修正：1. attach权限校验总是false 2. 增加climc user

default_project_id相关方法

cmd/climc/shell/users.go

@@ -8,11 +8,13 @@ import (
 
 func init() {
 	type UserListOptions struct {
-		Domain string `help:"Filter by domain"`
-		Name   string `help:"Filter by name"`
-		Limit  int64  `help:"Limit, default 0, i.e. no limit"`
-		Offset int64  `help:"Offset, default 0, i.e. no offset"`
-		Search string `help:"Search by name"`
+		Domain           string `help:"Filter by domain"`
+		Name             string `help:"Filter by name"`
+		Limit            int64  `help:"Limit, default 0, i.e. no limit"`
+		Offset           int64  `help:"Offset, default 0, i.e. no offset"`
+		Search           string `help:"Search by name"`
+		DefaultProject   string `help:"Filter by default_project_id"`
+		NoDefaultProject bool   `help:"Filter users without valid default_project_id"`
 	}
 	R(&UserListOptions{}, "user-list", "List users", func(s *mcclient.ClientSession, args *UserListOptions) error {
 		mod, err := modules.GetModule(s, "users")
@@ -39,6 +41,15 @@ func init() {
 		if args.Offset > 0 {
 			params.Add(jsonutils.NewInt(args.Offset), "offset")
 		}
+		if len(args.DefaultProject) > 0 {
+			projId, err := modules.Projects.GetId(s, args.DefaultProject, nil)
+			if err != nil {
+				return err
+			}
+			params.Add(jsonutils.NewString(projId), "default_project_id")
+		} else if args.NoDefaultProject {
+			params.Add(jsonutils.NewString(""), "default_project_id__iempty")
+		}
 		result, err := mod.List(s, params)
 		if err != nil {
 			return err
@@ -219,6 +230,8 @@ func init() {
 		Mobile      string `help:"Mobile"`
 		Enabled     bool   `help:"Enabled"`
 		Disabled    bool   `help:"Disabled"`
+
+		DefaultProject string `help:"Default project"`
 		// Option []string `help:"User options"`
 	}
 	R(&UserUpdateOptions{}, "user-update", "Update a user", func(s *mcclient.ClientSession, args *UserUpdateOptions) error {
@@ -258,6 +271,13 @@ func init() {
 		} else if !args.Enabled && args.Disabled {
 			params.Add(jsonutils.JSONFalse, "enabled")
 		}
+		if len(args.DefaultProject) > 0 {
+			projId, err := modules.Projects.GetId(s, args.DefaultProject, nil)
+			if err != nil {
+				return err
+			}
+			params.Add(jsonutils.NewString(projId), "default_project_id")
+		}
 		/*
 		   if len(args.Option) > 0 {
 		       uoptions := jsonutils.NewDict()

pkg/cloudcommon/db/db_joint_dispatcher.go

@@ -156,7 +156,8 @@ func (dispatcher *DBJointModelDispatcher) Get(ctx context.Context, id1 string, i
 func attachItems(dispatcher *DBJointModelDispatcher, master IStandaloneModel, slave IStandaloneModel, ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
 	var isAllow bool
 	if consts.IsRbacEnabled() {
-		isAllow = isObjectRbacAllowed(master.GetModelManager(), master, userCred, policy.PolicyActionPerform, "attach")
+		isAllow = isObjectRbacAllowed(master.GetModelManager(), master, userCred, policy.PolicyActionPerform, "attach") &&
+			isObjectRbacAllowed(slave.GetModelManager(), slave, userCred, policy.PolicyActionPerform, "attach")
 	} else {
 		isAllow = dispatcher.JointModelManager().AllowAttach(ctx, userCred, master, slave)
 	}

pkg/cloudcommon/db/interface.go

@@ -118,6 +118,7 @@ type IModel interface {
 	PostDelete(ctx context.Context, userCred mcclient.TokenCredential)
 
 	GetOwnerProjectId() string
+	IsSharable() bool
 
 	CustomizedGetDetailsBody(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error)
 }
@@ -186,7 +187,7 @@ type ISharableVirtualModelManager interface {
 
 type ISharableVirtualModel interface {
 	IVirtualModel
-	IsSharable() bool
+	// IsSharable() bool
 }
 
 type IAdminSharableVirtualModelManager interface {

pkg/cloudcommon/db/jointbase.go

@@ -103,11 +103,11 @@ func (manager *SJointResourceBaseManager) FetchByIds(masterId string, slaveId st
 }
 
 func (manager *SJointResourceBaseManager) AllowListDescendent(ctx context.Context, userCred mcclient.TokenCredential, model IStandaloneModel, query jsonutils.JSONObject) bool {
-	return false
+	return IsAdminAllowList(userCred, manager)
 }
 
 func (manager *SJointResourceBaseManager) AllowAttach(ctx context.Context, userCred mcclient.TokenCredential, master IStandaloneModel, slave IStandaloneModel) bool {
-	return false
+	return IsAdminAllowCreate(userCred, manager)
 }
 
 func JointModelExtra(jointModel IJointModel, extra *jsonutils.JSONDict) *jsonutils.JSONDict {

pkg/cloudcommon/db/modelbase.go

@@ -311,6 +311,10 @@ func (model *SModelBase) GetOwnerProjectId() string {
 	return ""
 }
 
+func (model *SModelBase) IsSharable() bool {
+	return false
+}
+
 func (model *SModelBase) CustomizedGetDetailsBody(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) {
 	return nil, nil
 }

pkg/cloudcommon/db/rbac.go

@@ -92,7 +92,7 @@ func isObjectRbacAllowed(manager IModelManager, model IModel, userCred mcclient.
 
 	if len(ownerId) > 0 {
 		objOwnerId := model.GetOwnerProjectId()
-		if ownerId == objOwnerId {
+		if ownerId == objOwnerId || model.IsSharable() {
 			isOwner = true
 			requireAdmin = false
 		} else {

pkg/cloudcommon/db/sharablevirtual.go

@@ -65,4 +65,4 @@ func (model *SSharableVirtualResourceBase) PerformPrivate(ctx context.Context, u
 		return nil, err
 	}
 	return nil, nil
-}
+}

pkg/mcclient/modules/mod_users.go

@@ -160,7 +160,7 @@ func init() {
 
 	UsersV3 = UserManagerV3{NewIdentityV3Manager("user", "users",
 		[]string{},
-		[]string{"ID", "Name", "Domain_Id",
+		[]string{"ID", "Name", "Domain_Id", "default_project_id",
 			"Enabled", "Email", "Mobile"})}
 
 	register(&UsersV3)