fix: policy-explain not working properly

2026-05-06 21:52:54 +08:00 · 2020-06-09 22:17:35 +08:00
parent f441306d80
commit 5ebb18b691
4 changed files with 34 additions and 2 deletions
--- a/cmd/climc/shell/identity/policies.go
+++ b/cmd/climc/shell/identity/policies.go
@@ -288,12 +288,30 @@ func init() {
 		if err != nil {
 			log.Fatalf("Set log level %q: %v", "debug", err)
 		}
+		if args.Debug {
+			rbacutils.ShowMatchRuleDebug = true
+		}
 		auth.InitFromClientSession(s)
 		policy.EnableGlobalRbac(15*time.Second, 15*time.Second, false)
 		if args.Debug {
 			consts.EnableRbacDebug()
 		}

+		findPolicy := false
+		for !findPolicy {
+			all := policy.PolicyManager.AllPolicies()
+			for _, allP := range all {
+				if len(allP) > 0 {
+					findPolicy = true
+					break
+				}
+			}
+			if findPolicy {
+				break
+			}
+			time.Sleep(time.Second)
+		}
+
 		req := jsonutils.NewDict()
 		for i := 0; i < len(args.Request); i += 1 {
 			parts := strings.Split(args.Request[i], ":")
@@ -359,6 +377,7 @@ func init() {
 				Context: mcclient.SAuthContext{
 					Ip: args.Ip,
 				},
+				Token: "faketoken",
 			}
 		} else {
 			token = s.GetToken()
@@ -370,6 +389,10 @@ func init() {
 		}
 		printObject(result)

+		for _, r := range args.Role {
+			fmt.Println("role", r, "matched policies:", policy.PolicyManager.RoleMatchPolicies(r))
+		}
+
 		fmt.Println("userCred:", token)
 		for _, scope := range []rbacutils.TRbacScope{
 			rbacutils.ScopeSystem,
--- a/pkg/cloudcommon/policy/policy.go
+++ b/pkg/cloudcommon/policy/policy.go
@@ -186,7 +186,7 @@ func (manager *SPolicyManager) start(refreshInterval time.Duration, retryInterva
 			policiesMap[policy.Scope] = policies
 		}
 		manager.defaultPolicies = policiesMap
-		log.Debugf("%#v", manager.defaultPolicies)
+		// log.Debugf("%#v", manager.defaultPolicies)
 	}

 	manager.cache = hashcache.NewCache(2048, manager.refreshInterval/2)
--- a/pkg/mcclient/auth/auth.go
+++ b/pkg/mcclient/auth/auth.go
@@ -386,4 +386,6 @@ func InitFromClientSession(session *mcclient.ClientSession) {
 		info:            info,
 		adminCredential: token,
 	}
+
+	SetEndpointType(session.GetEndpointType())
 }
--- a/pkg/util/rbacutils/rbac.go
+++ b/pkg/util/rbacutils/rbac.go
@@ -228,15 +228,22 @@ func (policy *SRbacPolicy) GetMatchRule(service string, resource string, action
 	return GetMatchRule(policy.Rules, service, resource, action, extra...)
 }

+var (
+	ShowMatchRuleDebug = false
+)
+
 func GetMatchRule(rules []SRbacRule, service string, resource string, action string, extra ...string) *SRbacRule {
 	maxMatchCnt := 0
 	minWeight := 1000000
 	var matchRule *SRbacRule
 	for i := 0; i < len(rules); i += 1 {
 		match, matchCnt, weight := rules[i].match(service, resource, action, extra...)
+		if match && ShowMatchRuleDebug {
+			log.Debugf("rule %s match cnt %d weight %d", rules[i], matchCnt, weight)
+		}
 		if match && (maxMatchCnt < matchCnt ||
 			(maxMatchCnt == matchCnt && minWeight > weight) ||
-			(maxMatchCnt == matchCnt && minWeight == weight && matchRule.looserThan(&rules[i]))) {
+			(maxMatchCnt == matchCnt && minWeight == weight && matchRule.stricterThan(&rules[i]))) {
 			maxMatchCnt = matchCnt
 			minWeight = weight
 			matchRule = &rules[i]