admin/kubesphere
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: ks-account abnormal restart

Browse Source 
Signed-off-by: hongming <talonwan@yunify.com>
This commit is contained in:
hongming
2019-04-16 15:31:37 +08:00
committed by zryfish
parent 5c8a087a9c
commit dd963c0be4
40 changed files with 394 additions and 314 deletions
Download Patch File Download Diff File Expand all files Collapse all files

178
pkg/models/iam/im.go
View File

@@ -18,8 +18,10 @@
package iam
import (
"encoding/json"
"errors"
"fmt"
"io/ioutil"
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/informers"
"kubesphere.io/kubesphere/pkg/params"
@@ -51,6 +53,10 @@ var (
tokenExpireTime time.Duration
)
const (
userInitFile = "/etc/ks-iam/users.json"
)
func Init(email, password string, t time.Duration) error {
adminEmail = email
adminPassword = password
@@ -67,12 +73,18 @@ func Init(email, password string, t time.Duration) error {
err = checkAndCreateDefaultUser(conn)
if err != nil {
glog.Errorln("create default users", err)
return err
}
err = checkAndCreateDefaultGroup(conn)
return err
if err != nil {
glog.Errorln("create default groups", err)
return err
}
return nil
}
func checkAndCreateDefaultGroup(conn ldap.Client) error {
@@ -124,10 +136,19 @@ func checkAndCreateDefaultUser(conn ldap.Client) error {
return fmt.Errorf("iam database init failed: %s\n", err)
}
if users == nil || len(users.Entries) == 0 {
_, err := CreateUser(&models.User{Username: constants.AdminUserName, Email: adminEmail, Password: adminPassword, Description: "Administrator account that was always created by default."})
if err != nil {
return fmt.Errorf("admin create failed: %s\n", err)
data, err := ioutil.ReadFile(userInitFile)
var initUsers []models.User
if err == nil {
json.Unmarshal(data, &initUsers)
}
initUsers = append(initUsers, models.User{Username: constants.AdminUserName, Email: adminEmail, Password: adminPassword, Description: "Administrator account that was always created by default.", ClusterRole: constants.ClusterAdmin})
if users == nil || len(users.Entries) < len(initUsers) {
for _, user := range initUsers {
_, err = CreateUser(&user)
if err != nil && !ldap.IsErrorWithCode(err, ldap.LDAPResultEntryAlreadyExists) {
return fmt.Errorf("user %s init failed: %s\n", user.Username, err)
}
}
}
@@ -192,6 +213,7 @@ func Login(username string, password string, ip string) (*models.Token, error) {
err = conn.Bind(dn, password)
if err != nil {
glog.Errorln("auth error", username, err)
return nil, err
}
@@ -228,55 +250,6 @@ func LoginLog(username string) ([]string, error) {
return data, nil
}
func ListUsersByName(names []string) (*models.PageableResponse, error) {
users := make([]*models.User, 0)
for _, name := range names {
if !k8sutil.ContainsUser(users, name) {
user, err := GetUserInfo(name)
if err != nil {
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
continue
}
return nil, err
}
users = append(users, user)
}
}
items := make([]interface{}, 0)
for _, u := range users {
items = append(items, u)
}
return &models.PageableResponse{Items: items, TotalCount: len(items)}, nil
}
func ListUserByEmail(email []string) (*models.PageableResponse, error) {
users := make([]*models.User, 0)
for _, mail := range email {
user, err := GetUserInfoByEmail(mail)
if err != nil {
if ldap.IsErrorWithCode(err, ldap.LDAPResultNoSuchObject) {
continue
}
return nil, err
}
if !k8sutil.ContainsUser(users, user.Username) {
users = append(users, user)
}
}
items := make([]interface{}, 0)
for _, u := range users {
items = append(items, u)
}
return &models.PageableResponse{Items: items, TotalCount: len(items)}, nil
}
func ListUsers(conditions *params.Conditions, orderBy string, reverse bool, limit, offset int) (*models.PageableResponse, error) {
conn, err := ldapclient.Client()
@@ -325,6 +298,7 @@ func ListUsers(conditions *params.Conditions, orderBy string, reverse bool, limi
response, err := conn.Search(userSearchRequest)
if err != nil {
glog.Errorln("search user", err)
return nil, err
}
@@ -396,55 +370,15 @@ func DescribeUser(username string) (*models.User, error) {
groups, err := GetUserGroups(username)
if err != nil {
return nil, err
if err == nil {
user.Groups = groups
}
user.Groups = groups
user.AvatarUrl = getAvatar(username)
return user, nil
}
func GetUserInfoByEmail(mail string) (*models.User, error) {
conn, err := ldapclient.Client()
if err != nil {
return nil, err
}
userSearchRequest := ldap.NewSearchRequest(
ldapclient.UserSearchBase,
ldap.ScopeWholeSubtree, ldap.NeverDerefAliases, 0, 0, false,
fmt.Sprintf("(&(objectClass=inetOrgPerson)(mail=%s))", mail),
[]string{"uid", "description", "preferredLanguage", "createTimestamp"},
nil,
)
result, err := conn.Search(userSearchRequest)
if err != nil {
return nil, err
}
if len(result.Entries) != 1 {
return nil, ldap.NewError(ldap.LDAPResultNoSuchObject, fmt.Errorf("user %s does not exist", mail))
}
username := result.Entries[0].GetAttributeValue("uid")
description := result.Entries[0].GetAttributeValue("description")
lang := result.Entries[0].GetAttributeValue("preferredLanguage")
createTimestamp, _ := time.Parse("20060102150405Z", result.Entries[0].GetAttributeValue("createTimestamp"))
user := &models.User{Username: username, Email: mail, Description: description, Lang: lang, CreateTime: createTimestamp}
user.LastLoginTime = getLastLoginTime(username)
clusterRole, err := GetUserClusterRole(user.Username)
if err != nil {
return nil, err
}
user.ClusterRole = clusterRole.Name
return user, nil
}
// Get user info only included email description & lang
func GetUserInfo(username string) (*models.User, error) {
@@ -465,6 +399,7 @@ func GetUserInfo(username string) (*models.User, error) {
result, err := conn.Search(userSearchRequest)
if err != nil {
glog.Errorln("search user", err)
return nil, err
}
@@ -567,6 +502,7 @@ func DeleteUser(username string) error {
err = conn.Del(deleteRequest)
if err != nil {
glog.Errorln("delete user", err)
return err
}
@@ -673,14 +609,11 @@ func UserCreateCheck(check string) (exist bool, err error) {
result, err := conn.Search(userSearchRequest)
if err != nil {
glog.Errorln("search user", err)
return false, err
}
if len(result.Entries) > 0 {
return true, nil
} else {
return false, nil
}
return len(result.Entries) > 0, nil
}
func CreateUser(user *models.User) (*models.User, error) {
@@ -708,6 +641,7 @@ func CreateUser(user *models.User) (*models.User, error) {
result, err := conn.Search(userSearchRequest)
if err != nil {
glog.Errorln("search user", err)
return nil, err
}
@@ -718,6 +652,7 @@ func CreateUser(user *models.User) (*models.User, error) {
maxUid, err := getMaxUid(conn)
if err != nil {
glog.Errorln("get max uid", err)
return nil, err
}
@@ -743,6 +678,7 @@ func CreateUser(user *models.User) (*models.User, error) {
err = conn.Add(userCreateRequest)
if err != nil {
glog.Errorln("create user", err)
return nil, err
}
@@ -754,6 +690,7 @@ func CreateUser(user *models.User) (*models.User, error) {
err := CreateClusterRoleBinding(user.Username, user.ClusterRole)
if err != nil {
glog.Errorln("create cluster role binding filed", err)
return nil, err
}
}
@@ -864,6 +801,7 @@ func UpdateUser(user *models.User) (*models.User, error) {
err = CreateClusterRoleBinding(user.Username, user.ClusterRole)
if err != nil {
glog.Errorln("create cluster role binding filed", err)
return nil, err
}
@@ -884,6 +822,7 @@ func DeleteGroup(path string) error {
err = conn.Del(groupDeleteRequest)
if err != nil {
glog.Errorln("delete user group", err)
return err
}
@@ -903,6 +842,7 @@ func CreateGroup(group *models.Group) (*models.Group, error) {
maxGid, err := getMaxGid(conn)
if err != nil {
glog.Errorln("get max gid", err)
return nil, err
}
@@ -930,6 +870,7 @@ func CreateGroup(group *models.Group) (*models.Group, error) {
err = conn.Add(groupCreateRequest)
if err != nil {
glog.Errorln("create group", err)
return nil, err
}
@@ -976,45 +917,13 @@ func UpdateGroup(group *models.Group) (*models.Group, error) {
err = conn.Modify(groupUpdateRequest)
if err != nil {
glog.Errorln("update group", err)
return nil, err
}
return group, nil
}
func CountChild(path string) (int, error) {
// bind root DN
conn, err := ldapclient.Client()
if err != nil {
return 0, err
}
defer conn.Close()
var groupSearchRequest *ldap.SearchRequest
if path == "" {
groupSearchRequest = ldap.NewSearchRequest(ldapclient.GroupSearchBase,
ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
"(&(objectClass=posixGroup))",
[]string{"cn", "gidNumber", "memberUid", "description"},
nil)
} else {
searchBase, cn := splitPath(path)
groupSearchRequest = ldap.NewSearchRequest(fmt.Sprintf("cn=%s,%s", cn, searchBase),
ldap.ScopeSingleLevel, ldap.NeverDerefAliases, 0, 0, false,
"(&(objectClass=posixGroup))",
[]string{"cn", "gidNumber", "memberUid", "description"},
nil)
}
result, err := conn.Search(groupSearchRequest)
if err != nil {
return 0, err
}
return len(result.Entries), nil
}
func ChildList(path string) ([]models.Group, error) {
// bind root DN
@@ -1105,6 +1014,7 @@ func DescribeGroup(path string) (*models.Group, error) {
result, err := conn.Search(groupSearchRequest)
if err != nil {
glog.Errorln("search group", err)
return nil, err
}