fix: allow turning off non-default domain projects

Qiu Jian
2019-07-27 09:55:57 +08:00
committed by Yousong Zhou
parent 8ddcfa99dd
commit fea61697e9
18 changed files with 96 additions and 15 deletions


@@ -83,4 +83,5 @@ func InitBaseAuth(options *common_options.BaseOptions) {
options.RbacDebug,
)
}
consts.SetNonDefaultDomainProjects(options.NonDefaultDomainProjects)
}


@@ -24,6 +24,8 @@ var (
globalServiceType = ""
tenantCacheExpireSeconds = 900
nonDefaultDomainProjects = false
)
func SetRegion(region string) {
@@ -49,3 +51,11 @@ func SetTenantCacheExpireSeconds(sec int) {
func GetTenantCacheExpireSeconds() time.Duration {
return time.Duration(tenantCacheExpireSeconds) * time.Second
}
func SetNonDefaultDomainProjects(val bool) {
nonDefaultDomainProjects = val
}
func GetNonDefaultDomainProjects() bool {
return nonDefaultDomainProjects
}
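Review bot: SetNonDefaultDomainProjects and GetNonDefaultDomainProjects are exported without doc comments, and the flag they wrap is a plain package-level bool that request-time code (ValidateCreateDomainId, the LDAP driver) reads without any synchronisation. That is acceptable if the setter only ever runs from InitBaseAuth before serving starts, which appears to be the intent, but the contract should be written down rather than implied. Suggest `// SetNonDefaultDomainProjects sets the global switch that permits projects and other domain-scoped resources in domains other than the default one; call it once during option initialisation, before request handling starts, because the value is read without locking.` and `// GetNonDefaultDomainProjects reports whether resources may be created in non-default domains.`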


@@ -20,6 +20,9 @@ import (
"yunion.io/x/jsonutils"
"yunion.io/x/sqlchemy"
"yunion.io/x/onecloud/pkg/apis/identity"
"yunion.io/x/onecloud/pkg/cloudcommon/consts"
"yunion.io/x/onecloud/pkg/httperrors"
"yunion.io/x/onecloud/pkg/mcclient"
"yunion.io/x/onecloud/pkg/util/rbacutils"
)
@@ -55,3 +58,10 @@ func (model *SDomainizedResourceBase) GetOwnerId() mcclient.IIdentityProvider {
owner := SOwnerId{DomainId: model.DomainId}
return &owner
}
func ValidateCreateDomainId(domainId string) error {
if !consts.GetNonDefaultDomainProjects() && domainId != identity.DEFAULT_DOMAIN_ID {
return httperrors.NewForbiddenError("project in non-default domain is prohibited")
}
return nil
}
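Review bot: The error text on L56, `project in non-default domain is prohibited`, is returned unchanged by the callers in SRoleManager.ValidateCreateData, SPolicyManager.ValidateCreateData and SCloudaccountManager.ValidateCreateData, where the rejected resource is a role, a policy or a cloud account, so clients get a misleading message. Either make it resource-neutral, e.g. `return httperrors.NewForbiddenError("resources in non-default domain are prohibited")`, or take the resource keyword as a parameter so each caller names what was rejected. The same comparison also rejects an empty domainId; whether ownerId.GetProjectDomainId() can be empty for system-scoped callers is not visible here and is worth confirming before this lands. The exported function lacks a doc comment; `// ValidateCreateDomainId rejects creation of domain-scoped resources outside the default domain unless consts.GetNonDefaultDomainProjects() is set.` would do.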


@@ -67,6 +67,8 @@ type BaseOptions struct {
CalculateQuotaUsageIntervalSeconds int `help:"interval to calculate quota usages, default 30 minutes" default:"900"`
NonDefaultDomainProjects bool `help:"allow projects in non-default domains" default:"false"`
structarg.BaseOptions
}


@@ -66,6 +66,30 @@ var (
Action: PolicyActionGet,
Result: rbacutils.Allow,
},
{
Service: "compute",
Resource: "vpcs",
Action: PolicyActionList,
Result: rbacutils.Allow,
},
{
Service: "compute",
Resource: "vpcs",
Action: PolicyActionGet,
Result: rbacutils.Allow,
},
{
Service: "compute",
Resource: "wires",
Action: PolicyActionList,
Result: rbacutils.Allow,
},
{
Service: "compute",
Resource: "wires",
Action: PolicyActionGet,
Result: rbacutils.Allow,
},
{
Service: "compute",
Resource: "schedtags",
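Review bot: The four new entries granting list and get on compute vpcs and wires (L75-L98) widen a default policy table yet have nothing to do with the commit's stated purpose and carry no comment saying why the grants are needed; the enclosing `var (` block starts outside the hunk, so which policy set and which scope are being widened cannot be confirmed from here. A one-line comment above the first new entry, e.g. `// vpcs/wires read access is required by <REASON-PLACEHOLDER>` with the real reason filled in, would let a later audit of default grants judge the change instead of guessing. If the grants are unrelated to the domain switch they would be easier to review as a separate commit.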


@@ -248,6 +248,11 @@ func (self *SCloudaccount) ValidateUpdateData(ctx context.Context, userCred mccl
}
func (manager *SCloudaccountManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
// check domainId
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
if err != nil {
return nil, err
}
// check provider
// name, _ := data.GetString("name")
provider, _ := data.GetString("provider")


@@ -955,7 +955,6 @@ func (manager *SCloudproviderManager) ListItemFilter(ctx context.Context, q *sql
sq = sq.Filter(sqlchemy.In(providers.Field("health_status"), api.CLOUD_PROVIDER_VALID_HEALTH_STATUS))
sq = sq.Filter(sqlchemy.Equals(vpcs.Field("status"), api.VPC_STATUS_AVAILABLE))
sq2 := providers.Query(sqlchemy.DISTINCT("id", providers.Field("id")))
sq2 = sq2.Join(vpcs, sqlchemy.Equals(vpcs.Field("manager_id"), providers.Field("id")))
sq2 = sq2.Join(wires, sqlchemy.Equals(vpcs.Field("id"), wires.Field("vpc_id")))


@@ -26,6 +26,7 @@ import (
"yunion.io/x/pkg/tristate"
api "yunion.io/x/onecloud/pkg/apis/identity"
"yunion.io/x/onecloud/pkg/cloudcommon/consts"
"yunion.io/x/onecloud/pkg/cloudcommon/db"
"yunion.io/x/onecloud/pkg/cloudcommon/db/lockman"
"yunion.io/x/onecloud/pkg/keystone/models"
@@ -213,7 +214,7 @@ func (self *SLDAPDriver) syncDomainInfo(ctx context.Context, info SDomainInfo) (
return nil, errors.Wrap(err, "insert")
}
if self.AutoCreateProject {
if self.AutoCreateProject && consts.GetNonDefaultDomainProjects() {
project := &models.SProject{}
project.SetModelManager(models.ProjectManager, project)
projectName := models.NormalizeProjectName(fmt.Sprintf("%s_default_project", info.Name))
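Review bot: With the condition on L139, an operator who configured AutoCreateProject gets no indication when the per-domain project is skipped because GetNonDefaultDomainProjects() is off; the setting is silently overridden. Add an else branch that logs, with whatever logger this file already uses, that auto project creation for the synced domain was skipped because non-default domain projects are disabled, and put a comment such as `// a freshly synced LDAP domain is never the default domain, so the global switch decides` on the condition so the coupling is explicit. syncDomainInfo starts and ends outside the hunk.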


@@ -243,6 +243,10 @@ func (manager *SAssignmentManager) fetchProjectUserIdsQuery(projId string) *sqlc
}
func (manager *SAssignmentManager) projectAddUser(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, user *SUser, role *SRole) error {
err := db.ValidateCreateDomainId(project.DomainId)
if err != nil {
return err
}
if project.DomainId != user.DomainId {
if project.DomainId != api.DEFAULT_DOMAIN_ID {
return httperrors.NewInputParameterError("join user into project of default domain or identical domain")
@@ -254,7 +258,7 @@ func (manager *SAssignmentManager) projectAddUser(ctx context.Context, userCred
return httperrors.NewForbiddenError("not enough privilege")
}
}
err := manager.add(api.AssignmentUserProject, user.Id, project.Id, role.Id)
err = manager.add(api.AssignmentUserProject, user.Id, project.Id, role.Id)
if err == nil {
db.OpsLog.LogEvent(user, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_ATTACH, user.GetShortDesc(ctx), userCred)
@@ -337,6 +341,10 @@ func (manager *SAssignmentManager) projectRemoveUser(ctx context.Context, userCr
}
func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred mcclient.TokenCredential, project *SProject, group *SGroup, role *SRole) error {
err := db.ValidateCreateDomainId(project.DomainId)
if err != nil {
return err
}
if project.DomainId != group.DomainId {
if project.DomainId != api.DEFAULT_DOMAIN_ID {
return httperrors.NewInputParameterError("join group into project of default domain or identical domain")
@@ -348,7 +356,7 @@ func (manager *SAssignmentManager) projectAddGroup(ctx context.Context, userCred
return httperrors.NewForbiddenError("not enough privilege")
}
}
err := manager.add(api.AssignmentGroupProject, group.Id, project.Id, role.Id)
err = manager.add(api.AssignmentGroupProject, group.Id, project.Id, role.Id)
if err == nil {
db.OpsLog.LogEvent(group, db.ACT_ATTACH, project.GetShortDesc(ctx), userCred)
db.OpsLog.LogEvent(project, db.ACT_ATTACH, group.GetShortDesc(ctx), userCred)
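Review bot: The checks added on L149 and L168 make projectAddUser and projectAddGroup refuse membership changes on any project outside the default domain while the switch is off, which includes projects that already existed before the switch was turned off; those projects become unmanageable and the error text still speaks of prohibited creation. If locking out pre-existing non-default-domain projects is intended, say so in a comment above each check, e.g. `// membership changes are refused for non-default-domain projects while the global switch is off, including projects created before it was turned off`; otherwise the guard belongs only on project creation, which SProjectManager.ValidateCreateData already performs in this commit. Both functions continue beyond their hunks, so the later `err =` assignments on L161 and L180 are consistent with the new earlier declaration only if no other `err :=` exists in between.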


@@ -113,6 +113,10 @@ func (manager *SPolicyManager) ValidateCreateData(ctx context.Context, userCred
/*if policy.IsSystemWidePolicy() && policyman.PolicyManager.Allow(rbacutils.ScopeSystem, userCred, consts.GetServiceType(), manager.KeywordPlural(), policyman.PolicyActionCreate) == rbacutils.Deny {
return nil, httperrors.NewNotSufficientPrivilegeError("not allow to create system-wide policy")
}*/
err = db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
if err != nil {
return nil, err
}
return manager.SEnabledIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
}


@@ -353,3 +353,11 @@ func (manager *SProjectManager) FetchUserProjects(userId string) ([]SProjectExte
}
return ret, nil
}
func (manager *SProjectManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
if err != nil {
return nil, err
}
return manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
}


@@ -376,3 +376,11 @@ func (role *SRole) PerformPrivate(ctx context.Context, userCred mcclient.TokenCr
}
return res, err
}
func (manager *SRoleManager) ValidateCreateData(ctx context.Context, userCred mcclient.TokenCredential, ownerId mcclient.IIdentityProvider, query jsonutils.JSONObject, data *jsonutils.JSONDict) (*jsonutils.JSONDict, error) {
err := db.ValidateCreateDomainId(ownerId.GetProjectDomainId())
if err != nil {
return nil, err
}
return manager.SIdentityBaseResourceManager.ValidateCreateData(ctx, userCred, ownerId, query, data)
}


@@ -28,7 +28,6 @@ type SKeystoneOptions struct {
TokenExpirationSeconds int `default:"86400" help:"token expiration seconds" token:"expiration"`
FernetKeyRepository string `help:"fernet key repo directory" token:"key_repository" default:"/etc/yunion/keystone/fernet-keys"`
SetupCredentialKeys bool `help:"setup standalone fernet keys for credentials" token:"setup_credential_key" default:"false"`
// SetupStateKey bool `help:"setup standalone fernet keys for openid state" token:"setup_state_key"`
BootstrapAdminUserPassword string `help:"bootstreap sysadmin user password" default:"sysadmin"`
ResetAdminUserPassword bool `help:"reset sysadmin password if exists and this option is true"`


@@ -81,6 +81,8 @@ type SCloudAccountCreateBaseOptions struct {
EnableAutoSync bool `help:"Enable automatically synchronize resources of this account"`
SyncIntervalSeconds int `help:"Interval to synchronize if auto sync is enable" metavar:"SECONDS"`
ProjectDomain string `help:"domain for this account, default is Default" default:"Default"`
}
type SVMwareCloudAccountCreateOptions struct {


@@ -164,12 +164,12 @@ func (self *SRegion) fetchIVpcs() error {
}
self.ivpcs = append(self.ivpcs, &SVpc{region: self,
CidrBlock: *vpc.CidrBlock,
Tags: tags,
IsDefault: *vpc.IsDefault,
RegionId: self.RegionId,
Status: *vpc.State,
VpcId: *vpc.VpcId,
CidrBlock: *vpc.CidrBlock,
Tags: tags,
IsDefault: *vpc.IsDefault,
RegionId: self.RegionId,
Status: *vpc.State,
VpcId: *vpc.VpcId,
InstanceTenancy: *vpc.InstanceTenancy,
})
}


@@ -121,4 +121,4 @@ func NewServerV2Manager(regionId, projectId string, signer auth.Signer, debug bo
ResourceKeyword: "cloudservers",
}}
}
}


@@ -31,10 +31,10 @@ import (
billing_api "yunion.io/x/onecloud/pkg/apis/billing"
api "yunion.io/x/onecloud/pkg/apis/compute"
"yunion.io/x/onecloud/pkg/util/cloudinit"
"yunion.io/x/onecloud/pkg/cloudprovider"
"yunion.io/x/onecloud/pkg/multicloud"
"yunion.io/x/onecloud/pkg/util/billing"
"yunion.io/x/onecloud/pkg/util/cloudinit"
"yunion.io/x/onecloud/pkg/util/huawei/client/modules"
)
@@ -1295,4 +1295,4 @@ func updateUserData(userData, username, password string) (string, error) {
}
return config.UserDataBase64(), nil
}
}


@@ -125,7 +125,7 @@ func init() {
shellutils.R(&InstanceRebuildRootOptions{}, "instance-rebuild-root", "Reinstall virtual server system image", func(cli *huawei.SRegion, args *InstanceRebuildRootOptions) error {
ctx := context.Background()
jobId, err := cli.ChangeRoot(ctx, args.UserId,args.ID, args.Image, args.Password, args.PublicKey, args.UserData)
jobId, err := cli.ChangeRoot(ctx, args.UserId, args.ID, args.Image, args.Password, args.PublicKey, args.UserData)
if err != nil {
return err
}