add interface for iam
Signed-off-by: shaowenchen <mail@chenshaowen.com>
@@ -230,8 +230,7 @@ func addControllers(
|
||||
kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(), multiClusterEnabled)
|
||||
|
||||
globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
|
||||
kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
|
||||
fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled)
|
||||
kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(), fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled, devopsClient)
|
||||
|
||||
workspaceRoleBindingController := workspacerolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
|
||||
kubesphereInformer.Iam().V1alpha2().WorkspaceRoleBindings(),
|
||||
|
||||
@@ -39,6 +39,9 @@ import (
|
||||
iamv1alpha2informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions/iam/v1alpha2"
|
||||
iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
|
||||
"kubesphere.io/kubesphere/pkg/constants"
|
||||
modeldevops "kubesphere.io/kubesphere/pkg/models/devops"
|
||||
devops "kubesphere.io/kubesphere/pkg/simple/client/devops"
|
||||
|
||||
"reflect"
|
||||
"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
|
||||
"time"
|
||||
@@ -70,10 +73,11 @@ type Controller struct {
|
||||
// Kubernetes API.
|
||||
recorder record.EventRecorder
|
||||
multiClusterEnabled bool
|
||||
devopsClient devops.Interface
|
||||
}
|
||||
|
||||
func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, globalRoleBindingInformer iamv1alpha2informers.GlobalRoleBindingInformer,
|
||||
fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool) *Controller {
|
||||
fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool, devopsClient devops.Interface) *Controller {
|
||||
// Create event broadcaster
|
||||
// Add sample-controller types to the default Kubernetes Scheme so Events can be
|
||||
// logged for sample-controller types.
|
||||
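Review bot: The new `devopsClient devops.Interface` field carries an implicit nil contract (a later hunk in `reconcile` skips the Jenkins grant when it is nil) that neither the struct nor `NewController` states; add `// devopsClient is nil when the DevOps component is disabled; Jenkins role sync is skipped in that case.` on the field and repeat the same on the `NewController` parameter. `NewController` now takes seven positional arguments, the last two of which are a bare bool and a nil-able interface, which is easy to miswire at the call site in `addControllers`; an options struct would be a reasonable later cleanup. `NewController`'s body continues outside the hunk.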
@@ -94,6 +98,7 @@ func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface
|
||||
workqueue: workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "GlobalRoleBinding"),
|
||||
recorder: recorder,
|
||||
multiClusterEnabled: multiClusterEnabled,
|
||||
devopsClient: devopsClient,
|
||||
}
|
||||
klog.Info("Setting up event handlers")
|
||||
globalRoleBindingInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
|
||||
@@ -228,6 +233,14 @@ func (c *Controller) reconcile(key string) error {
|
||||
klog.Error(err)
|
||||
return err
|
||||
}
|
||||
if c.devopsClient != nil {
|
||||
username := findExpectUsername(globalRoleBinding)
|
||||
err = c.devopsClient.AssignGlobalRole(modeldevops.JenkinsAdminRoleName, username)
|
||||
if err != nil {
|
||||
klog.Errorf("%+v", err)
|
||||
return err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if c.multiClusterEnabled {
|
||||
|
||||
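Review bot: The Jenkins grant in the new `if c.devopsClient != nil` block has no revocation counterpart: nothing in this hunk calls `UnAssignGlobalRole` when the GlobalRoleBinding is later deleted or its role ref changes, so a user once placed in `JenkinsAdminRoleName` keeps Jenkins admin after losing the KubeSphere role. The enclosing `if` opens before the hunk and the delete path, if one exists, is outside my view, so please confirm revocation happens there or add it next to this grant. `findExpectUsername` may return an empty string, which would be posted to Jenkins as `sid=""`; guard with `if username == "" { return nil }` (or return an error) before the call. Since `JenkinsAdminRoleName` is the Jenkins `admin` role, it is worth a comment stating which role refs the outer condition admits, e.g. `// Mirror the binding into the Jenkins "admin" global role; only reached for the platform-admin role ref.` adjusted to whatever the condition actually is. Note that a Jenkins outage now fails and requeues the whole binding reconcile, coupling Kubernetes RBAC convergence to Jenkins availability.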
@@ -17,7 +17,9 @@ limitations under the License.
|
||||
package devops
|
||||
|
||||
import (
|
||||
"fmt"
|
||||
"github.com/fatih/structs"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/devops"
|
||||
"kubesphere.io/kubesphere/pkg/utils/stringutils"
|
||||
)
|
||||
|
||||
@@ -64,3 +66,252 @@ const (
|
||||
const (
|
||||
KS_ADMIN = "admin"
|
||||
)
|
||||
|
||||
// define roles of DevOps
|
||||
const (
|
||||
ProjectOwner = "owner"
|
||||
ProjectMaintainer = "maintainer"
|
||||
ProjectDeveloper = "developer"
|
||||
ProjectReporter = "reporter"
|
||||
)
|
||||
|
||||
const (
|
||||
JenkinsAllUserRoleName = "kubesphere-user"
|
||||
JenkinsAdminRoleName = "admin"
|
||||
)
|
||||
|
||||
type Role struct {
|
||||
Name string `json:"name" description:"role's name e.g. owner'"`
|
||||
Description string `json:"description" description:"role 's description'"`
|
||||
}
|
||||
|
||||
var DefaultRoles = []*Role{
|
||||
{
|
||||
Name: ProjectOwner,
|
||||
Description: "Owner have access to do all the operations of a DevOps project and own the highest permissions as well.",
|
||||
},
|
||||
{
|
||||
Name: ProjectMaintainer,
|
||||
Description: "Maintainer have access to manage pipeline and credential configuration in a DevOps project.",
|
||||
},
|
||||
{
|
||||
Name: ProjectDeveloper,
|
||||
Description: "Developer is able to view and trigger the pipeline.",
|
||||
},
|
||||
{
|
||||
Name: ProjectReporter,
|
||||
Description: "Reporter is only allowed to view the status of the pipeline.",
|
||||
},
|
||||
}
|
||||
|
||||
var AllRoleSlice = []string{ProjectDeveloper, ProjectReporter, ProjectMaintainer, ProjectOwner}
|
||||
|
||||
// define the permission matrix of owner
|
||||
var JenkinsOwnerProjectPermissionIds = &devops.ProjectPermissionIds{
|
||||
CredentialCreate: true,
|
||||
CredentialDelete: true,
|
||||
CredentialManageDomains: true,
|
||||
CredentialUpdate: true,
|
||||
CredentialView: true,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: true,
|
||||
ItemCreate: true,
|
||||
ItemDelete: true,
|
||||
ItemDiscover: true,
|
||||
ItemMove: true,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: true,
|
||||
}
|
||||
|
||||
// define the permission matrix of DevOps, including owner, maintainer, developer, reporter
|
||||
var JenkinsProjectPermissionMap = map[string]devops.ProjectPermissionIds{
|
||||
ProjectOwner: {
|
||||
CredentialCreate: true,
|
||||
CredentialDelete: true,
|
||||
CredentialManageDomains: true,
|
||||
CredentialUpdate: true,
|
||||
CredentialView: true,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: true,
|
||||
ItemCreate: true,
|
||||
ItemDelete: true,
|
||||
ItemDiscover: true,
|
||||
ItemMove: true,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: true,
|
||||
},
|
||||
ProjectMaintainer: {
|
||||
CredentialCreate: true,
|
||||
CredentialDelete: true,
|
||||
CredentialManageDomains: true,
|
||||
CredentialUpdate: true,
|
||||
CredentialView: true,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: false,
|
||||
ItemCreate: true,
|
||||
ItemDelete: false,
|
||||
ItemDiscover: true,
|
||||
ItemMove: false,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: true,
|
||||
},
|
||||
ProjectDeveloper: {
|
||||
CredentialCreate: false,
|
||||
CredentialDelete: false,
|
||||
CredentialManageDomains: false,
|
||||
CredentialUpdate: false,
|
||||
CredentialView: false,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: false,
|
||||
ItemCreate: false,
|
||||
ItemDelete: false,
|
||||
ItemDiscover: true,
|
||||
ItemMove: false,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: false,
|
||||
},
|
||||
ProjectReporter: {
|
||||
CredentialCreate: false,
|
||||
CredentialDelete: false,
|
||||
CredentialManageDomains: false,
|
||||
CredentialUpdate: false,
|
||||
CredentialView: false,
|
||||
ItemBuild: false,
|
||||
ItemCancel: false,
|
||||
ItemConfigure: false,
|
||||
ItemCreate: false,
|
||||
ItemDelete: false,
|
||||
ItemDiscover: true,
|
||||
ItemMove: false,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: false,
|
||||
RunDelete: false,
|
||||
RunReplay: false,
|
||||
RunUpdate: false,
|
||||
SCMTag: false,
|
||||
},
|
||||
}
|
||||
|
||||
// define the permission matrix of pipeline, including owner, maintainer, developer, reporter
|
||||
var JenkinsPipelinePermissionMap = map[string]devops.ProjectPermissionIds{
|
||||
ProjectOwner: {
|
||||
CredentialCreate: true,
|
||||
CredentialDelete: true,
|
||||
CredentialManageDomains: true,
|
||||
CredentialUpdate: true,
|
||||
CredentialView: true,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: true,
|
||||
ItemCreate: true,
|
||||
ItemDelete: true,
|
||||
ItemDiscover: true,
|
||||
ItemMove: true,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: true,
|
||||
},
|
||||
ProjectMaintainer: {
|
||||
CredentialCreate: true,
|
||||
CredentialDelete: true,
|
||||
CredentialManageDomains: true,
|
||||
CredentialUpdate: true,
|
||||
CredentialView: true,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: true,
|
||||
ItemCreate: true,
|
||||
ItemDelete: true,
|
||||
ItemDiscover: true,
|
||||
ItemMove: true,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: true,
|
||||
},
|
||||
ProjectDeveloper: {
|
||||
CredentialCreate: false,
|
||||
CredentialDelete: false,
|
||||
CredentialManageDomains: false,
|
||||
CredentialUpdate: false,
|
||||
CredentialView: false,
|
||||
ItemBuild: true,
|
||||
ItemCancel: true,
|
||||
ItemConfigure: false,
|
||||
ItemCreate: false,
|
||||
ItemDelete: false,
|
||||
ItemDiscover: true,
|
||||
ItemMove: false,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: true,
|
||||
RunDelete: true,
|
||||
RunReplay: true,
|
||||
RunUpdate: true,
|
||||
SCMTag: false,
|
||||
},
|
||||
ProjectReporter: {
|
||||
CredentialCreate: false,
|
||||
CredentialDelete: false,
|
||||
CredentialManageDomains: false,
|
||||
CredentialUpdate: false,
|
||||
CredentialView: false,
|
||||
ItemBuild: false,
|
||||
ItemCancel: false,
|
||||
ItemConfigure: false,
|
||||
ItemCreate: false,
|
||||
ItemDelete: false,
|
||||
ItemDiscover: true,
|
||||
ItemMove: false,
|
||||
ItemRead: true,
|
||||
ItemWorkspace: false,
|
||||
RunDelete: false,
|
||||
RunReplay: false,
|
||||
RunUpdate: false,
|
||||
SCMTag: false,
|
||||
},
|
||||
}
|
||||
|
||||
// get roleName of the project
|
||||
func GetProjectRoleName(projectId, role string) string {
|
||||
return fmt.Sprintf("%s-%s-project", projectId, role)
|
||||
}
|
||||
|
||||
// get roleName of the pipeline
|
||||
func GetPipelineRoleName(projectId, role string) string {
|
||||
return fmt.Sprintf("%s-%s-pipeline", projectId, role)
|
||||
}
|
||||
|
||||
// get pattern string of the project
|
||||
func GetProjectRolePattern(projectId string) string {
|
||||
return fmt.Sprintf("^%s$", projectId)
|
||||
}
|
||||
|
||||
// get pattern string of the project
|
||||
func GetPipelineRolePattern(projectId string) string {
|
||||
return fmt.Sprintf("^%s/.*", projectId)
|
||||
}
|
||||
|
||||
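Review bot: `GetProjectRolePattern` and `GetPipelineRolePattern` interpolate `projectId` into a regular expression without escaping, so any regex metacharacter in an id widens the set of Jenkins items the project role covers (a `.` already matches one extra character); escape it in both, e.g. `return fmt.Sprintf("^%s$", regexp.QuoteMeta(projectId))`, which costs one call and a `regexp` import. Project ids are presumably Kubernetes object names and therefore already restricted, but the role pattern is the authorization boundary in Jenkins, so it should not depend on that. The comment on `GetPipelineRolePattern` is copied from the project variant and should read `// get pattern string matching every pipeline under the project`. `JenkinsOwnerProjectPermissionIds` duplicates `JenkinsProjectPermissionMap[ProjectOwner]` field for field and could be removed or derived from the map so the two cannot drift apart.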
@@ -540,3 +540,39 @@ func (d *Devops) GetProjectPipelineConfig(projectId, pipelineId string) (*devops
|
||||
|
||||
return d.Pipelines[projectId][pipelineId], nil
|
||||
}
|
||||
|
||||
func (d *Devops) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) DeleteProjectRoles(roleName ...string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) AssignProjectRole(roleName string, sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) UnAssignProjectRole(roleName string, sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) AssignGlobalRole(roleName string, sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) UnAssignGlobalRole(roleName string, sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) DeleteUserInProject(sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (d *Devops) GetGlobalRole(roleName string) (string, error) {
|
||||
return "", nil
|
||||
}
|
||||
|
||||
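Review bot: The fake `Devops` stubs return `nil` without recording anything, so a test that drives the controller's `AssignGlobalRole(JenkinsAdminRoleName, username)` path cannot assert that the grant happened, and `GetGlobalRole` always answers `""`, which in the Jenkins implementation means "role not found". Consider keeping an assignments map on the fake, e.g. `d.GlobalRoleAssignments[roleName] = append(d.GlobalRoleAssignments[roleName], sid)` in `AssignGlobalRole`, and returning `roleName` from `GetGlobalRole` once `AddGlobalRole` has seen it; the `Devops` struct definition is outside this hunk, so the field would be added there.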
@@ -17,6 +17,8 @@ type Interface interface {
|
||||
ProjectPipelineOperator
|
||||
|
||||
ProjectOperator
|
||||
|
||||
RoleOperator
|
||||
}
|
||||
|
||||
func GetDevOpsStatusCode(devopsErr error) int {
|
||||
|
||||
@@ -214,7 +214,9 @@ func (j *Jenkins) Poll() (int, error) {
|
||||
return resp.StatusCode, nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
|
||||
// query roleName exist or not
|
||||
// if return roleName means exist
|
||||
func (j *Jenkins) GetGlobalRole(roleName string) (string, error) {
|
||||
roleResponse := &GlobalRoleResponse{
|
||||
RoleName: roleName,
|
||||
}
|
||||
@@ -226,15 +228,29 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
|
||||
"type": GLOBAL_ROLE,
|
||||
})
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return "", err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return nil, errors.New(strconv.Itoa(response.StatusCode))
|
||||
return "", errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
if stringResponse == "{}" {
|
||||
return nil, nil
|
||||
return "", nil
|
||||
}
|
||||
err = json.Unmarshal([]byte(stringResponse), roleResponse)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
return roleResponse.RoleName, nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) GetGlobalRoleHandler(roleName string) (*GlobalRole, error) {
|
||||
name, err := j.GetGlobalRole(roleName)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
roleResponse := &GlobalRoleResponse{
|
||||
RoleName: name,
|
||||
}
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
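Review bot: `GetGlobalRoleHandler` turns a missing role into a `GlobalRole` whose `Raw.RoleName` is empty, because `GetGlobalRole` returns `"", nil` on the `{}` response and the handler copies `name` straight into `roleResponse`; the old code returned `nil, nil` here, and the new `AssignGlobalRole` in the next hunk then posts `roleName=""` to the role-strategy endpoint instead of failing. Add `if name == "" { return nil, errors.New("global role " + roleName + " not found") }` directly after the `GetGlobalRole` call (`errors` is already imported in this file). The second `if err != nil` in the handler is dead, since `err` is not reassigned between the two checks. The comment on `GetGlobalRole` should spell out the sentinel: `// GetGlobalRole returns roleName when the role exists in Jenkins and "" when it does not.` The handler's return statement lies in the following hunk.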
@@ -244,6 +260,50 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
|
||||
}, nil
|
||||
}
|
||||
|
||||
// assign a global roleName to username(sid)
|
||||
func (j *Jenkins) AssignGlobalRole(roleName string, sid string) error {
|
||||
globalRole, err := j.GetGlobalRoleHandler(roleName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
param := map[string]string{
|
||||
"type": GLOBAL_ROLE,
|
||||
"roleName": globalRole.Raw.RoleName,
|
||||
"sid": sid,
|
||||
}
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// unassign a global roleName to username(sid)
|
||||
func (j *Jenkins) UnAssignGlobalRole(roleName string, sid string) error {
|
||||
globalRole, err := j.GetGlobalRoleHandler(roleName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
param := map[string]string{
|
||||
"type": GLOBAL_ROLE,
|
||||
"roleName": globalRole.Raw.RoleName,
|
||||
"sid": sid,
|
||||
}
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
|
||||
roleResponse := &ProjectRoleResponse{
|
||||
RoleName: roleName,
|
||||
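Review bot: `AssignGlobalRole` and `UnAssignGlobalRole` re-implement the POST that the existing `GlobalRole.AssignRole` / `UnAssignRole` methods already perform (`AssignRole`'s body is visible in the roles.go hunk further down), so after the `GetGlobalRoleHandler` lookup each could simply `return globalRole.AssignRole(sid)` and `return globalRole.UnAssignRole(sid)`, leaving one place to fix when the endpoint or error handling changes. The non-200 path returns only `errors.New(strconv.Itoa(response.StatusCode))`, which tells the controller log nothing about which role or sid failed; include them, e.g. `errors.New("assign global role " + roleName + " to sid " + sid + ": status " + strconv.Itoa(response.StatusCode))`. `responseString` is filled by the request but never inspected.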
@@ -274,13 +334,52 @@ func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
|
||||
}, nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) (*GlobalRole, error) {
|
||||
responseRole := &GlobalRole{
|
||||
Jenkins: j,
|
||||
Raw: GlobalRoleResponse{
|
||||
RoleName: roleName,
|
||||
PermissionIds: ids,
|
||||
}}
|
||||
// assign a project roleName to username(sid)
|
||||
func (j *Jenkins) AssignProjectRole(roleName string, sid string) error {
|
||||
projectRole, err := j.GetProjectRole(roleName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
param := map[string]string{
|
||||
"type": PROJECT_ROLE,
|
||||
"roleName": projectRole.Raw.RoleName,
|
||||
"sid": sid,
|
||||
}
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// unassign a project roleName to username(sid)
|
||||
func (j *Jenkins) UnAssignProjectRole(roleName string, sid string) error {
|
||||
projectRole, err := j.GetProjectRole(roleName)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
param := map[string]string{
|
||||
"type": PROJECT_ROLE,
|
||||
"roleName": projectRole.Raw.RoleName,
|
||||
"sid": sid,
|
||||
}
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// add a global roleName
|
||||
func (j *Jenkins) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
|
||||
var idArray []string
|
||||
values := reflect.ValueOf(ids)
|
||||
for i := 0; i < values.NumField(); i++ {
|
||||
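Review bot: `AssignProjectRole` and `UnAssignProjectRole` dereference `projectRole.Raw.RoleName` without checking `projectRole != nil`; `GetProjectRole` starts at the end of the previous hunk and its body is outside my view, but if it follows the convention the old `GetGlobalRole` had of returning `nil, nil` when Jenkins answers `{}`, a call for a role that has not been created yet panics inside the controller worker instead of returning an error. Add `if projectRole == nil { return errors.New("project role " + roleName + " not found") }` after the error check in both functions. As with the global variants, the two bodies differ only in the endpoint and could delegate to `ProjectRole` methods if it has `AssignRole`/`UnAssignRole` counterparts.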
@@ -298,14 +397,15 @@ func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwr
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return nil, errors.New(strconv.Itoa(response.StatusCode))
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return responseRole, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
// delete roleName from the project
|
||||
func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
|
||||
responseString := ""
|
||||
|
||||
@@ -323,14 +423,8 @@ func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) (*ProjectRole, error) {
|
||||
responseRole := &ProjectRole{
|
||||
Jenkins: j,
|
||||
Raw: ProjectRoleResponse{
|
||||
RoleName: roleName,
|
||||
PermissionIds: ids,
|
||||
Pattern: pattern,
|
||||
}}
|
||||
// add roleName for project
|
||||
func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
|
||||
var idArray []string
|
||||
values := reflect.ValueOf(ids)
|
||||
for i := 0; i < values.NumField(); i++ {
|
||||
@@ -349,12 +443,12 @@ func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPer
|
||||
responseString := ""
|
||||
response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
return err
|
||||
}
|
||||
if response.StatusCode != http.StatusOK {
|
||||
return nil, errors.New(strconv.Itoa(response.StatusCode))
|
||||
return errors.New(strconv.Itoa(response.StatusCode))
|
||||
}
|
||||
return responseRole, nil
|
||||
return nil
|
||||
}
|
||||
|
||||
func (j *Jenkins) DeleteUserInProject(username string) error {
|
||||
|
||||
@@ -2,6 +2,7 @@ package jenkins
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"kubesphere.io/kubesphere/pkg/simple/client/devops"
|
||||
"net/http"
|
||||
"reflect"
|
||||
"strconv"
|
||||
@@ -9,8 +10,8 @@ import (
|
||||
)
|
||||
|
||||
type GlobalRoleResponse struct {
|
||||
RoleName string `json:"roleName"`
|
||||
PermissionIds GlobalPermissionIds `json:"permissionIds"`
|
||||
RoleName string `json:"roleName"`
|
||||
PermissionIds devops.GlobalPermissionIds `json:"permissionIds"`
|
||||
}
|
||||
|
||||
type GlobalRole struct {
|
||||
@@ -18,71 +19,18 @@ type GlobalRole struct {
|
||||
Raw GlobalRoleResponse
|
||||
}
|
||||
|
||||
type GlobalPermissionIds struct {
|
||||
Administer bool `json:"hudson.model.Hudson.Administer"`
|
||||
GlobalRead bool `json:"hudson.model.Hudson.Read"`
|
||||
CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
|
||||
CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
|
||||
CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
|
||||
CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
|
||||
CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
|
||||
SlaveCreate bool `json:"hudson.model.Computer.Create"`
|
||||
SlaveConfigure bool `json:"hudson.model.Computer.Configure"`
|
||||
SlaveDelete bool `json:"hudson.model.Computer.Delete"`
|
||||
SlaveBuild bool `json:"hudson.model.Computer.Build"`
|
||||
SlaveConnect bool `json:"hudson.model.Computer.Connect"`
|
||||
SlaveDisconnect bool `json:"hudson.model.Computer.Disconnect"`
|
||||
ItemBuild bool `json:"hudson.model.Item.Build"`
|
||||
ItemCreate bool `json:"hudson.model.Item.Create"`
|
||||
ItemRead bool `json:"hudson.model.Item.Read"`
|
||||
ItemConfigure bool `json:"hudson.model.Item.Configure"`
|
||||
ItemCancel bool `json:"hudson.model.Item.Cancel"`
|
||||
ItemMove bool `json:"hudson.model.Item.Move"`
|
||||
ItemDiscover bool `json:"hudson.model.Item.Discover"`
|
||||
ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
|
||||
ItemDelete bool `json:"hudson.model.Item.Delete"`
|
||||
RunUpdate bool `json:"hudson.model.Run.Update"`
|
||||
RunDelete bool `json:"hudson.model.Run.Delete"`
|
||||
ViewCreate bool `json:"hudson.model.View.Create"`
|
||||
ViewConfigure bool `json:"hudson.model.View.Configure"`
|
||||
ViewRead bool `json:"hudson.model.View.Read"`
|
||||
ViewDelete bool `json:"hudson.model.View.Delete"`
|
||||
SCMTag bool `json:"hudson.scm.SCM.Tag"`
|
||||
}
|
||||
|
||||
type ProjectRole struct {
|
||||
Jenkins *Jenkins
|
||||
Raw ProjectRoleResponse
|
||||
}
|
||||
|
||||
type ProjectRoleResponse struct {
|
||||
RoleName string `json:"roleName"`
|
||||
PermissionIds ProjectPermissionIds `json:"permissionIds"`
|
||||
Pattern string `json:"pattern"`
|
||||
RoleName string `json:"roleName"`
|
||||
PermissionIds devops.ProjectPermissionIds `json:"permissionIds"`
|
||||
Pattern string `json:"pattern"`
|
||||
}
|
||||
|
||||
type ProjectPermissionIds struct {
|
||||
CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
|
||||
CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
|
||||
CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
|
||||
CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
|
||||
CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
|
||||
ItemBuild bool `json:"hudson.model.Item.Build"`
|
||||
ItemCreate bool `json:"hudson.model.Item.Create"`
|
||||
ItemRead bool `json:"hudson.model.Item.Read"`
|
||||
ItemConfigure bool `json:"hudson.model.Item.Configure"`
|
||||
ItemCancel bool `json:"hudson.model.Item.Cancel"`
|
||||
ItemMove bool `json:"hudson.model.Item.Move"`
|
||||
ItemDiscover bool `json:"hudson.model.Item.Discover"`
|
||||
ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
|
||||
ItemDelete bool `json:"hudson.model.Item.Delete"`
|
||||
RunUpdate bool `json:"hudson.model.Run.Update"`
|
||||
RunDelete bool `json:"hudson.model.Run.Delete"`
|
||||
RunReplay bool `json:"hudson.model.Run.Replay"`
|
||||
SCMTag bool `json:"hudson.scm.SCM.Tag"`
|
||||
}
|
||||
|
||||
func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
|
||||
func (j *GlobalRole) Update(ids devops.GlobalPermissionIds) error {
|
||||
var idArray []string
|
||||
values := reflect.ValueOf(ids)
|
||||
for i := 0; i < values.NumField(); i++ {
|
||||
@@ -108,6 +56,7 @@ func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// call jenkins api to update global role
|
||||
func (j *GlobalRole) AssignRole(sid string) error {
|
||||
param := map[string]string{
|
||||
"type": GLOBAL_ROLE,
|
||||
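Review bot: The added comment `// call jenkins api to update global role` sits above `func (j *GlobalRole) AssignRole(sid string)`, which assigns the role to a sid rather than updating it; the `Update` method it seems meant for ends just above. Replace it with `// AssignRole grants this global role to sid in Jenkins.` and, if `Update` should be documented too, put `// Update replaces the permission set of this global role in Jenkins.` above `Update`, whose signature is in the earlier hunk. `AssignRole`'s body continues past the end of this hunk.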
@@ -142,7 +91,9 @@ func (j *GlobalRole) UnAssignRole(sid string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (j *ProjectRole) Update(pattern string, ids ProjectPermissionIds) error {
|
||||
// update ProjectPermissionIds to Project
|
||||
// pattern string means some project, like project-name/*
|
||||
func (j *ProjectRole) Update(pattern string, ids devops.ProjectPermissionIds) error {
|
||||
var idArray []string
|
||||
values := reflect.ValueOf(ids)
|
||||
for i := 0; i < values.NumField(); i++ {
|
||||
|
||||
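Review bot: The new comment on `ProjectRole.Update` gives `project-name/*` as the pattern example, but the patterns this change builds (`GetProjectRolePattern`, `GetPipelineRolePattern` in the devops model hunk) are anchored regular expressions such as `^project-name$` and `^project-name/.*`, and a glob-looking example invites callers to pass an unanchored pattern that covers more items than intended. Suggest `// pattern is a regular expression selecting the Jenkins items this role covers, e.g. "^project-name/.*" (see GetPipelineRolePattern).` The body of `Update` continues past the hunk.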
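--- /dev/null
+++ b/pkg/simple/client/devops/role.go
@@ -0,0 +1,89 @@
+/*
+Copyright 2020 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devops
+
+// define the id of global permission items
+type GlobalPermissionIds struct {
+	Administer bool `json:"hudson.model.Hudson.Administer"`
+	GlobalRead bool `json:"hudson.model.Hudson.Read"`
+	CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+	CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+	CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+	CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+	SlaveCreate bool `json:"hudson.model.Computer.Create"`
+	SlaveConfigure bool `json:"hudson.model.Computer.Configure"`
+	SlaveDelete bool `json:"hudson.model.Computer.Delete"`
+	SlaveBuild bool `json:"hudson.model.Computer.Build"`
+	SlaveConnect bool `json:"hudson.model.Computer.Connect"`
+	SlaveDisconnect bool `json:"hudson.model.Computer.Disconnect"`
+	ItemBuild bool `json:"hudson.model.Item.Build"`
+	ItemCreate bool `json:"hudson.model.Item.Create"`
+	ItemRead bool `json:"hudson.model.Item.Read"`
+	ItemConfigure bool `json:"hudson.model.Item.Configure"`
+	ItemCancel bool `json:"hudson.model.Item.Cancel"`
+	ItemMove bool `json:"hudson.model.Item.Move"`
+	ItemDiscover bool `json:"hudson.model.Item.Discover"`
+	ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
+	ItemDelete bool `json:"hudson.model.Item.Delete"`
+	RunUpdate bool `json:"hudson.model.Run.Update"`
+	RunDelete bool `json:"hudson.model.Run.Delete"`
+	ViewCreate bool `json:"hudson.model.View.Create"`
+	ViewConfigure bool `json:"hudson.model.View.Configure"`
+	ViewRead bool `json:"hudson.model.View.Read"`
+	ViewDelete bool `json:"hudson.model.View.Delete"`
+	SCMTag bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// define the id of project permission items
+type ProjectPermissionIds struct {
+	CredentialCreate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+	CredentialUpdate bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+	CredentialView bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+	CredentialDelete bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+	ItemBuild bool `json:"hudson.model.Item.Build"`
+	ItemCreate bool `json:"hudson.model.Item.Create"`
+	ItemRead bool `json:"hudson.model.Item.Read"`
+	ItemConfigure bool `json:"hudson.model.Item.Configure"`
+	ItemCancel bool `json:"hudson.model.Item.Cancel"`
+	ItemMove bool `json:"hudson.model.Item.Move"`
+	ItemDiscover bool `json:"hudson.model.Item.Discover"`
+	ItemWorkspace bool `json:"hudson.model.Item.Workspace"`
+	ItemDelete bool `json:"hudson.model.Item.Delete"`
+	RunUpdate bool `json:"hudson.model.Run.Update"`
+	RunDelete bool `json:"hudson.model.Run.Delete"`
+	RunReplay bool `json:"hudson.model.Run.Replay"`
+	SCMTag bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// describe the interface of DevOps to operator role
+type RoleOperator interface {
+	AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) error
+	GetGlobalRole(roleName string) (string, error)
+
+	AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) error
+	DeleteProjectRoles(roleName ...string) error
+
+	AssignProjectRole(roleName string, sid string) error
+	UnAssignProjectRole(roleName string, sid string) error
+
+	AssignGlobalRole(roleName string, sid string) error
+	UnAssignGlobalRole(roleName string, sid string) error
+
+	DeleteUserInProject(sid string) error
+}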
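Review bot: `RoleOperator.GetGlobalRole` returns `(string, error)` and the Jenkins implementation uses the empty string to mean "role does not exist", but the interface does not say so and the fake returns `""` unconditionally, so callers such as `GetGlobalRoleHandler` cannot distinguish absent from present without knowing the implementation. Document the contract on the interface: `// GetGlobalRole returns roleName if the global role exists in the backend, "" if it does not, and a non-nil error only for transport or decoding failures.` A one-liner on `AssignGlobalRole` should warn that granting a role whose `GlobalPermissionIds.Administer` is set makes sid a full Jenkins administrator, since the controller wires `JenkinsAdminRoleName` into it. The interface comment `describe the interface of DevOps to operator role` reads better as `// RoleOperator is the role-management surface a DevOps backend must implement.`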