Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

perf: 无权限提示信息带上用户名 #784

Closed
jsonwan opened this issue Apr 6, 2022 · 6 comments
Closed

perf: 无权限提示信息带上用户名 #784

jsonwan opened this issue Apr 6, 2022 · 6 comments
Assignees
@jsonwan @liuliaozhong
Labels
kind/enhancement 功能改进特性 stage/prod Production environment in tencent has been deploy stage/test Test environment in tencent has been deploy test/passed 测试环境通过/test patest passed for test stage
Milestone
V3.5.0

Comments

@jsonwan
Copy link
Collaborator

jsonwan commented Apr 6, 2022

No description provided.

@jsonwan jsonwan added the kind/enhancement 功能改进特性 label Apr 6, 2022
@jsonwan jsonwan self-assigned this Apr 6, 2022
@jsonwan
Copy link
Collaborator Author

jsonwan commented Apr 8, 2022

企业微信截图_16494132277955

@jsonwan jsonwan added this to the V3.5.0 milestone Apr 11, 2022
@liuliaozhong
Copy link
Collaborator

该异常主要是用户在操作鉴权时,没有相应的操作权限,通过PermissionDeniedException对象抛出的异常,主要想到两种处理方式

方案1

PermissionDeniedException类中增加一个带有errorParams参数的构造方法,在需要抛出异常地方把username传进来。该异常用到的地方很多,所以改动很大,也不利于后续维护。

方案2

从服务请求来分析,来自三个方面,web调用、esb调用、服务内部调用,需要鉴权的是web调用和esb调用,这两类调用中都有统一的异常Advice处理类,可以在其处理统一权限异常逻辑中获取到username信息并添加到响应对象。

web调用

WebExceptionControllerAdvice#handlePermissionDeniedException()
添加一个buildAuthFailResp重载方法,username通过errorParams参数传给Response对象
Response<T> buildAuthFailResp(AuthResultVO authResult, Object[] errorParams){{ new Response<>(errorCode, errorParams, null); }

esb调用

EsbExceptionControllerAdvice#handlePermissionDeniedException()
在AuthService接口中增加如下重载方法,增加errorParams参数
<T> EsbResp<T> buildEsbAuthFailResp(List<PermissionActionResource> permissionActionResources, Object[] errorParams)
在EsbResp类中增加如下重载方法,增加errorParams参数
<T> EsbResp<T> buildAuthFailResult(EsbApplyPermissionDTO permission, Object[] errorParams){ EsbResp<T> esbResp = buildCommonFailResp(ErrorCode.BK_PERMISSION_DENIED, errorParams, null); }

i18n资源文件

对权限不足的错误码添加username通配符,如:
1238001=用户{0}权限不足
9900403=用户{0}权限不足

@jsonwan
Copy link
Collaborator Author

jsonwan commented Dec 27, 2022

通过errorParams参数传递的话,还是需要在每个抛出异常的地方传进去,改动还是很大。
代码框架中有提取出web/esb请求的用户信息放到threadlocal数据中,一个请求只会有一个操作者,可以考虑直接从threadlocal数据中拿出用户身份使用,就不用每个地方都传一遍了

@liuliaozhong
Copy link
Collaborator

JobCommonInterceptor#addUsername(request)有把用户放到threadlocal中,每个web/esb请求都会执行到吗,能否直接拿出来用?

@liuliaozhong
Copy link
Collaborator

实现
image

@jsonwan
Copy link
Collaborator Author

jsonwan commented Dec 27, 2022

JobCommonInterceptor#addUsername(request)有把用户放到threadlocal中,每个web/esb请求都会执行到吗,能否直接拿出来用?

设计上是都会执行到的,具体会不会可以分析下代码,也可以实践验证下

@liuliaozhong liuliaozhong removed their assignment Dec 27, 2022
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Dec 28, 2022
无权限提示信息带上用户名 TencentBlueKing#784
3c67260
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Dec 28, 2022
无权限提示信息带上用户名 TencentBlueKing#784
b3fdbb8
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 3, 2023
无权限提示信息带上用户名 TencentBlueKing#784
30530a0
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 3, 2023
无权限提示信息带上用户名 TencentBlueKing#784 -v1
940e99c
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 3, 2023
无权限提示信息带上用户名 TencentBlueKing#784 -v2
29bcc78
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 3, 2023
无权限提示信息带上用户名 TencentBlueKing#784
092b9a5
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 3, 2023
无权限提示信息带上用户名 TencentBlueKing#784
6d51fe1
jsonwan added a commit that referenced this issue Jan 3, 2023
@jsonwan
Merge pull request #1645 from liuliaozhong/3.5.x
4274768 
perf: 无权限提示信息带上用户名 #784
liuliaozhong pushed a commit that referenced this issue Jan 4, 2023
无权限提示信息带上用户名 #784
8e9bbfb
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 4, 2023
bugfix:无权限提示信息带上用户名 TencentBlueKing#784
739018d
jsonwan added a commit that referenced this issue Jan 4, 2023
@jsonwan
Merge pull request #1652 from liuliaozhong/3.5.x
62e8b8a 
bugfix:无权限提示信息带上用户名 #784
liuliaozhong pushed a commit to liuliaozhong/bk-job that referenced this issue Jan 4, 2023
bugfix: 无权限提示信息带上用户名 TencentBlueKing#784
aa23f51
jsonwan added a commit that referenced this issue Jan 4, 2023
@jsonwan
Merge pull request #1653 from liuliaozhong/3.6.x
13e2312 
bugfix:无权限提示信息带上用户名 #784
@bkjob-bot bkjob-bot added the stage/test Test environment in tencent has been deploy label Jan 6, 2023
@fabio-he fabio-he added the test/passed 测试环境通过/test patest passed for test stage label Feb 6, 2023
@bkjob-bot bkjob-bot added the stage/prod Production environment in tencent has been deploy label Mar 14, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@jsonwan jsonwan

@liuliaozhong liuliaozhong

Labels
kind/enhancement 功能改进特性 stage/prod Production environment in tencent has been deploy stage/test Test environment in tencent has been deploy test/passed 测试环境通过/test patest passed for test stage
Projects
None yet
Milestone
V3.5.0
Development

No branches or pull requests
4 participants
@jsonwan @fabio-he @bkjob-bot @liuliaozhong