From a3aa26b8e2ac96005eeb643fcfcd7969d0dcc3c3 Mon Sep 17 00:00:00 2001
From: Jian Qiu
Date: Sun, 14 May 2023 08:35:04 +0800
Subject: [PATCH] fix: options of the maximal number of roles of a user in project (#17033)
Co-authored-by: QIU Jian
---
 pkg/apis/identity/consts.go | 3 ---
 pkg/keystone/models/assignments.go | 8 ++++----
 pkg/keystone/options/options.go | 3 +++
 3 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/pkg/apis/identity/consts.go b/pkg/apis/identity/consts.go
index 1ed0cff491..4c48bb6bbc 100644
--- a/pkg/apis/identity/consts.go
+++ b/pkg/apis/identity/consts.go
@@ -84,9 +84,6 @@ const (
 IdentitySyncStatusIdle = "idle"
 MinimalSyncIntervalSeconds = 5 * 60 // 5 minutes
-
- MaxUserRolesInProject = 10
- MaxGroupRolesInProject = 5
 )
 var (
diff --git a/pkg/keystone/models/assignments.go b/pkg/keystone/models/assignments.go
index 8842566f27..94e486d377 100644
--- a/pkg/keystone/models/assignments.go
+++ b/pkg/keystone/models/assignments.go
@@ -347,8 +347,8 @@ func (manager *SAssignmentManager) ProjectAddUser(ctx context.Context, userCred
 if err != nil {
 return errors.Wrap(err, "FetchUserProjectRoleCount")
 }
- if roleCnt >= api.MaxUserRolesInProject {
- return errors.Wrapf(httperrors.ErrTooLarge, "user %s has joined project %s more than %d roles", user.Name, project.Name, roleCnt)
+ if roleCnt >= options.Options.MaxUserRolesInProject {
+ return errors.Wrapf(httperrors.ErrTooLarge, "user %s has joined project %s %d roles more than %d", user.Name, project.Name, roleCnt, options.Options.MaxUserRolesInProject)
 }
 err = manager.add(ctx, api.AssignmentUserProject, user.Id, project.Id, role.Id)
 if err != nil {
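Review bot: In the ProjectAddUser hunk the new message `"user %s has joined project %s %d roles more than %d"` misreports the boundary case: the guard is `roleCnt >= options.Options.MaxUserRolesInProject`, so when the count equals the limit the text claims the count is more than the limit. A wording such as `"user %s already has %d roles in project %s, limit is %d"`, with the arguments reordered to `user.Name, roleCnt, project.Name, options.Options.MaxUserRolesInProject`, states what was actually checked; the projectAddGroup hunk carries the same wording with `group.Name` and needs the same change. Both function bodies start and end outside their hunks, so whether the count read and `manager.add` run under a lock or transaction cannot be seen here; if they do not, concurrent requests could each pass the check and push the assignment count past the cap.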
@@ -498,8 +498,8 @@ func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred
 if err != nil {
 return errors.Wrap(err, "fetchGroupProjectRoleCount")
 }
- if roleCnt >= api.MaxGroupRolesInProject {
- return errors.Wrapf(httperrors.ErrTooLarge, "group %s has joined project %s more than %d roles", group.Name, project.Name, roleCnt)
+ if roleCnt >= options.Options.MaxGroupRolesInProject {
+ return errors.Wrapf(httperrors.ErrTooLarge, "group %s has joined project %s %d roles more than %d", group.Name, project.Name, roleCnt, options.Options.MaxGroupRolesInProject)
 }
 err = manager.add(ctx, api.AssignmentGroupProject, group.Id, project.Id, role.Id)
 if err != nil {
diff --git a/pkg/keystone/options/options.go b/pkg/keystone/options/options.go
index 5fd9660007..09255d0b18 100644
--- a/pkg/keystone/options/options.go
+++ b/pkg/keystone/options/options.go
@@ -73,6 +73,9 @@ type SKeystoneOptions struct {
 LdapSearchPageSize uint32 `help:"pagination size for LDAP search" default:"100"`
 ProjectAdminRole string `help:"name of role to be saved as admin user of project" default:"project_owner"`
+
+ MaxUserRolesInProject int `help:"maximal allowed roles of a user in a project" default:"20"`
+ MaxGroupRolesInProject int `help:"maximal allowed roles of a group in a project" default:"20"`
 }
 var (
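Review bot: `MaxUserRolesInProject` and `MaxGroupRolesInProject` are signed `int` options with no lower bound, and the callers in assignments.go test `roleCnt >= options.Options.MaxUserRolesInProject` (and the group equivalent), so a configured 0 or negative value refuses every role assignment rather than meaning "no limit". The defaults of 20 also replace the removed constants 10 and 5, so an upgrade quadruples the group cap without any operator action; if that increase is intended, the help text or commit message should say so. I would state the contract in the tag, e.g. `help:"maximal allowed roles of a user in a project, must be greater than 0" default:"20"`, and reject non-positive values where the options are loaded, which is not visible in this hunk. SKeystoneOptions begins outside the hunk.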