1.

取消userCred.IsSystemAdmin()，在使用policy的应用中，通过userCred.IsAdminAllow判断是否是管理员且具备相应的权限。获取token时，需要传入policy.FilterPolicyCredential，将普通userCred转换成支持rbac的userCred 2. 在应用启动时候，必须设置 SetServiceType，否则退出
2026-07-01 02:24:47 +08:00 · 2018-11-30 23:00:11 +08:00
parent bfed7c25c3
commit bc02b3b433
65 changed files with 516 additions and 232 deletions
--- a/pkg/webconsole/handlers.go
+++ b/pkg/webconsole/handlers.go
@@ -17,6 +17,7 @@ import (
 	"yunion.io/x/onecloud/pkg/webconsole/command"
 	o "yunion.io/x/onecloud/pkg/webconsole/options"
 	"yunion.io/x/onecloud/pkg/webconsole/session"
+	"yunion.io/x/onecloud/pkg/cloudcommon/policy"
 )

 const (
@@ -102,7 +103,7 @@ type CloudEnv struct {

 func fetchCloudEnv(ctx context.Context, w http.ResponseWriter, r *http.Request) (*CloudEnv, error) {
 	params, query, body := appsrv.FetchEnv(ctx, w, r)
-	userCred := auth.FetchUserCredential(ctx)
+	userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential)
 	if userCred == nil {
 		return nil, httperrors.NewUnauthorizedError("No token founded")
 	}
@@ -141,7 +142,7 @@ func handleK8sLog(ctx context.Context, w http.ResponseWriter, r *http.Request) {
 }

 func handleSshShell(ctx context.Context, w http.ResponseWriter, r *http.Request) {
-	userCred := auth.FetchUserCredential(ctx)
+	userCred := auth.FetchUserCredential(ctx, policy.FilterPolicyCredential)
 	env, err := fetchCloudEnv(ctx, w, r)
 	if err != nil {
 		httperrors.GeneralServerError(w, err)
--- a/pkg/webconsole/service/service.go
+++ b/pkg/webconsole/service/service.go
@@ -15,6 +15,7 @@ import (
 	"yunion.io/x/onecloud/pkg/webconsole"
 	o "yunion.io/x/onecloud/pkg/webconsole/options"
 	"yunion.io/x/onecloud/pkg/webconsole/server"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 )

 func ensureBinExists(binPath string) {
@@ -24,6 +25,8 @@ func ensureBinExists(binPath string) {
 }

 func StartService() {
+	consts.SetServiceType("webconsole")
+
 	cloudcommon.ParseOptions(&o.Options, &o.Options.Options, os.Args, "webconsole.conf")

 	if o.Options.ApiServer == "" {