diff --git a/pkg/kapis/iam/v1alpha2/register.go b/pkg/kapis/iam/v1alpha2/register.go
index ffefcd3dd..c9c7b546f 100644
--- a/pkg/kapis/iam/v1alpha2/register.go
+++ b/pkg/kapis/iam/v1alpha2/register.go
@@ -126,14 +126,14 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, ldapClient ldapp
 To(handler.ListClusterRoleRules).
 Doc("List all policy rules of the specified cluster role.").
 Param(ws.PathParameter("clusterrole", "cluster role name")).
- Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}).
+ Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
 ws.Route(ws.GET("/namespaces/{namespace}/roles/{role}/rules").
 To(handler.ListRoleRules).
 Doc("List all policy rules of the specified role in the given namespace.").
 Param(ws.PathParameter("namespace", "kubernetes namespace")).
 Param(ws.PathParameter("role", "role name")).
- Returns(http.StatusOK, api.StatusOK, []iam.SimpleRule{}).
+ Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.AccessManagementTag}))
 ws.Route(ws.GET("/rulesmapping/clusterroles").
 To(handler.ClusterRulesMapping).
diff --git a/pkg/kapis/tenant/v1alpha2/register.go b/pkg/kapis/tenant/v1alpha2/register.go
index f8454b485..7d9fabe4d 100644
--- a/pkg/kapis/tenant/v1alpha2/register.go
+++ b/pkg/kapis/tenant/v1alpha2/register.go
@@ -29,7 +29,7 @@ import (
 "kubesphere.io/kubesphere/pkg/apiserver/runtime"
 "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/models"
- "kubesphere.io/kubesphere/pkg/models/iam"
+ "kubesphere.io/kubesphere/pkg/models/iam/policy"
 "kubesphere.io/kubesphere/pkg/server/errors"
 "kubesphere.io/kubesphere/pkg/server/params"
 "kubesphere.io/kubesphere/pkg/simple/client/k8s"
@@ -63,19 +63,19 @@ func AddToContainer(c *restful.Container, k8sClient k8s.Client, db *mysql.Databa
 To(handler.ListWorkspaceRules).
 Param(ws.PathParameter("workspace", "workspace name")).
 Doc("List the rules of the specified workspace for the current user").
- Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+ Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 ws.Route(ws.GET("/namespaces/{namespace}/rules").
 To(handler.ListNamespaceRules).
 Param(ws.PathParameter("namespace", "the name of the namespace")).
 Doc("List the rules of the specified namespace for the current user").
- Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+ Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 ws.Route(ws.GET("/devops/{devops}/rules").
 To(handler.ListDevopsRules).
 Param(ws.PathParameter("devops", "devops project ID")).
 Doc("List the rules of the specified DevOps project for the current user").
- Returns(http.StatusOK, api.StatusOK, iam.SimpleRule{}).
+ Returns(http.StatusOK, api.StatusOK, policy.SimpleRule{}).
 Metadata(restfulspec.KeyOpenAPITags, []string{constants.TenantResourcesTag}))
 ws.Route(ws.GET("/workspaces/{workspace}/namespaces").
 To(handler.ListNamespaces).
diff --git a/pkg/models/iam/am.go b/pkg/models/iam/am.go
index 75a45ce57..dcda859b5 100644
--- a/pkg/models/iam/am.go
+++ b/pkg/models/iam/am.go
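Review bot: The three rewritten `Returns(...)` lines in this hunk document the 200 response as a single `policy.SimpleRule{}`, while the same commit types `GetWorkspaceSimpleRules` and `GetNamespaceSimpleRules` as returning `[]policy.SimpleRule` and the parallel rules routes in pkg/kapis/iam/v1alpha2/register.go use `[]policy.SimpleRule{}`. If the handlers write those slices straight to the response, the generated OpenAPI schema misdescribes the payload, and each of the three lines should read `Returns(http.StatusOK, api.StatusOK, []policy.SimpleRule{}).` The mismatch predates the commit, but it is a one-token fix on lines the commit already rewrites. AddToContainer continues outside the hunk.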
@@ -51,12 +51,12 @@ type AccessManagementInterface interface {
 ListRoles(namespace string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
 ListClusterRoles(conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
 ListClusterRoleBindings(clusterRole string) ([]*rbacv1.ClusterRoleBinding, error)
- GetClusterRoleSimpleRules(clusterRole string) ([]SimpleRule, error)
- GetRoleSimpleRules(namespace string, role string) ([]SimpleRule, error)
+ GetClusterRoleSimpleRules(clusterRole string) ([]policy.SimpleRule, error)
+ GetRoleSimpleRules(namespace string, role string) ([]policy.SimpleRule, error)
 GetRoles(namespace, username string) ([]*rbacv1.Role, error)
 GetClusterPolicyRules(username string) ([]rbacv1.PolicyRule, error)
 GetPolicyRules(namespace, username string) ([]rbacv1.PolicyRule, error)
- GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule
+ GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule
 GetWorkspaceRole(workspace, username string) (*rbacv1.ClusterRole, error)
 GetWorkspaceRoleMap(username string) (map[string]string, error)
 }
@@ -97,12 +97,12 @@ func NewAMOperator(informers informers.SharedInformerFactory) *amOperator {
 return &amOperator{informers: informers, resources: resourceGetter}
 }
-func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
- var rules []SimpleRule
+func (am *amOperator) GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
+ var rules []policy.SimpleRule
 switch role {
 case "developer":
- rules = []SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"view", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
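Review bot: `amOperator.GetDevopsRoleSimpleRules` in the second hunk here carries the same role-to-action table as the package-level `GetDevopsRoleSimpleRules` in pkg/models/tenant/devops.go (hunks at -236, -249, -258, -269), and as far as the visible cases show the two copies are identical; the commit re-types both but keeps them apart, so the DevOps permission matrix can silently drift between the two packages. Now that the result type lives in package policy, the table could be declared once there, next to `RoleRuleMapping`, with both callers delegating to it. The `break` that closes each case is redundant in Go, since a case never falls through unless `fallthrough` is written. The method body continues outside this hunk (-110, -119, -130).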
@@ -110,7 +110,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 }
 break
 case "owner":
- rules = []SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -119,7 +119,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 }
 break
 case "maintainer":
- rules = []SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
@@ -130,7 +130,7 @@ func (am *amOperator) GetDevopsRoleSimpleRules(role string) []SimpleRule {
 case "reporter":
 fallthrough
 default:
- rules = []SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"view"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
@@ -412,13 +412,13 @@ func (am *amOperator) ListClusterRoles(conditions *params.Conditions, orderBy st
 return am.resources.ListResources("", v1alpha2.ClusterRoles, conditions, orderBy, reverse, limit, offset)
 }
-func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []SimpleRule {
+func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []policy.SimpleRule {
- workspaceRules := make([]SimpleRule, 0)
+ workspaceRules := make([]policy.SimpleRule, 0)
 switch roleName {
 case constants.WorkspaceAdmin:
- workspaceRules = []SimpleRule{
+ workspaceRules = []policy.SimpleRule{
 {Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
 {Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
 {Name: "devops", Actions: []string{"edit", "delete", "create", "view"}},
@@ -428,7 +428,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 {Name: "repos", Actions: []string{"view", "manage"}},
 }
 case constants.WorkspaceRegular:
- workspaceRules = []SimpleRule{
+ workspaceRules = []policy.SimpleRule{
 {Name: "members", Actions: []string{"view"}},
 {Name: "devops", Actions: []string{"view", "create"}},
 {Name: "projects", Actions: []string{"view", "create"}},
@@ -436,7 +436,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 {Name: "repos", Actions: []string{"view"}},
 }
 case constants.WorkspaceViewer:
- workspaceRules = []SimpleRule{
+ workspaceRules = []policy.SimpleRule{
 {Name: "workspaces", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
 {Name: "devops", Actions: []string{"view"}},
@@ -446,7 +446,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 {Name: "repos", Actions: []string{"view"}},
 }
 case constants.WorkspacesManager:
- workspaceRules = []SimpleRule{
+ workspaceRules = []policy.SimpleRule{
 {Name: "workspaces", Actions: []string{"edit", "delete", "view"}},
 {Name: "members", Actions: []string{"edit", "delete", "create", "view"}},
 {Name: "roles", Actions: []string{"view"}},
@@ -457,7 +457,7 @@ func (am *amOperator) GetWorkspaceRoleSimpleRules(workspace, roleName string) []
 }
 // Convert cluster role to rules
-func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]SimpleRule, error) {
+func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]policy.SimpleRule, error) {
 clusterRoleLister := am.informers.Rbac().V1().ClusterRoles().Lister()
 clusterRole, err := clusterRoleLister.Get(clusterRoleName)
@@ -470,7 +470,7 @@ func (am *amOperator) GetClusterRoleSimpleRules(clusterRoleName string) ([]Simpl
 return getClusterSimpleRule(clusterRole.Rules), nil
 }
-func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule, error) {
+func (am *amOperator) GetUserClusterSimpleRules(username string) ([]policy.SimpleRule, error) {
 clusterRules, err := am.GetUserClusterRules(username)
 if err != nil {
 return nil, err
@@ -479,7 +479,7 @@ func (am *amOperator) GetUserClusterSimpleRules(username string) ([]SimpleRule,
 }
 // Convert roles to rules
-func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]SimpleRule, error) {
+func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]policy.SimpleRule, error) {
 roleLister := am.informers.Rbac().V1().Roles().Lister()
 role, err := roleLister.Roles(namespace).Get(roleName)
@@ -492,8 +492,8 @@ func (am *amOperator) GetRoleSimpleRules(namespace string, roleName string) ([]S
 return ConvertToSimpleRule(role.Rules), nil
 }
-func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
- rules := make([]SimpleRule, 0)
+func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
+ rules := make([]policy.SimpleRule, 0)
 for i := 0; i < len(policy.ClusterRoleRuleMapping); i++ {
 validActions := make([]string, 0)
@@ -503,17 +503,17 @@ func getClusterSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
 }
 }
 if len(validActions) > 0 {
- rules = append(rules, SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions})
+ rules = append(rules, policy.SimpleRule{Name: policy.ClusterRoleRuleMapping[i].Name, Actions: validActions})
 }
 }
 return rules
 }
-func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []SimpleRule {
- simpleRules := make([]SimpleRule, 0)
+func ConvertToSimpleRule(policyRules []rbacv1.PolicyRule) []policy.SimpleRule {
+ simpleRules := make([]policy.SimpleRule, 0)
 for i := 0; i < len(policy.RoleRuleMapping); i++ {
- rule := SimpleRule{Name: policy.RoleRuleMapping[i].Name}
+ rule := policy.SimpleRule{Name: policy.RoleRuleMapping[i].Name}
 rule.Actions = make([]string, 0)
 for j := 0; j < len(policy.RoleRuleMapping[i].Actions); j++ {
 if rulesMatchesAction(policyRules, policy.RoleRuleMapping[i].Actions[j]) {
diff --git a/pkg/models/iam/policy/policy.go b/pkg/models/iam/policy/policy.go
index 6574244f1..59dbe9c30 100644
--- a/pkg/models/iam/policy/policy.go
+++ b/pkg/models/iam/policy/policy.go
@@ -21,21 +21,20 @@ package policy
 import (
 "encoding/json"
 "io/ioutil"
- "kubesphere.io/kubesphere/pkg/models/iam"
-
 "k8s.io/api/rbac/v1"
 )
 const (
- rulesConfigPath = iam.ConfigPath + "/rules.json"
- clusterRulesConfigPath = iam.ConfigPath + "/clusterrules.json"
+ configPath = "/etc/kubesphere/iam"
+ rulesConfigPath = configPath + "/rules.json"
+ clusterRulesConfigPath = configPath + "/clusterrules.json"
 )
 func init() {
 rulesConfig, err := ioutil.ReadFile(rulesConfigPath)
 if err == nil {
- config := &[]iam.Rule{}
+ config := &[]Rule{}
 json.Unmarshal(rulesConfig, config)
 if len(*config) > 0 {
 RoleRuleMapping = *config
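Review bot: In the policy.go hunk, `json.Unmarshal(rulesConfig, config)` discards its error, and the decoded value replaces `RoleRuleMapping`, the table that decides which actions a role is granted. encoding/json keeps decoding after a type mismatch, so a malformed rules.json yields a partially filled slice that `len(*config) > 0` then installs silently; the -45 hunk does the same for `ClusterRoleRuleMapping`. Tie the assignment to a successful decode, `if err := json.Unmarshal(rulesConfig, config); err != nil { /* log, keep the built-in table */ } else if len(*config) > 0 { RoleRuleMapping = *config }`, logging with whatever logger this package uses. `if err == nil` on the ReadFile result likewise treats an unreadable file the same as an absent one; `os.IsNotExist(err)` separates the two cases. init continues outside the hunk.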
@@ -45,7 +44,7 @@ func init() { clusterRulesConfig, err := ioutil.ReadFile(clusterRulesConfigPath) if err == nil { - config := &[]iam.Rule{} + config := &[]Rule{} json.Unmarshal(clusterRulesConfig, config) if len(*config) > 0 { ClusterRoleRuleMapping = *config @@ -54,9 +53,9 @@ func init() { } var ( - ClusterRoleRuleMapping = []iam.Rule{ + ClusterRoleRuleMapping = []Rule{ {Name: "workspaces", - Actions: []iam.Action{ + Actions: []Action{ { Name: "manage", Rules: []v1.PolicyRule{ @@ -71,7 +70,7 @@ var ( }, { Name: "monitoring", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{{ Verbs: []string{"get", "list"}, @@ -87,7 +86,7 @@ var ( }, { Name: "alerting", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{{ Verbs: []string{"get", "list"}, @@ -113,7 +112,7 @@ var ( }, { Name: "logging", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{{ Verbs: []string{"get", "list"}, @@ -125,7 +124,7 @@ var ( }, { Name: "accounts", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -192,7 +191,7 @@ var ( }, }, { Name: "roles", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -238,7 +237,7 @@ var ( }, }, { Name: "storageclasses", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -282,7 +281,7 @@ var ( }, }, { Name: "nodes", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -313,7 +312,7 @@ var ( }, }, { Name: "repos", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -353,7 +352,7 @@ var ( }, }, { Name: "apps", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -366,7 +365,7 @@ var ( }, }, { Name: "components", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { 
@@ -379,9 +378,9 @@ var ( }, }} - RoleRuleMapping = []iam.Rule{{ + RoleRuleMapping = []Rule{{ Name: "projects", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -418,7 +417,7 @@ var ( }, { Name: "monitoring", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{{ Verbs: []string{"get", "list"}, @@ -435,7 +434,7 @@ var ( { Name: "alerting", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{{ Verbs: []string{"get", "list"}, @@ -461,7 +460,7 @@ var ( }, { Name: "members", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -507,7 +506,7 @@ var ( }, { Name: "roles", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -548,7 +547,7 @@ var ( }, { Name: "deployments", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -604,7 +603,7 @@ var ( }, }, { Name: "statefulsets", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -658,7 +657,7 @@ var ( }, }, { Name: "daemonsets", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -703,7 +702,7 @@ var ( }, }, { Name: "pods", - Actions: []iam.Action{ + Actions: []Action{ {Name: "terminal", Rules: []v1.PolicyRule{ { @@ -735,7 +734,7 @@ var ( }, { Name: "services", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -777,7 +776,7 @@ var ( }, { Name: "internet", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -819,7 +818,7 @@ var ( { Name: "routes", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -859,7 +858,7 @@ var ( }, }, { Name: "volumes", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { 
@@ -899,7 +898,7 @@ var ( }, }, { Name: "applications", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { @@ -953,7 +952,7 @@ var ( }, { Name: "jobs", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, @@ -986,7 +985,7 @@ var ( }, { Name: "cronjobs", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, @@ -1019,7 +1018,7 @@ var ( }, { Name: "secrets", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, @@ -1052,7 +1051,7 @@ var ( }, { Name: "configmaps", - Actions: []iam.Action{ + Actions: []Action{ {Name: "view", Rules: []v1.PolicyRule{ { Verbs: []string{"get", "list"}, @@ -1085,3 +1084,18 @@ var ( }, } ) + +type Action struct { + Name string `json:"name"` + Rules []v1.PolicyRule `json:"rules"` +} + +type Rule struct { + Name string `json:"name"` + Actions []Action `json:"actions"` +} + +type SimpleRule struct { + Name string `json:"name" description:"rule name"` + Actions []string `json:"actions" description:"actions"` +} diff --git a/pkg/models/iam/types.go b/pkg/models/iam/types.go index 6af94c46d..dee5699b3 100644 --- a/pkg/models/iam/types.go +++ b/pkg/models/iam/types.go @@ -19,12 +19,10 @@ package iam import ( - "k8s.io/api/rbac/v1" "time" ) const ( - ConfigPath = "/etc/kubesphere/iam" KindTokenReview = "TokenReview" ) 
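Review bot: `Action`, `Rule` and `SimpleRule` in the last policy.go hunk are exported without doc comments, and since they are the shape of the authorization tables in this file and of rules.json / clusterrules.json, a reader needs each field's meaning stated. Suggested comments: `// Action is one named permission; Rules are the RBAC PolicyRules that must each be matched by a subject's rules for the action to be granted (see rulesMatchesAction).`, `// Rule lists the actions available on one resource kind; RoleRuleMapping, ClusterRoleRuleMapping and the JSON rule files use this shape.`, `// SimpleRule is the API-facing form of a Rule: the resource name and the names of the actions the subject holds.` The `RoleList` type removed from pkg/models/iam/types.go in the same commit gets no replacement; if nothing references it that is fine, but it deserves a line in the commit message.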
@@ -37,23 +35,3 @@ type User struct {
 Groups []string `json:"groups,omitempty"`
 Password string `json:"password,omitempty"`
 }
-
-type Action struct {
- Name string `json:"name"`
- Rules []v1.PolicyRule `json:"rules"`
-}
-
-type Rule struct {
- Name string `json:"name"`
- Actions []Action `json:"actions"`
-}
-
-type SimpleRule struct {
- Name string `json:"name" description:"rule name"`
- Actions []string `json:"actions" description:"actions"`
-}
-
-type RoleList struct {
- ClusterRoles []*v1.ClusterRole `json:"clusterRole" description:"cluster role list"`
- Roles []*v1.Role `json:"roles" description:"role list"`
-}
diff --git a/pkg/models/iam/utils.go b/pkg/models/iam/utils.go
index 508e69683..1f7c90b32 100644
--- a/pkg/models/iam/utils.go
+++ b/pkg/models/iam/utils.go
@@ -20,6 +20,7 @@ package iam
 import (
 rbacv1 "k8s.io/api/rbac/v1"
+ "kubesphere.io/kubesphere/pkg/models/iam/policy"
 "strings"
 )
@@ -32,7 +33,7 @@ func RulesMatchesRequired(rules []rbacv1.PolicyRule, required rbacv1.PolicyRule)
 return false
 }
-func rulesMatchesAction(rules []rbacv1.PolicyRule, action Action) bool {
+func rulesMatchesAction(rules []rbacv1.PolicyRule, action policy.Action) bool {
 for _, required := range action.Rules {
 if !RulesMatchesRequired(rules, required) {
diff --git a/pkg/models/tenant/devops.go b/pkg/models/tenant/devops.go
index e9068f602..44e1e75ae 100644
--- a/pkg/models/tenant/devops.go
+++ b/pkg/models/tenant/devops.go
@@ -26,7 +26,7 @@ import (
 "kubesphere.io/kubesphere/pkg/db"
 "kubesphere.io/kubesphere/pkg/models"
 "kubesphere.io/kubesphere/pkg/models/devops"
- "kubesphere.io/kubesphere/pkg/models/iam"
+ "kubesphere.io/kubesphere/pkg/models/iam/policy"
 "kubesphere.io/kubesphere/pkg/server/params"
 dsClient "kubesphere.io/kubesphere/pkg/simple/client/devops"
 "kubesphere.io/kubesphere/pkg/simple/client/mysql"
@@ -38,7 +38,7 @@ type DevOpsProjectOperator interface {
 CreateDevOpsProject(username string, workspace string, req *v1alpha2.DevOpsProject) (*v1alpha2.DevOpsProject, error)
 GetDevOpsProjectsCount(username string) (uint32, error)
 DeleteDevOpsProject(projectId, username string) error
- GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error)
+ GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error)
 }
 type devopsProjectOperator struct {
@@ -208,7 +208,7 @@ func (o *devopsProjectOperator) CreateDevOpsProject(username string, workspace s
 return project, nil
 }
-func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]iam.SimpleRule, error) {
+func (o *devopsProjectOperator) GetUserDevOpsSimpleRules(username, projectId string) ([]policy.SimpleRule, error) {
 role, err := o.getProjectUserRole(username, projectId)
 if err != nil {
@@ -236,12 +236,12 @@ func (o *devopsProjectOperator) getProjectUserRole(username, projectId string) (
 return membership.Role, nil
 }
-func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
- var rules []iam.SimpleRule
+func GetDevopsRoleSimpleRules(role string) []policy.SimpleRule {
+ var rules []policy.SimpleRule
 switch role {
 case "developer":
- rules = []iam.SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"view", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
@@ -249,7 +249,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 }
 break
 case "owner":
- rules = []iam.SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"create", "edit", "view", "delete"}},
@@ -258,7 +258,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 }
 break
 case "maintainer":
- rules = []iam.SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"create", "edit", "view", "delete", "trigger"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
@@ -269,7 +269,7 @@ func GetDevopsRoleSimpleRules(role string) []iam.SimpleRule {
 case "reporter":
 fallthrough
 default:
- rules = []iam.SimpleRule{
+ rules = []policy.SimpleRule{
 {Name: "pipelines", Actions: []string{"view"}},
 {Name: "roles", Actions: []string{"view"}},
 {Name: "members", Actions: []string{"view"}},
diff --git a/pkg/models/tenant/tenant.go b/pkg/models/tenant/tenant.go
index 200fa23f9..f66ec4a63 100644
--- a/pkg/models/tenant/tenant.go
+++ b/pkg/models/tenant/tenant.go
@@ -29,6 +29,7 @@ import (
 "kubesphere.io/kubesphere/pkg/constants"
 "kubesphere.io/kubesphere/pkg/models"
 "kubesphere.io/kubesphere/pkg/models/iam"
+ "kubesphere.io/kubesphere/pkg/models/iam/policy"
 "kubesphere.io/kubesphere/pkg/server/params"
 "kubesphere.io/kubesphere/pkg/simple/client/mysql"
 "strconv"
@@ -41,8 +42,8 @@ type Interface interface {
 ListWorkspaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
 ListNamespaces(username string, conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error)
 ListDevopsProjects(username string, conditions *params.Conditions, orderBy string, reverse bool, limit int, offset int) (*models.PageableResponse, error)
- GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error)
- GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error)
+ GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error)
+ GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error)
 CountDevOpsProjects(username string) (uint32, error)
 DeleteDevOpsProject(username, projectId string) error
 GetUserDevopsSimpleRules(username string, devops string) (interface{}, error)
@@ -122,7 +123,7 @@ func (t *tenantOperator) ListWorkspaces(username string, conditions *params.Cond
 return &models.PageableResponse{Items: result, TotalCount: len(workspaces)}, nil
 }
-func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]iam.SimpleRule, error) {
+func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]policy.SimpleRule, error) {
 clusterRules, err := t.am.GetClusterPolicyRules(username)
 if err != nil {
 return nil, err
@@ -150,7 +151,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
 if err != nil {
 if apierrors.IsNotFound(err) {
- return []iam.SimpleRule{}, nil
+ return []policy.SimpleRule{}, nil
 }
 klog.Error(err)
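Review bot: `GetUserDevopsSimpleRules(username string, devops string) (interface{}, error)`, the context line right after the two rewritten signatures in the -41 hunk, still returns `interface{}`, while `DevOpsProjectOperator.GetUserDevOpsSimpleRules` in pkg/models/tenant/devops.go now returns `[]policy.SimpleRule`. Since the commit is already moving this interface onto the shared type, declaring `GetUserDevopsSimpleRules(username string, devops string) ([]policy.SimpleRule, error)` would make the three rules accessors agree and give callers a typed result. Whether the implementation ever returns something other than that slice is not visible here, so confirm before changing it. The Interface declaration continues outside the hunk.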
@@ -160,7 +161,7 @@ func (t *tenantOperator) GetWorkspaceSimpleRules(workspace, username string) ([]
 return t.am.GetWorkspaceRoleSimpleRules(workspace, workspaceRole.Annotations[constants.DisplayNameAnnotationKey]), nil
 }
-func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]iam.SimpleRule, error) {
+func (t *tenantOperator) GetNamespaceSimpleRules(namespace, username string) ([]policy.SimpleRule, error) {
 clusterRules, err := t.am.GetClusterPolicyRules(username)
 if err != nil {
 return nil, err