code refactor (#1923)

Signed-off-by: hongming <talonwan@yunify.com>
2020-02-25 20:47:59 +08:00
parent 0664eeb559
commit 570ef8b60a
8 changed files with 98 additions and 104 deletions
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
@@ -126,14 +126,14 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, ldapClient ldapp
 		To(handler.ListClusterRoleRules).
 		Doc("List all policy rules of the specified cluster role.").
 		Param(ws.PathParameter("clusterrole", "cluster role name")).
-		Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}).
+		Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
 	ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
 		To(handler.ListRoleRules).
 		Doc("List all policy rules of the specified role in the given namespace.").
 		Param(ws.PathParameter("namespace", "kubernetes namespace")).
 		Param(ws.PathParameter("role", "role name")).
-		Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}).
+		Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
 	ws.Route(ws.GET("/rulesmapping/clusterroles").
 		To(handler.ClusterRulesMapping).
--- a/pkg/kapis/tenant/v1alpha2/register.go
+++ b/pkg/kapis/tenant/v1alpha2/register.go
@@ -29,7 +29,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/apiserver/runtime"
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/models"
-	"kubesphere.io/kubesphere/pkg/models/iam"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
 	"kubesphere.io/kubesphere/pkg/server/errors"
 	"kubesphere.io/kubesphere/pkg/server/params"
 	"kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -63,19 +63,19 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, db *mysql.Databa
 		To(handler.ListWorkspaceRules).
 		Param(ws.PathParameter("workspace", "workspace name")).
 		Doc("List the rules of the specified workspace for the current user").
-		Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+		Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 	ws.Route(ws.GET("/namespaces/{namespace}/rules").
 		To(handler.ListNamespaceRules).
 		Param(ws.PathParameter("namespace", "the name of the namespace")).
 		Doc("List the rules of the specified namespace for the current user").
-		Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+		Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 	ws.Route(ws.GET("/devops/{devops}/rules").
 		To(handler.ListDevopsRules).
 		Param(ws.PathParameter("devops", "devops project ID")).
 		Doc("List the rules of the specified DevOps project for the current user").
-		Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+		Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 		Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 	ws.Route(ws.GET("/workspaces/{workspace}/namespaces").
 		To(handler.ListNamespaces).
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
@@ -51,12 +51,12 @@ type AccessManagementInterface interface {
 	ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
 	ListClusterRoles(conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
 	ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error)
-	GetClusterRoleSimpleRules(clusterRole string) ([]SimpleRule, error)
-	GetRoleSimpleRules(namespace string, role string) ([]SimpleRule, error)
+	GetClusterRoleSimpleRules(clusterRole string) ([]policy.SimpleRule, error)
+	GetRoleSimpleRules(namespace string, role string) ([]policy.SimpleRule, error)
 	GetRoles(namespace, username string) ([]*rbacv1.Role, error)
 	GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error)
 	GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error)
-	GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule
+	GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule
 	GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error)
 	GetWorkspaceRoleMap(username string) (map[string]string, error)
 }
@@ -97,12 +97,12 @@ func NewAMOperator(informers informers.SharedInformerFactory) *amOperator {
 	return &amOperator{informers: informers, resources: resourceGetter}
 }

-func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
-	var rules []SimpleRule
+func (am *amOperator) GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
+	var rules []policy.SimpleRule

 	switch role {
 	case "developer":
-		rules = []SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"view", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
@@ -110,7 +110,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 		}
 		break
 	case "owner":
-		rules = []SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -119,7 +119,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 		}
 		break
 	case "maintainer":
-		rules = []SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
@@ -130,7 +130,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 	case "reporter":
 		fallthrough
 	default:
-		rules = []SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"view"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
@@ -412,13 +412,13 @@ func (am *amOperator) ListClusterRoles(conditions *params.Conditions, orderBy st
 	return am.resources.ListResources("", v1alpha2.ClusterRoles, conditions, orderBy, reverse, limit, offset)
 }

-func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule {
+func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule {

-	workspaceRules := make([]SimpleRule, 0)
+	workspaceRules := make([]policy.SimpleRule, 0)

 	switch roleName {
 	case constants.WorkspaceAdmin:
-		workspaceRules = []SimpleRule{
+		workspaceRules = []policy.SimpleRule{
 			{Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
 			{Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
 			{Name: "devops", Actions: []string{"edit", "delete", "create", "view"}},
@@ -428,7 +428,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 			{Name: "repos", Actions: []string{"view", "manage"}},
 		}
 	case constants.WorkspaceRegular:
-		workspaceRules = []SimpleRule{
+		workspaceRules = []policy.SimpleRule{
 			{Name: "members", Actions: []string{"view"}},
 			{Name: "devops", Actions: []string{"view", "create"}},
 			{Name: "projects", Actions: []string{"view", "create"}},
@@ -436,7 +436,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 			{Name: "repos", Actions: []string{"view"}},
 		}
 	case constants.WorkspaceViewer:
-		workspaceRules = []SimpleRule{
+		workspaceRules = []policy.SimpleRule{
 			{Name: "workspaces", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
 			{Name: "devops", Actions: []string{"view"}},
@@ -446,7 +446,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 			{Name: "repos", Actions: []string{"view"}},
 		}
 	case constants.WorkspacesManager:
-		workspaceRules = []SimpleRule{
+		workspaceRules = []policy.SimpleRule{
 			{Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
 			{Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
 			{Name: "roles", Actions: []string{"view"}},
@@ -457,7 +457,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 }

 // Convert cluster role to rules
-func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]SimpleRule, error) {
+func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]policy.SimpleRule, error) {

 	clusterRoleLister := am.informers.Rbac().V1().ClusterRoles().Lister()
 	clusterRole, err := clusterRoleLister.Get(clusterRoleName)
@@ -470,7 +470,7 @@ func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]Simpl
 	return getClusterSimpleRule(clusterRole.Rules), nil
 }

-func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule, error) {
+func (am *amOperator) GetUserClusterSimpleRules(username string) ([]policy.SimpleRule, error) {
 	clusterRules, err := am.GetUserClusterRules(username)
 	if err != nil {
 		return nil, err
@@ -479,7 +479,7 @@ func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule,
 }

 // Convert roles to rules
-func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]SimpleRule, error) {
+func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]policy.SimpleRule, error) {

 	roleLister := am.informers.Rbac().V1().Roles().Lister()
 	role, err := roleLister.Roles(namespace).Get(roleName)
@@ -492,8 +492,8 @@ func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]S
 	return ConvertToSimpleRule(role.Rules), nil
 }

-func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
-	rules := make([]SimpleRule, 0)
+func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
+	rules := make([]policy.SimpleRule, 0)

 	for i := 0; i < len(policy.ClusterRoleRuleMapping); i++ {
 		validActions := make([]string, 0)
@@ -503,17 +503,17 @@ func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
 			}
 		}
 		if len(validActions) > 0 {
-			rules = append(rules, SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions})
+			rules = append(rules, policy.SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions})
 		}
 	}

 	return rules
 }

-func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
-	simpleRules := make([]SimpleRule, 0)
+func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
+	simpleRules := make([]policy.SimpleRule, 0)
 	for i := 0; i < len(policy.RoleRuleMapping); i++ {
-		rule := SimpleRule{Name: policy.RoleRuleMapping[i].Name}
+		rule := policy.SimpleRule{Name: policy.RoleRuleMapping[i].Name}
 		rule.Actions = make([]string, 0)
 		for j := 0; j < len(policy.RoleRuleMapping[i].Actions); j++ {
 			if rulesMatchesAction(policyRules, policy.RoleRuleMapping[i].Actions[j]) {
--- a/pkg/models/iam/policy/policy.go
+++ b/pkg/models/iam/policy/policy.go
@@ -21,21 +21,20 @@ package policy
 import (
 	"encoding/json"
 	"io/ioutil"
-	"kubesphere.io/kubesphere/pkg/models/iam"
-
 	"k8s.io/api/rbac/v1"
 )

 const (
-	rulesConfigPath        = iam.ConfigPath + "/rules.json"
-	clusterRulesConfigPath = iam.ConfigPath + "/clusterrules.json"
+	configPath             = "/etc/kubesphere/iam"
+	rulesConfigPath        = configPath + "/rules.json"
+	clusterRulesConfigPath = configPath + "/clusterrules.json"
 )

 func init() {
 	rulesConfig, err := ioutil.ReadFile(rulesConfigPath)

 	if err == nil {
-		config := &[]iam.Rule{}
+		config := &[]Rule{}
 		json.Unmarshal(rulesConfig, config)
 		if len(*config) > 0 {
 			RoleRuleMapping = *config
@@ -45,7 +44,7 @@ func init() {
 	clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath)

 	if err == nil {
-		config := &[]iam.Rule{}
+		config := &[]Rule{}
 		json.Unmarshal(clusterRulesConfig, config)
 		if len(*config) > 0 {
 			ClusterRoleRuleMapping = *config
@@ -54,9 +53,9 @@ func init() {
 }

 var (
-	ClusterRoleRuleMapping = []iam.Rule{
+	ClusterRoleRuleMapping = []Rule{
 		{Name: "workspaces",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{
 					Name: "manage",
 					Rules: []v1.PolicyRule{
@@ -71,7 +70,7 @@ var (
 		},
 		{
 			Name: "monitoring",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{{
 						Verbs:     []string{"get", "list"},
@@ -87,7 +86,7 @@ var (
 		},
 		{
 			Name: "alerting",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{{
 						Verbs:     []string{"get", "list"},
@@ -113,7 +112,7 @@ var (
 		},
 		{
 			Name: "logging",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{{
 						Verbs:     []string{"get", "list"},
@@ -125,7 +124,7 @@ var (
 		},
 		{
 			Name: "accounts",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -192,7 +191,7 @@ var (
 			},
 		}, {
 			Name: "roles",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -238,7 +237,7 @@ var (
 			},
 		}, {
 			Name: "storageclasses",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -282,7 +281,7 @@ var (
 			},
 		}, {
 			Name: "nodes",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -313,7 +312,7 @@ var (
 			},
 		}, {
 			Name: "repos",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -353,7 +352,7 @@ var (
 			},
 		}, {
 			Name: "apps",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -366,7 +365,7 @@ var (
 			},
 		}, {
 			Name: "components",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -379,9 +378,9 @@ var (
 			},
 		}}

-	RoleRuleMapping = []iam.Rule{{
+	RoleRuleMapping = []Rule{{
 		Name: "projects",
-		Actions: []iam.Action{
+		Actions: []Action{
 			{Name: "view",
 				Rules: []v1.PolicyRule{
 					{
@@ -418,7 +417,7 @@ var (
 	},
 		{
 			Name: "monitoring",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{{
 						Verbs:     []string{"get", "list"},
@@ -435,7 +434,7 @@ var (

 		{
 			Name: "alerting",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{{
 						Verbs:     []string{"get", "list"},
@@ -461,7 +460,7 @@ var (
 		},
 		{
 			Name: "members",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -507,7 +506,7 @@ var (
 		},
 		{
 			Name: "roles",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -548,7 +547,7 @@ var (
 		},
 		{
 			Name: "deployments",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -604,7 +603,7 @@ var (
 			},
 		}, {
 			Name: "statefulsets",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -658,7 +657,7 @@ var (
 			},
 		}, {
 			Name: "daemonsets",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -703,7 +702,7 @@ var (
 			},
 		}, {
 			Name: "pods",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "terminal",
 					Rules: []v1.PolicyRule{
 						{
@@ -735,7 +734,7 @@ var (
 		},
 		{
 			Name: "services",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -777,7 +776,7 @@ var (
 		},
 		{
 			Name: "internet",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -819,7 +818,7 @@ var (

 		{
 			Name: "routes",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -859,7 +858,7 @@ var (
 			},
 		}, {
 			Name: "volumes",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -899,7 +898,7 @@ var (
 			},
 		}, {
 			Name: "applications",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view",
 					Rules: []v1.PolicyRule{
 						{
@@ -953,7 +952,7 @@ var (
 		},
 		{
 			Name: "jobs",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view", Rules: []v1.PolicyRule{
 					{
 						Verbs:     []string{"get", "list"},
@@ -986,7 +985,7 @@ var (
 		},
 		{
 			Name: "cronjobs",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view", Rules: []v1.PolicyRule{
 					{
 						Verbs:     []string{"get", "list"},
@@ -1019,7 +1018,7 @@ var (
 		},
 		{
 			Name: "secrets",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view", Rules: []v1.PolicyRule{
 					{
 						Verbs:     []string{"get", "list"},
@@ -1052,7 +1051,7 @@ var (
 		},
 		{
 			Name: "configmaps",
-			Actions: []iam.Action{
+			Actions: []Action{
 				{Name: "view", Rules: []v1.PolicyRule{
 					{
 						Verbs:     []string{"get", "list"},
@@ -1085,3 +1084,18 @@ var (
 		},
 	}
 )
+
+type Action struct {
+	Name  string          `json:"name"`
+	Rules []v1.PolicyRule `json:"rules"`
+}
+
+type Rule struct {
+	Name    string   `json:"name"`
+	Actions []Action `json:"actions"`
+}
+
+type SimpleRule struct {
+	Name    string   `json:"name" description:"rule name"`
+	Actions []string `json:"actions" description:"actions"`
+}
--- a/pkg/models/iam/types.go
+++ b/pkg/models/iam/types.go
@@ -19,12 +19,10 @@
 package iam

 import (
-	"k8s.io/api/rbac/v1"
 	"time"
 )

 const (
-	ConfigPath      = "/etc/kubesphere/iam"
 	KindTokenReview = "TokenReview"
 )

@@ -37,23 +35,3 @@ type User struct {
 	Groups      []string  `json:"groups,omitempty"`
 	Password    string    `json:"password,omitempty"`
 }
-
-type Action struct {
-	Name  string          `json:"name"`
-	Rules []v1.PolicyRule `json:"rules"`
-}
-
-type Rule struct {
-	Name    string   `json:"name"`
-	Actions []Action `json:"actions"`
-}
-
-type SimpleRule struct {
-	Name    string   `json:"name" description:"rule name"`
-	Actions []string `json:"actions" description:"actions"`
-}
-
-type RoleList struct {
-	ClusterRoles []*v1.ClusterRole `json:"clusterRole" description:"cluster role list"`
-	Roles        []*v1.Role        `json:"roles" description:"role list"`
-}
--- a/pkg/models/iam/utils.go
+++ b/pkg/models/iam/utils.go
@@ -20,6 +20,7 @@ package iam

 import (
 	rbacv1 "k8s.io/api/rbac/v1"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
 	"strings"
 )

@@ -32,7 +33,7 @@ func RulesMatchesRequired(rules []rbacv1.PolicyRule, required rbacv1.PolicyRule)
 	return false
 }

-func rulesMatchesAction(rules []rbacv1.PolicyRule, action Action) bool {
+func rulesMatchesAction(rules []rbacv1.PolicyRule, action policy.Action) bool {

 	for _, required := range action.Rules {
 		if !RulesMatchesRequired(rules, required) {
--- a/pkg/models/tenant/devops.go
+++ b/pkg/models/tenant/devops.go
@@ -26,7 +26,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/db"
 	"kubesphere.io/kubesphere/pkg/models"
 	"kubesphere.io/kubesphere/pkg/models/devops"
-	"kubesphere.io/kubesphere/pkg/models/iam"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
 	"kubesphere.io/kubesphere/pkg/server/params"
 	dsClient "kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"kubesphere.io/kubesphere/pkg/simple/client/mysql"
@@ -38,7 +38,7 @@ type DevOpsProjectOperator interface {
 	CreateDevOpsProject(username string, workspace string, req *v1alpha2.DevOpsProject) (*v1alpha2.DevOpsProject, error)
 	GetDevOpsProjectsCount(username string) (uint32, error)
 	DeleteDevOpsProject(projectId, username string) error
-	GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error)
+	GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error)
 }

 type devopsProjectOperator struct {
@@ -208,7 +208,7 @@ func (o *devopsProjectOperator) CreateDevOpsProject(username string, workspace s
 	return project, nil
 }

-func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error) {
+func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error) {

 	role, err := o.getProjectUserRole(username, projectId)
 	if err != nil {
@@ -236,12 +236,12 @@ func (o *devopsProjectOperator) getProjectUserRole(username, projectId string) (
 	return membership.Role, nil
 }

-func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
-	var rules []iam.SimpleRule
+func GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
+	var rules []policy.SimpleRule

 	switch role {
 	case "developer":
-		rules = []iam.SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"view", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
@@ -249,7 +249,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 		}
 		break
 	case "owner":
-		rules = []iam.SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -258,7 +258,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 		}
 		break
 	case "maintainer":
-		rules = []iam.SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
@@ -269,7 +269,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 	case "reporter":
 		fallthrough
 	default:
-		rules = []iam.SimpleRule{
+		rules = []policy.SimpleRule{
 			{Name: "pipelines", Actions: []string{"view"}},
 			{Name: "roles", Actions: []string{"view"}},
 			{Name: "members", Actions: []string{"view"}},
--- a/pkg/models/tenant/tenant.go
+++ b/pkg/models/tenant/tenant.go
@@ -29,6 +29,7 @@ import (
 	"kubesphere.io/kubesphere/pkg/constants"
 	"kubesphere.io/kubesphere/pkg/models"
 	"kubesphere.io/kubesphere/pkg/models/iam"
+	"kubesphere.io/kubesphere/pkg/models/iam/policy"
 	"kubesphere.io/kubesphere/pkg/server/params"
 	"kubesphere.io/kubesphere/pkg/simple/client/mysql"
 	"strconv"
@@ -41,8 +42,8 @@ type Interface interface {
 	ListWorkspaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
 	ListNamespaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
 	ListDevopsProjects(username string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
-	GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error)
-	GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error)
+	GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error)
+	GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error)
 	CountDevOpsProjects(username string) (uint32, error)
 	DeleteDevOpsProject(username, projectId string) error
 	GetUserDevopsSimpleRules(username string, devops string) (interface{}, error)
@@ -122,7 +123,7 @@ func (t *tenantOperator) ListWorkspaces(username string, conditions *params.Cond
 	return &models.PageableResponse{Items: result, TotalCount: len(workspaces)}, nil
 }

-func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error) {
+func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error) {
 	clusterRules, err := t.am.GetClusterPolicyRules(username)
 	if err != nil {
 		return nil, err
@@ -150,7 +151,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]

 	if err != nil {
 		if apierrors.IsNotFound(err) {
-			return []iam.SimpleRule{}, nil
+			return []policy.SimpleRule{}, nil
 		}

 		klog.Error(err)
@@ -160,7 +161,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
 	return t.am.GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
 }

-func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error) {
+func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error) {
 	clusterRules, err := t.am.GetClusterPolicyRules(username)
 	if err != nil {
 		return nil, err