fix: allow turn off non-default domain projects
@@ -83,4 +83,5 @@ func InitBaseAuth(options *common_options.BaseOptions) {
|
||||
options.RbacDebug,
|
||||
)
|
||||
}
|
||||
consts.SetNonDefaultDomainProjects(options.NonDefaultDomainProjects)
|
||||
}
|
||||
|
||||
@@ -24,6 +24,8 @@ var (
|
||||
globalServiceType = ""
|
||||
|
||||
tenantCacheExpireSeconds = 900
|
||||
|
||||
nonDefaultDomainProjects = false
|
||||
)
|
||||
|
||||
func SetRegion(region string) {
|
||||
@@ -49,3 +51,11 @@ func SetTenantCacheExpireSeconds(sec int) {
|
||||
func GetTenantCacheExpireSeconds() time.Duration {
|
||||
return time.Duration(tenantCacheExpireSeconds) * time.Second
|
||||
}
|
||||
|
||||
func SetNonDefaultDomainProjects(val bool) {
|
||||
nonDefaultDomainProjects = val
|
||||
}
|
||||
|
||||
func GetNonDefaultDomainProjects() bool {
|
||||
return nonDefaultDomainProjects
|
||||
}
|
||||
|
||||
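Review bot: SetNonDefaultDomainProjects and GetNonDefaultDomainProjects are exported without doc comments, and because the getter gates authorization decisions elsewhere its contract should be stated: `// GetNonDefaultDomainProjects reports whether projects in non-default domains are permitted; it is false unless SetNonDefaultDomainProjects was called.` The flag is a plain package-level bool with no synchronization, so the setter's comment should say it is meant to be called once during startup before the value is read concurrently; whether callers respect that is decided outside this hunk.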
@@ -20,6 +20,9 @@ import (
|
||||
"yunion.io/x/jsonutils"
|
||||
"yunion.io/x/sqlchemy"
|
||||
|
||||
"yunion.io/x/onecloud/pkg/apis/identity"
|
||||
"yunion.io/x/onecloud/pkg/cloudcommon/consts"
|
||||
"yunion.io/x/onecloud/pkg/httperrors"
|
||||
"yunion.io/x/onecloud/pkg/mcclient"
|
||||
"yunion.io/x/onecloud/pkg/util/rbacutils"
|
||||
)
|
||||
@@ -55,3 +58,10 @@ func (model *SDomainizedResourceBase) GetOwnerId() mcclient.IIdentityProvider {
|
||||
owner := SOwnerId{DomainId: model.DomainId}
|
||||
return &owner
|
||||
}
|
||||
|
||||
func ValidateCreateDomainId(domainId string) error {
|
||||
if !consts.GetNonDefaultDomainProjects() && domainId != identity.DEFAULT_DOMAIN_ID {
|
||||
return httperrors.NewForbiddenError("project in non-default domain is prohibited")
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
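Review bot: ValidateCreateDomainId is an exported authorization gate with no doc comment; its contract should be explicit: `// ValidateCreateDomainId returns a Forbidden error when domainId is not the default domain and the NonDefaultDomainProjects option is off; when the option is on it performs no check, so callers must still enforce their own ownership and scope checks.` With the option off an empty domainId is also rejected, which is the fail-closed direction and worth recording so it is not later "fixed". The name says Create, but the same function is called from the assignment paths in this commit (projectAddUser and projectAddGroup), so the comment should not describe it as creation-only.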
@@ -67,6 +67,8 @@ type BaseOptions struct {
|
||||
|
||||
CalculateQuotaUsageIntervalSeconds int `help:"interval to calculate quota usages, default 30 minutes" default:"900"`
|
||||
|
||||
NonDefaultDomainProjects bool `help:"allow projects in non-default domains" default:"false"`
|
||||
|
||||
structarg.BaseOptions
|
||||
}
|
||||
|
||||
|
||||
@@ -66,6 +66,30 @@ var (
|
||||
Action: PolicyActionGet,
|
||||
Result: rbacutils.Allow,
|
||||
},
|
||||
{
|
||||
Service: "compute",
|
||||
Resource: "vpcs",
|
||||
Action: PolicyActionList,
|
||||
Result: rbacutils.Allow,
|
||||
},
|
||||
{
|
||||
Service: "compute",
|
||||
Resource: "vpcs",
|
||||
Action: PolicyActionGet,
|
||||
Result: rbacutils.Allow,
|
||||
},
|
||||
{
|
||||
Service: "compute",
|
||||
Resource: "wires",
|
||||
Action: PolicyActionList,
|
||||
Result: rbacutils.Allow,
|
||||
},
|
||||
{
|
||||
Service: "compute",
|
||||
Resource: "wires",
|
||||
Action: PolicyActionGet,
|
||||
Result: rbacutils.Allow,
|
||||
},
|
||||
{
|
||||
Service: "compute",
|
||||
Resource: "schedtags",
|
||||
|
||||
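Review bot: The four new allow entries (compute vpcs and wires, list and get) widen a default policy with no comment recording why these subjects need read access to network topology, and the commit title does not explain it either; the enclosing var block starts outside the hunk, so the policy's name and scope are not visible here. Add a short rationale above the first new entry, e.g. `// vpcs/wires list/get: required so that <reason — TODO fill in> can resolve network placement`, and confirm that the scope of this policy does not also grant these reads across domains.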
@@ -248,6 +248,11 @@ func (self *SCloudaccount) ValidateUpdateData(ctx context.Context, userCred mccl
|
||||
}
|
||||
|
||||
func (manager *SCloudaccountManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
|
||||
// check domainId
|
||||
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// check provider
|
||||
// name, _ := data.GetString("name")
|
||||
provider, _ := data.GetString("provider")
|
||||
|
||||
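Review bot: ownerId.GetProjectDomainId() is called before anything checks whether ownerId is nil; if any caller reaches ValidateCreateData with a nil IIdentityProvider this now panics instead of returning an error, which cannot be verified from the hunk because the callers are outside it. If nil is possible, guard it first, e.g. `if ownerId == nil { return nil, httperrors.NewInputParameterError("missing owner") }` (the project's preferred error constructor for this case is not visible here). The same unguarded call is added in the SPolicyManager, SProjectManager and SRoleManager ValidateCreateData hunks further down. Also `// check domainId` restates the code; `// reject accounts in non-default domains unless NonDefaultDomainProjects is enabled` says why.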
@@ -955,7 +955,6 @@ func (manager *SCloudproviderManager) ListItemFilter(ctx context.Context, q *sql
|
||||
sq = sq.Filter(sqlchemy.In(providers.Field("health_status"), api.CLOUD_PROVIDER_VALID_HEALTH_STATUS))
|
||||
sq = sq.Filter(sqlchemy.Equals(vpcs.Field("status"), api.VPC_STATUS_AVAILABLE))
|
||||
|
||||
|
||||
sq2 := providers.Query(sqlchemy.DISTINCT("id", providers.Field("id")))
|
||||
sq2 = sq2.Join(vpcs, sqlchemy.Equals(vpcs.Field("manager_id"), providers.Field("id")))
|
||||
sq2 = sq2.Join(wires, sqlchemy.Equals(vpcs.Field("id"), wires.Field("vpc_id")))
|
||||
|
||||
@@ -26,6 +26,7 @@ import (
|
||||
"yunion.io/x/pkg/tristate"
|
||||
|
||||
api "yunion.io/x/onecloud/pkg/apis/identity"
|
||||
"yunion.io/x/onecloud/pkg/cloudcommon/consts"
|
||||
"yunion.io/x/onecloud/pkg/cloudcommon/db"
|
||||
"yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
|
||||
"yunion.io/x/onecloud/pkg/keystone/models"
|
||||
@@ -213,7 +214,7 @@ func (self *SLDAPDriver) syncDomainInfo(ctx context.Context, info SDomainInfo) (
|
||||
return nil, errors.Wrap(err, "insert")
|
||||
}
|
||||
|
||||
if self.AutoCreateProject {
|
||||
if self.AutoCreateProject && consts.GetNonDefaultDomainProjects() {
|
||||
project := &models.SProject{}
|
||||
project.SetModelManager(models.ProjectManager, project)
|
||||
projectName := models.NormalizeProjectName(fmt.Sprintf("%s_default_project", info.Name))
|
||||
|
||||
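Review bot: The new condition suppresses default-project creation whenever NonDefaultDomainProjects is off, without consulting the synced domain's id, so it is stricter than ValidateCreateDomainId, which still allows the default domain; if an LDAP driver can ever sync the default domain, auto-creation would be wrongly skipped there, and routing the decision through `db.ValidateCreateDomainId(<domain id>)` would keep the two consistent (the domain id variable is not visible in the hunk). When AutoCreateProject is set but the option is off, the skip is also silent, so an operator gets no signal why the project is missing; an explicit branch that logs the skipped creation with the domain name would help, using whichever logger this file already has. syncDomainInfo continues beyond the hunk on both sides.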
@@ -243,6 +243,10 @@ func (manager *SAssignmentManager) fetchProjectUserIdsQuery(projId string) *sqlc
|
||||
}
|
||||
|
||||
func (manager *SAssignmentManager) projectAddUser(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, user *SUser, role *SRole) error {
|
||||
err := db.ValidateCreateDomainId(project.DomainId)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if project.DomainId != user.DomainId {
|
||||
if project.DomainId != api.DEFAULT_DOMAIN_ID {
|
||||
return httperrors.NewInputParameterError("join user into project of default domain or identical domain")
|
||||
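Review bot: The new ValidateCreateDomainId call in projectAddUser makes the NonDefaultDomainProjects option gate membership changes on existing projects, not only creation: if the option is turned off after projects were created in other domains, users can no longer be added to those projects, and the error text "project in non-default domain is prohibited" will not make the cause obvious to an operator. If that is intended, say so in a comment, e.g. `// membership in non-default-domain projects follows the same switch as creation`; otherwise gate only on creation. The same call is added in projectAddGroup below. The function body continues beyond the hunk.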
@@ -254,7 +258,7 @@ func (manager *SAssignmentManager) projectAddUser(ctx context.Context, userCred
|
||||
return httperrors.NewForbiddenError("not enough privilege")
|
||||
}
|
||||
}
|
||||
err := manager.add(api.AssignmentUserProject, user.Id, project.Id, role.Id)
|
||||
err = manager.add(api.AssignmentUserProject, user.Id, project.Id, role.Id)
|
||||
if err == nil {
|
||||
db.OpsLog.LogEvent(user, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
|
||||
db.OpsLog.LogEvent(project, db.ACT_ATTACH, user.GetShortDesc(ctx), userCred)
|
||||
@@ -337,6 +341,10 @@ func (manager *SAssignmentManager) projectRemoveUser(ctx context.Context, userCr
|
||||
}
|
||||
|
||||
func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, group *SGroup, role *SRole) error {
|
||||
err := db.ValidateCreateDomainId(project.DomainId)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if project.DomainId != group.DomainId {
|
||||
if project.DomainId != api.DEFAULT_DOMAIN_ID {
|
||||
return httperrors.NewInputParameterError("join group into project of default domain or identical domain")
|
||||
@@ -348,7 +356,7 @@ func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred
|
||||
return httperrors.NewForbiddenError("not enough privilege")
|
||||
}
|
||||
}
|
||||
err := manager.add(api.AssignmentGroupProject, group.Id, project.Id, role.Id)
|
||||
err = manager.add(api.AssignmentGroupProject, group.Id, project.Id, role.Id)
|
||||
if err == nil {
|
||||
db.OpsLog.LogEvent(group, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
|
||||
db.OpsLog.LogEvent(project, db.ACT_ATTACH, group.GetShortDesc(ctx), userCred)
|
||||
|
||||
@@ -113,6 +113,10 @@ func (manager *SPolicyManager) ValidateCreateData(ctx context.Context, userCred
|
||||
/*if policy.IsSystemWidePolicy() && policyman.PolicyManager.Allow(rbacutils.ScopeSystem, userCred, consts.GetServiceType(), manager.KeywordPlural(), policyman.PolicyActionCreate) == rbacutils.Deny {
|
||||
return nil, httperrors.NewNotSufficientPrivilegeError("not allow to create system-wide policy")
|
||||
}*/
|
||||
err = db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return manager.SEnabledIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
|
||||
}
|
||||
|
||||
|
||||
@@ -353,3 +353,11 @@ func (manager *SProjectManager) FetchUserProjects(userId string) ([]SProjectExte
|
||||
}
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
func (manager *SProjectManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
|
||||
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
|
||||
}
|
||||
|
||||
@@ -376,3 +376,11 @@ func (role *SRole) PerformPrivate(ctx context.Context, userCred mcclient.TokenCr
|
||||
}
|
||||
return res, err
|
||||
}
|
||||
|
||||
func (manager *SRoleManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
|
||||
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
|
||||
}
|
||||
|
||||
@@ -28,7 +28,6 @@ type SKeystoneOptions struct {
|
||||
TokenExpirationSeconds int `default:"86400" help:"token expiration seconds" token:"expiration"`
|
||||
FernetKeyRepository string `help:"fernet key repo directory" token:"key_repository" default:"/etc/yunion/keystone/fernet-keys"`
|
||||
SetupCredentialKeys bool `help:"setup standalone fernet keys for credentials" token:"setup_credential_key" default:"false"`
|
||||
// SetupStateKey bool `help:"setup standalone fernet keys for openid state" token:"setup_state_key"`
|
||||
|
||||
BootstrapAdminUserPassword string `help:"bootstreap sysadmin user password" default:"sysadmin"`
|
||||
ResetAdminUserPassword bool `help:"reset sysadmin password if exists and this option is true"`
|
||||
|
||||
@@ -81,6 +81,8 @@ type SCloudAccountCreateBaseOptions struct {
|
||||
EnableAutoSync bool `help:"Enable automatically synchronize resources of this account"`
|
||||
|
||||
SyncIntervalSeconds int `help:"Interval to synchronize if auto sync is enable" metavar:"SECONDS"`
|
||||
|
||||
ProjectDomain string `help:"domain for this account, default is Default" default:"Default"`
|
||||
}
|
||||
|
||||
type SVMwareCloudAccountCreateOptions struct {
|
||||
|
||||
@@ -164,12 +164,12 @@ func (self *SRegion) fetchIVpcs() error {
|
||||
}
|
||||
|
||||
self.ivpcs = append(self.ivpcs, &SVpc{region: self,
|
||||
CidrBlock: *vpc.CidrBlock,
|
||||
Tags: tags,
|
||||
IsDefault: *vpc.IsDefault,
|
||||
RegionId: self.RegionId,
|
||||
Status: *vpc.State,
|
||||
VpcId: *vpc.VpcId,
|
||||
CidrBlock: *vpc.CidrBlock,
|
||||
Tags: tags,
|
||||
IsDefault: *vpc.IsDefault,
|
||||
RegionId: self.RegionId,
|
||||
Status: *vpc.State,
|
||||
VpcId: *vpc.VpcId,
|
||||
InstanceTenancy: *vpc.InstanceTenancy,
|
||||
})
|
||||
}
|
||||
|
||||
@@ -121,4 +121,4 @@ func NewServerV2Manager(regionId, projectId string, signer auth.Signer, debug bo
|
||||
|
||||
ResourceKeyword: "cloudservers",
|
||||
}}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -31,10 +31,10 @@ import (
|
||||
|
||||
billing_api "yunion.io/x/onecloud/pkg/apis/billing"
|
||||
api "yunion.io/x/onecloud/pkg/apis/compute"
|
||||
"yunion.io/x/onecloud/pkg/util/cloudinit"
|
||||
"yunion.io/x/onecloud/pkg/cloudprovider"
|
||||
"yunion.io/x/onecloud/pkg/multicloud"
|
||||
"yunion.io/x/onecloud/pkg/util/billing"
|
||||
"yunion.io/x/onecloud/pkg/util/cloudinit"
|
||||
"yunion.io/x/onecloud/pkg/util/huawei/client/modules"
|
||||
)
|
||||
|
||||
@@ -1295,4 +1295,4 @@ func updateUserData(userData, username, password string) (string, error) {
|
||||
}
|
||||
|
||||
return config.UserDataBase64(), nil
|
||||
}
|
||||
}
|
||||
|
||||
@@ -125,7 +125,7 @@ func init() {
|
||||
|
||||
shellutils.R(&InstanceRebuildRootOptions{}, "instance-rebuild-root", "Reinstall virtual server system image", func(cli *huawei.SRegion, args *InstanceRebuildRootOptions) error {
|
||||
ctx := context.Background()
|
||||
jobId, err := cli.ChangeRoot(ctx, args.UserId,args.ID, args.Image, args.Password, args.PublicKey, args.UserData)
|
||||
jobId, err := cli.ChangeRoot(ctx, args.UserId, args.ID, args.Image, args.Password, args.PublicKey, args.UserData)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||