom(this).where(PROJECT_CODE.eq(projectCode))
                 .and(RESOURCE_CODE.eq(resourceCode))
                 .and(RESOURCE_TYPE.eq(resourceType))
+                .fetch().forEach {
+                    val authResourceGroup = convert(it)
+                    if (authResourceGroup != null) {
+                        result.add(authResourceGroup)
+                    }
+                }
+            result
+        }
+    }
+
+    fun listRecordsOfNeedToFix(
+        dslContext: DSLContext,
+        projectCode: String
+    ): Result<TAuthResourceGroupRecord> {
+        return with(TAuthResourceGroup.T_AUTH_RESOURCE_GROUP) {
+            dslContext.selectFrom(this).where(PROJECT_CODE.eq(projectCode))
+                .and(RELATION_ID.eq("null"))
                 .fetch()
         }
     }

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
@@ -73,6 +73,7 @@ import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateIamApiServic
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigratePermissionHandoverService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceAuthorizationService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceCodeConverter
+import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceGroupService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResourceService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateResultService
 import com.tencent.devops.auth.provider.rbac.service.migrate.MigrateV0PolicyService
@@ -372,6 +373,19 @@ class RbacAuthConfiguration {
         authResourceGroupDao = authResourceGroupDao
     )
 
+    @Bean
+    fun migrateResourceGroupService(
+        authResourceService: AuthResourceService,
+        dslContext: DSLContext,
+        authResourceGroupDao: AuthResourceGroupDao,
+        iamV2ManagerService: V2ManagerService
+    ) = MigrateResourceGroupService(
+        authResourceService = authResourceService,
+        dslContext = dslContext,
+        authResourceGroupDao = authResourceGroupDao,
+        iamV2ManagerService = iamV2ManagerService
+    )
+
     @Bean
     fun migrateIamApiService() = MigrateIamApiService()
 
@@ -486,7 +500,8 @@ class RbacAuthConfiguration {
         authMonitorSpaceDao: AuthMonitorSpaceDao,
         cacheService: RbacCacheService,
         permissionResourceMemberService: RbacPermissionResourceMemberService,
-        migrateResourceAuthorizationService: MigrateResourceAuthorizationService
+        migrateResourceAuthorizationService: MigrateResourceAuthorizationService,
+        migrateResourceGroupService: MigrateResourceGroupService
     ) = RbacPermissionMigrateService(
         client = client,
         migrateResourceService = migrateResourceService,
@@ -503,7 +518,8 @@ class RbacAuthConfiguration {
         authMonitorSpaceDao = authMonitorSpaceDao,
         cacheService = cacheService,
         permissionResourceMemberService = permissionResourceMemberService,
-        migrateResourceAuthorizationService = migrateResourceAuthorizationService
+        migrateResourceAuthorizationService = migrateResourceAuthorizationService,
+        migrateResourceGroupService = migrateResourceGroupService
     )
 
     @Bean

diff --git a/...auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt b/...auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/AuthResourceService.kt
@@ -182,7 +182,7 @@ class AuthResourceService @Autowired constructor(
             resourceCode = resourceCode
         ).filter {
             it.groupCode != DefaultGroupType.MANAGER.value
-        }.map { it.id }
+        }.map { it.id!! }
         dslContext.transaction { configuration ->
             val transactionContext = DSL.using(configuration)
             authResourceDao.disable(

diff --git a/...in/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt b/...in/kotlin/com/tencent/devops/auth/provider/rbac/service/PermissionSubsetManagerService.kt
@@ -357,7 +357,7 @@ class PermissionSubsetManagerService @Autowired constructor(
             it.groupCode != DefaultGroupType.MANAGER.value
         }.forEach {
             logger.info("delete subset manage default group|$subsetManagerId|${it.relationId}")
-            iamV2ManagerService.deleteRoleGroupV2(it.relationId.toInt())
+            iamV2ManagerService.deleteRoleGroupV2(it.relationId)
         }
     }
 }
diff --git a/...otlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt b/...otlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupService.kt
@@ -135,7 +135,7 @@ class RbacPermissionResourceGroupService @Autowired constructor(
                 projectCode = projectId,
                 resourceType = resourceType,
                 resourceCode = resourceCode
-            ).associateBy { it.relationId.toInt() }
+            ).associateBy { it.relationId }
             val iamGroupInfoVoList = iamGroupInfoList.map {
                 val resourceGroup = resourceGroupMap[it.id]
                 val defaultGroup = resourceGroup?.defaultGroup ?: false

diff --git a/...n/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/...n/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
@@ -143,7 +143,7 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
                 resourceType = resourceType,
                 resourceCode = resourceCode,
                 groupCode = resourceGroup.groupCode,
-                iamGroupId = resourceGroup.relationId.toInt()
+                iamGroupId = resourceGroup.relationId
             )
         }
     }
@@ -262,7 +262,7 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
                 projectCode = projectCode,
                 resourceType = AuthResourceType.PROJECT.value,
                 resourceCode = projectCode
-            ).associateBy { it.relationId.toInt() }
+            ).associateBy { it.relationId }
 
             // 查询项目下用户组列表
             val searchGroupDTO = SearchGroupDTO.builder().inherit(false).build()
@@ -304,16 +304,13 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
                         projectGroup.description != iamGroupInfo.description ||
                         projectGroup.iamTemplateId != templateId
                     ) {
-                        val toUpdateGroupRecord = authResourceGroupDao.convert(projectGroup)
-                        if (toUpdateGroupRecord != null) {
-                            toUpdateGroups.add(
-                                toUpdateGroupRecord.copy(
-                                    groupName = iamGroupInfo.name,
-                                    description = iamGroupInfo.description,
-                                    iamTemplateId = templateId
-                                )
+                        toUpdateGroups.add(
+                            projectGroup.copy(
+                                groupName = iamGroupInfo.name,
+                                description = iamGroupInfo.description,
+                                iamTemplateId = templateId
                             )
-                        }
+                        )
                     }
                 } else {
                     toAddGroups.add(
@@ -335,7 +332,7 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
             }
             dslContext.transaction { configuration ->
                 val transactionContext = DSL.using(configuration)
-                authResourceGroupDao.deleteByIds(transactionContext, toDeleteGroups.map { it.id })
+                authResourceGroupDao.deleteByIds(transactionContext, toDeleteGroups.map { it.id!! })
                 authResourceGroupDao.batchCreate(transactionContext, toAddGroups)
                 authResourceGroupDao.batchUpdate(transactionContext, toUpdateGroups)
             }

diff --git a/...in/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt b/...in/kotlin/com/tencent/devops/auth/provider/rbac/service/migrate/AbMigratePolicyService.kt
@@ -157,7 +157,7 @@ abstract class AbMigratePolicyService(
                 projectName = groupInfo.resourceName
             )
             authorizationScopeList.forEach { authorizationScope ->
-                v2ManagerService.grantRoleGroupV2(groupInfo.relationId.toInt(), authorizationScope)
+                v2ManagerService.grantRoleGroupV2(groupInfo.relationId, authorizationScope)
             }
         }
     }

diff --git a/...tlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceGroupService.kt b/...tlin/com/tencent/devops/auth/provider/rbac/service/migrate/MigrateResourceGroupService.kt
@@ -0,0 +1,103 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.provider.rbac.service.migrate
+
+import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
+import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
+import com.tencent.devops.auth.dao.AuthResourceGroupDao
+import com.tencent.devops.auth.provider.rbac.service.AuthResourceService
+import com.tencent.devops.common.api.util.PageUtil
+import com.tencent.devops.common.auth.api.AuthResourceType
+import org.jooq.DSLContext
+import org.slf4j.LoggerFactory
+import org.springframework.beans.factory.annotation.Autowired
+
+/**
+ * 将资源组迁移到权限中心
+ */
+@Suppress("LongParameterList", "MagicNumber")
+class MigrateResourceGroupService @Autowired constructor(
+    private val authResourceService: AuthResourceService,
+    private val dslContext: DSLContext,
+    private val authResourceGroupDao: AuthResourceGroupDao,
+    private val iamV2ManagerService: V2ManagerService
+) {
+    fun fixResourceGroups(projectCode: String) {
+        logger.info("start to fix resource groups,$projectCode ")
+        val recordsOfNeedToFix = authResourceGroupDao.listRecordsOfNeedToFix(
+            dslContext = dslContext,
+            projectCode = projectCode
+        )
+        logger.info("resource groups need to fix ,$projectCode|$recordsOfNeedToFix")
+        recordsOfNeedToFix.forEach { resourceGroupInfo ->
+            val resourceInfo = authResourceService.get(
+                projectCode = projectCode,
+                resourceType = resourceGroupInfo.resourceType,
+                resourceCode = resourceGroupInfo.resourceCode
+            )
+            val pageInfoDTO = V2PageInfoDTO()
+            pageInfoDTO.page = PageUtil.DEFAULT_PAGE
+            pageInfoDTO.pageSize = PageUtil.DEFAULT_PAGE_SIZE
+            val iamGroupInfo = if (resourceInfo.resourceType == AuthResourceType.PROJECT.value) {
+                val searchGroupDTO = SearchGroupDTO.builder()
+                    .inherit(false)
+                    .name(resourceGroupInfo.groupName)
+                    .build()
+                iamV2ManagerService.getGradeManagerRoleGroupV2(
+                    resourceInfo.relationId,
+                    searchGroupDTO,
+                    pageInfoDTO
+                )
+            } else {
+                iamV2ManagerService.getSubsetManagerRoleGroup(
+                    resourceInfo.relationId.toInt(),
+                    pageInfoDTO
+                )
+            }.results.firstOrNull { it.name == resourceGroupInfo.groupName }
+            logger.info("resource groups need to fix,iam group info $projectCode|$iamGroupInfo")
+            if (iamGroupInfo != null) {
+                authResourceGroupDao.update(
+                    dslContext = dslContext,
+                    projectCode = projectCode,
+                    resourceType = resourceGroupInfo.resourceType,
+                    resourceCode = resourceGroupInfo.resourceCode,
+                    resourceName = resourceInfo.resourceName,
+                    groupCode = resourceGroupInfo.groupCode,
+                    groupName = resourceGroupInfo.groupName,
+                    relationId = iamGroupInfo.id.toString()
+                )
+            }
+        }
+    }
+
+    companion object {
+        private val logger = LoggerFactory.getLogger(MigrateResourceGroupService::class.java)
+    }
+}
diff --git a/...lin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt b/...lin/com/tencent/devops/auth/provider/rbac/service/migrate/RbacPermissionMigrateService.kt
@@ -57,12 +57,12 @@ import com.tencent.devops.project.api.service.ServiceProjectResource
 import com.tencent.devops.project.api.service.ServiceProjectTagResource
 import com.tencent.devops.project.pojo.ProjectProperties
 import com.tencent.devops.project.pojo.ProjectVO
-import java.util.concurrent.CompletionException
-import java.util.concurrent.Executors
 import org.jooq.DSLContext
 import org.slf4j.LoggerFactory
 import org.slf4j.MDC
 import org.springframework.beans.factory.annotation.Value
+import java.util.concurrent.CompletionException
+import java.util.concurrent.Executors
 
 /**
  * rbac迁移服务
@@ -84,7 +84,8 @@ class RbacPermissionMigrateService constructor(
     private val authMonitorSpaceDao: AuthMonitorSpaceDao,
     private val cacheService: RbacCacheService,
     private val permissionResourceMemberService: PermissionResourceMemberService,
-    private val migrateResourceAuthorizationService: MigrateResourceAuthorizationService
+    private val migrateResourceAuthorizationService: MigrateResourceAuthorizationService,
+    private val migrateResourceGroupService: MigrateResourceGroupService
 ) : PermissionMigrateService {
 
     companion object {
@@ -207,7 +208,7 @@ class RbacPermissionMigrateService constructor(
         val resourceType = migrateResourceDTO.resourceType
         val isMigrateProjectResource = migrateResourceDTO.migrateProjectResource == true
         val isMigrateOtherResource = migrateResourceDTO.migrateOtherResource == true &&
-                resourceType != null
+            resourceType != null
         val projectInfoList = client.get(ServiceProjectResource::class).listByProjectCode(projectCodes.toSet())
             .data!!.filter {
                 val r = it.routerTag
@@ -685,4 +686,13 @@ class RbacPermissionMigrateService constructor(
     override fun migrateAllResourceAuthorization(): Boolean {
         return migrateResourceAuthorizationService.migrateAllResourceAuthorization()
     }
+
+    override fun fixResourceGroups(projectCodes: List<String>): Boolean {
+        projectCodes.forEach {
+            migrateResourceGroupService.fixResourceGroups(
+                projectCode = it
+            )
+        }
+        return true
+    }
 }
diff --git a/.../kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt b/.../kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionMigrateService.kt
@@ -98,4 +98,6 @@ class SamplePermissionMigrateService(
     override fun migrateAllResourceAuthorization(): Boolean {
         return migrateResourceAuthorizationService.migrateAllResourceAuthorization()
     }
+
+    override fun fixResourceGroups(projectCodes: List<String>): Boolean = true
 }
diff --git a/...h/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt b/...h/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthMigrateResourceImpl.kt
@@ -106,4 +106,8 @@ class OpAuthMigrateResourceImpl @Autowired constructor(
     override fun migrateAllResourceAuthorization(): Result<Boolean> {
         return Result(permissionMigrateService.migrateAllResourceAuthorization())
     }
+
+    override fun fixResourceGroups(projectCodes: List<String>): Result<Boolean> {
+        return Result(permissionMigrateService.fixResourceGroups(projectCodes))
+    }
 }
diff --git a/.../biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt b/.../biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionMigrateService.kt
@@ -111,4 +111,9 @@ interface PermissionMigrateService {
      * 全量迁移资源授权
      */
     fun migrateAllResourceAuthorization(): Boolean
+
+    /**
+     * 修复资源组数据，存在同步iam资源组数据，数据库 iam组id为NULL的情况，需要进行修复
+     */
+    fun fixResourceGroups(projectCodes: List<String>): Boolean
 }