This is an automated email from the ASF dual-hosted git repository.
littlecui pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/servicecomb-service-center.git
The following commit(s) were added to refs/heads/master by this push:
new 1885b50c Change: add old role migrate function, old role has config
permission default (#1355)
1885b50c is described below
commit 1885b50c6f5d347fa2fbc8cf5cc8014ba90b46ac
Author: kkf1 <[email protected]>
AuthorDate: Wed Nov 9 21:25:20 2022 +0800
Change: add old role migrate function, old role has config permission
default (#1355)
* Change: sc gov-resource pass-through Authorization to kie
* Change: sc gov-resource pass-through Authorization to kie
---
datasource/etcd/role.go | 39 ++++++++++++++++++++++++
datasource/etcd/role_test.go | 61 +++++++++++++++++++++++++++++++++++--
datasource/mongo/role.go | 4 +++
datasource/rbac/role.go | 1 +
server/service/rbac/permission.go | 2 +-
server/service/rbac/rbac.go | 1 +
server/service/rbac/resource.go | 1 +
server/service/rbac/role_service.go | 21 +++++++++++++
8 files changed, 126 insertions(+), 4 deletions(-)
diff --git a/datasource/etcd/role.go b/datasource/etcd/role.go
index d58d60c0..ec2233cb 100644
--- a/datasource/etcd/role.go
+++ b/datasource/etcd/role.go
@@ -20,6 +20,7 @@ package etcd
import (
"context"
"encoding/json"
+ "fmt"
"strconv"
"time"
@@ -32,6 +33,17 @@ import (
"github.com/apache/servicecomb-service-center/datasource/rbac"
"github.com/apache/servicecomb-service-center/pkg/log"
"github.com/apache/servicecomb-service-center/pkg/util"
+ rbacsvc
"github.com/apache/servicecomb-service-center/server/service/rbac"
+)
+
+const isMigrated = "/cse-sr/role-migrated"
+
+var (
+ resources = crbac.BuildResourceList(rbacsvc.ResourceConfig)
+ configPerms = &crbac.Permission{
+ Resources: resources,
+ Verbs: []string{"*"},
+ }
)
func (rm *RbacDAO) CreateRole(ctx context.Context, r *crbac.Role) error {
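Review bot: The new `rbacsvc` import makes the etcd datasource package depend on the service layer only to read the string constant `ResourceConfig`. That inverts the usual datasource/service layering and may risk an import cycle later; keeping the resource name in a package both layers already share would avoid it. `configPerms` is also a single `*crbac.Permission` appended to every role, so all migrated roles alias the same object in memory. A comment would make the breadth of the grant explicit: `// configPerms grants every verb on config resources; MigrateOldRoles appends it to each pre-existing role`.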
@@ -156,3 +168,30 @@ func (rm *RbacDAO) UpdateRole(ctx context.Context, name
string, role *crbac.Role
opts = append(opts, syncOpts...)
return etcdadpt.Txn(ctx, opts)
}
+func (rm *RbacDAO) MigrateOldRoles(ctx context.Context) error {
+ exist, err := etcdadpt.Exist(ctx, isMigrated)
+ if err != nil {
+ return err
+ }
+ if exist {
+ return nil
+ }
+ rs, _, err := rbac.Instance().ListRole(ctx)
+ if err != nil {
+ return err
+ }
+ for _, role := range rs {
+ role.Perms = append(role.Perms, configPerms)
+ err = rbac.Instance().UpdateRole(ctx, role.Name, role)
+ if err != nil {
+ log.Error(fmt.Sprintf("edit role [%s] info faied",
role.Name), err)
+ return err
+ }
+ }
+ err = etcdadpt.Put(ctx, isMigrated, "true")
+ if err != nil {
+ log.Error("can not save migrated flag", err)
+ return err
+ }
+ return nil
+}
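Review bot: MigrateOldRoles is not idempotent when it fails part-way. If `UpdateRole` fails on a later role, the earlier roles are already stored with `configPerms` and the `isMigrated` flag is never written, so the next start appends a second config permission to them. The same happens if the flag key is ever lost, and in that case roles created after the migration without config access would silently gain `*` on config. Skipping roles that already hold a config resource, as sketched below, makes a re-run safe. The log string `"edit role [%s] info faied"` should read "failed".

```go
	for _, role := range rs {
		// Skip roles that already carry a config permission so a retry after
		// a partial failure (or a lost flag) does not grant it a second time.
		hasConfig := false
		for _, p := range role.Perms {
			if p == nil {
				continue
			}
			for _, res := range p.Resources {
				if res.Type == rbacsvc.ResourceConfig {
					hasConfig = true
				}
			}
		}
		if hasConfig {
			continue
		}
		role.Perms = append(role.Perms, configPerms)
		// … unchanged: UpdateRole call and error handling …
	}
	// … unchanged: write the isMigrated flag …
```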
diff --git a/datasource/etcd/role_test.go b/datasource/etcd/role_test.go
index 24f8e2d6..a5848957 100644
--- a/datasource/etcd/role_test.go
+++ b/datasource/etcd/role_test.go
@@ -22,9 +22,6 @@ import (
"strconv"
"testing"
- crbac "github.com/go-chassis/cari/rbac"
- "github.com/stretchr/testify/assert"
-
"github.com/apache/servicecomb-service-center/datasource"
"github.com/apache/servicecomb-service-center/datasource/rbac"
"github.com/apache/servicecomb-service-center/eventbase/model"
@@ -32,6 +29,9 @@ import (
"github.com/apache/servicecomb-service-center/eventbase/service/tombstone"
"github.com/apache/servicecomb-service-center/pkg/util"
_ "github.com/apache/servicecomb-service-center/test"
+ crbac "github.com/go-chassis/cari/rbac"
+ "github.com/little-cui/etcdadpt"
+ "github.com/stretchr/testify/assert"
)
func roleContext() context.Context {
@@ -126,4 +126,59 @@ func TestSyncRole(t *testing.T) {
})
})
+
+ t.Run("migrate old role", func(t *testing.T) {
+ t.Run("create two roles, then migrate them, and migrate again,
should paas test", func(t *testing.T) {
+ ctx := context.Background()
+ r4 := crbac.Role{
+ ID: "migrate-44444",
+ Name: "migrate-role-44444",
+ Perms: nil,
+ }
+ r5 := crbac.Role{
+ ID: "migrate-55555",
+ Name: "migrate-role-55555",
+ Perms: nil,
+ }
+
+ err := rbac.Instance().CreateRole(ctx, &r4)
+ assert.NoError(t, err)
+ err = rbac.Instance().CreateRole(ctx, &r5)
+ assert.NoError(t, err)
+ r, err := rbac.Instance().GetRole(ctx,
"migrate-role-44444")
+ assert.NoError(t, err)
+ assert.Equal(t, 0, len(r.Perms))
+ r, err = rbac.Instance().GetRole(ctx,
"migrate-role-55555")
+ assert.NoError(t, err)
+ assert.Equal(t, 0, len(r.Perms))
+
+ _, err = etcdadpt.Delete(ctx, "/cse-sr/role-migrated")
+ assert.NoError(t, err)
+ err = rbac.Instance().MigrateOldRoles(ctx)
+ assert.NoError(t, err)
+
+ r, err = rbac.Instance().GetRole(ctx,
"migrate-role-44444")
+ assert.NoError(t, err)
+ assert.Equal(t, r.Perms[0].Resources[0].Type, "config")
+ assert.Equal(t, r.Perms[0].Verbs[0], "*")
+ r, err = rbac.Instance().GetRole(ctx,
"migrate-role-55555")
+ assert.NoError(t, err)
+ assert.Equal(t, r.Perms[0].Resources[0].Type, "config")
+ assert.Equal(t, r.Perms[0].Verbs[0], "*")
+
+ err = rbac.Instance().MigrateOldRoles(ctx)
+ assert.NoError(t, err)
+ r, err = rbac.Instance().GetRole(ctx,
"migrate-role-44444")
+ assert.NoError(t, err)
+ assert.Equal(t, 1, len(r.Perms))
+ r, err = rbac.Instance().GetRole(ctx,
"migrate-role-55555")
+ assert.NoError(t, err)
+ assert.Equal(t, 1, len(r.Perms))
+
+ _, err = rbac.Instance().DeleteRole(ctx, r4.Name)
+ assert.NoError(t, err)
+ _, err = rbac.Instance().DeleteRole(ctx, r5.Name)
+ assert.NoError(t, err)
+ })
+ })
}
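Review bot: The assertions after the first `MigrateOldRoles` call index `r.Perms[0]` without checking the length, so a migration that adds nothing panics the test instead of failing it. Guarding with `if assert.Len(t, r.Perms, 1) { ... }` would report that case cleanly. `assert.Equal` takes the expected value first, so `assert.Equal(t, "config", r.Perms[0].Resources[0].Type)` gives readable failure output. The literal `"/cse-sr/role-migrated"` duplicates the `isMigrated` constant in role.go and will drift if the key is renamed. The second call only exercises the flag short-circuit; a case that deletes the flag and migrates again would cover the re-run path.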
diff --git a/datasource/mongo/role.go b/datasource/mongo/role.go
index e1e96785..022696f7 100644
--- a/datasource/mongo/role.go
+++ b/datasource/mongo/role.go
@@ -165,3 +165,7 @@ func updateRoleTxn(ctx context.Context, filter bson.M,
updateFilter bson.M, role
return sync.DoUpdateOpts(sessionContext,
datasource.ResourceRole, role)
})
}
+
+func (ds *RbacDAO) MigrateOldRoles(ctx context.Context) error {
+ return nil
+}
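Review bot: This implementation returns nil without touching any role, so the caller in role_service.go will log "migrate old role success" on a MongoDB-backed deployment even though no role received the config permission. If that is intentional, for example because the mongo backend has no pre-existing roles to migrate, a doc comment should say so: `// MigrateOldRoles is a no-op for the mongo backend; existing roles are left unchanged.` Otherwise old roles on that backend remain without config access after the upgrade.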
diff --git a/datasource/rbac/role.go b/datasource/rbac/role.go
index c06dd09d..6b640a1c 100644
--- a/datasource/rbac/role.go
+++ b/datasource/rbac/role.go
@@ -38,4 +38,5 @@ type RoleManager interface {
ListRole(ctx context.Context) ([]*rbac.Role, int64, error)
DeleteRole(ctx context.Context, name string) (bool, error)
UpdateRole(ctx context.Context, name string, role *rbac.Role) error
+ MigrateOldRoles(ctx context.Context) error
}
diff --git a/server/service/rbac/permission.go
b/server/service/rbac/permission.go
index e229bb1c..9efe05d9 100644
--- a/server/service/rbac/permission.go
+++ b/server/service/rbac/permission.go
@@ -36,7 +36,7 @@ var (
// AdminPerms allocate all resource permissions
func AdminPerms() []*rbac.Permission {
resources := rbac.BuildResourceList(
- ResourceAccount, ResourceRole,
+ ResourceAccount, ResourceConfig, ResourceRole,
ResourceService, ResourceGovern, ResourceOps, ResourceSchema)
perm := []*rbac.Permission{
{
diff --git a/server/service/rbac/rbac.go b/server/service/rbac/rbac.go
index 20d91bcd..cd9e8a68 100644
--- a/server/service/rbac/rbac.go
+++ b/server/service/rbac/rbac.go
@@ -57,6 +57,7 @@ func Init() {
if err != nil {
log.Fatal("can not enable auth module", err)
}
+ migrateOldRoles()
// build-in role init
initBuildInRole()
initBuildInAccount()
diff --git a/server/service/rbac/resource.go b/server/service/rbac/resource.go
index 7e902395..238b13d5 100644
--- a/server/service/rbac/resource.go
+++ b/server/service/rbac/resource.go
@@ -29,6 +29,7 @@ import (
const (
ResourceAccount = "account"
+ ResourceConfig = "config"
ResourceRole = "role"
ResourceService = "service"
ResourceGovern = "governance"
diff --git a/server/service/rbac/role_service.go
b/server/service/rbac/role_service.go
index 658370e7..e4f08e27 100644
--- a/server/service/rbac/role_service.go
+++ b/server/service/rbac/role_service.go
@@ -32,6 +32,8 @@ import (
rbacmodel "github.com/go-chassis/cari/rbac"
)
+const isMigrated = "/cse-sr/role-migrated-lock"
+
func CreateRole(ctx context.Context, r *rbacmodel.Role) error {
err := validator.ValidateCreateRole(r)
if err != nil {
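Review bot: The constant `isMigrated` here holds the lock key `"/cse-sr/role-migrated-lock"`, while datasource/etcd/role.go declares a constant of the same name for the flag key `"/cse-sr/role-migrated"`. The shared name suggests they are the same value and makes the two keys easy to confuse when reading or grepping. A name that states its purpose would be clearer, for example `const roleMigrateLockKey = "/cse-sr/role-migrated-lock"`.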
@@ -157,3 +159,22 @@ func RoleUsage(ctx context.Context) (int64, error) {
}
return used, nil
}
+
+func migrateOldRoles() {
+ if err := dlock.Lock(isMigrated, -1); err != nil {
+ log.Error("old role is migrating", err)
+ return
+ }
+ defer func() {
+ if err := dlock.Unlock(isMigrated); err != nil {
+ log.Error("unlock failed", err)
+ }
+ }()
+
+ err := rbac.Instance().MigrateOldRoles(context.Background())
+ if err != nil {
+ log.Error("migrate old role failed", err)
+ return
+ }
+ log.Info("migrate old role success")
+}
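Review bot: migrateOldRoles swallows both failure paths, so `Init` goes on to `initBuildInRole()` with roles possibly half-migrated and nothing but a log line to show it. The line just above its call site in rbac.go uses `log.Fatal` for a failure to enable auth. Any `dlock.Lock` error is logged as "old role is migrating", which is misleading when the cause is a datastore or connectivity error rather than another instance holding the lock. Consider returning the error to `Init` so the caller decides whether to continue, and logging the lock failure neutrally, e.g. `log.Error("acquire role migrate lock failed", err)`. `context.Background()` also gives the migration no deadline; a bounded context would keep startup from hanging on a slow store.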