feat: 权限中心v3默认用户组支持op配置权限组合 TencentBlueKing#5418

src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt

@@ -54,6 +54,7 @@ object AuthMessageCode {
     const val UN_DEFAULT_GROUP_ERROR = "2121009" // 权限系统：非默认分组与默认分组重名
     const val DEFAULT_GROUP_UPDATE_NAME_ERROR = "2121010" // 权限系统：该分组为默认分组,不允许重命名
     const val CAN_NOT_FIND_RELATION = "2121011" // 权限系统：用户组无关联系统用户组
+    const val IAM_SYSTEM_ERROR = "2121012" // 权限系统：Iam权限中心异常。异常信息{0}
 
     const val TOKEN_TICKET_FAIL = "2121106" // 权限系统：token校验失败
     const val PARENT_TYPE_FAIL = "2121107" // 权限系统：父类资源必须为"项目"

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/AbsPermissionRoleMemberImpl.kt

@@ -36,14 +36,17 @@ import com.tencent.bk.sdk.iam.dto.manager.ManagerRoleGroupInfo
 import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO
 import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerRoleMemberDTO
 import com.tencent.bk.sdk.iam.dto.manager.vo.ManagerGroupMemberVo
+import com.tencent.bk.sdk.iam.exception.IamException
 import com.tencent.bk.sdk.iam.service.ManagerService
+import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.constant.AuthMessageCode.CAN_NOT_FIND_RELATION
 import com.tencent.devops.auth.pojo.MemberInfo
 import com.tencent.devops.auth.pojo.dto.RoleMemberDTO
 import com.tencent.devops.auth.pojo.vo.ProjectMembersVO
 import com.tencent.devops.auth.service.AuthGroupService
 import com.tencent.devops.auth.service.iam.PermissionGradeService
 import com.tencent.devops.auth.service.iam.PermissionRoleMemberService
+import com.tencent.devops.common.api.exception.OperationException
 import com.tencent.devops.common.api.exception.ParamBlankException
 import com.tencent.devops.common.api.util.PageUtil
 import com.tencent.devops.common.service.utils.MessageCodeUtil
@@ -91,7 +94,25 @@ abstract class AbsPermissionRoleMemberImpl @Autowired constructor(
         }
         val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt)
         val managerMemberGroupDTO = ManagerMemberGroupDTO.builder().expiredAt(expiredTime).members(roleMembers).build()
-        iamManagerService.createRoleGroupMember(iamId!!.toInt(), managerMemberGroupDTO)
+        try {
+            iamManagerService.createRoleGroupMember(iamId!!.toInt(), managerMemberGroupDTO)
+        } catch (iamEx: IamException) {
+            logger.warn("create group user fail. code: ${iamEx.errorCode}| msg: ${iamEx.errorMsg}")
+            throw OperationException(
+                MessageCodeUtil.getCodeMessage(
+                    messageCode = AuthMessageCode.IAM_SYSTEM_ERROR,
+                    params = arrayOf(iamEx.errorMsg)
+                ).toString()
+            )
+        } catch (e: Exception) {
+            logger.warn("create group user fail. code: $e")
+            throw OperationException(
+                MessageCodeUtil.getCodeMessage(
+                    messageCode = AuthMessageCode.IAM_SYSTEM_ERROR,
+                    params = arrayOf(e.message ?: "unknown")
+                ).toString()
+            )
+        }
 
         // 添加用户到管理员需要同步添加用户到分级管理员
         if (managerGroup) {

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/impl/IamPermissionRoleExtService.kt

@@ -44,8 +44,10 @@ import com.tencent.devops.auth.pojo.DefaultGroup
 import com.tencent.devops.auth.pojo.dto.ProjectRoleDTO
 import com.tencent.devops.auth.pojo.vo.GroupInfoVo
 import com.tencent.devops.auth.service.AuthGroupService
+import com.tencent.devops.auth.service.StrategyService
 import com.tencent.devops.auth.service.iam.PermissionGradeService
 import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.auth.api.AuthPermission
 import com.tencent.devops.common.auth.utils.IamGroupUtils
 import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.auth.api.pojo.BkAuthGroup
@@ -63,7 +65,8 @@ open class IamPermissionRoleExtService @Autowired constructor(
     private val groupService: AuthGroupService,
     private val groupDao: AuthGroupDao,
     private val dslContext: DSLContext,
-    private val client: Client
+    private val client: Client,
+    private val strategyService: StrategyService
 ) : AbsPermissionRoleServiceImpl(groupService) {
 
     override fun groupCreateExt(
@@ -210,67 +213,130 @@ open class IamPermissionRoleExtService @Autowired constructor(
     }
 
     private fun addDevelopPermission(roleId: Int, projectCode: String) {
-        val actions = mutableListOf<String>()
-        actions.add(PROJECT)
-        actions.add(PIPELINEACTION)
-        actions.add(CREDENTIALACTION)
-        actions.add(CERTACTION)
-        actions.add(REPERTORYACTION)
-        actions.add(ENVIRONMENTACTION)
-        actions.add(NODEACTION)
-//        actions.add(REPORTACTION)
-        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
-        iamManagerService.createRolePermission(roleId, authorizationScopes)
+//        val actions = mutableListOf<String>()
+//        actions.add(PROJECT)
+//        actions.add(PIPELINEACTION)
+//        actions.add(CREDENTIALACTION)
+//        actions.add(CERTACTION)
+//        actions.add(REPERTORYACTION)
+//        actions.add(ENVIRONMENTACTION)
+//        actions.add(NODEACTION)
+////        actions.add(REPORTACTION)
+//        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
+//        iamManagerService.createRolePermission(roleId, authorizationScopes)
+        addIamGroupAction(roleId, projectCode, DefaultGroupType.DEVELOPER)
     }
 
     private fun addTestPermission(roleId: Int, projectCode: String) {
         val actions = mutableListOf<String>()
-        actions.add(PROJECT)
-        actions.add(PIPELINEACTION)
-        actions.add(CREDENTIALACTION)
-        actions.add(REPERTORYACTION)
-        actions.add(ENVIRONMENTACTION)
-        actions.add(NODEACTION)
-        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
-        iamManagerService.createRolePermission(roleId, authorizationScopes)
+//        actions.add(PROJECT)
+//        actions.add(PIPELINEACTION)
+//        actions.add(CREDENTIALACTION)
+//        actions.add(REPERTORYACTION)
+//        actions.add(ENVIRONMENTACTION)
+//        actions.add(NODEACTION)
+//        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
+//        iamManagerService.createRolePermission(roleId, authorizationScopes)
+        addIamGroupAction(roleId, projectCode, DefaultGroupType.TESTER)
     }
 
     private fun addPMPermission(roleId: Int, projectCode: String) {
-        val actions = mutableListOf<String>()
-        actions.add(PROJECT)
-        actions.add(CREDENTIALACTION)
-        actions.add(REPERTORYACTION)
-        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
-        iamManagerService.createRolePermission(roleId, authorizationScopes)
+//        val actions = mutableListOf<String>()
+//        actions.add(PROJECT)
+//        actions.add(CREDENTIALACTION)
+//        actions.add(REPERTORYACTION)
+//        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
+//        iamManagerService.createRolePermission(roleId, authorizationScopes)
+        addIamGroupAction(roleId, projectCode, DefaultGroupType.PM)
     }
 
     private fun addQCPermission(roleId: Int, projectCode: String) {
-        val createActions = mutableListOf<String>()
-        createActions.add(PROJECT)
-        createActions.add(CREDENTIALACTION)
-        createActions.add(REPERTORYACTION)
-        createActions.add(RULECREATEACTION)
-        createActions.add(GROUPCREATEACTION)
-        val createAuthorizationScopes = buildCreateAuthorizationScopes(createActions, projectCode)
-        iamManagerService.createRolePermission(roleId, createAuthorizationScopes)
-        val ruleAction = RULEACTION.split(",")
-        val ruleAuthorizationScopes = buildOtherAuthorizationScopes(ruleAction, projectCode, "rule")
-        iamManagerService.createRolePermission(roleId, ruleAuthorizationScopes)
-        val groupAction = GROUPACTION.split(",")
-        val groupAuthorizationScopes = buildOtherAuthorizationScopes(groupAction, projectCode, "quality_group")
-        iamManagerService.createRolePermission(roleId, groupAuthorizationScopes)
+//        val createActions = mutableListOf<String>()
+//        createActions.add(PROJECT)
+//        createActions.add(CREDENTIALACTION)
+//        createActions.add(REPERTORYACTION)
+//        createActions.add(RULECREATEACTION)
+//        createActions.add(GROUPCREATEACTION)
+//        val createAuthorizationScopes = buildCreateAuthorizationScopes(createActions, projectCode)
+//        iamManagerService.createRolePermission(roleId, createAuthorizationScopes)
+//        val ruleAction = RULEACTION.split(",")
+//        val ruleAuthorizationScopes = buildOtherAuthorizationScopes(ruleAction, projectCode, "rule")
+//        iamManagerService.createRolePermission(roleId, ruleAuthorizationScopes)
+//        val groupAction = GROUPACTION.split(",")
+//        val groupAuthorizationScopes = buildOtherAuthorizationScopes(groupAction, projectCode, "quality_group")
+//        iamManagerService.createRolePermission(roleId, groupAuthorizationScopes)
+        addIamGroupAction(roleId, projectCode, DefaultGroupType.QC)
     }
 
     private fun addMaintainerPermission(roleId: Int, projectCode: String) {
-        val actions = mutableListOf<String>()
-        actions.add(PROJECT)
-        actions.add(PIPELINEACTION)
-        actions.add(CREDENTIALACTION)
-        actions.add(REPERTORYACTION)
-        actions.add(ENVIRONMENTACTION)
-        actions.add(NODEACTION)
-        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
-        iamManagerService.createRolePermission(roleId, authorizationScopes)
+//        val actions = mutableListOf<String>()
+//        actions.add(PROJECT)
+//        actions.add(PIPELINEACTION)
+//        actions.add(CREDENTIALACTION)
+//        actions.add(REPERTORYACTION)
+//        actions.add(ENVIRONMENTACTION)
+//        actions.add(NODEACTION)
+//        val authorizationScopes = buildCreateAuthorizationScopes(actions, projectCode)
+//        iamManagerService.createRolePermission(roleId, authorizationScopes)
+        addIamGroupAction(roleId, projectCode, DefaultGroupType.MAINTAINER)
+    }
+
+    private fun addIamGroupAction(
+        roleId: Int,
+        projectCode: String,
+        group: DefaultGroupType
+    ) {
+        val actions = getGroupStrategy(group)
+        if (actions.first.isNotEmpty()) {
+            val authorizationScopes = buildCreateAuthorizationScopes(actions.first, projectCode)
+            iamManagerService.createRolePermission(roleId, authorizationScopes)
+        }
+        if (actions.second.isNotEmpty()) {
+            actions.second.forEach { (resource, actions) ->
+                val groupAuthorizationScopes = buildOtherAuthorizationScopes(actions, projectCode, resource)
+                iamManagerService.createRolePermission(roleId, groupAuthorizationScopes)
+            }
+        }
+    }
+
+    private fun getGroupStrategy(defaultGroup: DefaultGroupType): Pair<List<String>, Map<String, List<String>>> {
+        val strategyInfo = strategyService.getStrategyByName(defaultGroup.displayName)
+            ?: throw ErrorCodeException(
+                errorCode = AuthMessageCode.STRATEGT_NAME_NOT_EXIST,
+                defaultMessage = MessageCodeUtil.getCodeMessage(
+                    messageCode = AuthMessageCode.STRATEGT_NAME_NOT_EXIST,
+                    params = arrayOf(defaultGroup.value)
+                ))
+        logger.info("getGroupStrategy ${strategyInfo.strategy}")
+        val projectStrategyList = mutableListOf<String>()
+        val resourceStrategyMap = mutableMapOf<String, List<String>>()
+        strategyInfo.strategy.forEach { resource, list ->
+            // 如果是project相关的资源, 直接拼接action
+            if (resource == AuthResourceType.PROJECT.value) {
+                list.forEach { projectAction ->
+                    projectStrategyList.add(resource + "_" + projectAction)
+                }
+            } else {
+                var useResource = resource
+                val resourceStrategyList = mutableListOf<String>()
+                list.forEach {
+                    // 历史遗留问题, 红线和版本体验的group冲突
+//                    if (TActionUtils.extResourceTypeCheck(resource)) {
+//                        // TODO: 需要质量红线和版本体验，resource需要添加前缀，如何判断。
+//                        logger.info("group has quality or experience: $resource")
+//                    }
+                    // 如果是非project资源。 若action是create,需挂在project下,因create相关的资源都是绑定在项目下。
+                    if (it == AuthPermission.CREATE.value) {
+                        projectStrategyList.add(useResource + "_" + it)
+                    } else {
+                        resourceStrategyList.add(useResource + "_" + it)
+                    }
+                }
+                resourceStrategyMap[useResource] = resourceStrategyList
+                logger.info("$useResource $resourceStrategyList")
+            }
+        }
+        return Pair(projectStrategyList, resourceStrategyMap)
     }
 
     private fun buildCreateAuthorizationScopes(actions: List<String>, projectCode: String): AuthorizationScopes {
@@ -367,9 +433,6 @@ open class IamPermissionRoleExtService @Autowired constructor(
         val logger = LoggerFactory.getLogger(AbsPermissionRoleMemberImpl::class.java)
         const val PROJECT = "project_view"
         const val PIPELINEACTION = "pipeline_create"
-
-        // TODO:确认代码库的默认权限
-        const val REPORTACTION = "pipeline_view"
         const val CREDENTIALACTION = "credential_create"
         const val CERTACTION = "cert_create"
         const val REPERTORYACTION = "repertory_create"

src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/pojo/DefaultGroupType.kt

@@ -32,7 +32,7 @@ package com.tencent.devops.common.auth.api.pojo
  * 项目角色组
  */
 enum class DefaultGroupType(val value: String, val displayName: String) {
-    MANAGER("manager", "管理员"), // 管理员
+    MANAGER("manager", "CI管理员"), // 管理员
     DEVELOPER("developer", "开发人员"), // 开发人员
     MAINTAINER("maintainer", "运维人员"), // 运维人员
     TESTER("tester", "测试人员"), // 测试人员