From f44cb2f72183986b9a34b27373ab1dd45e3d53db Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 16:43:04 +0800 Subject: [PATCH 1/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../sync/OpAuthResourceGroupSyncResource.kt | 5 ++ .../auth/api/user/UserAuthResourceResource.kt | 3 + .../auth/pojo/enum/ApplyToGroupStatus.kt | 40 ++++++++++ .../auth/cron/AuthCronSyncGroupAndMember.kt | 21 +++++- .../auth/dao/AuthResourceGroupApplyDao.kt | 63 ++++++++++++++++ .../rbac/config/RbacAuthConfiguration.kt | 13 +++- .../service/RbacPermissionApplyService.kt | 9 ++- .../RbacPermissionResourceGroupSyncService.kt | 73 ++++++++++++++++++- ...amplePermissionResourceGroupSyncService.kt | 2 + .../OpAuthResourceGroupSyncResourceImpl.kt | 5 ++ .../resources/UserAuthResourceResourceImpl.kt | 3 +- .../iam/PermissionResourceGroupSyncService.kt | 5 ++ .../service/lock/SyncMemberForApplyLock.kt | 44 +++++++++++ support-files/sql/1001_ci_auth_ddl_mysql.sql | 14 ++++ 14 files changed, 292 insertions(+), 8 deletions(-) create mode 100644 src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt create mode 100644 src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt create mode 100644 src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt index 6563ef2ea96..a907ba8fb87 100644 
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/sync/OpAuthResourceGroupSyncResource.kt @@ -100,4 +100,9 @@ interface OpAuthResourceGroupSyncResource { @PathParam(value = "projectId") projectId: String ): Result + + @POST + @Path("/syncIamGroupMembersOfApply") + @Operation(summary = "同步iam组成员--用户申请加入") + fun syncIamGroupMembersOfApply(): Result } diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt index b9ade443a7d..aa0f259134d 100644 --- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceResource.kt @@ -106,6 +106,9 @@ interface UserAuthResourceResource { @Parameter(description = "资源ID") @PathParam("resourceCode") resourceCode: String, + @Parameter(description = "获取所有成员标识") + @QueryParam("allProjectMembersGroupFlag") + allProjectMembersGroupFlag: Boolean?, @Parameter(description = "第几页") @QueryParam("page") page: Int, diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt new file mode 100644 index 00000000000..e1aa282decd --- /dev/null +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/ApplyToGroupStatus.kt 
@@ -0,0 +1,40 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.pojo.enum
+
+enum class ApplyToGroupStatus(val value: Int) {
+ // 审批中
+ PENDING(0),
+
+ // 审批成功
+ SUCCEED(1),
+
+ // 审批超时
+ TIME_OUT(2);
+}
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt
index a58c07b74a0..c7734f9ee65 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/cron/AuthCronSyncGroupAndMember.kt @@ -24,7 +24,7 @@ class AuthCronSyncGroupAndMember( private val logger = LoggerFactory.getLogger(AuthCronSyncGroupAndMember::class.java) } - @Scheduled(cron = "0 0 22 * * ?") + @Scheduled(cron = "0 0 0 6 * ?") fun syncGroupAndMemberRegularly() { if (!enable) { return @@ -44,4 +44,23 @@ class AuthCronSyncGroupAndMember( logger.warn("sync group and member regularly |error", e) } } + + @Scheduled(cron = "0 0 8,16 * * ?") + fun syncIamGroupMembersOfApplyRegularly() { + if (!enable) { + return + } + try { + logger.info("sync members of apply regularly | start") + val lockSuccess = redisLock.tryLock() + if (lockSuccess) { + permissionResourceGroupSyncService.syncIamGroupMembersOfApply() + logger.info("sync members of apply regularly | finish") + } else { + logger.info("sync members of apply regularly | running") + } + } catch (e: Exception) { + logger.warn("sync members of apply regularly | error", e) + } + } } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt new file mode 100644 index 00000000000..fe0d6ba3388 --- /dev/null +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt 
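Review bot: The full group-and-member sync in `syncGroupAndMemberRegularly` moves from daily (`0 0 22 * * ?`) to once a month (`0 0 0 6 * ?`), and nothing in the hunk says why. The apply-driven job added below only follows applications recorded by this service, so membership removed or expired on the IAM side would presumably stay in the local tables for up to a month; if those tables feed permission checks or member listings, that is stale authorization data. I would either keep a shorter interval or state the trade-off next to the annotation, e.g. `// full sync is monthly; joins via application are picked up by syncIamGroupMembersOfApplyRegularly, removals only here`. The method body continues outside the hunk.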
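Review bot: In `syncIamGroupMembersOfApplyRegularly` the `redisLock.tryLock()` guard covers only the call that queues the work, because `syncIamGroupMembersOfApply()` hands its body to an executor and returns at once; `finish` is then logged before any record has been checked. No unlock is visible in the hunk and `redisLock` is declared outside it, so it looks as if this job shares the lock of the full sync and is skipped whenever that lock is still held, which is worth confirming. I would log `submitted` instead of `finish` and add a comment saying which lock instance this is and when it is released.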
@@ -0,0 +1,63 @@ +package com.tencent.devops.auth.dao + +import com.tencent.devops.auth.pojo.ApplyJoinGroupInfo +import com.tencent.devops.auth.pojo.enum.ApplyToGroupStatus +import com.tencent.devops.model.auth.tables.TAuthResourceGroupApply +import com.tencent.devops.model.auth.tables.records.TAuthResourceGroupApplyRecord +import org.jooq.DSLContext +import org.jooq.Result +import org.springframework.stereotype.Repository +import java.time.LocalDateTime + +@Repository +class AuthResourceGroupApplyDao { + fun list( + dslContext: DSLContext, + limit: Int, + offset: Int + ): Result { + return with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) { + dslContext.selectFrom(this) + .where(STATUS.eq(ApplyToGroupStatus.PENDING.value)) + .offset(offset) + .limit(limit) + .fetch() + } + } + + fun batchUpdate( + dslContext: DSLContext, + ids: List, + applyToGroupStatus: ApplyToGroupStatus + ) { + with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) { + dslContext.batch( + ids.map { id -> + dslContext.update(this) + .set(STATUS, applyToGroupStatus.value) + .set(NUMBER_OF_CHECKS, NUMBER_OF_CHECKS + 1) + .set(UPDATE_TIME, LocalDateTime.now()) + .where(ID.eq(id)) + } + ).execute() + } + } + + fun batchCreate( + dslContext: DSLContext, + applyJoinGroupInfo: ApplyJoinGroupInfo + ) { + with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) { + dslContext.batch( + applyJoinGroupInfo.groupIds.map { groupId -> + dslContext.insertInto(this) + .set(PROJECT_CODE, applyJoinGroupInfo.projectCode) + .set(MEMBER_ID, applyJoinGroupInfo.applicant) + .set(IAM_GROUP_ID, groupId) + .set(STATUS, ApplyToGroupStatus.PENDING.value) + .set(NUMBER_OF_CHECKS, 0) + } + ) + } + } +} diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt index aa5e79a6e84..f6dc9dd7779 100644 
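Review bot: `list` pages with `offset`/`limit` but has no `orderBy`, and its caller changes `STATUS` on the rows it has just read before asking for the next page. Rows that leave `PENDING` shrink the result set, so the next `offset` jumps over as many still-pending rows, and without an order the pages are not stable to begin with. Ordering by the key and paging on it avoids both: `.where(STATUS.eq(ApplyToGroupStatus.PENDING.value)).and(ID.gt(lastId)).orderBy(ID.asc()).limit(limit)`, with the caller passing the last `ID` it saw. Separately, `batchCreate` inserts one row per group without looking for an existing pending row, so a repeated application is tracked twice.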
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt @@ -44,6 +44,7 @@ import com.tencent.bk.sdk.iam.service.v2.impl.V2ManagerServiceImpl import com.tencent.bk.sdk.iam.service.v2.impl.V2PolicyServiceImpl import com.tencent.devops.auth.dao.AuthMigrationDao import com.tencent.devops.auth.dao.AuthMonitorSpaceDao +import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao import com.tencent.devops.auth.dao.AuthResourceGroupDao import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao @@ -305,7 +306,8 @@ class RbacAuthConfiguration { authResourceCodeConverter: AuthResourceCodeConverter, permissionService: PermissionService, itsmService: ItsmService, - deptService: DeptService + deptService: DeptService, + authResourceGroupApplyDao: AuthResourceGroupApplyDao ) = RbacPermissionApplyService( dslContext = dslContext, v2ManagerService = v2ManagerService, @@ -318,7 +320,8 @@ class RbacAuthConfiguration { authResourceCodeConverter = authResourceCodeConverter, permissionService = permissionService, itsmService = itsmService, - deptService = deptService + deptService = deptService, + authResourceGroupApplyDao = authResourceGroupApplyDao ) @Bean @@ -578,7 +581,8 @@ class RbacAuthConfiguration { authResourceGroupMemberDao: AuthResourceGroupMemberDao, rbacCacheService: RbacCacheService, redisOperation: RedisOperation, - authResourceSyncDao: AuthResourceSyncDao + authResourceSyncDao: AuthResourceSyncDao, + authResourceGroupApplyDao: AuthResourceGroupApplyDao ) = RbacPermissionResourceGroupSyncService( client = client, dslContext = dslContext, 
@@ -588,6 +592,7 @@ class RbacAuthConfiguration { authResourceGroupMemberDao = authResourceGroupMemberDao, rbacCacheService = rbacCacheService, redisOperation = redisOperation, - authResourceSyncDao = authResourceSyncDao + authResourceSyncDao = authResourceSyncDao, + authResourceGroupApplyDao = authResourceGroupApplyDao ) } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt index 7897c7b490c..7e670bf6409 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionApplyService.kt @@ -11,6 +11,7 @@ import com.tencent.devops.auth.constant.AuthI18nConstants import com.tencent.devops.auth.constant.AuthI18nConstants.ACTION_NAME_SUFFIX import com.tencent.devops.auth.constant.AuthI18nConstants.AUTH_RESOURCE_GROUP_CONFIG_GROUP_NAME_SUFFIX import com.tencent.devops.auth.constant.AuthMessageCode +import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao import com.tencent.devops.auth.dao.AuthResourceGroupConfigDao import com.tencent.devops.auth.dao.AuthResourceGroupDao import com.tencent.devops.auth.pojo.ApplyJoinGroupFormDataInfo @@ -64,7 +65,8 @@ class RbacPermissionApplyService @Autowired constructor( val authResourceCodeConverter: AuthResourceCodeConverter, val permissionService: PermissionService, val itsmService: ItsmService, - val deptService: DeptService + val deptService: DeptService, + val authResourceGroupApplyDao: AuthResourceGroupApplyDao ) : PermissionApplyService { @Value("\${auth.iamSystem:}") private val systemId = "" 
@@ -348,6 +350,11 @@ class RbacPermissionApplyService @Autowired constructor( .reason(applyJoinGroupInfo.reason).build() logger.info("apply to join group: iamApplicationDTO=$iamApplicationDTO") v2ManagerService.createRoleGroupApplicationV2(iamApplicationDTO) + // 记录单据,用于同步用户组 + authResourceGroupApplyDao.batchCreate( + dslContext = dslContext, + applyJoinGroupInfo = applyJoinGroupInfo + ) } catch (e: Exception) { throw ErrorCodeException( errorCode = AuthMessageCode.APPLY_TO_JOIN_GROUP_FAIL, diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index 9d88a0d9972..8238a90620b 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt 
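Review bot: `authResourceGroupApplyDao.batchCreate(...)` sits inside the same `try` as `createRoleGroupApplicationV2`, so a database error after the IAM application has been created is reported to the user as `APPLY_TO_JOIN_GROUP_FAIL`. The user will likely apply again and IAM ends up with duplicate tickets for the same groups. The bookkeeping write could get its own `try`/`catch` that logs and lets the request succeed; the cost is that an unrecorded ticket is only reconciled by the full sync. The enclosing function starts and ends outside the hunk.

```kotlin
v2ManagerService.createRoleGroupApplicationV2(iamApplicationDTO)
// The IAM application already exists at this point; a failure to record the
// ticket must not be reported to the caller as a failed application.
try {
    authResourceGroupApplyDao.batchCreate(
        dslContext = dslContext,
        applyJoinGroupInfo = applyJoinGroupInfo
    )
} catch (e: Exception) {
    logger.warn(
        "record apply ticket failed|${applyJoinGroupInfo.projectCode}|${applyJoinGroupInfo.applicant}",
        e
    )
}
// … unchanged: outer catch that maps IAM failures to APPLY_TO_JOIN_GROUP_FAIL …
```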
@@ -32,14 +32,17 @@ import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO import com.tencent.bk.sdk.iam.exception.IamException import com.tencent.bk.sdk.iam.service.v2.V2ManagerService +import com.tencent.devops.auth.dao.AuthResourceGroupApplyDao import com.tencent.devops.auth.dao.AuthResourceGroupDao import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao import com.tencent.devops.auth.dao.AuthResourceSyncDao import com.tencent.devops.auth.pojo.AuthResourceGroup import com.tencent.devops.auth.pojo.AuthResourceGroupMember +import com.tencent.devops.auth.pojo.enum.ApplyToGroupStatus import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService import com.tencent.devops.auth.service.lock.SyncGroupAndMemberLock +import com.tencent.devops.auth.service.lock.SyncMemberForApplyLock import com.tencent.devops.common.api.exception.ErrorCodeException import com.tencent.devops.common.api.util.DateTimeUtil import com.tencent.devops.common.api.util.PageUtil 
@@ -69,13 +72,15 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( private val authResourceGroupMemberDao: AuthResourceGroupMemberDao, private val rbacCacheService: RbacCacheService, private val redisOperation: RedisOperation, - private val authResourceSyncDao: AuthResourceSyncDao + private val authResourceSyncDao: AuthResourceSyncDao, + private val authResourceGroupApplyDao: AuthResourceGroupApplyDao ) : PermissionResourceGroupSyncService { companion object { private val logger = LoggerFactory.getLogger(RbacPermissionResourceGroupSyncService::class.java) private val syncExecutorService = Executors.newFixedThreadPool(5) private val syncProjectsExecutorService = Executors.newFixedThreadPool(10) private val syncResourceMemberExecutorService = Executors.newFixedThreadPool(50) + private const val MAX_NUMBER_OF_CHECKS = 3 } override fun syncByCondition(projectConditionDTO: ProjectConditionDTO) { 
@@ -164,6 +169,72 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( ) } + override fun syncIamGroupMembersOfApply() { + val traceId = MDC.get(TraceTag.BIZID) + syncExecutorService.submit { + MDC.put(TraceTag.BIZID, traceId) + SyncMemberForApplyLock(redisOperation).use { lock -> + if (!lock.tryLock()) { + logger.info("sync members of apply | running") + return@use + } + val limit = 100 + var offset = 0 + val startEpoch = System.currentTimeMillis() + do { + logger.info("sync members of apply | start") + val records = authResourceGroupApplyDao.list( + dslContext = dslContext, + limit = limit, + offset = offset + ) + val recordIdsOfTimeOut = records.filter { it.numberOfChecks > MAX_NUMBER_OF_CHECKS }.map { it.id } + val (recordsOfSuccess, recordsOfPending) = records.filterNot { recordIdsOfTimeOut.contains(it.id) }.partition { + try { + val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember( + it.memberId, + it.iamGroupId.toString() + )[it.iamGroupId]?.belong == true + isMemberJoinedToGroup + } catch (ignore: Exception) { + logger.warn("verify group valid member failed,${it.memberId}|${it.iamGroupId}", ignore) + false + } + } + recordsOfSuccess.forEach { + syncIamGroupMember( + projectCode = it.projectCode, + iamGroupId = it.iamGroupId + ) + } + if (recordIdsOfTimeOut.isNotEmpty()) { + authResourceGroupApplyDao.batchUpdate( + dslContext = dslContext, + ids = recordIdsOfTimeOut, + applyToGroupStatus = ApplyToGroupStatus.TIME_OUT + ) + } + if (recordsOfSuccess.isNotEmpty()) { + authResourceGroupApplyDao.batchUpdate( + dslContext = dslContext, + ids = recordsOfSuccess.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.SUCCEED + ) + } + if (recordsOfPending.isNotEmpty()) { + authResourceGroupApplyDao.batchUpdate( + dslContext = dslContext, + ids = recordsOfPending.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.PENDING + ) + } + offset += limit + } while (records.size == limit) + logger.info("It 
take(${System.currentTimeMillis() - startEpoch})ms to sync members of apply") + } + } + } + override fun syncGroupAndMember(projectCode: String) { val traceId = MDC.get(TraceTag.BIZID) syncProjectsExecutorService.submit { diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt index 1dafe76f592..eceb19c8a3c 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceGroupSyncService.kt @@ -49,5 +49,7 @@ class SamplePermissionResourceGroupSyncService : PermissionResourceGroupSyncServ override fun syncIamGroupMember(projectCode: String, iamGroupId: Int) = Unit + override fun syncIamGroupMembersOfApply() = Unit + override fun fixResourceGroupMember(projectCode: String) = Unit } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt index 55f652d09ba..40cccbbb9ba 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/OpAuthResourceGroupSyncResourceImpl.kt 
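Review bot: The block passed to `syncExecutorService.submit` in `syncIamGroupMembersOfApply` has no `try`/`catch` around the paging loop, so an exception from `authResourceGroupApplyDao` or `syncIamGroupMember` ends up in a `Future` nobody reads and the run stops without a log line. For a job that reconciles group membership a silent stop is hard to notice; wrapping the loop as `try { … } catch (e: Exception) { logger.warn("sync members of apply | error", e) }` keeps it visible. The inner `catch` around `verifyGroupValidMember` also files an IAM error as still pending, and `batchUpdate` then adds one to `NUMBER_OF_CHECKS`, so an IAM outage uses up the retry budget toward `TIME_OUT`; those records could be left untouched instead. The value set with `MDC.put` is never removed on the pooled thread.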
@@ -72,4 +72,9 @@ class OpAuthResourceGroupSyncResourceImpl @Autowired constructor( permissionResourceGroupSyncService.fixResourceGroupMember(projectId) return Result(true) } + + override fun syncIamGroupMembersOfApply(): Result { + permissionResourceGroupSyncService.syncIamGroupMembersOfApply() + return Result(true) + } } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt index c99eada828e..5ee46656fe5 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthResourceResourceImpl.kt @@ -84,6 +84,7 @@ class UserAuthResourceResourceImpl @Autowired constructor( projectId: String, resourceType: String, resourceCode: String, + allProjectMembersGroupFlag: Boolean?, page: Int, pageSize: Int ): Result> { @@ -94,7 +95,7 @@ class UserAuthResourceResourceImpl @Autowired constructor( projectId = projectId, resourceType = resourceType, resourceCode = resourceCode, - getAllProjectMembersGroup = true, + getAllProjectMembersGroup = allProjectMembersGroupFlag ?: true, page = page, pageSize = pageSize ) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupSyncService.kt index 34013381960..c9e5f5c8157 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceGroupSyncService.kt 
@@ -74,6 +74,11 @@ interface PermissionResourceGroupSyncService { */ fun syncIamGroupMember(projectCode: String, iamGroupId: Int) + /** + * 同步iam组成员--用户申请加入 + */ + fun syncIamGroupMembersOfApply() + /** * 防止出现用户组表的数据已经删了,但是用户组成员表的数据未删除,导致出现不同步,调用iam接口报错问题。 */ diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt new file mode 100644 index 00000000000..4fd30354d38 --- /dev/null +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt 
@@ -0,0 +1,44 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ */
+
+package com.tencent.devops.auth.service.lock
+
+import com.tencent.devops.common.redis.RedisLock
+import com.tencent.devops.common.redis.RedisOperation
+
+class SyncMemberForApplyLock(redisOperation: RedisOperation) :
+ RedisLock(
+ redisOperation = redisOperation,
+ lockKey = "sync.member.apply.lock",
+ // 12小时,防止服务重启,锁未释放
+ expiredTimeInSeconds = 43200
+ ) {
+ override fun decorateKey(key: String): String {
+ // buildId,key无需加上集群信息前缀来区分
+ return key
+ }
+}
diff --git a/support-files/sql/1001_ci_auth_ddl_mysql.sql b/support-files/sql/1001_ci_auth_ddl_mysql.sql index 9d591fbbfa1..83f1a550c0b 100644 --- a/support-files/sql/1001_ci_auth_ddl_mysql.sql +++ b/support-files/sql/1001_ci_auth_ddl_mysql.sql @@ -405,4 +405,18 @@ CREATE TABLE IF NOT EXISTS `T_AUTH_RESOURCE_SYNC` PRIMARY KEY (`PROJECT_CODE`) ) ENGINE = InnoDB DEFAULT CHARSET = utf8mb4 COMMENT ='同步IAM资源'; +CREATE TABLE IF NOT EXISTS `T_AUTH_RESOURCE_GROUP_APPLY` +( + `ID` bigint auto_increment comment '主键ID', + `PROJECT_CODE` varchar(64) not null comment '项目ID', + `MEMBER_ID` varchar(64) not null comment '成员ID', + `IAM_GROUP_ID` int(20) not null comment 'IAM组ID', + `STATUS` int(2) default 0 null comment '状态, 0-审批中,1-审批成功,2-审批超时', + `NUMBER_OF_CHECKS` int(10) default 0 null comment '检查次数,用于同步组数据', + `CREATE_TIME` datetime default CURRENT_TIMESTAMP not null comment '创建时间', + `UPDATE_TIME` datetime default CURRENT_TIMESTAMP not null comment '更新时间', + PRIMARY KEY (`ID`), + INDEX `IDX_STATUS` (`STATUS`) +) ENGINE = InnoDB DEFAULT CHARSET = utf8mb4 COMMENT ='用户组申请记录表'; + SET FOREIGN_KEY_CHECKS = 1; From 716e160d28e52ce3f0e0557828b7282ded2c117b Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 16:55:22 +0800 Subject: [PATCH 2/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt index fe0d6ba3388..10d0ab5360d 100644 
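Review bot: `STATUS` and `NUMBER_OF_CHECKS` in `T_AUTH_RESOURCE_GROUP_APPLY` are declared `default 0 null`, so a row written by anything other than the DAO can hold NULL; `STATUS = 0` would then never select it, and the sync code's comparison on `numberOfChecks` would see a null. Declaring both `not null default 0` closes that. There is also no key over `PROJECT_CODE`, `MEMBER_ID`, `IAM_GROUP_ID`, so repeated applications for the same group accumulate as separate pending rows, and nothing visible here removes rows once they reach the success or timeout status.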
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt @@ -57,7 +57,7 @@ class AuthResourceGroupApplyDao { .set(STATUS, ApplyToGroupStatus.PENDING.value) .set(NUMBER_OF_CHECKS, 0) } - ) + ).execute() } } } From 7f0ed86910714bb1d2218822d10d25ed3eafec83 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:13:56 +0800 Subject: [PATCH 3/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../rbac/service/RbacPermissionResourceGroupSyncService.kt | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index 8238a90620b..32e69b95f39 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt @@ -80,7 +80,7 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( private val syncExecutorService = Executors.newFixedThreadPool(5) private val syncProjectsExecutorService = Executors.newFixedThreadPool(10) private val syncResourceMemberExecutorService = Executors.newFixedThreadPool(50) - private const val MAX_NUMBER_OF_CHECKS = 3 + private const val MAX_NUMBER_OF_CHECKS = 120 } override fun syncByCondition(projectConditionDTO: ProjectConditionDTO) { 
@@ -188,7 +188,7 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( limit = limit, offset = offset ) - val recordIdsOfTimeOut = records.filter { it.numberOfChecks > MAX_NUMBER_OF_CHECKS }.map { it.id } + val recordIdsOfTimeOut = records.filter { it.numberOfChecks >= MAX_NUMBER_OF_CHECKS }.map { it.id } val (recordsOfSuccess, recordsOfPending) = records.filterNot { recordIdsOfTimeOut.contains(it.id) }.partition { try { val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember( From 5019ea6948a61fbd2016f039c37c6b70060231e9 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:25:27 +0800 Subject: [PATCH 4/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../RbacPermissionResourceGroupSyncService.kt | 24 +++++++++---------- 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index 32e69b95f39..45835d3eb7d 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt @@ -201,12 +201,6 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( false } } - recordsOfSuccess.forEach { - syncIamGroupMember( - projectCode = it.projectCode, - iamGroupId = it.iamGroupId - ) - } if (recordIdsOfTimeOut.isNotEmpty()) { authResourceGroupApplyDao.batchUpdate( dslContext = dslContext, 
@@ -214,18 +208,24 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( applyToGroupStatus = ApplyToGroupStatus.TIME_OUT ) } - if (recordsOfSuccess.isNotEmpty()) { + if (recordsOfPending.isNotEmpty()) { authResourceGroupApplyDao.batchUpdate( dslContext = dslContext, - ids = recordsOfSuccess.map { it.id }, - applyToGroupStatus = ApplyToGroupStatus.SUCCEED + ids = recordsOfPending.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.PENDING ) } - if (recordsOfPending.isNotEmpty()) { + if (recordsOfSuccess.isNotEmpty()) { + recordsOfSuccess.forEach { + syncIamGroupMember( + projectCode = it.projectCode, + iamGroupId = it.iamGroupId + ) + } authResourceGroupApplyDao.batchUpdate( dslContext = dslContext, - ids = recordsOfPending.map { it.id }, - applyToGroupStatus = ApplyToGroupStatus.PENDING + ids = recordsOfSuccess.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.SUCCEED ) } offset += limit From 454fc82961588ccc62a97def8d9a391cc92a3302 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:28:54 +0800 Subject: [PATCH 5/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../RbacPermissionResourceGroupSyncService.kt | 6 --- .../service/lock/SyncMemberForApplyLock.kt | 44 ------------------- 2 files changed, 50 deletions(-) delete mode 100644 src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index 45835d3eb7d..a2015ea3035 100644 
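Review bot: The `recordsOfSuccess.forEach { syncIamGroupMember(...) }` loop now sits directly in front of the `SUCCEED` update with nothing catching a failure. If `syncIamGroupMember` can throw (its body is not visible here), one bad record skips the status update for the whole page and ends the `do … while` loop. Because the work runs inside `syncExecutorService.submit { … }`, the exception would be held in the unread Future and never logged. Handling each record on its own and marking only the rows that really synced keeps one failing group from blocking the others, matching how the membership check above already logs and continues. The enclosing function starts and ends outside this hunk.

```kotlin
// … unchanged: TIME_OUT and PENDING batch updates …
if (recordsOfSuccess.isNotEmpty()) {
    val syncedIds = recordsOfSuccess.filter {
        try {
            syncIamGroupMember(
                projectCode = it.projectCode,
                iamGroupId = it.iamGroupId
            )
            true
        } catch (ignore: Exception) {
            logger.warn("sync iam group member failed,${it.projectCode}|${it.iamGroupId}", ignore)
            false
        }
    }.map { it.id }
    if (syncedIds.isNotEmpty()) {
        authResourceGroupApplyDao.batchUpdate(
            dslContext = dslContext,
            ids = syncedIds,
            applyToGroupStatus = ApplyToGroupStatus.SUCCEED
        )
    }
}
```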
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt @@ -173,11 +173,6 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( val traceId = MDC.get(TraceTag.BIZID) syncExecutorService.submit { MDC.put(TraceTag.BIZID, traceId) - SyncMemberForApplyLock(redisOperation).use { lock -> - if (!lock.tryLock()) { - logger.info("sync members of apply | running") - return@use - } val limit = 100 var offset = 0 val startEpoch = System.currentTimeMillis() @@ -231,7 +226,6 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( offset += limit } while (records.size == limit) logger.info("It take(${System.currentTimeMillis() - startEpoch})ms to sync members of apply") - } } } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt deleted file mode 100644 index 4fd30354d38..00000000000 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/lock/SyncMemberForApplyLock.kt +++ /dev/null 
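Review bot: Removing the `SyncMemberForApplyLock(redisOperation).use { … }` guard in the `@@ -173,11 +173,6 @@` hunk (closed in `@@ -231,7 +226,6 @@`) lets several runs of this job work on the same PENDING rows at once. The job is submitted to `syncExecutorService`, a fixed pool of five threads, and an OP endpoint `syncIamGroupMembersOfApply` can presumably trigger it alongside the scheduled run. Overlapping runs would repeat `syncIamGroupMember` for the same group. If the PENDING `batchUpdate` increments `NUMBER_OF_CHECKS` (not visible here), they would also push an application toward `TIME_OUT` faster than one check per run. If the lock was dropped because its 12-hour expiry could block the job after a restart, a shorter `expiredTimeInSeconds` keeps the mutual exclusion without that risk. Otherwise the status updates should be made safe against concurrent writers, for example by updating only rows still in `PENDING`.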
@@ -1,44 +0,0 @@ -/* - * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. - * - * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. - * - * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. - * - * A copy of the MIT License is included in this file. - * - * - * Terms of the MIT License: - * --------------------------------------------------- - * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated - * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the - * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to - * permit persons to whom the Software is furnished to do so, subject to the following conditions: - * - * The above copyright notice and this permission notice shall be included in all copies or substantial portions of - * the Software. - * - * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT - * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN - * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, - * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE - * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. - */ - -package com.tencent.devops.auth.service.lock - -import com.tencent.devops.common.redis.RedisLock -import com.tencent.devops.common.redis.RedisOperation - -class SyncMemberForApplyLock(redisOperation: RedisOperation) : - RedisLock( - redisOperation = redisOperation, - lockKey = "sync.member.apply.lock", - // 12小时,防止服务重启,锁未释放 - expiredTimeInSeconds = 43200 - ) { - override fun decorateKey(key: String): String { - // buildId,key无需加上集群信息前缀来区分 - return key - } -} 
From b75b9f2305642b4735377fa5f94a479c5339f272 Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:30:02 +0800 Subject: [PATCH 6/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../RbacPermissionResourceGroupSyncService.kt | 99 +++++++++---------- 1 file changed, 49 insertions(+), 50 deletions(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index a2015ea3035..8a231b39bab 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt @@ -42,7 +42,6 @@ import com.tencent.devops.auth.pojo.enum.ApplyToGroupStatus import com.tencent.devops.auth.pojo.enum.AuthMigrateStatus import com.tencent.devops.auth.service.iam.PermissionResourceGroupSyncService import com.tencent.devops.auth.service.lock.SyncGroupAndMemberLock -import com.tencent.devops.auth.service.lock.SyncMemberForApplyLock import com.tencent.devops.common.api.exception.ErrorCodeException import com.tencent.devops.common.api.util.DateTimeUtil import com.tencent.devops.common.api.util.PageUtil 
@@ -173,59 +172,59 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( val traceId = MDC.get(TraceTag.BIZID) syncExecutorService.submit { MDC.put(TraceTag.BIZID, traceId) - val limit = 100 - var offset = 0 - val startEpoch = System.currentTimeMillis() - do { - logger.info("sync members of apply | start") - val records = authResourceGroupApplyDao.list( + val limit = 100 + var offset = 0 + val startEpoch = System.currentTimeMillis() + do { + logger.info("sync members of apply | start") + val records = authResourceGroupApplyDao.list( + dslContext = dslContext, + limit = limit, + offset = offset + ) + val recordIdsOfTimeOut = records.filter { it.numberOfChecks >= MAX_NUMBER_OF_CHECKS }.map { it.id } + val (recordsOfSuccess, recordsOfPending) = records.filterNot { recordIdsOfTimeOut.contains(it.id) }.partition { + try { + val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember( + it.memberId, + it.iamGroupId.toString() + )[it.iamGroupId]?.belong == true + isMemberJoinedToGroup + } catch (ignore: Exception) { + logger.warn("verify group valid member failed,${it.memberId}|${it.iamGroupId}", ignore) + false + } + } + if (recordIdsOfTimeOut.isNotEmpty()) { + authResourceGroupApplyDao.batchUpdate( dslContext = dslContext, - limit = limit, - offset = offset + ids = recordIdsOfTimeOut, + applyToGroupStatus = ApplyToGroupStatus.TIME_OUT ) - val recordIdsOfTimeOut = records.filter { it.numberOfChecks >= MAX_NUMBER_OF_CHECKS }.map { it.id } - val (recordsOfSuccess, recordsOfPending) = records.filterNot { recordIdsOfTimeOut.contains(it.id) }.partition { - try { - val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember( - it.memberId, - it.iamGroupId.toString() - )[it.iamGroupId]?.belong == true - isMemberJoinedToGroup - } catch (ignore: Exception) { - logger.warn("verify group valid member failed,${it.memberId}|${it.iamGroupId}", ignore) - false - } - } - if (recordIdsOfTimeOut.isNotEmpty()) { - 
authResourceGroupApplyDao.batchUpdate( - dslContext = dslContext, - ids = recordIdsOfTimeOut, - applyToGroupStatus = ApplyToGroupStatus.TIME_OUT - ) - } - if (recordsOfPending.isNotEmpty()) { - authResourceGroupApplyDao.batchUpdate( - dslContext = dslContext, - ids = recordsOfPending.map { it.id }, - applyToGroupStatus = ApplyToGroupStatus.PENDING - ) - } - if (recordsOfSuccess.isNotEmpty()) { - recordsOfSuccess.forEach { - syncIamGroupMember( - projectCode = it.projectCode, - iamGroupId = it.iamGroupId - ) - } - authResourceGroupApplyDao.batchUpdate( - dslContext = dslContext, - ids = recordsOfSuccess.map { it.id }, - applyToGroupStatus = ApplyToGroupStatus.SUCCEED + } + if (recordsOfPending.isNotEmpty()) { + authResourceGroupApplyDao.batchUpdate( + dslContext = dslContext, + ids = recordsOfPending.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.PENDING + ) + } + if (recordsOfSuccess.isNotEmpty()) { + recordsOfSuccess.forEach { + syncIamGroupMember( + projectCode = it.projectCode, + iamGroupId = it.iamGroupId ) } - offset += limit - } while (records.size == limit) - logger.info("It take(${System.currentTimeMillis() - startEpoch})ms to sync members of apply") + authResourceGroupApplyDao.batchUpdate( + dslContext = dslContext, + ids = recordsOfSuccess.map { it.id }, + applyToGroupStatus = ApplyToGroupStatus.SUCCEED + ) + } + offset += limit + } while (records.size == limit) + logger.info("It take(${System.currentTimeMillis() - startEpoch})ms to sync members of apply") } } From 9cb2bd0ed279e9f94f375345a590e399de8e2dba Mon Sep 17 00:00:00 2001 
From: greysonfang Date: Tue, 20 Aug 2024 17:34:13 +0800 Subject: [PATCH 7/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt | 1 + 1 file changed, 1 insertion(+) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt index 10d0ab5360d..61341fdc78b 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt @@ -19,6 +19,7 @@ class AuthResourceGroupApplyDao { return with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) { dslContext.selectFrom(this) .where(STATUS.eq(ApplyToGroupStatus.PENDING.value)) + .orderBy(CREATE_TIME.desc()) .offset(offset) .limit(limit) .fetch() From e0e3f63309e03a1c6a6e1f3db6e28621cd1ab95f Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:35:05 +0800 Subject: [PATCH 8/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt index 61341fdc78b..82fd8c51918 100644 
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/dao/AuthResourceGroupApplyDao.kt @@ -19,7 +19,7 @@ class AuthResourceGroupApplyDao { return with(TAuthResourceGroupApply.T_AUTH_RESOURCE_GROUP_APPLY) { dslContext.selectFrom(this) .where(STATUS.eq(ApplyToGroupStatus.PENDING.value)) - .orderBy(CREATE_TIME.desc()) + .orderBy(CREATE_TIME.asc()) .offset(offset) .limit(limit) .fetch() From e01dbaca2e9c0ab627c1b58020595ac7cf1f4ddd Mon Sep 17 00:00:00 2001 From: greysonfang Date: Tue, 20 Aug 2024 17:46:47 +0800 Subject: [PATCH 9/9] =?UTF-8?q?feat=EF=BC=9A=E6=94=AF=E6=8C=81=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E6=9F=A5=E7=9C=8B=E9=A1=B9=E7=9B=AE=E6=88=90?= =?UTF-8?q?=E5=91=98=20#9620?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../rbac/service/RbacPermissionResourceGroupSyncService.kt | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index 8a231b39bab..7c82422b684 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt 
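Review bot: Ordering by `CREATE_TIME.asc()` alone does not give `offset`/`limit` a stable page boundary, because rows created in the same instant can swap places between queries. A tie-breaker such as `.orderBy(CREATE_TIME.asc(), ID.asc())` fixes that, assuming the table exposes the `ID` column that the service reads as `it.id`. Separately, the query filters on `STATUS = PENDING` while the caller in this series moves rows to `SUCCEED` or `TIME_OUT` and then does `offset += limit`. The remaining PENDING rows slide forward, so the next page skips some of them until a later run. Paging by the last seen id instead of a growing offset avoids the skip. The `list` function starts outside this hunk, so its full signature is not visible here.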
@@ -183,7 +183,9 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( offset = offset ) val recordIdsOfTimeOut = records.filter { it.numberOfChecks >= MAX_NUMBER_OF_CHECKS }.map { it.id } - val (recordsOfSuccess, recordsOfPending) = records.filterNot { recordIdsOfTimeOut.contains(it.id) }.partition { + val (recordsOfSuccess, recordsOfPending) = records.filterNot { + recordIdsOfTimeOut.contains(it.id) + }.partition { try { val isMemberJoinedToGroup = iamV2ManagerService.verifyGroupValidMember( it.memberId,