fix bug multi tenant auditing, logging and event is incorrect

Signed-off-by: wanjunlei <wanjunlei@yunify.com>

pkg/models/tenant/tenant.go

@@ -558,11 +558,10 @@ func (t *tenantOperator) DeleteWorkspace(workspace string) error {
 }
 
 // listIntersectedNamespaces lists the namespaces which meet all the following conditions at the same time
-// 1. the namespace which belongs to user.
-// 2. the namespace in workspace which is in workspaces when workspaces is not empty.
-// 3. the namespace in workspace which contains one of workspaceSubstrs when workspaceSubstrs is not empty.
-// 4. the namespace which is in namespaces when namespaces is not empty.
-// 5. the namespace which contains one of namespaceSubstrs when namespaceSubstrs is not empty.
+// 1. the namespace in workspace which is in workspaces when workspaces is not empty.
+// 2. the namespace in workspace which contains one of workspaceSubstrs when workspaceSubstrs is not empty.
+// 3. the namespace which is in namespaces when namespaces is not empty.
+// 4. the namespace which contains one of namespaceSubstrs when namespaceSubstrs is not empty.
 func (t *tenantOperator) listIntersectedNamespaces(user user.Info,
 	workspaces, workspaceSubstrs, namespaces, namespaceSubstrs []string) ([]*corev1.Namespace, error) {
 	var (
@@ -573,7 +572,7 @@ func (t *tenantOperator) listIntersectedNamespaces(user user.Info,
 	)
 	includeNsWithoutWs := len(workspaceSet) == 0 && len(workspaceSubstrs) == 0
 
-	result, err := t.ListNamespaces(user, "", query.New())
+	result, err := t.resourceGetter.List("namespaces", "", query.New())
 	if err != nil {
 		return nil, err
 	}
@@ -806,21 +805,43 @@ func (t *tenantOperator) Auditing(user user.Info, queryParam *auditingv1alpha1.Q
 	}
 
 	namespaceCreateTimeMap := make(map[string]time.Time)
+
+	// Now auditing and event have the same authority management, so we can determine whether the user
+	// has permission to view the auditing log in ns by judging whether the user has the permission to view the event in ns.
 	for _, ns := range iNamespaces {
-		namespaceCreateTimeMap[ns.Name] = ns.CreationTimestamp.Time
-	}
-	// If there are no ns and ws query conditions,
-	// those events with empty `ObjectRef.Namespace` will also be listed when user can list all namespaces
-	if len(queryParam.WorkspaceFilter) == 0 && len(queryParam.ObjectRefNamespaceFilter) == 0 &&
-		len(queryParam.WorkspaceSearch) == 0 && len(queryParam.ObjectRefNamespaceSearch) == 0 {
-		listNs := authorizer.AttributesRecord{
+		listEvts := authorizer.AttributesRecord{
 			User:            user,
 			Verb:            "list",
-			Resource:        "namespaces",
+			APIGroup:        "",
+			APIVersion:      "v1",
+			Namespace:       ns.Name,
+			Resource:        "events",
+			ResourceRequest: true,
+			ResourceScope:   request.NamespaceScope,
+		}
+		decision, _, err := t.authorizer.Authorize(listEvts)
+		if err != nil {
+			klog.Error(err)
+			return nil, err
+		}
+		if decision == authorizer.DecisionAllow {
+			namespaceCreateTimeMap[ns.Name] = ns.CreationTimestamp.Time
+		}
+	}
+	// If there are no ns and ws query conditions,
+	// those events with empty `objectRef.namespace` will also be listed when user can list all events
+	if len(queryParam.WorkspaceFilter) == 0 && len(queryParam.ObjectRefNamespaceFilter) == 0 &&
+		len(queryParam.WorkspaceSearch) == 0 && len(queryParam.ObjectRefNamespaceSearch) == 0 {
+		listEvts := authorizer.AttributesRecord{
+			User:            user,
+			Verb:            "list",
+			APIGroup:        "",
+			APIVersion:      "v1",
+			Resource:        "events",
 			ResourceRequest: true,
 			ResourceScope:   request.ClusterScope,
 		}
-		decision, _, err := t.authorizer.Authorize(listNs)
+		decision, _, err := t.authorizer.Authorize(listEvts)
 		if err != nil {
 			klog.Error(err)
 			return nil, err