Merge pull request #11377 from fcfang123/issue-11246

feat：获取有权限的资源接口优化 #11246
TencentBlueKing · Jan 9, 2025 · 2234aac · 2234aac
2 parents cbd6302 + 9049080
commit 2234aac
Show file tree

Hide file tree

Showing 5 changed files with 51 additions and 43 deletions.
diff --git a/...n/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/...n/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt
@@ -29,6 +29,7 @@ package com.tencent.devops.auth.provider.rbac.service
 
 import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
 import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
+import com.tencent.bk.sdk.iam.dto.manager.GroupMemberVerifyInfo
 import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO
 import com.tencent.bk.sdk.iam.exception.IamException
 import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
@@ -161,10 +162,16 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor(
                 if (deptService.isUserDeparted(memberId)) {
                     return@forEach
                 }
-                val verifyResults = iamV2ManagerService.verifyGroupValidMember(
-                    memberId,
-                    groupInfos.joinToString(",") { it.iamGroupId.toString() }
-                )
+                // 获取用户加入组的有效期
+                val groupIds = groupInfos.map { it.iamGroupId }
+                val verifyResults = mutableMapOf<Int, GroupMemberVerifyInfo>()
+                groupIds.chunked(20).forEach { batchGroupIds ->
+                    val batchVerifyGroupValidMember = iamV2ManagerService.verifyGroupValidMember(
+                        memberId,
+                        batchGroupIds.joinToString(",")
+                    )
+                    verifyResults.putAll(batchVerifyGroupValidMember)
+                }
                 verifyResults.forEach { (groupId, verifyResult) ->
                     if (verifyResult.belong == true && verifyResult.expiredAt > LocalDateTime.now().timestamp()) {
                         logger.info("The member of group needs to be renewed:$projectCode|$groupId|$memberId")

diff --git a/...tlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/...tlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
@@ -589,7 +589,7 @@ class RbacPermissionResourceMemberService(
         groupId: Int,
         memberRenewalDTO: GroupMemberRenewalDTO
     ): Boolean {
-        logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId")
+        logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId|${memberRenewalDTO.expiredAt}")
         val managerMemberGroupDTO = GroupMemberRenewApplicationDTO.builder()
             .groupIds(listOf(groupId))
             .expiredAt(memberRenewalDTO.expiredAt)

diff --git a/...th/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt b/...th/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
@@ -51,6 +51,7 @@ import com.tencent.devops.common.auth.rbac.utils.RbacAuthUtils
 import com.tencent.devops.common.client.Client
 import com.tencent.devops.common.service.trace.TraceTag
 import com.tencent.devops.common.service.utils.LogUtils
+import com.tencent.devops.process.api.service.ServicePipelineViewResource
 import com.tencent.devops.process.api.user.UserPipelineViewResource
 import org.slf4j.LoggerFactory
 import org.slf4j.MDC
@@ -360,6 +361,30 @@ class RbacPermissionService(
                         projectCode = projectCode,
                         resourceType = resourceType
                     )
+
+                resourceType == AuthResourceType.PIPELINE_DEFAULT.value -> {
+                    val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
+                        client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds(
+                            projectId = projectCode,
+                            viewIdsEncode = authViewIds
+                        ).data
+                    } ?: emptyList()
+
+                    val authPipelineIamIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
+                    val pipelineIds = mutableSetOf<String>().apply {
+                        addAll(authViewPipelineIds)
+                        addAll(
+                            getFinalResourceCodes(
+                                projectCode = projectCode,
+                                resourceType = resourceType,
+                                iamResourceCodes = authPipelineIamIds,
+                                createUser = userId
+                            )
+                        )
+                    }
+                    pipelineIds.toList()
+                }
+
                 // 返回具体资源列表
                 else -> {
                     val iamResourceCodes = instanceMap[resourceType] ?: emptyList()

diff --git a/...rc/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt b/...rc/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt
@@ -242,6 +242,6 @@ abstract class AbstractPipelinePermissionService constructor(
     }
 
     override fun isControlPipelineListPermission(projectId: String): Boolean {
-        return true
+        return false
     }
 }
diff --git a/...ss/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt b/...ss/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt
@@ -186,43 +186,19 @@ class RbacPipelinePermissionService(
         }
     }
 
-    override fun getResourceByPermission(userId: String, projectId: String, permission: AuthPermission): List<String> {
-        logger.info("[rbac] get resource by permission|$userId|$projectId|$permission")
-        val startEpoch = System.currentTimeMillis()
-        try {
-            // 获取有权限的流水线、流水线组、项目列表
-            val instanceMap = authPermissionApi.getUserResourceAndParentByPermission(
-                user = userId,
-                serviceCode = pipelineAuthServiceCode,
-                projectCode = projectId,
-                permission = permission,
-                resourceType = resourceType
-            )
-            return when {
-                // 如果有项目下所有该资源权限,返回项目下流水线列表
-                instanceMap[AuthResourceType.PROJECT.value]?.contains(projectId) == true ->
-                    getAllAuthPipelineIds(projectId = projectId)
-
-                else -> {
-                    // 获取有权限流水线组下的流水线
-                    val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds ->
-                        pipelineViewGroupCommonService.listPipelineIdsByViewIds(projectId, authViewIds)
-                    } ?: emptyList()
-                    // 获取有权限的流水线列表
-                    val authPipelineIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList()
-
-                    val pipelineIds = mutableSetOf<String>()
-                    pipelineIds.addAll(authViewPipelineIds)
-                    pipelineIds.addAll(authPipelineIds)
-                    pipelineIds.toList()
-                }
-            }
-        } finally {
-            logger.info(
-                "It take(${System.currentTimeMillis() - startEpoch})ms to get resource by permission|" +
-                    "$userId|$projectId|$permission"
-            )
-        }
+    override fun getResourceByPermission(
+        userId: String,
+        projectId: String,
+        permission: AuthPermission
+    ): List<String> {
+        return authPermissionApi.getUserResourceByPermission(
+            user = userId,
+            serviceCode = pipelineAuthServiceCode,
+            resourceType = resourceType,
+            projectCode = projectId,
+            permission = permission,
+            supplier = null
+        )
     }
 
     override fun filterPipelines(