From bc02b3b433c56af54fee254bc6aec3c4fef019bb Mon Sep 17 00:00:00 2001 
From: Qiu Jian Date: Fri, 30 Nov 2018 23:00:11 +0800 Subject: [PATCH] =?UTF-8?q?1.=20=E5=8F=96=E6=B6=88userCred.IsSystemAdmin()?= =?UTF-8?q?=EF=BC=8C=E5=9C=A8=E4=BD=BF=E7=94=A8policy=E7=9A=84=E5=BA=94?= =?UTF-8?q?=E7=94=A8=E4=B8=AD=EF=BC=8C=E9=80=9A=E8=BF=87userCred.IsAdminAl?= =?UTF-8?q?low=E5=88=A4=E6=96=AD=E6=98=AF=E5=90=A6=E6=98=AF=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E5=91=98=E4=B8=94=E5=85=B7=E5=A4=87=E7=9B=B8=E5=BA=94?= =?UTF-8?q?=E7=9A=84=E6=9D=83=E9=99=90=E3=80=82=E8=8E=B7=E5=8F=96token?= =?UTF-8?q?=E6=97=B6=EF=BC=8C=E9=9C=80=E8=A6=81=E4=BC=A0=E5=85=A5policy.Fi?= =?UTF-8?q?lterPolicyCredential=EF=BC=8C=E5=B0=86=E6=99=AE=E9=80=9AuserCre?= =?UTF-8?q?d=E8=BD=AC=E6=8D=A2=E6=88=90=E6=94=AF=E6=8C=81rbac=E7=9A=84user?= =?UTF-8?q?Cred=202.=20=E5=9C=A8=E5=BA=94=E7=94=A8=E5=90=AF=E5=8A=A8?= =?UTF-8?q?=E6=97=B6=E5=80=99=EF=BC=8C=E5=BF=85=E9=A1=BB=E8=AE=BE=E7=BD=AE?= =?UTF-8?q?=20SetServiceType=EF=BC=8C=E5=90=A6=E5=88=99=E9=80=80=E5=87=BA?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- pkg/cloudcommon/auth.go | 3 +- pkg/cloudcommon/db/db_dispatcher.go | 18 +-- pkg/cloudcommon/db/enabledstatusstandalone.go | 6 +- pkg/cloudcommon/db/interface.go | 4 +- pkg/cloudcommon/db/jointbase.go | 6 +- pkg/cloudcommon/db/metadata.go | 8 +- pkg/cloudcommon/db/modelbase.go | 8 +- pkg/cloudcommon/db/opslog.go | 6 +- pkg/cloudcommon/db/quotas/handler.go | 14 +- pkg/cloudcommon/db/sharablevirtual.go | 8 +- pkg/cloudcommon/db/standalone.go | 10 +- pkg/cloudcommon/db/statusstandalone.go | 4 +- pkg/cloudcommon/db/taskman/tasks.go | 6 +- pkg/cloudcommon/db/virtualjointbase.go | 12 +- pkg/cloudcommon/db/virtualresource.go | 26 ++-- pkg/cloudcommon/options.go | 4 + pkg/cloudcommon/policy/policy.go | 10 +- pkg/cloudcommon/policy/token.go | 145 ++++++++++++++++++ pkg/compute/capabilities/handler.go | 3 +- pkg/compute/models/baremetalagents.go | 10 +- pkg/compute/models/cachedimages.go | 4 +- pkg/compute/models/cloudaccounts.go | 10 +- 
pkg/compute/models/cloudproviders.go | 8 +- pkg/compute/models/cloudregions.go | 4 +- pkg/compute/models/disks.go | 16 +- pkg/compute/models/dnsrecords.go | 10 +- pkg/compute/models/dynamicschedtags.go | 4 +- pkg/compute/models/elasticips.go | 12 +- pkg/compute/models/guest_actions.go | 74 ++++----- pkg/compute/models/guests.go | 12 +- pkg/compute/models/helper.go | 4 +- pkg/compute/models/hostjoints.go | 16 +- pkg/compute/models/hosts.go | 57 ++++--- pkg/compute/models/inframanagers.go | 12 +- pkg/compute/models/isolated_devices.go | 6 +- pkg/compute/models/keypairs.go | 12 +- pkg/compute/models/loadbalanceracls.go | 4 +- pkg/compute/models/loadbalanceragents.go | 8 +- pkg/compute/models/loadbalancerbackends.go | 4 +- .../models/loadbalancerlistenerrules.go | 4 +- pkg/compute/models/loadbalancerlisteners.go | 4 +- pkg/compute/models/loadbalancers.go | 4 +- pkg/compute/models/networks.go | 19 ++- pkg/compute/models/reservedips.go | 4 +- pkg/compute/models/schedpolicies.go | 4 +- pkg/compute/models/secgrouprules.go | 6 +- pkg/compute/models/snapshots.go | 14 +- pkg/compute/models/storagecachedimages.go | 4 +- pkg/compute/models/storagecaches.go | 6 +- pkg/compute/models/storages.go | 6 +- pkg/compute/models/vpcs.go | 4 +- pkg/compute/specs/handler.go | 3 +- pkg/compute/sshkeys/handler.go | 10 +- pkg/compute/usages/handler.go | 4 +- pkg/mcclient/auth/middleware.go | 8 +- pkg/mcclient/modules/base.go | 2 +- pkg/mcclient/session.go | 5 +- pkg/mcclient/token.go | 5 +- pkg/mcclient/token2.go | 6 +- pkg/mcclient/token3.go | 6 +- pkg/mcclient/tokensimple.go | 6 +- pkg/webconsole/handlers.go | 5 +- pkg/webconsole/service/service.go | 3 + pkg/yunionconf/models/parameters.go | 16 +- pkg/yunionconf/service/service.go | 2 + 65 files changed, 516 insertions(+), 232 deletions(-) create mode 100644 pkg/cloudcommon/policy/token.go diff --git a/pkg/cloudcommon/auth.go b/pkg/cloudcommon/auth.go index c9661ce977..fab8fa949c 100644 --- a/pkg/cloudcommon/auth.go 
+++ b/pkg/cloudcommon/auth.go @@ -3,13 +3,14 @@ package cloudcommon import ( "fmt" "os" - "time" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient/auth" ) func InitAuth(options *Options, authComplete auth.AuthCompletedCallback) { + if len(options.AuthURL) == 0 { fmt.Println("Missing AuthURL") os.Exit(1) diff --git a/pkg/cloudcommon/db/db_dispatcher.go b/pkg/cloudcommon/db/db_dispatcher.go index c2d72e15f2..70ce2f8c91 100644 --- a/pkg/cloudcommon/db/db_dispatcher.go +++ b/pkg/cloudcommon/db/db_dispatcher.go @@ -65,7 +65,7 @@ func (dispatcher *DBModelDispatcher) Filter(f appsrv.FilterHandler) appsrv.Filte } func fetchUserCredential(ctx context.Context) mcclient.TokenCredential { - token := auth.FetchUserCredential(ctx) + token := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) if token == nil && !consts.IsRbacEnabled() { log.Fatalf("user token credential not found?") } @@ -113,7 +113,7 @@ func listFields(manager IModelManager, userCred mcclient.TokenCredential) []stri if !utils.IsInStringArray(list, []string{"user", "admin", ""}) { log.Warningf("Invalid list value %s for field %s", list, col.Name()) } - if list == "user" || (list == "admin" && userCred.IsSystemAdmin()) { + if list == "user" || (list == "admin" && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList)) { ret = append(ret, col.Name()) } } @@ -127,7 +127,7 @@ func searchFields(manager IModelManager, userCred mcclient.TokenCredential) []st tags := col.Tags() list := tags["list"] search := tags["search"] - if list == "user" || search == "user" || ((list == "admin" || search == "admin") && userCred.IsSystemAdmin()) { + if list == "user" || search == "user" || ((list == "admin" || search == "admin") && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList)) { ret = append(ret, col.Name()) } } 
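Review bot: The auth.go hunk adds the `yunion.io/x/onecloud/pkg/cloudcommon/policy` import but no line in the hunk uses `policy`, and since the import is new, no pre-existing line in the file can use it either; unless the `+` line inside InitAuth is something other than the blank line it renders as, `go build` rejects the file with "imported and not used". If the intended use is the SetServiceType check named in the commit message, that call belongs in this hunk, with a comment such as `// refuse to start without a service type: policy checks key on it`. The body of InitAuth continues past the end of the hunk.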
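Review bot: With RBAC enabled, fetchUserCredential still returns a nil token unchanged (the `log.Fatalf` guard only fires when `consts.IsRbacEnabled()` is false), and the new `userCred.IsAdminAllow(...)` calls in the listFields and searchFields hunks below then run on a nil interface with no guard. Unless policy.FilterPolicyCredential maps a nil input to a non-nil guest credential (token.go is not in view), an unauthenticated request under RBAC panics inside the dispatcher instead of being rejected, so either document that contract on FilterPolicyCredential or add an explicit nil check at the callers. The pre-existing `log.Fatalf` is also a request-path exit: one request arriving without a credential terminates the whole service, which is worth turning into an error response rather than a crash.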
@@ -140,7 +140,7 @@ func getDetailFields(manager IModelManager, userCred mcclient.TokenCredential) [ tags := col.Tags() list := tags["list"] get := tags["get"] - if list == "user" || get == "user" || ((list == "admin" || get == "admin") && userCred.IsSystemAdmin()) { + if list == "user" || get == "user" || ((list == "admin" || get == "admin") && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionGet)) { ret = append(ret, col.Name()) } } @@ -152,7 +152,7 @@ func createRequireFields(manager IModelManager, userCred mcclient.TokenCredentia for _, col := range manager.TableSpec().Columns() { tags := col.Tags() create, _ := tags["create"] - if create == "required" || (create == "admin_required" && userCred.IsSystemAdmin()) { + if create == "required" || (create == "admin_required" && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)) { ret = append(ret, col.Name()) } } @@ -166,7 +166,7 @@ func createFields(manager IModelManager, userCred mcclient.TokenCredential) []st tags := col.Tags() create, _ := tags["create"] update := tags["update"] - if update == "user" || (update == "admin" && userCred.IsSystemAdmin()) || create == "required" || create == "optional" || ((create == "admin_required" || create == "admin_optional") && userCred.IsSystemAdmin()) { + if update == "user" || (update == "admin" && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)) || create == "required" || create == "optional" || ((create == "admin_required" || create == "admin_optional") && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)) { ret = append(ret, col.Name()) } } 
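Review bot: createFields now evaluates `userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)` twice inside one condition, once for `update == "admin"` and once for the `admin_required`/`admin_optional` case, and the whole expression is re-run for every column (the `for` line sits above the hunk, but `col.Tags()` and `ret = append(...)` show the loop). Hoist it once before the loop, `adminAllow := userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)`, and use `adminAllow` in both places; the same hoist applies to listFields, searchFields, getDetailFields, createRequireFields and updateFields. The `update == "admin"` tag is checked against the Create action here and against Update in updateFields, which looks intentional for create-time population but deserves a one-line comment.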
@@ -179,7 +179,7 @@ func updateFields(manager IModelManager, userCred mcclient.TokenCredential) []st for _, col := range manager.TableSpec().Columns() { tags := col.Tags() update := tags["update"] - if update == "user" || (update == "admin" && userCred.IsSystemAdmin()) { + if update == "user" || (update == "admin" && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionUpdate)) { ret = append(ret, col.Name()) } } @@ -315,7 +315,7 @@ func query2List(manager IModelManager, ctx context.Context, userCred mcclient.To } listF := listFields(manager, userCred) fieldFilter := jsonutils.GetQueryStringArray(query, "field") - if len(fieldFilter) > 0 && userCred.IsSystemAdmin() { + if len(fieldFilter) > 0 && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { // only sysadmin can specify list Fields listF = fieldFilter } @@ -735,7 +735,7 @@ func fetchOwnerProjectId(ctx context.Context, manager IModelManager, userCred mc isAllow = true } } else { - isAllow = userCred.IsSystemAdmin() + isAllow = userCred.IsAdminAllow(consts.GetServiceType(), policy.PolicyDelegation, "") } if !isAllow { return "", httperrors.NewForbiddenError("Delegation not allowed") diff --git a/pkg/cloudcommon/db/enabledstatusstandalone.go b/pkg/cloudcommon/db/enabledstatusstandalone.go index 1528c09200..ad6da79d6f 100644 --- a/pkg/cloudcommon/db/enabledstatusstandalone.go +++ b/pkg/cloudcommon/db/enabledstatusstandalone.go @@ -5,6 +5,8 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" ) 
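Review bot: The comment `// only sysadmin can specify list Fields` in the query2List hunk is now stale: the condition is `userCred.IsAdminAllow(..., policy.PolicyActionList)`, which any role holding admin-scope list policy satisfies, not only the system admin. Reword it to `// only callers with admin-scope list permission may choose the returned fields`.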
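Review bot: The delegation check in fetchOwnerProjectId passes an empty action, `userCred.IsAdminAllow(consts.GetServiceType(), policy.PolicyDelegation, "")`, while the equivalent checks in quotas/handler.go use `policy.PolicyActionGet` with the same PolicyDelegation resource. Whether an empty action matches every rule, no rule, or a wildcard depends on the policy matcher, which is not in view, so this should be a named action constant chosen deliberately; the RBAC branch just above it, which already calls PolicyManager.Allow with an explicit action, is the one to mirror. The function body starts above the hunk.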
@@ -23,7 +25,7 @@ func NewEnabledStatusStandaloneResourceBaseManager(dt interface{}, tableName str } func (self *SEnabledStatusStandaloneResourceBase) AllowPerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "enable") } func (self *SEnabledStatusStandaloneResourceBase) PerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -42,7 +44,7 @@ func (self *SEnabledStatusStandaloneResourceBase) PerformEnable(ctx context.Cont } func (self *SEnabledStatusStandaloneResourceBase) AllowPerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "disable") } func (self *SEnabledStatusStandaloneResourceBase) PerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/cloudcommon/db/interface.go b/pkg/cloudcommon/db/interface.go index e63c2ac02e..b42c522bb9 100644 --- a/pkg/cloudcommon/db/interface.go +++ b/pkg/cloudcommon/db/interface.go @@ -69,6 +69,8 @@ type IModel interface { GetName() string + KeywordPlural() string + GetModelManager() IModelManager SetModelManager(IModelManager) @@ -164,7 +166,7 @@ type IVirtualModel interface { IStandaloneModel IsOwner(userCred mcclient.TokenCredential) bool - IsAdmin(userCred mcclient.TokenCredential) bool + // IsAdmin(userCred mcclient.TokenCredential) bool } type ISharableVirtualModelManager interface { 
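Review bot: The `IsAdmin` method on IVirtualModel is commented out rather than removed, and the same is done for its implementation in virtualresource.go; dead code behind `//` tends to be resurrected by accident and tells reviewers nothing about whether callers were migrated. Delete the line outright, and if the name is meant to stay reserved, say so in a `// Deprecated: admin access is decided by userCred.IsAdminAllow at the call site.` note instead. Adding `KeywordPlural() string` to IModel is interface-widening: any IModel implementation that does not embed SModelBase stops compiling, which is acceptable but worth a sentence in the commit message.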
diff --git a/pkg/cloudcommon/db/jointbase.go b/pkg/cloudcommon/db/jointbase.go index 6dcf2e3c97..14094ae5e4 100644 --- a/pkg/cloudcommon/db/jointbase.go +++ b/pkg/cloudcommon/db/jointbase.go @@ -8,6 +8,8 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/pkg/util/reflectutils" "yunion.io/x/sqlchemy" @@ -191,7 +193,7 @@ func (self *SJointResourceBase) AllowGetJointDetails(ctx context.Context, userCr master := item.Master() switch master.(type) { case IVirtualModel: - return master.(IVirtualModel).IsOwner(userCred) + return master.(IVirtualModel).IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), master.KeywordPlural(), policy.PolicyActionGet) default: // case item implemented customized AllowGetDetails, eg hostjoints return item.AllowGetDetails(ctx, userCred, query) } @@ -201,7 +203,7 @@ func (self *SJointResourceBase) AllowUpdateJointItem(ctx context.Context, userCr master := item.Master() switch master.(type) { case IVirtualModel: - return master.(IVirtualModel).IsOwner(userCred) + return master.(IVirtualModel).IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), master.KeywordPlural(), policy.PolicyActionUpdate) default: // case item implemented customized AllowGetDetails, eg hostjoints return item.AllowUpdateItem(ctx, userCred) } diff --git a/pkg/cloudcommon/db/metadata.go b/pkg/cloudcommon/db/metadata.go index 5c0c98206d..88463b21f9 100644 --- a/pkg/cloudcommon/db/metadata.go +++ b/pkg/cloudcommon/db/metadata.go @@ -11,7 +11,9 @@ import ( "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/pkg/util/stringutils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" ) const ( 
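Review bot: In AllowGetJointDetails and AllowUpdateJointItem the admin check is made against `master.KeywordPlural()`, the policy resource of the master object, while SVirtualJointResourceBaseManager.AllowListItems in virtualjointbase.go (same commit) checks `manager.KeywordPlural()`, the joint table's own resource. Either can be right, but the convention should be stated once so policy authors know which resource name to grant, e.g. `// access to a joint row is governed by the policy on its master resource`. The default-branch comment in AllowUpdateJointItem still says `AllowGetDetails`; it should read `AllowUpdateItem`.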
@@ -65,7 +67,7 @@ raise Exception('get_object_idstr: failed to generate obj ID') return idstr */ func (manager *SMetadataManager) GetStringValue(model IModel, key string, userCred mcclient.TokenCredential) string { - if strings.HasPrefix(key, SYSTEM_ADMIN_PREFIX) && (userCred == nil || !userCred.IsSystemAdmin()) { + if strings.HasPrefix(key, SYSTEM_ADMIN_PREFIX) && (userCred == nil || !userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata")) { return "" } idStr := GetObjectIdstr(model) @@ -78,7 +80,7 @@ func (manager *SMetadataManager) GetStringValue(model IModel, key string, userCr } func (manager *SMetadataManager) GetJsonValue(model IModel, key string, userCred mcclient.TokenCredential) jsonutils.JSONObject { - if strings.HasPrefix(key, SYSTEM_ADMIN_PREFIX) && (userCred == nil || !userCred.IsSystemAdmin()) { + if strings.HasPrefix(key, SYSTEM_ADMIN_PREFIX) && (userCred == nil || !userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata")) { return nil } idStr := GetObjectIdstr(model) @@ -194,7 +196,7 @@ func (manager *SMetadataManager) GetAll(obj IModel, keys []string, userCred mccl for _, rec := range records { if len(rec.Value) > 0 { if strings.HasPrefix(rec.Key, SYSTEM_ADMIN_PREFIX) { - if userCred != nil && userCred.IsSystemAdmin() { + if userCred != nil && userCred.IsAdminAllow(consts.GetServiceType(), obj.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata") { key := rec.Key[len(SYSTEM_ADMIN_PREFIX):] ret[key] = rec.Value } diff --git a/pkg/cloudcommon/db/modelbase.go b/pkg/cloudcommon/db/modelbase.go index d4c9a704a9..bd5db2cdb8 100644 --- a/pkg/cloudcommon/db/modelbase.go +++ b/pkg/cloudcommon/db/modelbase.go 
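Review bot: In SMetadataManager.GetAll the policy check `userCred.IsAdminAllow(consts.GetServiceType(), obj.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata")` is evaluated once per record inside `for _, rec := range records`, so a resource with many system-prefixed keys performs one policy lookup per key. Compute it once before the loop, `sysAllowed := userCred != nil && userCred.IsAdminAllow(consts.GetServiceType(), obj.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata")`, and test `if sysAllowed {` inside; GetStringValue and GetJsonValue repeat the same four-argument call and could share that helper. The loop's surrounding function starts above the hunk.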
@@ -6,6 +6,8 @@ import ( "fmt" "yunion.io/x/jsonutils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/sqlchemy" ) @@ -151,7 +153,7 @@ func (manager *SModelBaseManager) PerformAction(ctx context.Context, userCred mc } func (manager *SModelBaseManager) AllowPerformCheckCreateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionPerform, "check-create-data") } func (manager *SModelBaseManager) InitializeData() error { @@ -178,6 +180,10 @@ func (model *SModelBase) Keyword() string { return model.GetModelManager().Keyword() } +func (model *SModelBase) KeywordPlural() string { + return model.GetModelManager().KeywordPlural() +} + func (model *SModelBase) GetName() string { return "" } diff --git a/pkg/cloudcommon/db/opslog.go b/pkg/cloudcommon/db/opslog.go index 35ef9c13e2..456c617697 100644 --- a/pkg/cloudcommon/db/opslog.go +++ b/pkg/cloudcommon/db/opslog.go @@ -9,6 +9,8 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/logclient" "yunion.io/x/pkg/util/stringutils" 
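Review bot: The new exported method `KeywordPlural` on SModelBase has no doc comment, and since it is now the value every policy check in this package uses as the resource name, that contract should be written down: `// KeywordPlural returns the manager's plural keyword; it is the resource name used by the IsAdminAllow policy checks.` Like the existing Keyword, it dereferences GetModelManager() without a nil check, so a model that never had SetModelManager called panics here; matching Keyword is fine, but the same caveat applies. AllowPerformCheckCreateData hard-codes the action name `"check-create-data"`, which presumably has to match the perform-action routing elsewhere and would be safer as a shared constant.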
@@ -293,7 +295,7 @@ func (manager *SOpsLogManager) ListItemFilter(ctx context.Context, q *sqlchemy.S queryDict.RemoveIgnoreCase("action") q = q.Filter(sqlchemy.In(q.Field("action"), action)) } - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { q = q.Filter(sqlchemy.OR(sqlchemy.AND(sqlchemy.IsNotNull(q.Field("owner_tenant_id")), sqlchemy.Equals(q.Field("owner_tenant_id"), userCred.GetProjectId())), sqlchemy.Equals(q.Field("tenant_id"), userCred.GetProjectId()))) } since, _ := query.GetTime("since") @@ -324,7 +326,7 @@ func (manager *SOpsLogManager) AllowCreateItem(ctx context.Context, userCred mcc } func (self *SOpsLog) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() || userCred.GetProjectId() == self.ProjectId || userCred.GetProjectId() == self.OwnerProjectId + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionGet) || userCred.GetProjectId() == self.ProjectId || userCred.GetProjectId() == self.OwnerProjectId } func (self *SOpsLog) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { diff --git a/pkg/cloudcommon/db/quotas/handler.go b/pkg/cloudcommon/db/quotas/handler.go index ed27a32b72..4729168e4f 100644 --- a/pkg/cloudcommon/db/quotas/handler.go +++ b/pkg/cloudcommon/db/quotas/handler.go @@ -72,7 +72,7 @@ func queryQuota(ctx context.Context, projectId string) (*jsonutils.JSONDict, err } func getQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) params := appctx.AppContextParams(ctx) projectId := params[""] 
@@ -93,7 +93,7 @@ func getQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request policy.PolicyDelegation, policy.PolicyActionGet) isAllow = result == rbacutils.AdminAllow } else { - isAllow = userCred.IsSystemAdmin() + isAllow = userCred.IsAdminAllow(consts.GetServiceType(), policy.PolicyDelegation, policy.PolicyActionGet) } if !isAllow { httperrors.ForbiddenError(w, "not allow to delegate query quota") @@ -133,14 +133,15 @@ func getQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request } func setQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) var isAllow bool if consts.IsRbacEnabled() { isAllow = policy.PolicyManager.Allow(true, userCred, consts.GetServiceType(), "quotas", policy.PolicyActionUpdate) == rbacutils.AdminAllow } else { - isAllow = userCred.IsSystemAdmin() + isAllow = userCred.IsAdminAllow(consts.GetServiceType(), + "quotas", policy.PolicyActionUpdate) } if !isAllow { httperrors.ForbiddenError(w, "not allow to set quota") @@ -196,14 +197,15 @@ func setQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request } func checkQuotaHanlder(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) isAllow := false if consts.IsRbacEnabled() { isAllow = policy.PolicyManager.Allow(true, userCred, consts.GetServiceType(), policy.PolicyDelegation, policy.PolicyActionGet) == rbacutils.AdminAllow } else { - isAllow = userCred.IsSystemAdmin() + isAllow = userCred.IsAdminAllow(consts.GetServiceType(), + policy.PolicyDelegation, policy.PolicyActionGet) } if !isAllow { httperrors.ForbiddenError(w, "not allow to delegate check quota") 
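Review bot: setQuotaHanlder and checkQuotaHanlder keep two branches that decide the same question: under `consts.IsRbacEnabled()` they call `policy.PolicyManager.Allow(true, userCred, ...) == rbacutils.AdminAllow`, otherwise `userCred.IsAdminAllow(...)` with the same service, resource and action. If IsAdminAllow already consults PolicyManager when RBAC is on, as the commit message states and the rest of this commit assumes (token.go is not in view), each `if`/`else` collapses to the single line `isAllow = userCred.IsAdminAllow(consts.GetServiceType(), "quotas", policy.PolicyActionUpdate)`; if it does not, the two branches can diverge silently and that difference should be documented on IsAdminAllow. The literal `"quotas"` should also come from the quota manager's KeywordPlural so the policy resource name cannot drift from the model.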
diff --git a/pkg/cloudcommon/db/sharablevirtual.go b/pkg/cloudcommon/db/sharablevirtual.go index 8d1cf2db5f..d8c78a98df 100644 --- a/pkg/cloudcommon/db/sharablevirtual.go +++ b/pkg/cloudcommon/db/sharablevirtual.go @@ -4,6 +4,8 @@ import ( "context" "yunion.io/x/jsonutils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/sqlchemy" ) @@ -30,7 +32,7 @@ func (manager *SSharableVirtualResourceBaseManager) FilterByOwner(q *sqlchemy.SQ } func (model *SSharableVirtualResourceBase) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return model.IsOwner(userCred) || model.IsPublic + return model.IsOwner(userCred) || model.IsPublic || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionGet) } func (model *SSharableVirtualResourceBase) IsSharable() bool { @@ -38,11 +40,11 @@ func (model *SSharableVirtualResourceBase) IsSharable() bool { } func (model *SSharableVirtualResourceBase) AllowPerformPublic(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "public") } func (model *SSharableVirtualResourceBase) AllowPerformPrivate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "private") } func (model *SSharableVirtualResourceBase) PerformPublic(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
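Review bot: AllowPerformPublic and AllowPerformPrivate reach the resource name through `model.GetModelManager().KeywordPlural()`, while AllowGetDetails in the hunk just above uses `model.KeywordPlural()` for the same value; pick one form. `model.KeywordPlural()` is shorter and is what virtualresource.go uses, so change both to `userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionPerform, "public")` (and `"private"`). Making a resource public exposes it across tenants, so a one-line comment that this needs admin-scope perform policy rather than mere ownership would help the next reader.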
diff --git a/pkg/cloudcommon/db/standalone.go b/pkg/cloudcommon/db/standalone.go index d1fd803ae7..9d8d11f080 100644 --- a/pkg/cloudcommon/db/standalone.go +++ b/pkg/cloudcommon/db/standalone.go @@ -7,6 +7,8 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/pkg/util/regutils" @@ -147,7 +149,7 @@ func (model *SStandaloneResourceBase) GetMetadataJson(key string, userCred mccli } func (model *SStandaloneResourceBase) SetMetadata(ctx context.Context, key string, value interface{}, userCred mcclient.TokenCredential) error { - if Metadata.IsSystemAdminKey(key) && !userCred.IsSystemAdmin() { + if Metadata.IsSystemAdminKey(key) && !userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "metadata") { return httperrors.NewNotSufficientPrivilegeError("cannot set system key") } return Metadata.SetValue(ctx, model, key, value, userCred) @@ -155,7 +157,7 @@ func (model *SStandaloneResourceBase) SetMetadata(ctx context.Context, key strin func (model *SStandaloneResourceBase) SetAllMetadata(ctx context.Context, dictstore map[string]interface{}, userCred mcclient.TokenCredential) error { for k := range dictstore { - if Metadata.IsSystemAdminKey(k) && !userCred.IsSystemAdmin() { + if Metadata.IsSystemAdminKey(k) && !userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "metadata") { return httperrors.NewNotSufficientPrivilegeError(fmt.Sprintf("not allow to set system key %s", k)) } } 
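Review bot: SetAllMetadata runs `userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "metadata")` inside `for k := range dictstore`, once per system key, and SetMetadata repeats the identical expression. Hoist it into a private helper such as `func (model *SStandaloneResourceBase) allowSystemMetadata(userCred mcclient.TokenCredential) bool` called once before the loop, which also keeps the Perform-side rule in one place. The string `"metadata"` is now spelled out in at least six places across this commit; a named constant in the policy package would stop the Get and Perform variants from drifting apart.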
@@ -175,7 +177,7 @@ func (model *SStandaloneResourceBase) GetAllMetadata(userCred mcclient.TokenCred } func (model *SStandaloneResourceBase) AllowGetDetailsMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "metadata") } func (model *SStandaloneResourceBase) GetDetailsMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -188,7 +190,7 @@ func (model *SStandaloneResourceBase) GetDetailsMetadata(ctx context.Context, us } func (model *SStandaloneResourceBase) AllowPerformMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "metadata") } func (model *SStandaloneResourceBase) PerformMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/cloudcommon/db/statusstandalone.go b/pkg/cloudcommon/db/statusstandalone.go index 4304a37388..7f436d2c4c 100644 --- a/pkg/cloudcommon/db/statusstandalone.go +++ b/pkg/cloudcommon/db/statusstandalone.go @@ -6,6 +6,8 @@ import ( "strings" "yunion.io/x/jsonutils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/logclient" ) 
@@ -50,7 +52,7 @@ func (model *SStatusStandaloneResourceBase) SetStatus(userCred mcclient.TokenCre } func (model *SStatusStandaloneResourceBase) AllowPerformStatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "status") } func (model *SStatusStandaloneResourceBase) PerformStatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/cloudcommon/db/taskman/tasks.go b/pkg/cloudcommon/db/taskman/tasks.go index f16cc14387..177bb0a203 100644 --- a/pkg/cloudcommon/db/taskman/tasks.go +++ b/pkg/cloudcommon/db/taskman/tasks.go @@ -18,9 +18,11 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" ) const ( @@ -70,7 +72,7 @@ type STask struct { } func (manager *STaskManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return true } func (manager *STaskManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { 
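Review bot: STaskManager.AllowListItems changes from `userCred.IsSystemAdmin()` to an unconditional `return true`, so every authenticated caller may now reach the task list endpoint; nothing in this hunk narrows what they see, and whether FilterByOwner (its signature is visible in the next hunk) scopes the result to the caller's project, or an `admin` query flag is honoured, is decided outside this view. Other managers in this commit keep a guard for that case, so mirror SVirtualResourceBaseManager.AllowListItems: `if jsonutils.QueryBoolean(query, "admin", false) && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { return false }` followed by `return true`. Whichever is intended, this method should carry a comment stating that non-admin callers only see tasks whose stored UserCred project matches theirs, as AllowGetDetails in the next hunk enforces for a single task.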
@@ -115,7 +117,7 @@ func (manager *STaskManager) FilterByOwner(q *sqlchemy.SQuery, owner string) *sq } func (self *STask) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() || userCred.GetProjectId() == self.UserCred.GetProjectId() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionGet) || userCred.GetProjectId() == self.UserCred.GetProjectId() } func (self *STask) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { diff --git a/pkg/cloudcommon/db/virtualjointbase.go b/pkg/cloudcommon/db/virtualjointbase.go index 23565cc777..5a0e571e5d 100644 --- a/pkg/cloudcommon/db/virtualjointbase.go +++ b/pkg/cloudcommon/db/virtualjointbase.go @@ -10,6 +10,8 @@ import ( "yunion.io/x/pkg/util/reflectutils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" ) @@ -27,7 +29,7 @@ func NewVirtualJointResourceBaseManager(dt interface{}, tableName string, keywor } func (manager *SVirtualJointResourceBaseManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - if jsonutils.QueryBoolean(query, "admin", false) && !userCred.IsSystemAdmin() { + if jsonutils.QueryBoolean(query, "admin", false) && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { return false } return true 
@@ -36,7 +38,7 @@ func (manager *SVirtualJointResourceBaseManager) AllowListItems(ctx context.Cont func (manager *SVirtualJointResourceBaseManager) AllowListDescendent(ctx context.Context, userCred mcclient.TokenCredential, master IStandaloneModel, query jsonutils.JSONObject) bool { masterVirtual := master.(IVirtualModel) - if masterVirtual.IsOwner(userCred) { + if masterVirtual.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), masterVirtual.KeywordPlural(), policy.PolicyActionList) { return true } return false @@ -62,12 +64,12 @@ func (manager *SVirtualJointResourceBaseManager) AllowAttach(ctx context.Context func (self *SVirtualJointResourceBase) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { masterVirtual := self.Master().(IVirtualModel) - return masterVirtual.IsOwner(userCred) + return masterVirtual.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), masterVirtual.KeywordPlural(), policy.PolicyActionGet) } func (self *SVirtualJointResourceBase) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { masterVirtual := self.Master().(IVirtualModel) - return masterVirtual.IsOwner(userCred) + return masterVirtual.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), masterVirtual.KeywordPlural(), policy.PolicyActionUpdate) } func (manager *SVirtualJointResourceBaseManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (*sqlchemy.SQuery, error) { 
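Review bot: AllowListDescendent wraps a boolean in `if … { return true }` / `return false`; it reads better as a single `return masterVirtual.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), masterVirtual.KeywordPlural(), policy.PolicyActionList)`. It also checks the List action on the master resource, while AllowGetDetails two hunks later checks Get on the same master for reading one joint row; listing a master's descendants is closer to reading that master than to listing the master collection, so confirm List is the intended action and record the choice in a comment.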
@@ -96,7 +98,7 @@ func (manager *SVirtualJointResourceBaseManager) ListItemFilter(ctx context.Cont sqlchemy.IsFalse(masterTable.Field("deleted")))) q = q.Join(slaveTable, sqlchemy.AND(sqlchemy.Equals(slaveField, slaveTable.Field("id")), sqlchemy.IsFalse(slaveTable.Field("deleted")))) - if jsonutils.QueryBoolean(query, "admin", false) && userCred.IsSystemAdmin() { + if jsonutils.QueryBoolean(query, "admin", false) && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { isSystem := jsonutils.QueryBoolean(query, "system", false) if !isSystem { if len(slaveQueryId) == 0 { diff --git a/pkg/cloudcommon/db/virtualresource.go b/pkg/cloudcommon/db/virtualresource.go index 16a9b44572..a9e31f0263 100644 --- a/pkg/cloudcommon/db/virtualresource.go +++ b/pkg/cloudcommon/db/virtualresource.go @@ -12,7 +12,9 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" ) @@ -38,12 +40,12 @@ type SVirtualResourceBase struct { } func (model *SVirtualResourceBase) IsOwner(userCred mcclient.TokenCredential) bool { - return userCred.IsSystemAdmin() || userCred.GetProjectId() == model.ProjectId + return userCred.GetProjectId() == model.ProjectId } -func (model *SVirtualResourceBase) IsAdmin(userCred mcclient.TokenCredential) bool { +/*func (model *SVirtualResourceBase) IsAdmin(userCred mcclient.TokenCredential) bool { return userCred.IsSystemAdmin() || (userCred.GetProjectId() == model.ProjectId && userCred.IsAdmin()) -} +}*/ func (model *SVirtualResourceBase) GetOwnerProjectId() string { return model.ProjectId 
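Review bot: SVirtualResourceBase.IsOwner no longer returns true for a system admin, which silently changes the answer for every caller of IsOwner that this commit did not pair with an `IsAdminAllow` check, and the diffstat shows a long list of compute models built on this package. Any such caller now denies administrators, or, where IsOwner selected a tenant-scoping branch, scopes them to their own project; an audit of all IsOwner call sites belongs with this change, and the method deserves a comment: `// IsOwner reports project ownership only; admin-scope access is decided by userCred.IsAdminAllow at each call site.` The old IsAdmin method is left in a `/* … */` block rather than deleted; remove it, git history keeps it.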
@@ -111,7 +113,7 @@ func (manager *SVirtualResourceBaseManager) ListItemFilter(ctx context.Context,
 func (manager *SVirtualResourceBaseManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerProjId string, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
 isSystem, err := data.Bool("is_system")
- if err == nil && isSystem && !userCred.IsSystemAdmin() {
+ if err == nil && isSystem && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) {
 return nil, httperrors.NewNotSufficientPrivilegeError("non-admin user not allowed to create system object")
 }
 return manager.SStandaloneResourceBaseManager.ValidateCreateData(ctx, userCred, ownerProjId, query, data)
@@ -130,14 +132,14 @@ func (model *SVirtualResourceBase) CustomizeCreate(ctx context.Context, userCred
 func (manager *SVirtualResourceBaseManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
 isAdmin, err := query.Bool("admin")
- if err == nil && isAdmin && !userCred.IsSystemAdmin() {
+ if err == nil && isAdmin && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) {
 return false
 }
 return true
 }
 func (model *SVirtualResourceBase) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return model.IsOwner(userCred)
+ return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionGet)
 }
 func (manager *SVirtualResourceBaseManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
@@ -145,19 +147,19 @@ func (manager *SVirtualResourceBaseManager) AllowCreateItem(ctx context.Context,
 }
 func (model *SVirtualResourceBase) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool {
- return model.IsOwner(userCred)
+ return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionUpdate)
 }
 func (model *SVirtualResourceBase) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return model.IsOwner(userCred)
+ return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionDelete)
 }
 func (model *SVirtualResourceBase) AllowGetDetailsMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return model.IsOwner(userCred)
+ return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionGet, "metadata")
 }
 func (model *SVirtualResourceBase) AllowPerformMetadata(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return model.IsOwner(userCred)
+ return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionPerform, "metadata")
 }
 func (model *SVirtualResourceBase) GetTenantCache(ctx context.Context) (*STenant, error) {
@@ -166,7 +168,7 @@ func (model *SVirtualResourceBase) GetTenantCache(ctx context.Context) (*STenant
 }
 func (model *SVirtualResourceBase) getMoreDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, extra *jsonutils.JSONDict) *jsonutils.JSONDict {
- if userCred.IsSystemAdmin() {
+ if userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionGet) {
 // log.Debugf("GetCustomizeColumns")
 tobj, err := model.GetTenantCache(ctx)
 if err == nil {
@@ -198,7 +200,7 @@ func (model *SVirtualResourceBase) GetExtraDetails(ctx context.Context, userCred
 }
 func (model *SVirtualResourceBase) AllowPerformChangeOwner(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), model.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "change-owner")
 }
 func (model *SVirtualResourceBase) PerformChangeOwner(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/cloudcommon/options.go b/pkg/cloudcommon/options.go
index fa7730c4a9..c3d92e4201 100644
--- a/pkg/cloudcommon/options.go
+++ b/pkg/cloudcommon/options.go
@@ -63,6 +63,10 @@ func (this *DBOptions) GetDBConnection() (dialect, connstr string, err error) {
 }
 func ParseOptions(optStruct interface{}, optionsRef *Options, args []string, configFileName string) {
+ if len(consts.GetServiceType()) == 0 {
+ log.Fatalf("ServiceType not initialized!")
+ }
+
 serviceName := path.Base(args[0])
 parser, err := structarg.NewArgumentParser(optStruct, serviceName,
diff --git a/pkg/cloudcommon/policy/policy.go b/pkg/cloudcommon/policy/policy.go
index d4ab475993..2431c64ea5 100644
--- a/pkg/cloudcommon/policy/policy.go
+++ b/pkg/cloudcommon/policy/policy.go
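Review bot: `getMoreDetails` and `AllowPerformChangeOwner` pass `model.GetModelManager().KeywordPlural()` as the policy resource, while `AllowGetDetails`, `AllowUpdateItem` and the other methods of the same type in this file pass `model.KeywordPlural()`. If both resolve to the same string the difference is only style, but using one form throughout the file makes it evident that every check names the same resource. The same split recurs across the compute models in this commit (`self.GetModelManager().KeywordPlural()` in baremetalagents, cachedimages and cloudaccounts versus `self.KeywordPlural()` in cloudproviders, cloudregions, disks and the later files). `getMoreDetails` continues outside the hunk.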
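Review bot: The message in `log.Fatalf("ServiceType not initialized!")` says what is wrong but not what the service author must do; since the commit description says SetServiceType must be called at startup, name it: `log.Fatalf("ServiceType not initialized, SetServiceType must be called before ParseOptions")`. `ParseOptions` continues outside the hunk.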
@@ -90,6 +90,12 @@ var (
 Action: PolicyActionCreate,
 Result: rbacutils.UserAllow,
 },
+ {
+ Service: "yunionconf",
+ Resource: "parameters",
+ Action: PolicyActionGet,
+ Result: rbacutils.OwnerAllow,
+ },
 }
 )
@@ -278,7 +284,7 @@ func (manager *SPolicyManager) explainPolicy(userCred mcclient.TokenCredential,
 if !consts.IsRbacEnabled() {
 if !isAdmin {
 return reqStrs, rbacutils.OwnerAllow, nil
- } else if isAdmin && userCred.IsSystemAdmin() {
+ } else if isAdmin && userCred.HasSystemAdminPrivelege() {
 return reqStrs, rbacutils.AdminAllow, nil
 } else {
 return reqStrs, rbacutils.Deny, httperrors.NewForbiddenError("operation not allowed")
@@ -305,7 +311,7 @@ func (manager *SPolicyManager) ExplainRpc(userCred mcclient.TokenCredential, par
 }
 func (manager *SPolicyManager) IsAdminCapable(userCred mcclient.TokenCredential) bool {
- if !consts.IsRbacEnabled() && userCred.IsSystemAdmin() {
+ if !consts.IsRbacEnabled() && userCred.HasSystemAdminPrivelege() {
 return true
 }
diff --git a/pkg/cloudcommon/policy/token.go b/pkg/cloudcommon/policy/token.go
new file mode 100644
index 0000000000..c42b846bf4
--- /dev/null
+++ b/pkg/cloudcommon/policy/token.go
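Review bot: The new default-policy entry granting `rbacutils.OwnerAllow` for `PolicyActionGet` on `yunionconf`/`parameters` is not mentioned in the commit description and lands in the hard-coded default table that applies before any operator-defined policy is consulted. A one-line comment above the entry stating why project owners need read access to parameters (e.g. `// project owners may read their own yunionconf parameters`) keeps the default grants auditable. The `explainPolicy` and `IsAdminCapable` hunks only swap the predicate name, so the non-RBAC path is otherwise unchanged.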
@@ -0,0 +1,145 @@
+package policy
+
+import (
+ "time"
+
+ "yunion.io/x/jsonutils"
+ "yunion.io/x/pkg/gotypes"
+
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
+ "yunion.io/x/onecloud/pkg/mcclient"
+ "yunion.io/x/onecloud/pkg/util/rbacutils"
+)
+
+type SPolicyTokenCredential struct {
+ Token mcclient.TokenCredential
+}
+
+func (self *SPolicyTokenCredential) String() string {
+ return self.Token.String()
+}
+
+func (self *SPolicyTokenCredential) IsZero() bool {
+ return self.Token.IsZero()
+}
+
+func (self *SPolicyTokenCredential) GetProjectId() string {
+ return self.Token.GetProjectId()
+}
+
+func (self *SPolicyTokenCredential) GetTenantId() string {
+ return self.Token.GetTenantId()
+}
+
+func (self *SPolicyTokenCredential) GetUserId() string {
+ return self.Token.GetUserId()
+}
+
+func (self *SPolicyTokenCredential) GetServiceURL(service, region, zone, endpointType string) (string, error) {
+ return self.Token.GetServiceURL(service, region, zone, endpointType)
+}
+
+func (self *SPolicyTokenCredential) GetServiceURLs(service, region, zone, endpointType string) ([]string, error) {
+ return self.Token.GetServiceURLs(service, region, zone, endpointType)
+}
+
+func (self *SPolicyTokenCredential) GetTokenString() string {
+ return self.Token.GetTokenString()
+}
+
+func (self *SPolicyTokenCredential) GetDomainId() string {
+ return self.Token.GetDomainId()
+}
+
+func (self *SPolicyTokenCredential) GetDomainName() string {
+ return self.Token.GetDomainName()
+}
+
+func (self *SPolicyTokenCredential) GetTenantName() string {
+ return self.Token.GetTenantName()
+}
+
+func (self *SPolicyTokenCredential) GetProjectName() string {
+ return self.Token.GetProjectName()
+}
+
+func (self *SPolicyTokenCredential) GetUserName() string {
+ return self.Token.GetUserName()
+}
+
+func (self *SPolicyTokenCredential) GetRoles() []string {
+ return self.Token.GetRoles()
+}
+
+func (self *SPolicyTokenCredential) GetExpires() time.Time {
+ return self.Token.GetExpires()
+}
+
+func (self
*SPolicyTokenCredential) IsValid() bool {
+ return self.Token.IsValid()
+}
+
+func (self *SPolicyTokenCredential) ValidDuration() time.Duration {
+ return self.Token.ValidDuration()
+}
+
+func (self *SPolicyTokenCredential) GetRegions() []string {
+ return self.Token.GetRegions()
+}
+
+func (self *SPolicyTokenCredential) GetServiceCatalog() mcclient.IServiceCatalog {
+ return self.Token.GetServiceCatalog()
+}
+
+func (self *SPolicyTokenCredential) GetCatalogData(serviceTypes []string, region string) jsonutils.JSONObject {
+ return self.Token.GetCatalogData(serviceTypes, region)
+}
+
+func (self *SPolicyTokenCredential) GetInternalServices(region string) []string {
+ return self.Token.GetInternalServices(region)
+}
+
+func (self *SPolicyTokenCredential) GetExternalServices(region string) []mcclient.ExternalService {
+ return self.Token.GetExternalServices(region)
+}
+
+func (self *SPolicyTokenCredential) GetEndpoints(region string, endpointType string) []mcclient.Endpoint {
+ return self.Token.GetEndpoints(region, endpointType)
+}
+
+func (self *SPolicyTokenCredential) ToJson() jsonutils.JSONObject {
+ return self.Token.ToJson()
+}
+
+func (self *SPolicyTokenCredential) HasSystemAdminPrivelege() bool {
+ if consts.IsRbacEnabled() {
+ return PolicyManager.IsAdminCapable(self.Token)
+ }
+ return self.Token.HasSystemAdminPrivelege()
+}
+
+func (self *SPolicyTokenCredential) IsAdminAllow(service string, resource string, action string, extra ...string) bool {
+ if consts.IsRbacEnabled() {
+ result := PolicyManager.Allow(true, self.Token, service, resource, action, extra...)
+ return result == rbacutils.AdminAllow
+ }
+ return self.Token.IsAdminAllow(service, resource, action, extra...)
+}
+
+func init() {
+ gotypes.RegisterSerializable(mcclient.TokenCredentialType, func() gotypes.ISerializable {
+ return &SPolicyTokenCredential{}
+ })
+}
+
+func FilterPolicyCredential(token mcclient.TokenCredential) mcclient.TokenCredential {
+ if !consts.IsRbacEnabled() {
+ return token
+ }
+ switch token.(type) {
+ case *SPolicyTokenCredential:
+ return token
+ default:
+ return &SPolicyTokenCredential{Token: token}
+ }
+}
diff --git a/pkg/compute/capabilities/handler.go b/pkg/compute/capabilities/handler.go
index a6f0aa9378..8df5482467 100644
--- a/pkg/compute/capabilities/handler.go
+++ b/pkg/compute/capabilities/handler.go
@@ -8,6 +8,7 @@ import (
 "yunion.io/x/jsonutils"
 "yunion.io/x/onecloud/pkg/appsrv"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/compute/models"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient/auth"
@@ -18,7 +19,7 @@ func AddCapabilityHandler(prefix string, app *appsrv.Application) {
 }
 func capaHandler(ctx context.Context, w http.ResponseWriter, r *http.Request) {
- userCred := auth.FetchUserCredential(ctx)
+ userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential)
 query, err := jsonutils.ParseQueryString(r.URL.RawQuery)
 if err != nil {
 httperrors.GeneralServerError(w, err)
diff --git a/pkg/compute/models/baremetalagents.go b/pkg/compute/models/baremetalagents.go
index 780a5645ec..606333ea67 100644
--- a/pkg/compute/models/baremetalagents.go
+++ b/pkg/compute/models/baremetalagents.go
@@ -5,7 +5,9 @@ import (
 "fmt"
 "yunion.io/x/jsonutils"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient"
 "yunion.io/x/pkg/util/regutils"
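Review bot: `FilterPolicyCredential` wraps whatever it is handed, so a nil `token` becomes a non-nil `*SPolicyTokenCredential` whose every method dereferences `self.Token` and panics; if `auth.FetchUserCredential` can yield a nil credential for an unauthenticated request, a guard `if token == nil { return nil }` before the switch preserves the callers' existing nil checks. The factory registered in `init()` produces the same nil-`Token` wrapper (`return &SPolicyTokenCredential{}`); whether the serializer later fills the interface-typed `Token` field is not visible here and is worth confirming, since otherwise a deserialized credential is unusable. The single-case `switch token.(type)` reads more naturally as `if _, ok := token.(*SPolicyTokenCredential); ok { return token }`. A doc comment on the type stating that under RBAC `IsAdminAllow` honours only `rbacutils.AdminAllow`, so an owner-level grant never satisfies an admin check, would make that deliberate choice explicit.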
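Review bot: The policy wrapper is opt-in per call site: a handler that still calls `auth.FetchUserCredential(ctx)` without `policy.FilterPolicyCredential` receives the raw token, whose `IsAdminAllow` and `HasSystemAdminPrivelege` never consult `PolicyManager` even when RBAC is enabled. Because this commit also drops the `IsSystemAdmin()` short-circuit from `IsOwner`, such a call site silently reverts to the token's own admin logic rather than the configured policy. Applying the filter inside `auth.FetchUserCredential` itself, or in the auth middleware, would remove the chance of forgetting it; that function's signature is outside this hunk, so this is a suggestion to check there.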
@@ -80,7 +82,7 @@ func (manager *SBaremetalagentManager) ValidateCreateData(ctx context.Context, u
 }
 func (self *SBaremetalagent) AllowPerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "enable")
 }
 func (self *SBaremetalagent) PerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -95,7 +97,7 @@ func (self *SBaremetalagent) PerformEnable(ctx context.Context, userCred mcclien
 }
 func (self *SBaremetalagent) AllowPerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "disable")
 }
 func (self *SBaremetalagent) PerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -110,7 +112,7 @@ func (self *SBaremetalagent) PerformDisable(ctx context.Context, userCred mcclie
 }
 func (self *SBaremetalagent) AllowPerformOnline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "online")
 }
 func (self *SBaremetalagent) PerformOnline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
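Review bot: Each `AllowPerform*` in this file and in the sibling models changed by this commit (cachedimages, cloudaccounts, cloudproviders, cloudregions, disks, dnsrecords, dynamicschedtags, elasticips, guest_actions) repeats `userCred.IsAdminAllow(consts.GetServiceType(), <keyword plural>, policy.PolicyActionPerform, "<action>")` with the action as a string literal that has to match the handler's name (`"enable"` for `AllowPerformEnable`, and so on); a typo there produces a check that no policy rule can ever satisfy, and nothing at compile time catches it. A small helper in the db package, e.g. `func IsAdminAllowPerform(userCred mcclient.TokenCredential, model IStandaloneModel, action string) bool`, would centralise the service-type and resource lookup and leave only the action string at each call site. This is a style point; the per-call behaviour is the same either way.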
@@ -125,7 +127,7 @@ func (self *SBaremetalagent) PerformOnline(ctx context.Context, userCred mcclien
 }
 func (self *SBaremetalagent) AllowPerformOffline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "offline")
 }
 func (self *SBaremetalagent) PerformOffline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/cachedimages.go b/pkg/compute/models/cachedimages.go
index 3d49d59128..67e0069e25 100644
--- a/pkg/compute/models/cachedimages.go
+++ b/pkg/compute/models/cachedimages.go
@@ -16,8 +16,10 @@ import (
 "yunion.io/x/pkg/util/timeutils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/compute/options"
 )
@@ -240,7 +242,7 @@ func (self *SCachedimage) GetCustomizeColumns(ctx context.Context, userCred mccl
 }
 func (self *SCachedimage) AllowPerformRefresh(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "refresh")
 }
 func (self *SCachedimage) PerformRefresh(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/cloudaccounts.go b/pkg/compute/models/cloudaccounts.go
index fa889598f1..93d0bce62d 100644
--- a/pkg/compute/models/cloudaccounts.go
+++ b/pkg/compute/models/cloudaccounts.go
@@ -13,8 +13,10 @@ import (
 "yunion.io/x/pkg/utils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/cloudprovider"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient"
@@ -199,7 +201,7 @@ func (self *SCloudaccount) CanSync() bool {
 }
 func (self *SCloudaccount) AllowPerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "sync")
 }
 func (self *SCloudaccount) PerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -218,7 +220,7 @@ func (self *SCloudaccount) PerformSync(ctx context.Context, userCred mcclient.To
 }
 func (self *SCloudaccount) AllowPerformUpdateCredential(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "update-credential")
 }
 func (self *SCloudaccount) PerformUpdateCredential(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -444,7 +446,7 @@ func (self *SCloudaccount) ImportSubAccount(ctx context.Context, userCred mcclie
 }
 func (self *SCloudaccount) AllowPerformImport(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionPerform, "import")
 }
 func (self *SCloudaccount) PerformImport(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -618,7 +620,7 @@ func (self *SCloudaccount) GetBalance() (float64, error) {
 }
 func (self *SCloudaccount) AllowGetDetailsBalance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionGet, "balance")
 }
 func (self *SCloudaccount) GetDetailsBalance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/cloudproviders.go b/pkg/compute/models/cloudproviders.go
index 2a1361eb61..9ba07a5600 100644
--- a/pkg/compute/models/cloudproviders.go
+++ b/pkg/compute/models/cloudproviders.go
@@ -12,8 +12,10 @@ import (
 "yunion.io/x/pkg/utils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/cloudprovider"
 "yunion.io/x/onecloud/pkg/compute/options"
 "yunion.io/x/onecloud/pkg/httperrors"
@@ -297,7 +299,7 @@ func (sr *SSyncRange) Normalize() error {
 }
 func (self *SCloudprovider) AllowPerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "sync")
 }
 func (self *SCloudprovider) PerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -330,7 +332,7 @@ func (self *SCloudprovider) StartSyncCloudProviderInfoTask(ctx context.Context,
 }
 func (self *SCloudprovider) AllowPerformChangeProject(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "change-project")
 }
 func (self *SCloudprovider) PerformChangeProject(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -581,7 +583,7 @@ func (self *SCloudprovider) GetBalance() (float64, error) {
 }
 func (self *SCloudprovider) AllowGetDetailsBalance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "balance")
 }
 func (self *SCloudprovider) GetDetailsBalance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/cloudregions.go b/pkg/compute/models/cloudregions.go
index 3e4c931cc8..374682c40e 100644
--- a/pkg/compute/models/cloudregions.go
+++ b/pkg/compute/models/cloudregions.go
@@ -12,7 +12,9 @@ import (
 "yunion.io/x/pkg/util/compare"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/cloudprovider"
 )
@@ -248,7 +250,7 @@ func (manager *SCloudregionManager) newFromCloudRegion(cloudRegion cloudprovider
 }
 func (self *SCloudregion) AllowPerformDefaultVpc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "default-vpc")
 }
 func (self *SCloudregion) PerformDefaultVpc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/disks.go b/pkg/compute/models/disks.go
index e09560fc9e..f2c0e24168 100644
--- a/pkg/compute/models/disks.go
+++ b/pkg/compute/models/disks.go
@@ -19,9 +19,11 @@ import (
 "yunion.io/x/pkg/utils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/cloudprovider"
 "yunion.io/x/onecloud/pkg/compute/options"
 "yunion.io/x/onecloud/pkg/httperrors"
@@ -442,7 +444,7 @@ func (self *SDisk) StartAllocate(ctx context.Context, host *SHost, storage *SSto
 }
 func (self *SDisk) AllowGetDetailsConvertSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "convert-snapshot")
 }
 func (self *SDisk) GetDetailsConvertSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -499,7 +501,7 @@ func (self *SDisk) CleanUpDiskSnapshots(ctx context.Context, userCred mcclient.T
 }
 func (self *SDisk) AllowPerformCreateSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "create-snapshot")
 }
 func (self *SDisk) PerformCreateSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -513,7 +515,7 @@ func (self *SDisk) PerformCreateSnapshot(ctx context.Context, userCred mcclient.
 }
 func (self *SDisk) AllowPerformDiskReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "disk-reset")
 }
 func (self *SDisk) PerformDiskReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -560,7 +562,7 @@ func (self *SDisk) StartResetDisk(ctx context.Context, userCred mcclient.TokenCr
 }
 func (self *SDisk) AllowPerformResize(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "resize")
 }
 func (self *SDisk) PerformResize(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -651,7 +653,7 @@ func (self *SDisk) PrepareSaveImage(ctx context.Context, userCred mcclient.Token
 }
 func (self *SDisk) AllowPerformSave(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "save")
 }
 func (self *SDisk) PerformSave(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -1139,7 +1141,7 @@ func (self *SDisk) RealDelete(ctx context.Context, userCred mcclient.TokenCreden
 }
 func (self *SDisk) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "purge")
 }
 func (self *SDisk) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -1315,7 +1317,7 @@ func (self *SDisk) isInit() bool {
 }
 func (self *SDisk) AllowPerformCancelDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "cancel-delete")
 }
 func (self *SDisk) PerformCancelDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/dnsrecords.go b/pkg/compute/models/dnsrecords.go
index 14c5ec9f2f..74590ae471 100644
--- a/pkg/compute/models/dnsrecords.go
+++ b/pkg/compute/models/dnsrecords.go
@@ -11,7 +11,9 @@ import (
 "yunion.io/x/pkg/util/regutils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient"
 )
@@ -383,7 +385,7 @@ func (rec *SDnsRecord) AddInfo(userCred mcclient.TokenCredential, data jsonutils
 }
 func (rec *SDnsRecord) AllowPerformAddRecords(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return rec.IsOwner(userCred)
+ return rec.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), rec.KeywordPlural(), policy.PolicyActionPerform, "add-records")
 }
 func (rec *SDnsRecord) PerformAddRecords(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -402,7 +404,7 @@ func (rec *SDnsRecord) PerformAddRecords(ctx context.Context, userCred mcclient.
 }
 func (rec *SDnsRecord) AllowPerformRemoveRecords(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return rec.IsOwner(userCred)
+ return rec.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), rec.KeywordPlural(), policy.PolicyActionPerform, "remove-records")
 }
 func (rec *SDnsRecord) PerformRemoveRecords(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -411,7 +413,7 @@ func (rec *SDnsRecord) PerformRemoveRecords(ctx context.Context, userCred mcclie
 }
 func (rec *SDnsRecord) AllowPerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return rec.IsOwner(userCred) || userCred.IsSystemAdmin()
+ return rec.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), rec.KeywordPlural(), policy.PolicyActionPerform, "enable")
 }
 func (rec *SDnsRecord) PerformEnable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -429,7 +431,7 @@ func (rec *SDnsRecord) PerformEnable(ctx context.Context, userCred mcclient.Toke
 }
 func (rec *SDnsRecord) AllowPerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return rec.IsOwner(userCred) || userCred.IsSystemAdmin()
+ return rec.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), rec.KeywordPlural(), policy.PolicyActionPerform, "disable")
 }
 func (rec *SDnsRecord) PerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/dynamicschedtags.go b/pkg/compute/models/dynamicschedtags.go
index 3911948365..9770802575 100644
--- a/pkg/compute/models/dynamicschedtags.go
+++ b/pkg/compute/models/dynamicschedtags.go
@@ -7,7 +7,9 @@ import (
 "yunion.io/x/log"
 "database/sql"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient"
 "yunion.io/x/onecloud/pkg/util/conditionparser"
@@ -132,7 +134,7 @@ func (manager *SDynamicschedtagManager) getAllEnabledDynamicSchedtags() []SDynam
 }
 func (self *SDynamicschedtag) AllowPerformEvaluate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return userCred.IsSystemAdmin()
+ return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "evaluate")
 }
 func (self *SDynamicschedtag) PerformEvaluate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
diff --git a/pkg/compute/models/elasticips.go b/pkg/compute/models/elasticips.go
index b879e2010e..840f29bd35 100644
--- a/pkg/compute/models/elasticips.go
+++ b/pkg/compute/models/elasticips.go
@@ -13,10 +13,12 @@ import (
 "yunion.io/x/pkg/utils"
 "yunion.io/x/sqlchemy"
+ "yunion.io/x/onecloud/pkg/cloudcommon/consts"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
+ "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 "yunion.io/x/onecloud/pkg/cloudprovider"
 "yunion.io/x/onecloud/pkg/httperrors"
 "yunion.io/x/onecloud/pkg/mcclient"
@@ -493,7 +495,7 @@ func (self *SElasticip) StartEipDeallocateTask(ctx context.Context, userCred mcc
 }
 func (self *SElasticip) AllowPerformAssociate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "associate")
 }
 func (self *SElasticip) PerformAssociate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -593,7 +595,7 @@ func (self *SElasticip) StartEipAssociateTask(ctx context.Context, userCred mccl
 }
 func (self *SElasticip) AllowPerformDissociate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "dissociate")
 }
 func (self *SElasticip) PerformDissociate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -647,7 +649,7 @@ func (self *SElasticip) GetIEip() (cloudprovider.ICloudEIP, error) {
 }
 func (self *SElasticip) AllowPerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool {
- return self.IsOwner(userCred)
+ return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "sync")
 }
 func (self *SElasticip) PerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) {
@@ -731,7 +733,7 @@ func (manager *SElasticipManager) allocateEipAndAssociateVM(ctx context.Context, } func (self *SElasticip) AllowPerformChangeBandwidth(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "change-bandwidth") } func (self *SElasticip) PerformChangeBandwidth(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -834,7 +836,7 @@ func (manager *SElasticipManager) TotalCount(projectId string, rangeObj db.IStan } func (self *SElasticip) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SElasticip) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/guest_actions.go b/pkg/compute/models/guest_actions.go index 28cfa3fe33..3eab593ff8 100644 --- a/pkg/compute/models/guest_actions.go +++ b/pkg/compute/models/guest_actions.go @@ -23,6 +23,8 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/pkg/util/fileutils" "yunion.io/x/pkg/util/regutils" "yunion.io/x/pkg/utils" 
@@ -30,7 +32,7 @@ import ( ) func (self *SGuest) AllowGetDetailsVnc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "vnc") } func (self *SGuest) GetDetailsVnc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -51,7 +53,7 @@ func (self *SGuest) GetDetailsVnc(ctx context.Context, userCred mcclient.TokenCr } func (self *SGuest) AllowGetDetailsMonitor(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "monitor") } func (self *SGuest) GetDetailsMonitor(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -66,7 +68,7 @@ func (self *SGuest) GetDetailsMonitor(ctx context.Context, userCred mcclient.Tok } func (self *SGuest) AllowGetDetailsDesc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "desc") } func (self *SGuest) GetDetailsDesc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -79,7 +81,7 @@ func (self *SGuest) GetDetailsDesc(ctx context.Context, userCred mcclient.TokenC } func (self *SGuest) AllowPerformSaveImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "save-image") } func (self *SGuest) PerformSaveImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -117,7 +119,7 @@ func (self *SGuest) StartGuestSaveImage(ctx context.Context, userCred mcclient.T } func (self *SGuest) AllowPerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "sync") } func (self *SGuest) PerformSync(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -159,7 +161,7 @@ func (self *SGuest) CheckQemuVersion(qemuVer, compareVer string) bool { } func (self *SGuest) AllowPerformMigrate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "migrate") } func (self *SGuest) PerformMigrate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -186,7 +188,7 @@ func (self *SGuest) PerformMigrate(ctx context.Context, userCred mcclient.TokenC var preferHostId string preferHost, _ := data.GetString("prefer_host") if len(preferHost) > 0 { - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "assign-host") { return nil, httperrors.NewBadRequestError("Only system admin can assign host") } iHost, _ := HostManager.FetchByIdOrName(userCred, preferHost) @@ -219,7 +221,7 @@ func (self *SGuest) StartMigrateTask(ctx context.Context, userCred mcclient.Toke } func (self *SGuest) AllowPerformLiveMigrate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "live-migrate") } func (self *SGuest) PerformLiveMigrate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -249,7 +251,7 @@ func (self *SGuest) PerformLiveMigrate(ctx context.Context, userCred mcclient.To var preferHostId string preferHost, _ := data.GetString("prefer_host") if len(preferHost) > 0 { - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "assign-host") { return nil, httperrors.NewBadRequestError("Only system admin can assign host") } iHost, _ := HostManager.FetchByIdOrName(userCred, preferHost) 
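Review bot: The rewritten assign-host guard in PerformMigrate (and the identical branch in PerformLiveMigrate in the second hunk on this line, plus ValidateScheduleCreateData in helper.go) still fails with `httperrors.NewBadRequestError("Only system admin can assign host")`, so a policy denial is reported as a 400 with a message describing a rule that no longer exists. helper.go answers the same condition with `NewNotSufficientPrivilegeError`, which is the right class for an authorization refusal, so the three sites should agree on both status and wording, e.g. `return nil, httperrors.NewNotSufficientPrivilegeError("not allowed to assign host")`. Both PerformMigrate and PerformLiveMigrate begin and end outside these hunks.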
@@ -282,7 +284,7 @@ func (self *SGuest) StartGuestLiveMigrateTask(ctx context.Context, userCred mccl } func (self *SGuest) AllowPerformDeploy(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "deploy") } func (self *SGuest) PerformDeploy(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -345,7 +347,7 @@ func (self *SGuest) PerformDeploy(ctx context.Context, userCred mcclient.TokenCr } func (self *SGuest) AllowPerformAttachdisk(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "attachdisk") } func (self *SGuest) ValidateAttachDisk(ctx context.Context, disk *SDisk) error { @@ -425,7 +427,7 @@ func (self *SGuest) StartSyncTask(ctx context.Context, userCred mcclient.TokenCr } func (self *SGuest) AllowPerformSuspend(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "suspend") } func (self *SGuest) PerformSuspend(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -448,7 +450,7 @@ func (self *SGuest) AllowPerformStart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "start") } func (self *SGuest) PerformStart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, @@ -624,11 +626,11 @@ func (self *SGuest) StartDeleteGuestTask(ctx context.Context, userCred mcclient. } func (self *SGuest) AllowPerformAssignSecgroup(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "assign-secgroup") } func (self *SGuest) AllowPerformRevokeSecgroup(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "revoke-secgroup") } func (self *SGuest) PerformRevokeSecgroup(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -679,7 +681,7 @@ func (self *SGuest) PerformAssignSecgroup(ctx context.Context, userCred mcclient } func (self *SGuest) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsAdmin(userCred) + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SGuest) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -707,7 +709,7 @@ func (self *SGuest) setKeypairId(userCred mcclient.TokenCredential, keypairId st } func (self *SGuest) AllowPerformRebuildRoot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "rebuild-root") } func (self *SGuest) PerformRebuildRoot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -814,7 +816,7 @@ func (self *SGuest) DetachDisk(ctx context.Context, disk *SDisk, userCred mcclie } func (self *SGuest) AllowPerformCreatedisk(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "createdisk") } func (self *SGuest) PerformCreatedisk(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -885,7 +887,7 @@ func (self *SGuest) PerformCreatedisk(ctx context.Context, userCred mcclient.Tok } func (self *SGuest) AllowPerformDetachdisk(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "detachdisk") } func (self *SGuest) PerformDetachdisk(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -931,7 +933,7 @@ func (self *SGuest) PerformDetachdisk(ctx context.Context, userCred mcclient.Tok } func (self *SGuest) AllowPerformDetachIsolatedDevice(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "detach-isolated-device") } func (self *SGuest) PerformDetachIsolatedDevice(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -981,7 +983,7 @@ func (self *SGuest) detachIsolateDevice(userCred mcclient.TokenCredential, dev * } func (self *SGuest) AllowPerformAttachIsolatedDevice(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "attach-isolated-device") } func (self *SGuest) PerformAttachIsolatedDevice(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
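Review bot: AllowPerformDetachIsolatedDevice and AllowPerformAttachIsolatedDevice (third and fourth hunks on this line) change from `userCred.IsSystemAdmin()` to `self.IsOwner(userCred) || userCred.IsAdminAllow(...)`, which grants every guest owner an operation that previously required a system admin; every other hunk in this file only swaps the admin predicate, so this is a widening of access rather than the mechanical replacement the commit describes. Binding an isolated host device to a guest is a host-level resource decision, so if owner access is intended it should be stated in the commit message and preferably expressed through the policy engine rather than an unconditional owner short-circuit; otherwise drop the `self.IsOwner(userCred) || ` prefix on both added lines so they match the other admin-only actions.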
@@ -1019,7 +1021,7 @@ func (self *SGuest) PerformAttachIsolatedDevice(ctx context.Context, userCred mc } func (self *SGuest) AllowPerformDetachnetwork(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "detachnetwork") } func (self *SGuest) PerformDetachnetwork(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1041,7 +1043,7 @@ func (self *SGuest) PerformDetachnetwork(ctx context.Context, userCred mcclient. } func (self *SGuest) AllowPerformAttachnetwork(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "attachnetwork") } func (self *SGuest) PerformAttachnetwork(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1092,7 +1094,7 @@ func (self *SGuest) PerformAttachnetwork(ctx context.Context, userCred mcclient. } func (self *SGuest) AllowPerformChangeBandwidth(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) || userCred.IsSystemAdmin() + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "change-bandwidth") } func (self *SGuest) PerformChangeBandwidth(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -1126,7 +1128,7 @@ func (self *SGuest) PerformChangeBandwidth(ctx context.Context, userCred mcclien } func (self *SGuest) AllowPerformChangeConfig(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) || self.IsAdmin(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "change-config") } func (self *SGuest) PerformChangeConfig(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1317,7 +1319,7 @@ func (self *SGuest) DoPendingDelete(ctx context.Context, userCred mcclient.Token } func (model *SGuest) AllowPerformCancelDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionPerform, "cancel-delete") } func (self *SGuest) PerformCancelDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1353,7 +1355,7 @@ func (self *SGuest) AllowPerformReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "reset") } func (self *SGuest) PerformReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, 
@@ -1367,7 +1369,7 @@ func (self *SGuest) PerformReset(ctx context.Context, userCred mcclient.TokenCre } func (self *SGuest) AllowPerformDiskSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "disk-snapshot") } func (self *SGuest) PerformDiskSnapshot(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1421,7 +1423,7 @@ func (self *SGuest) PerformDiskSnapshot(ctx context.Context, userCred mcclient.T } func (self *SGuest) AllowPerformSyncstatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "syncstatus") } func (self *SGuest) PerformSyncstatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1465,7 +1467,7 @@ func (self *SGuest) AllowPerformStop(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "stop") } func (self *SGuest) PerformStop(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, 
@@ -1482,7 +1484,7 @@ func (self *SGuest) AllowPerformRestart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "restart") } func (self *SGuest) PerformRestart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1495,7 +1497,7 @@ func (self *SGuest) PerformRestart(ctx context.Context, userCred mcclient.TokenC } func (self *SGuest) AllowPerformSendkeys(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "sendkeys") } func (self *SGuest) PerformSendkeys(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1569,7 +1571,7 @@ func (self *SGuest) SendMonitorCommand(ctx context.Context, userCred mcclient.To } func (self *SGuest) AllowPerformAssociateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "associate-eip") } func (self *SGuest) PerformAssociateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -1637,7 +1639,7 @@ func (self *SGuest) PerformAssociateEip(ctx context.Context, userCred mcclient.T } func (self *SGuest) AllowPerformDissociateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "dissociate-eip") } func (self *SGuest) PerformDissociateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1661,7 +1663,7 @@ func (self *SGuest) PerformDissociateEip(ctx context.Context, userCred mcclient. } func (self *SGuest) AllowPerformCreateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "create-eip") } func (self *SGuest) PerformCreateEip(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1716,7 +1718,7 @@ func (self *SGuest) setUserData(ctx context.Context, userCred mcclient.TokenCred } func (self *SGuest) AllowPerformUserData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "userdata") } func (self *SGuest) PerformUserData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/guests.go b/pkg/compute/models/guests.go index 4d513dea9a..011b3ae613 100644 
--- a/pkg/compute/models/guests.go +++ b/pkg/compute/models/guests.go @@ -22,9 +22,11 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" "yunion.io/x/onecloud/pkg/cloudcommon/db/quotas" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/compute/options" "yunion.io/x/onecloud/pkg/compute/sshkeys" @@ -207,7 +209,7 @@ type SGuest struct { func (manager *SGuestManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { if query.Contains("host") || query.Contains("wire") || query.Contains("zone") { - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { return false } } @@ -919,7 +921,7 @@ func (self *SGuest) getExtBandwidth() int { func (self *SGuest) GetCustomizeColumns(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) *jsonutils.JSONDict { extra := self.SVirtualResourceBase.GetCustomizeColumns(ctx, userCred, query) - if userCred.IsSystemAdmin() { + if userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet) { host := self.GetHost() if host != nil { extra.Add(jsonutils.NewString(host.Name), "host") @@ -1012,7 +1014,7 @@ func (self *SGuest) GetExtraDetails(ctx context.Context, userCred mcclient.Token if metaData, err := self.GetAllMetadata(userCred); err == nil { extra.Add(jsonutils.Marshal(metaData), "metadata") } - if userCred.IsSystemAdmin() { + if userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet) { host := self.GetHost() if host != nil { extra.Add(jsonutils.NewString(host.GetName()), "host") 
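Review bot: In GetCustomizeColumns and GetExtraDetails the admin-only `host` column is now revealed whenever `userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet)` passes, i.e. the same bare Get action that presumably governs reading the server record at all, so a policy cannot grant an operator GET on servers without also exposing host placement. The sub-action form this commit already uses in guest_actions.go (`policy.PolicyActionGet, "vnc"`) would let the two be separated, for example a constructed sub-action such as `policy.PolicyActionGet, "host"` on both lines. Whether IsAdminAllow itself restricts the result to admin roles cannot be confirmed from this hunk; both functions continue outside it.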
@@ -2211,10 +2213,10 @@ func (self *SGuest) AllowDeleteItem(ctx context.Context, userCred mcclient.Token overridePendingDelete = jsonutils.QueryBoolean(data, "override_pending_delete", false) purge = jsonutils.QueryBoolean(data, "purge", false) } - if (overridePendingDelete || purge) && !userCred.IsSystemAdmin() { + if (overridePendingDelete || purge) && !userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) { return false } - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SGuest) CustomizeDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) error { diff --git a/pkg/compute/models/helper.go b/pkg/compute/models/helper.go index 41e680cdf6..83575fd8ac 100644 --- a/pkg/compute/models/helper.go +++ b/pkg/compute/models/helper.go @@ -10,8 +10,10 @@ import ( "yunion.io/x/log" "yunion.io/x/pkg/utils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" ) @@ -47,7 +49,7 @@ func ValidateScheduleCreateData(ctx context.Context, userCred mcclient.TokenCred // base validate_create_data if (data.Contains("prefer_baremetal") || data.Contains("prefer_host")) && hypervisor != HYPERVISOR_CONTAINER { - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), GuestManager.KeywordPlural(), policy.PolicyActionPerform, "assign-host") { return nil, httperrors.NewNotSufficientPrivilegeError("Only system admin can specify preferred host") } bmName, _ := data.GetString("prefer_host") diff --git a/pkg/compute/models/hostjoints.go b/pkg/compute/models/hostjoints.go index c6477c1877..b8d7dac8f3 100644 
--- a/pkg/compute/models/hostjoints.go +++ b/pkg/compute/models/hostjoints.go @@ -6,7 +6,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/onecloud/pkg/mcclient" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" ) type SHostJointsManager struct { 
@@ -31,29 +33,29 @@ type SHostJointsBase struct { } func (manager *SHostJointsManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) } func (manager *SHostJointsManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) } func (manager *SHostJointsManager) AllowListDescendent(ctx context.Context, userCred mcclient.TokenCredential, model db.IStandaloneModel, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) } func (manager *SHostJointsManager) AllowAttach(ctx context.Context, userCred mcclient.TokenCredential, master db.IStandaloneModel, slave db.IStandaloneModel) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionDelete) } func (self *SHostJointsBase) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionGet) } func (self *SHostJointsBase) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionUpdate) } func (self *SHostJointsBase) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - 
return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.GetModelManager().KeywordPlural(), policy.PolicyActionDelete) } diff --git a/pkg/compute/models/hosts.go b/pkg/compute/models/hosts.go index 187ed6e7d0..5edbc95027 100644 --- a/pkg/compute/models/hosts.go +++ b/pkg/compute/models/hosts.go @@ -20,9 +20,11 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/compute/baremetal" "yunion.io/x/onecloud/pkg/compute/options" @@ -142,7 +144,7 @@ type SHost struct { // Status string = Column(VARCHAR(16, charset='ascii'), nullable=False, default=baremetalstatus.INIT) # status HostStatus string `width:"16" charset:"ascii" nullable:"false" default:"offline" list:"admin"` // Column(VARCHAR(16, charset='ascii'), nullable=False, server_default=HOST_OFFLINE, default=HOST_OFFLINE) - ZoneId string `width:"128" charset:"ascii" nullable:"false" list:"admin" create:"admin_required"` // Column(VARCHAR(ID_LENGTH, charset='ascii'), nullable=False) + ZoneId string `width:"128" charset:"ascii" nullable:"false" list:"admin" create:"admin_optional"` // Column(VARCHAR(ID_LENGTH, charset='ascii'), nullable=False) HostType string `width:"36" charset:"ascii" nullable:"false" list:"admin" update:"admin" create:"admin_required"` // Column(VARCHAR(36, charset='ascii'), nullable=False) 
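Review bot: SHostJointsManager.AllowAttach checks `policy.PolicyActionDelete`, while the sibling AllowCreateItem a few lines above checks `policy.PolicyActionCreate`; attaching creates a host join, so a credential granted delete-but-not-create on these joints would be allowed to attach and one granted create would be refused. Unless the mapping is deliberate, the line should read `return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate)`. If it is deliberate, a one-line comment explaining why attach is governed by the delete permission would save the next reader the same question.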
@@ -160,15 +162,16 @@ func (manager *SHostManager) GetContextManager() []db.IModelManager { } func (manager *SHostManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - zoneId, err := data.GetString("zone_id") + // allow create host without zone_id + /*zoneId, err := data.GetString("zone_id") if err != nil { return false } _, err = ZoneManager.FetchById(zoneId) if err != nil { return false - } - return userCred.IsSystemAdmin() + }*/ + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) } func (manager *SHostManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (*sqlchemy.SQuery, error) { @@ -261,6 +264,9 @@ func (manager *SHostManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQu } func (self *SHost) GetZone() *SZone { + if len(self.ZoneId) == 0 { + return nil + } zone, _ := ZoneManager.FetchById(self.ZoneId) if zone != nil { return zone.(*SZone) @@ -1781,7 +1787,7 @@ func (self *SHost) GetExtraDetails(ctx context.Context, userCred mcclient.TokenC } func (self *SHost) AllowGetDetailsVnc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "vnc") } func (self *SHost) GetDetailsVnc(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
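Review bot: SHostManager.AllowCreateItem keeps the old zone_id lookup as a commented-out block instead of deleting it, and with it the existence check on a caller-supplied zone_id disappears from the create path entirely. If a zone that the caller does supply should still be validated, that belongs in ValidateCreateData (not visible here) rather than in an authorization hook; either way the dead code should go and the intent kept as a comment such as `// zone_id is optional on host creation (ZoneId is create:"admin_optional"); validation of a supplied zone happens in ValidateCreateData`, adjusted to wherever the check actually lives. The nil return added to GetZone for an empty ZoneId is the right companion change, but callers that dereference its result without a nil check are outside this hunk and should be audited.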
@@ -1796,7 +1802,7 @@ func (self *SHost) GetDetailsVnc(ctx context.Context, userCred mcclient.TokenCre } func (self *SHost) AllowGetDetailsIpmi(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "ipmi") } func (self *SHost) GetDetailsIpmi(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2087,7 +2093,7 @@ func (self *SHost) AllowPerformStart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "start") } func (self *SHost) PerformStart(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, @@ -2122,7 +2128,7 @@ func (self *SHost) AllowPerformStop(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "stop") } func (self *SHost) PerformStop(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, @@ -2172,7 +2178,8 @@ func (self *SHost) AllowPerformMaintenance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "maintenance") + } func (self *SHost) PerformMaintenance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
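Review bot: The AllowPerformMaintenance hunk adds an empty line between the new return statement and the closing brace, which none of the other rewritten Allow* methods in this file have and which gofmt normally strips from the end of a block. Drop the added blank line so `return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "maintenance")` is followed directly by `}`, matching the neighbouring hunks.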
@@ -2211,7 +2218,7 @@ func (self *SHost) AllowPerformUnmaintenance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "unmaintenance") } func (self *SHost) PerformUnmaintenance(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2273,7 +2280,7 @@ func (self *SHost) AllowPerformOffline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "offline") } func (self *SHost) PerformOffline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2292,7 +2299,7 @@ func (self *SHost) AllowPerformOnline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "online") } func (self *SHost) PerformOnline(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -2325,7 +2332,7 @@ func (self *SHost) AllowPerformPing(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "ping") } func (self *SHost) PerformPing(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2352,7 +2359,7 @@ func (self *SHost) AllowPerformPrepare(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "prepare") } func (self *SHost) PerformPrepare(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2388,7 +2395,7 @@ func (self *SHost) AllowPerformAddNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "add-netif") } func (self *SHost) PerformAddNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -2540,7 +2547,7 @@ func (self *SHost) AllowPerformEnableNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "enable-netif") } func (self *SHost) PerformEnableNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2614,7 +2621,7 @@ func (self *SHost) AllowPerformDisableNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "disable-netif") } func (self *SHost) PerformDisableNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2668,7 +2675,7 @@ func (self *SHost) AllowPerformRemoveNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "remove-netif") } func (self *SHost) PerformRemoveNetif(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -2722,7 +2729,7 @@ func (self *SHost) AllowPerformSyncstatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "syncstatus") } func (self *SHost) PerformSyncstatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2734,7 +2741,7 @@ func (self *SHost) AllowPerformReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "reset") } func (self *SHost) PerformReset(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2764,7 +2771,7 @@ func (self *SHost) AllowPerformRemoveAllNetifs(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "remove-all-netifs") } func (self *SHost) PerformRemoveAllNetifs(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -2781,7 +2788,7 @@ func (self *SHost) AllowPerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "disable") } func (self *SHost) PerformDisable(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2804,7 +2811,7 @@ func (self *SHost) AllowPerformCacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "cache-image") } func (self *SHost) PerformCacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -2836,7 +2843,7 @@ func (self *SHost) AllowPerformConvertHypervisor(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "convert-hypervisor") } func (self *SHost) isAlterNameUnique(name string) bool { @@ -2902,7 +2909,7 @@ func (self *SHost) AllowPerformUndoConvert(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "undo-convert") } func (self *SHost) PerformUndoConvert(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
diff --git a/pkg/compute/models/inframanagers.go b/pkg/compute/models/inframanagers.go index 962f752369..96c9a5607f 100644 --- a/pkg/compute/models/inframanagers.go +++ b/pkg/compute/models/inframanagers.go @@ -3,6 +3,8 @@ package models import ( "context" "yunion.io/x/jsonutils" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/mcclient" ) @@ -13,21 +15,21 @@ type SInfrastructure struct { } func (self *SInfrastructureManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), "*", policy.PolicyActionList) } func (self *SInfrastructureManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), "*", policy.PolicyActionCreate) } func (self *SInfrastructure) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), "*", policy.PolicyActionGet) } func (self *SInfrastructure) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), "*", policy.PolicyActionUpdate) } func (self *SInfrastructure) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), "*", policy.PolicyActionDelete) } diff --git a/pkg/compute/models/isolated_devices.go b/pkg/compute/models/isolated_devices.go index 0c30205d36..7e55afb02b 100644 --- a/pkg/compute/models/isolated_devices.go 
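Review bot: The five SInfrastructure hunks pass the literal `"*"` as the resource name to IsAdminAllow, whereas every other hunk in this commit passes the manager's KeywordPlural(). Whether that wildcard is evaluated as "any resource in this service" or has to match a literal `*` in a policy is decided in the policy package, which is not visible here; in the first case an admin holding any compute-resource permission would pass these checks, in the second they can only be satisfied by a wildcard grant. Either way the intent deserves a comment on AllowListItems such as `// infrastructure endpoints are gated by a service-wide ("*") resource policy`, or the concrete resource keyword if one exists.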
+++ b/pkg/compute/models/isolated_devices.go @@ -7,7 +7,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/pkg/util/regutils" @@ -80,7 +82,7 @@ type SIsolatedDevice struct { func (manager *SIsolatedDeviceManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { host, _ := query.GetString("host") - if len(host) > 0 && !userCred.IsSystemAdmin() { + if len(host) > 0 && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { return false } return true @@ -92,7 +94,7 @@ func (manager *SIsolatedDeviceManager) ExtraSearchConditions(ctx context.Context } func (manager *SIsolatedDeviceManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) } func (manager *SIsolatedDeviceManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (*sqlchemy.SQuery, error) { diff --git a/pkg/compute/models/keypairs.go b/pkg/compute/models/keypairs.go index 687a21243f..67ae5c7638 100644 --- a/pkg/compute/models/keypairs.go +++ b/pkg/compute/models/keypairs.go @@ -8,7 +8,9 @@ import ( "yunion.io/x/sqlchemy" "golang.org/x/crypto/ssh" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/seclib2" 
@@ -47,7 +49,7 @@ func (manager *SKeypairManager) ListItemFilter(ctx context.Context, q *sqlchemy. if err != nil { return nil, err } - if userCred.IsSystemAdmin() && jsonutils.QueryBoolean(query, "admin", false) { + if jsonutils.QueryBoolean(query, "admin", false) && userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { user, _ := query.GetString("user") if len(user) > 0 { uc, _ := db.UserCacheManager.FetchUserByIdOrName(user) @@ -71,7 +73,7 @@ func (self *SKeypair) IsOwner(userCred mcclient.TokenCredential) bool { } func (self *SKeypair) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) || userCred.IsSystemAdmin() + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet) } func (self *SKeypair) GetCustomizeColumns(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) *jsonutils.JSONDict { @@ -85,7 +87,7 @@ func (self *SKeypair) GetExtraDetails(ctx context.Context, userCred mcclient.Tok extra := self.SStandaloneResourceBase.GetExtraDetails(ctx, userCred, query) extra.Add(jsonutils.NewInt(int64(len(self.PrivateKey))), "private_key_len") extra.Add(jsonutils.NewInt(int64(self.GetLinkedGuestsCount())), "linked_guest_count") - if userCred.IsSystemAdmin() { + if userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet) { extra.Add(jsonutils.NewString(self.OwnerId), "owner_id") uc, _ := db.UserCacheManager.FetchUserById(self.OwnerId) if uc != nil { 
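Review bot: The AllowGetDetails and GetExtraDetails hunks widen access to another user's keypair from the system admin to any principal for which IsAdminAllow grants `get` on keypairs, and the same owner-or-admin widening recurs for keypair update on the next line, network reserve-ip/release-reserved-ip/reserved-ips, security-group-rule update/delete and snapshot delete/deleted later in the diff. The commit message describes replacing IsSystemAdmin, but several of these checks were owner-only before and admitted no admin at all, so the policy scope is now the only thing between a delegated admin and another project's keys, IPs and rules. It is worth confirming that the policy set shipped with this change does not hand these actions to the broad admin role by default, and that GetExtraDetails still omits private-key material for non-owners. A short comment on AllowGetDetails, e.g. `// owners always pass; admins additionally need the keypairs:get policy`, would document the new contract.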
@@ -100,11 +102,11 @@ func (manager *SKeypairManager) AllowCreateItem(ctx context.Context, userCred mc } func (self *SKeypair) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionUpdate) } func (self *SKeypair) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) || userCred.IsSystemAdmin() + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SKeypair) GetLinkedGuestsCount() int { diff --git a/pkg/compute/models/loadbalanceracls.go b/pkg/compute/models/loadbalanceracls.go index 94fd544b2a..d177401fe9 100644 --- a/pkg/compute/models/loadbalanceracls.go +++ b/pkg/compute/models/loadbalanceracls.go @@ -12,7 +12,9 @@ import ( "yunion.io/x/pkg/gotypes" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -136,7 +138,7 @@ func (lbacl *SLoadbalancerAcl) ValidateUpdateData(ctx context.Context, userCred } func (lbacl *SLoadbalancerAcl) AllowPerformPatch(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) bool { - return lbacl.IsOwner(userCred) || userCred.IsSystemAdmin() + return lbacl.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), lbacl.KeywordPlural(), policy.PolicyActionPerform, "patch") } // PerformPatch patches acl entries by adding then deleting the specified acls. 
diff --git a/pkg/compute/models/loadbalanceragents.go b/pkg/compute/models/loadbalanceragents.go index 29269063fd..b7a0a1f455 100644 --- a/pkg/compute/models/loadbalanceragents.go +++ b/pkg/compute/models/loadbalanceragents.go @@ -12,7 +12,9 @@ import ( "yunion.io/x/log" "yunion.io/x/pkg/gotypes" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -354,7 +356,7 @@ func (man *SLoadbalancerAgentManager) CleanPendingDeleteLoadbalancers(ctx contex } func (man *SLoadbalancerAgentManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), man.KeywordPlural(), policy.PolicyActionCreate) } func (lbagent *SLoadbalancerAgent) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { @@ -400,7 +402,7 @@ func (lbagent *SLoadbalancerAgent) ValidateUpdateData(ctx context.Context, userC } func (lbagent *SLoadbalancerAgent) AllowPerformHb(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), lbagent.KeywordPlural(), policy.PolicyActionPerform, "hb") } func (lbagent *SLoadbalancerAgent) PerformHb(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { 
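Review bot: AllowPerformHb in the second loadbalanceragents hunk now requires IsAdminAllow for `perform:hb` on loadbalanceragents, and heartbeats are presumably sent by the agent's own service credential rather than by a human admin. Unless the token that credential obtains passes through the policy filter described in the commit message and its policy includes this action, every agent heartbeat fails closed after this change and agents stop being reported active. A comment on the method recording this dependency, e.g. `// the lbagent service account must hold perform:hb on loadbalanceragents`, would save the next deployer a search; the same applies to AllowPerformParamsPatch on the next line.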
@@ -426,7 +428,7 @@ func (lbagent *SLoadbalancerAgent) IsActive() bool { } func (lbagent *SLoadbalancerAgent) AllowPerformParamsPatch(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), lbagent.KeywordPlural(), policy.PolicyActionPerform, "params-patch") } func (lbagent *SLoadbalancerAgent) PerformParamsPatch(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { diff --git a/pkg/compute/models/loadbalancerbackends.go b/pkg/compute/models/loadbalancerbackends.go index f82dcc65cc..2ebc741a75 100644 --- a/pkg/compute/models/loadbalancerbackends.go +++ b/pkg/compute/models/loadbalancerbackends.go @@ -7,7 +7,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/mcclient" ) @@ -137,7 +139,7 @@ func (man *SLoadbalancerBackendManager) ValidateCreateData(ctx context.Context, } baseName = guest.Name case LB_BACKEND_HOST: - if !userCred.IsSystemAdmin() { + if !userCred.IsAdminAllow(consts.GetServiceType(), man.KeywordPlural(), policy.PolicyActionCreate) { return nil, fmt.Errorf("only sysadmin can specify host as backend") } backendV := validators.NewModelIdOrNameValidator("backend", "host", userCred.GetProjectId()) diff --git a/pkg/compute/models/loadbalancerlistenerrules.go b/pkg/compute/models/loadbalancerlistenerrules.go index 71be2e4b89..a78f271e25 100644 --- a/pkg/compute/models/loadbalancerlistenerrules.go +++ b/pkg/compute/models/loadbalancerlistenerrules.go 
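Review bot: The message in the loadbalancerbackends hunk, `only sysadmin can specify host as backend`, no longer matches the check it follows, which now accepts any principal that the policy grants `create` on loadbalancerbackends. Rewording it to `return nil, fmt.Errorf("not allowed to specify host as backend")` stops the error from pointing operators at the wrong fix; if errors from ValidateCreateData are mapped to a 400 response, a forbidden-type error would also describe the situation better. ValidateCreateData itself starts and ends outside the hunk.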
@@ -8,7 +8,9 @@ import ( "yunion.io/x/log" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -126,7 +128,7 @@ func (man *SLoadbalancerListenerRuleManager) ValidateCreateData(ctx context.Cont } func (lbr *SLoadbalancerListenerRule) AllowPerformStatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return lbr.IsOwner(userCred) || userCred.IsSystemAdmin() + return lbr.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), lbr.KeywordPlural(), policy.PolicyActionPerform, "status") } func (lbr *SLoadbalancerListenerRule) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { diff --git a/pkg/compute/models/loadbalancerlisteners.go b/pkg/compute/models/loadbalancerlisteners.go index 7ce180e9c1..6a115282fa 100644 --- a/pkg/compute/models/loadbalancerlisteners.go +++ b/pkg/compute/models/loadbalancerlisteners.go @@ -9,8 +9,10 @@ import ( "yunion.io/x/log" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" 
@@ -295,7 +297,7 @@ func (man *SLoadbalancerListenerManager) validateAcl(aclStatusV *validators.Vali } func (lblis *SLoadbalancerListener) AllowPerformStatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return lblis.IsOwner(userCred) || userCred.IsSystemAdmin() + return lblis.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), lblis.KeywordPlural(), policy.PolicyActionPerform, "status") } func (lblis *SLoadbalancerListener) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { diff --git a/pkg/compute/models/loadbalancers.go b/pkg/compute/models/loadbalancers.go index 787a4b3159..00ce2c2219 100644 --- a/pkg/compute/models/loadbalancers.go +++ b/pkg/compute/models/loadbalancers.go @@ -9,8 +9,10 @@ import ( "yunion.io/x/pkg/util/netutils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudcommon/validators" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -132,7 +134,7 @@ func (man *SLoadbalancerManager) ValidateCreateData(ctx context.Context, userCre } func (lb *SLoadbalancer) AllowPerformStatus(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return lb.IsOwner(userCred) || userCred.IsSystemAdmin() + return lb.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), lb.KeywordPlural(), policy.PolicyActionPerform, "status") } func (lb *SLoadbalancer) PostCreate(ctx context.Context, userCred mcclient.TokenCredential, ownerProjId string, query jsonutils.JSONObject, data jsonutils.JSONObject) { 
diff --git a/pkg/compute/models/networks.go b/pkg/compute/models/networks.go index c1ddf8b93d..d6316a8ff1 100644 --- a/pkg/compute/models/networks.go +++ b/pkg/compute/models/networks.go @@ -17,8 +17,10 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/compute/options" "yunion.io/x/onecloud/pkg/httperrors" @@ -134,7 +136,7 @@ func (self *SNetwork) GetVpc() *SVpc { } func (manager *SNetworkManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) } func (self *SNetwork) ValidateDeleteCondition(ctx context.Context) error { @@ -627,7 +629,7 @@ func (manager *SNetworkManager) allNetworksQ(rangeObj db.IStandaloneModel) *sqlc func (manager *SNetworkManager) totalPortCountQ(userCred mcclient.TokenCredential, rangeObj db.IStandaloneModel) *sqlchemy.SQuery { q := manager.allNetworksQ(rangeObj) networks := manager.Query().SubQuery() - if userCred != nil && !userCred.IsSystemAdmin() { + if userCred != nil && !userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { q = q.Filter(sqlchemy.OR( sqlchemy.Equals(networks.Field("tenant_id"), userCred.GetProjectId()), sqlchemy.IsTrue(networks.Field("is_public")))) 
@@ -759,7 +761,8 @@ func isValidNetworkInfo(userCred mcclient.TokenCredential, netConfig *SNetworkCo return httperrors.NewInputParameterError("Address %s not in range", netConfig.Address) } if netConfig.Reserved { - if !userCred.IsSystemAdmin() { + // the privilege to access reserved ip + if !userCred.IsAdminAllow(consts.GetServiceType(), ReservedipManager.KeywordPlural(), policy.PolicyActionGet) { return httperrors.NewForbiddenError("Only system admin allowed to use reserved ip") } if ReservedipManager.GetReservedIP(net, netConfig.Address) == nil { @@ -876,7 +879,7 @@ func (self *SNetwork) GetCustomizeColumns(ctx context.Context, userCred mcclient } func (self *SNetwork) AllowPerformReserveIp(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "reserve-ip") } func (self *SNetwork) PerformReserveIp(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -903,7 +906,7 @@ func (self *SNetwork) PerformReserveIp(ctx context.Context, userCred mcclient.To } func (self *SNetwork) AllowPerformReleaseReservedIp(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "release-reserved-ip") } func (self *SNetwork) PerformReleaseReservedIp(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
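Review bot: In the isValidNetworkInfo hunk the right to assign a reserved IP to a new resource is gated on `policy.PolicyActionGet` for reservedips, so a policy that was only meant to let someone read the reservation list also lets them consume reserved addresses. If the policy package offers no closer fit, state the intent explicitly, e.g. `// consuming a reserved IP is gated on reservedips:get; no dedicated policy action exists yet` in place of the terse `// the privilege to access reserved ip`, and update the error text `Only system admin allowed to use reserved ip` to match the policy-based check. The enclosing function starts and ends outside the hunk.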
@@ -920,7 +923,7 @@ func (self *SNetwork) PerformReleaseReservedIp(ctx context.Context, userCred mcc } func (self *SNetwork) AllowGetDetailsReservedIps(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionGet, "reserved-ips") } func (self *SNetwork) GetDetailsReservedIps(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -1211,7 +1214,7 @@ func isOverlapNetworks(nets []SNetwork, startIp netutils.IPV4Addr, endIp netutil } func (self *SNetwork) CustomizeCreate(ctx context.Context, userCred mcclient.TokenCredential, ownerProjId string, query jsonutils.JSONObject, data jsonutils.JSONObject) error { - if userCred.IsSystemAdmin() && ownerProjId == userCred.GetProjectId() { + if userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionCreate) && ownerProjId == userCred.GetProjectId() { self.IsPublic = true } else { self.IsPublic = false @@ -1396,7 +1399,7 @@ func (self *SNetwork) ValidateUpdateCondition(ctx context.Context) error { } func (self *SNetwork) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SNetwork) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/reservedips.go b/pkg/compute/models/reservedips.go index a03c11e945..80ca7fa632 100644 --- a/pkg/compute/models/reservedips.go +++ b/pkg/compute/models/reservedips.go 
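Review bot: The CustomizeCreate hunk makes a network public by default whenever the creator passes IsAdminAllow for `create` on networks and the owner project is the creator's own, where previously only a system admin triggered this. Any delegated admin who may create networks therefore publishes them to every project unless is_public is set explicitly, which is a visibility default worth a deliberate decision rather than an automatic consequence of the policy migration. A comment such as `// networks created by a policy admin in their own project default to public; all others default to private` would at least make the rule discoverable.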
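Review bot: AllowPerformPurge in the last networks hunk on this line checks `policy.PolicyActionDelete` instead of `policy.PolicyActionPerform` with a `"purge"` action, unlike every other Perform* handler rewritten in this commit; the snapshots AllowPerformPurge hunk later in the diff makes the same choice. Treating purge as a delete for policy purposes is defensible, but it means no policy can permit delete while forbidding purge, so the choice should be recorded on the method, e.g. `// purge is authorised as a delete: there is no separate "purge" policy action`.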
@@ -6,7 +6,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/sqlchemy" @@ -39,7 +41,7 @@ type SReservedip struct { } func (manager *SReservedipManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) } func (manager *SReservedipManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { diff --git a/pkg/compute/models/schedpolicies.go b/pkg/compute/models/schedpolicies.go index 185f932e6b..edf88f4832 100644 --- a/pkg/compute/models/schedpolicies.go +++ b/pkg/compute/models/schedpolicies.go @@ -7,7 +7,9 @@ import ( "database/sql" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/util/conditionparser" @@ -121,7 +123,7 @@ func (manager *SSchedpolicyManager) getAllEnabledPolicies() []SSchedpolicy { } func (self *SSchedpolicy) AllowPerformEvaluate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "evaluate") } func (self *SSchedpolicy) PerformEvaluate(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
diff --git a/pkg/compute/models/secgrouprules.go b/pkg/compute/models/secgrouprules.go index e107610536..126cc3ca7f 100644 --- a/pkg/compute/models/secgrouprules.go +++ b/pkg/compute/models/secgrouprules.go @@ -9,7 +9,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/pkg/util/compare" @@ -78,14 +80,14 @@ func (manager *SSecurityGroupRuleManager) AllowListItems(ctx context.Context, us func (self *SSecurityGroupRule) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { if secgroup := self.GetSecGroup(); secgroup != nil { - return secgroup.IsOwner(userCred) + return secgroup.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionUpdate) } return false } func (self *SSecurityGroupRule) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { if secgroup := self.GetSecGroup(); secgroup != nil { - return secgroup.IsOwner(userCred) + return secgroup.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } return false } diff --git a/pkg/compute/models/snapshots.go b/pkg/compute/models/snapshots.go index ea57780729..b586fd9bff 100644 --- a/pkg/compute/models/snapshots.go +++ b/pkg/compute/models/snapshots.go @@ -11,8 +11,10 @@ import ( "yunion.io/x/pkg/util/compare" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/compute/options" "yunion.io/x/onecloud/pkg/httperrors" 
@@ -86,8 +88,8 @@ func ValidateSnapshotName(hypervisor, name, owner string) error { return nil } -func (self *SSnapshot) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return self.IsOwner(userCred) +func (self *SSnapshotManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { + return true } func (manager *SSnapshotManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (*sqlchemy.SQuery, error) { @@ -323,7 +325,7 @@ func (self *SSnapshotManager) CreateSnapshot(ctx context.Context, userCred mccli } func (self *SSnapshot) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SSnapshot) StartSnapshotDeleteTask(ctx context.Context, userCred mcclient.TokenCredential, reloadDisk bool, parentTaskId string) error { @@ -364,7 +366,7 @@ func (self *SSnapshot) CustomizeDelete(ctx context.Context, userCred mcclient.To } func (self *SSnapshot) AllowPerformDeleted(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return self.IsOwner(userCred) + return self.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SSnapshot) PerformDeleted(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
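Review bot: `SSnapshotManager.AllowListItems` now returns `true` unconditionally, so list access no longer depends on the caller at all and per-project scoping must come entirely from `ListItemFilter`, whose body starts in this hunk but continues outside it. If that is the intent, state it at the return so a later edit to the filter does not silently widen what a caller can see: `// listing is open to every authenticated caller; ListItemFilter restricts the rows to what the caller may see`. The removed method was declared on `*SSnapshot` rather than the manager, so it was presumably never consulted for list requests and this is effectively a new grant rather than a relaxation — worth confirming against the dispatcher.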
@@ -401,7 +403,7 @@ func (self *SSnapshotManager) GetConvertSnapshot(deleteSnapshot *SSnapshot) (*SS } func (self *SSnapshotManager) AllowPerformDeleteDiskSnapshots(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "delete-disk-snapshots") } func (self *SSnapshotManager) PerformDeleteDiskSnapshots(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { @@ -586,7 +588,7 @@ func (self *SSnapshot) GetISnapshotRegion() (cloudprovider.ICloudRegion, error) } func (self *SSnapshot) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SSnapshot) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/storagecachedimages.go b/pkg/compute/models/storagecachedimages.go index 4a646c146d..29d5889890 100644 --- a/pkg/compute/models/storagecachedimages.go +++ b/pkg/compute/models/storagecachedimages.go @@ -11,8 +11,10 @@ import ( "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/lockman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" ) 
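Review bot: `SSnapshot.AllowPerformPurge` checks `policy.PolicyActionDelete`, so a policy that grants ordinary snapshot deletion also grants purge and the two cannot be separated; the other perform handlers in this commit (`AllowPerformDeleteDiskSnapshots` in this same hunk, `cache-image`, `uncache-image`) key on `policy.PolicyActionPerform` plus the action name. `SVpc.AllowPerformPurge` in vpcs.go and `SSnapshot.AllowPerformDeleted` on the previous line make the same choice. If purge is deliberately treated as delete, say so in a one-line comment above the return; otherwise follow the perform pattern, e.g. `return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "purge")`.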
@@ -127,7 +129,7 @@ func (self *SStoragecachedimage) GetExtraDetails(ctx context.Context, userCred m } func (manager *SStoragecachedimageManager) AllowListDescendent(ctx context.Context, userCred mcclient.TokenCredential, model db.IStandaloneModel, query jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) } func (self *SStoragecachedimage) GetCachedimage() *SCachedimage { diff --git a/pkg/compute/models/storagecaches.go b/pkg/compute/models/storagecaches.go index 240a99782b..78f33ad971 100644 --- a/pkg/compute/models/storagecaches.go +++ b/pkg/compute/models/storagecaches.go @@ -9,8 +9,10 @@ import ( "yunion.io/x/log" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -292,7 +294,7 @@ func (self *SStoragecache) ValidateDeleteCondition(ctx context.Context) error { } func (self *SStoragecache) AllowPerformUncacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "uncache-image") } func (self *SStoragecache) PerformUncacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { 
@@ -329,7 +331,7 @@ func (self *SStoragecache) PerformUncacheImage(ctx context.Context, userCred mcc } func (self *SStoragecache) AllowPerformCacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "cache-image") } func (self *SStoragecache) PerformCacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/storages.go b/pkg/compute/models/storages.go index abab9ce61b..7a76c6e995 100644 --- a/pkg/compute/models/storages.go +++ b/pkg/compute/models/storages.go @@ -5,7 +5,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/log" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/compute/options" "yunion.io/x/onecloud/pkg/httperrors" @@ -692,7 +694,7 @@ func (self *SStorage) SetStoragecache(cache *SStoragecache) error { } func (self *SStorage) AllowPerformCacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "cache-image") } func (self *SStorage) GetStoragecache() *SStoragecache { 
@@ -714,7 +716,7 @@ func (self *SStorage) PerformCacheImage(ctx context.Context, userCred mcclient.T } func (self *SStorage) AllowPerformUncacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionPerform, "uncache-image") } func (self *SStorage) PerformUncacheImage(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/models/vpcs.go b/pkg/compute/models/vpcs.go index 842f55b98b..532dd2a512 100644 --- a/pkg/compute/models/vpcs.go +++ b/pkg/compute/models/vpcs.go @@ -11,8 +11,10 @@ import ( "yunion.io/x/pkg/util/netutils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/cloudprovider" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -456,7 +458,7 @@ func (self *SVpc) getIPRange() netutils.IPV4AddrRange { } func (self *SVpc) AllowPerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), self.KeywordPlural(), policy.PolicyActionDelete) } func (self *SVpc) PerformPurge(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) (jsonutils.JSONObject, error) { diff --git a/pkg/compute/specs/handler.go b/pkg/compute/specs/handler.go index 2cf3b80d39..a7bc1a11b8 100644 --- a/pkg/compute/specs/handler.go +++ b/pkg/compute/specs/handler.go 
@@ -12,6 +12,7 @@ import ( "yunion.io/x/onecloud/pkg/appctx" "yunion.io/x/onecloud/pkg/appsrv" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/compute/models" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" @@ -42,7 +43,7 @@ func AddSpecHandler(prefix string, app *appsrv.Application) { func processFilter(handleFunc specHandleFunc) appsrv.FilterHandler { return func(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) query, err := jsonutils.ParseQueryString(r.URL.RawQuery) if err != nil { httperrors.GeneralServerError(w, err) diff --git a/pkg/compute/sshkeys/handler.go b/pkg/compute/sshkeys/handler.go index f6bda5d2cf..85f8777933 100644 --- a/pkg/compute/sshkeys/handler.go +++ b/pkg/compute/sshkeys/handler.go @@ -9,7 +9,9 @@ import ( "yunion.io/x/jsonutils" "yunion.io/x/onecloud/pkg/appctx" "yunion.io/x/onecloud/pkg/appsrv" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" "yunion.io/x/onecloud/pkg/cloudcommon/db" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/httperrors" "yunion.io/x/onecloud/pkg/mcclient" "yunion.io/x/onecloud/pkg/mcclient/auth" @@ -22,8 +24,8 @@ func AddSshKeysHandler(prefix string, app *appsrv.Application) { func adminSshKeysHandler(ctx context.Context, w http.ResponseWriter, r *http.Request) { publicOnly := false - userCred := auth.FetchUserCredential(ctx) - if !userCred.IsSystemAdmin() { + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) + if !userCred.IsAdminAllow(consts.GetServiceType(), "sshkeypairs", policy.PolicyActionGet) { publicOnly = true } params := appctx.AppContextParams(ctx) 
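Review bot: The resource name `"sshkeypairs"` is a bare string literal in `adminSshKeysHandler`, and the same literal is repeated in `sendSshKey` in the next hunk, whereas every model call site in this commit derives the resource from `KeywordPlural()`. Drift between the two literals, or between them and the name a policy refers to, fails closed here (`publicOnly = true`), which is the safe direction but hard to diagnose. Hoist it once, e.g. `const sshKeyPolicyResource = "sshkeypairs"`, and use it in both handlers.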
@@ -53,7 +55,7 @@ func adminSshKeysHandler(ctx context.Context, w http.ResponseWriter, r *http.Req } func sshKeysHandler(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) query, err := jsonutils.ParseQueryString(r.URL.RawQuery) if err != nil { httperrors.GeneralServerError(w, err) @@ -67,7 +69,7 @@ func sshKeysHandler(ctx context.Context, w http.ResponseWriter, r *http.Request) func sendSshKey(ctx context.Context, w http.ResponseWriter, userCred mcclient.TokenCredential, projectId string, isAdmin bool, publicOnly bool) { var privKey, pubKey string - if isAdmin && userCred.IsSystemAdmin() { + if isAdmin && userCred.IsAdminAllow(consts.GetServiceType(), "sshkeypairs", policy.PolicyActionGet) { privKey, pubKey, _ = GetSshAdminKeypair(ctx) } else { privKey, pubKey, _ = GetSshProjectKeypair(ctx, projectId) diff --git a/pkg/compute/usages/handler.go b/pkg/compute/usages/handler.go index 7a32ccfddd..edd4300612 100644 --- a/pkg/compute/usages/handler.go +++ b/pkg/compute/usages/handler.go @@ -75,7 +75,7 @@ func rangeObjHandler( reporter objUsageFunc, ) appsrv.FilterHandler { return func(ctx context.Context, w http.ResponseWriter, r *http.Request) { - userCred := auth.FetchUserCredential(ctx) + userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) obj, err := getRangeObj(ctx, manager, userCred) if err != nil { httperrors.NotFoundError(w, err.Error()) @@ -276,7 +276,7 @@ func ReportGeneralUsage(userCred mcclient.TokenCredential, rangeObj db.IStandalo isAdmin = true } } else { - isAdmin = userCred.IsSystemAdmin() + isAdmin = userCred.IsAdminAllow(consts.GetServiceType(), "usages", policy.PolicyActionGet) } if isAdmin { diff --git a/pkg/mcclient/auth/middleware.go b/pkg/mcclient/auth/middleware.go index fa14ac898c..5c892a33ce 100644 --- a/pkg/mcclient/auth/middleware.go +++ b/pkg/mcclient/auth/middleware.go 
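Review bot: The `usages/handler.go` hunks start using `policy.FilterPolicyCredential` and `consts.GetServiceType()`, but unlike every other file in this commit no import hunk for `pkg/cloudcommon/policy` or `pkg/cloudcommon/consts` appears for this file; unless both packages were already imported there, it does not build. In `ReportGeneralUsage` the denied-policy case silently falls through to the non-admin path (`if isAdmin {` follows), while an earlier branch outside this hunk still sets `isAdmin = true`; a short comment on the new line, e.g. `// a caller without the usages:get admin policy only sees its own scope`, would make that intent explicit.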
@@ -53,10 +53,14 @@ func AuthenticateWithDelayDecision(f appsrv.FilterHandler, delayDecision bool) a
 	}
 }
 
-func FetchUserCredential(ctx context.Context) mcclient.TokenCredential {
+func FetchUserCredential(ctx context.Context, filter func(mcclient.TokenCredential) mcclient.TokenCredential) mcclient.TokenCredential {
 	tokenValue := ctx.Value(AUTH_TOKEN)
 	if tokenValue != nil {
-		return tokenValue.(mcclient.TokenCredential)
+		token := tokenValue.(mcclient.TokenCredential)
+		if filter != nil {
+			token = filter(token)
+		}
+		return token
 	}
 	return nil
 }
diff --git a/pkg/mcclient/modules/base.go b/pkg/mcclient/modules/base.go
index 3a71f43eac..97becef66b 100644
--- a/pkg/mcclient/modules/base.go
+++ b/pkg/mcclient/modules/base.go
@@ -32,7 +32,7 @@ func NewBaseManager(serviceType, endpointType, version string, columns, adminCol
 func (this *BaseManager) GetColumns(session *mcclient.ClientSession) []string {
 	cols := this.columns
-	if session.IsSystemAdmin() && len(this.adminColumns) > 0 {
+	if session.HasSystemAdminPrivelege() && len(this.adminColumns) > 0 {
 		cols = append(cols, this.adminColumns...)
 	}
 	return cols
diff --git a/pkg/mcclient/session.go b/pkg/mcclient/session.go
index fdf29f278d..574878ab3a 100644
--- a/pkg/mcclient/session.go
+++ b/pkg/mcclient/session.go
@@ -9,7 +9,6 @@ import (
 	"regexp"
 	"strings"
 	"time"
-	"yunion.io/x/jsonutils"
 	"yunion.io/x/onecloud/pkg/util/httputils"
 	"yunion.io/x/pkg/utils"
 
@@ -150,8 +149,8 @@ func (this *ClientSession) ParseJSONResponse(resp *http.Response, err error) (ht
 	return httputils.ParseJSONResponse(resp, err, this.client.debug)
 }
 
-func (this *ClientSession) IsSystemAdmin() bool {
-	return this.token.IsSystemAdmin()
+func (this *ClientSession) HasSystemAdminPrivelege() bool {
+	return this.token.HasSystemAdminPrivelege()
 }
 
 func (this *ClientSession) GetRegion() string {
diff --git a/pkg/mcclient/token.go b/pkg/mcclient/token.go
index 6aef27acd7..a2a0ab7ad8 100644
--- a/pkg/mcclient/token.go
+++ b/pkg/mcclient/token.go
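Review bot: `FetchUserCredential` keeps the unchecked assertion `tokenValue.(mcclient.TokenCredential)` on its new line, so a value of any other type stored under `AUTH_TOKEN` still panics the handler goroutine; with the body growing anyway, `token, ok := tokenValue.(mcclient.TokenCredential)` followed by `if !ok { return nil }` is cheap and matches the existing nil return. The new `filter` parameter also deserves a doc comment, e.g. `// FetchUserCredential returns the credential stored in ctx, passed through filter when filter is non-nil (callers pass policy.FilterPolicyCredential to attach policy evaluation); it returns nil when no credential is present.` In the `GetColumns` hunk of base.go, unrelated to the rename, `cols := this.columns` followed by `append(cols, this.adminColumns...)` can write into the manager's shared backing array when it has spare capacity — `cols := append([]string(nil), this.columns...)` isolates it.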
@@ -44,8 +44,9 @@ type TokenCredential interface {
 	GetExpires() time.Time
 	IsValid() bool
 	ValidDuration() time.Duration
-	IsAdmin() bool
-	IsSystemAdmin() bool
+	// IsAdmin() bool
+	HasSystemAdminPrivelege() bool
+	IsAdminAllow(service string, resource string, action string, extra ...string) bool
 	GetRegions() []string
 	GetServiceCatalog() IServiceCatalog
 
diff --git a/pkg/mcclient/token2.go b/pkg/mcclient/token2.go
index f2a8eb8a43..f64d045014 100644
--- a/pkg/mcclient/token2.go
+++ b/pkg/mcclient/token2.go
@@ -130,10 +130,14 @@ func (this *TokenCredentialV2) GetRegions() []string {
 	return this.ServiceCatalog.getRegions()
 }
 
-func (this *TokenCredentialV2) IsSystemAdmin() bool {
+func (this *TokenCredentialV2) HasSystemAdminPrivelege() bool {
 	return this.IsAdmin() && this.GetTenantName() == "system"
 }
 
+func (this *TokenCredentialV2) IsAdminAllow(service string, resource string, action string, extra ...string) bool {
+	return this.HasSystemAdminPrivelege()
+}
+
 func (this *TokenCredentialV2) GetServiceURL(service, region, zone, endpointType string) (string, error) {
 	return this.ServiceCatalog.GetServiceURL(service, region, zone, endpointType)
 }
diff --git a/pkg/mcclient/token3.go b/pkg/mcclient/token3.go
index bc172bf78d..38e962b119 100644
--- a/pkg/mcclient/token3.go
+++ b/pkg/mcclient/token3.go
@@ -135,10 +135,14 @@ func (this *TokenCredentialV3) IsAdmin() bool {
 	return false
 }
 
-func (this *TokenCredentialV3) IsSystemAdmin() bool {
+func (this *TokenCredentialV3) HasSystemAdminPrivelege() bool {
 	return this.IsAdmin() && this.GetTenantName() == "system"
 }
 
+func (this *TokenCredentialV3) IsAdminAllow(service string, resource string, action string, extra ...string) bool {
+	return this.HasSystemAdminPrivelege()
+}
+
 func (this *TokenCredentialV3) GetRegions() []string {
 	return this.Token.Catalog.getRegions()
 }
diff --git a/pkg/mcclient/tokensimple.go b/pkg/mcclient/tokensimple.go
index f10c2b73fa..15a8badbfb 100644
--- a/pkg/mcclient/tokensimple.go
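Review bot: All three concrete `IsAdminAllow` implementations — `TokenCredentialV2` and `TokenCredentialV3` here and `SSimpleToken` on the next line — ignore `service`, `resource`, `action` and `extra` and return `HasSystemAdminPrivelege()`, so the many call sites converted in this commit still enforce only "system admin" unless the credential was wrapped by `policy.FilterPolicyCredential` (defined in policy/token.go, outside this view). That contract belongs on the interface, e.g. `// IsAdminAllow reports whether an admin may perform action (optionally qualified by extra) on resource of service. The plain token types ignore the arguments and fall back to HasSystemAdminPrivelege; obtain credentials via auth.FetchUserCredential(ctx, policy.FilterPolicyCredential) to get per-policy evaluation.` While the method is being introduced, `Privelege` is misspelled (`HasSystemAdminPrivilege`) on the interface and on every implementation and caller in this commit, and renaming later is an API break. Deleting the dead `IsAdmin() bool` line rather than commenting it out keeps the interface clean.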
+++ b/pkg/mcclient/tokensimple.go
@@ -84,10 +84,14 @@ func (self *SSimpleToken) IsAdmin() bool {
 	return false
 }
 
-func (self *SSimpleToken) IsSystemAdmin() bool {
+func (self *SSimpleToken) HasSystemAdminPrivelege() bool {
 	return self.IsAdmin() && self.Project == "system"
 }
 
+func (this *SSimpleToken) IsAdminAllow(service string, resource string, action string, extra ...string) bool {
+	return this.HasSystemAdminPrivelege()
+}
+
 func (self *SSimpleToken) GetRegions() []string {
 	return nil
 }
diff --git a/pkg/webconsole/handlers.go b/pkg/webconsole/handlers.go
index 37b2c47071..67ed8f81f6 100644
--- a/pkg/webconsole/handlers.go
+++ b/pkg/webconsole/handlers.go
@@ -17,6 +17,7 @@ import (
 	"yunion.io/x/onecloud/pkg/webconsole/command"
 	o "yunion.io/x/onecloud/pkg/webconsole/options"
 	"yunion.io/x/onecloud/pkg/webconsole/session"
+	"yunion.io/x/onecloud/pkg/cloudcommon/policy"
 )
 
 const (
@@ -102,7 +103,7 @@ type CloudEnv struct {
 func fetchCloudEnv(ctx context.Context, w http.ResponseWriter, r *http.Request) (*CloudEnv, error) {
 	params, query, body := appsrv.FetchEnv(ctx, w, r)
-	userCred := auth.FetchUserCredential(ctx)
+	userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential)
 	if userCred == nil {
 		return nil, httperrors.NewUnauthorizedError("No token founded")
 	}
@@ -141,7 +142,7 @@ func handleK8sLog(ctx context.Context, w http.ResponseWriter, r *http.Request) {
 }
 
 func handleSshShell(ctx context.Context, w http.ResponseWriter, r *http.Request) {
-	userCred := auth.FetchUserCredential(ctx)
+	userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential)
 	env, err := fetchCloudEnv(ctx, w, r)
 	if err != nil {
 		httperrors.GeneralServerError(w, err)
diff --git a/pkg/webconsole/service/service.go b/pkg/webconsole/service/service.go
index d86ef761c4..cc89ee6122 100644
--- a/pkg/webconsole/service/service.go
+++ b/pkg/webconsole/service/service.go
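Review bot: `SSimpleToken.IsAdminAllow` names its receiver `this` while every other method on the type in this hunk uses `self`; keep one receiver name per type: `func (self *SSimpleToken) IsAdminAllow(service string, resource string, action string, extra ...string) bool {` / `return self.HasSystemAdminPrivelege()`. In webconsole/handlers.go the new `pkg/cloudcommon/policy` import is appended after the `pkg/webconsole/...` entries rather than sorted into the group, which goimports will rewrite on the next touch; the `consts` import added to webconsole/service/service.go and the two added to yunionconf/models/parameters.go on the following line have the same placement.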
@@ -15,6 +15,7 @@ import ( "yunion.io/x/onecloud/pkg/webconsole" o "yunion.io/x/onecloud/pkg/webconsole/options" "yunion.io/x/onecloud/pkg/webconsole/server" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" ) func ensureBinExists(binPath string) { @@ -24,6 +25,8 @@ func ensureBinExists(binPath string) { } func StartService() { + consts.SetServiceType("webconsole") + cloudcommon.ParseOptions(&o.Options, &o.Options.Options, os.Args, "webconsole.conf") if o.Options.ApiServer == "" { diff --git a/pkg/yunionconf/models/parameters.go b/pkg/yunionconf/models/parameters.go index 9f3f56f97f..dbb11026be 100644 --- a/pkg/yunionconf/models/parameters.go +++ b/pkg/yunionconf/models/parameters.go @@ -11,6 +11,8 @@ import ( "yunion.io/x/pkg/util/timeutils" "yunion.io/x/pkg/utils" "yunion.io/x/sqlchemy" + "yunion.io/x/onecloud/pkg/cloudcommon/consts" + "yunion.io/x/onecloud/pkg/cloudcommon/policy" ) const ( @@ -72,7 +74,7 @@ func getNamespaceInContext(userCred mcclient.TokenCredential, query jsonutils.JS func getNamespace(userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (string, string, error) { var namespace, namespace_id string - if userCred.IsSystemAdmin() { + if userCred.IsAdminAllow(consts.GetServiceType(), ParameterManager.KeywordPlural(), policy.PolicyActionGet) { if name, nameId, e := getNamespaceInContext(userCred, query, data); e != nil { return "", "", e } else { @@ -92,7 +94,7 @@ func (manager *SParameterManager) AllowListItems(ctx context.Context, userCred m return true } - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) } func (manager *SParameterManager) AllowCreateItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { 
@@ -100,7 +102,7 @@ func (manager *SParameterManager) AllowCreateItem(ctx context.Context, userCred return true } - return userCred.IsSystemAdmin() + return userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionCreate) } func (manager *SParameterManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerProjId string, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { @@ -146,7 +148,7 @@ func (manager *SParameterManager) FilterByName(q *sqlchemy.SQuery, name string) } func (manager *SParameterManager) ListItemFilter(ctx context.Context, q *sqlchemy.SQuery, userCred mcclient.TokenCredential, query jsonutils.JSONObject) (*sqlchemy.SQuery, error) { - if userCred.IsSystemAdmin() { + if userCred.IsAdminAllow(consts.GetServiceType(), manager.KeywordPlural(), policy.PolicyActionList) { if id, _ := query.GetString("namespace_id"); len(id) > 0 { q = q.Equals("namespace_id", id) } else if id, _ := query.GetString("service_id"); len(id) > 0 { @@ -171,7 +173,7 @@ func (model *SParameter) IsOwner(userCred mcclient.TokenCredential) bool { } func (model *SParameter) AllowUpdateItem(ctx context.Context, userCred mcclient.TokenCredential) bool { - return model.IsOwner(userCred) || userCred.IsSystemAdmin() + return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionUpdate) } func (model *SParameter) ValidateUpdateData(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) { 
@@ -191,7 +193,7 @@ func (model *SParameter) ValidateUpdateData(ctx context.Context, userCred mcclie } func (model *SParameter) AllowDeleteItem(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) bool { - return model.IsOwner(userCred) || userCred.IsSystemAdmin() + return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionDelete) } func (model *SParameter) CustomizeDelete(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, data jsonutils.JSONObject) error { @@ -211,5 +213,5 @@ func (model *SParameter) Delete(ctx context.Context, userCred mcclient.TokenCred } func (model *SParameter) AllowGetDetails(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool { - return model.IsOwner(userCred) || userCred.IsSystemAdmin() + return model.IsOwner(userCred) || userCred.IsAdminAllow(consts.GetServiceType(), model.KeywordPlural(), policy.PolicyActionGet) } diff --git a/pkg/yunionconf/service/service.go b/pkg/yunionconf/service/service.go index 8899ce3f1f..9520a5dfba 100644 --- a/pkg/yunionconf/service/service.go +++ b/pkg/yunionconf/service/service.go @@ -16,6 +16,8 @@ import ( ) func StartService() { + consts.SetServiceType("yunionconf") + cloudcommon.ParseOptions(&options.Options, &options.Options.Options, os.Args, "yunionconf.conf") cloudcommon.InitAuth(&options.Options.Options, func() { log.Infof("Auth complete!!")
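Review bot: The yunionconf `StartService` hunk calls `consts.SetServiceType("yunionconf")`, but the only hunk for this file begins at the closing `)` of the import block, so no `pkg/cloudcommon/consts` import is added here; unless it was already imported, the file does not build. Since the commit message makes `SetServiceType` mandatory at startup, a one-line comment at the call, e.g. `// every IsAdminAllow check in this service resolves its service via consts.GetServiceType()`, would tell the next reader why the literal must match the service's registered type.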