diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt index dd986dbebbd..477c5043982 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceGroupSyncService.kt @@ -29,6 +29,7 @@ package com.tencent.devops.auth.provider.rbac.service import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO +import com.tencent.bk.sdk.iam.dto.manager.GroupMemberVerifyInfo import com.tencent.bk.sdk.iam.dto.manager.dto.SearchGroupDTO import com.tencent.bk.sdk.iam.exception.IamException import com.tencent.bk.sdk.iam.service.v2.V2ManagerService @@ -161,10 +162,16 @@ class RbacPermissionResourceGroupSyncService @Autowired constructor( if (deptService.isUserDeparted(memberId)) { return@forEach } - val verifyResults = iamV2ManagerService.verifyGroupValidMember( - memberId, - groupInfos.joinToString(",") { it.iamGroupId.toString() } - ) + // 获取用户加入组的有效期 + val groupIds = groupInfos.map { it.iamGroupId } + val verifyResults = mutableMapOf() + groupIds.chunked(20).forEach { batchGroupIds -> + val batchVerifyGroupValidMember = iamV2ManagerService.verifyGroupValidMember( + memberId, + batchGroupIds.joinToString(",") + ) + verifyResults.putAll(batchVerifyGroupValidMember) + } verifyResults.forEach { (groupId, verifyResult) -> if (verifyResult.belong == true && verifyResult.expiredAt > LocalDateTime.now().timestamp()) { logger.info("The member of group needs to be renewed:$projectCode|$groupId|$memberId") 
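Review bot: The batch size in `groupIds.chunked(20)` is a bare magic number standing in for what is presumably a per-request limit of `verifyGroupValidMember`, so it should be a named constant whose comment records that reason, e.g. `private const val VERIFY_GROUP_BATCH_SIZE = 20 // presumed per-call limit of IAM verifyGroupValidMember — confirm` and `groupIds.chunked(VERIFY_GROUP_BATCH_SIZE)`. The new comment `// 获取用户加入组的有效期` is the only non-English comment in the hunk; `// Check, in batches, which of these groups the member still belongs to and when that membership expires` would match the English log messages around it. A batch that throws propagates out of the surrounding loop, so one failed IAM call still aborts the sync for the remaining members as the single call did before; if partial progress is preferable, catching `IamException` per batch and logging the skipped group ids is the place to do it. The enclosing function and the loop over members start outside the hunk, and the type argument of `mutableMapOf()` appears stripped in this rendering.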
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
index b0ad89bd245..9c44f61526e 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
@@ -589,7 +589,7 @@ class RbacPermissionResourceMemberService(
 groupId: Int,
 memberRenewalDTO: GroupMemberRenewalDTO
 ): Boolean {
- logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId")
+ logger.info("renewal group member|$userId|$projectCode|$resourceType|$groupId|${memberRenewalDTO.expiredAt}")
 val managerMemberGroupDTO = GroupMemberRenewApplicationDTO.builder()
 .groupIds(listOf(groupId))
 .expiredAt(memberRenewalDTO.expiredAt)
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
index 3523cbf5544..447bb9168de 100644
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionService.kt
@@ -51,6 +51,7 @@ import com.tencent.devops.common.auth.rbac.utils.RbacAuthUtils import com.tencent.devops.common.client.Client import com.tencent.devops.common.service.trace.TraceTag import com.tencent.devops.common.service.utils.LogUtils +import com.tencent.devops.process.api.service.ServicePipelineViewResource import com.tencent.devops.process.api.user.UserPipelineViewResource import org.slf4j.LoggerFactory import org.slf4j.MDC @@ -360,6 +361,30 @@ class RbacPermissionService( projectCode = projectCode, resourceType = resourceType ) + + resourceType == AuthResourceType.PIPELINE_DEFAULT.value -> { + val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds -> + client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds( + projectId = projectCode, + viewIdsEncode = authViewIds + ).data + } ?: emptyList() + + val authPipelineIamIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList() + val pipelineIds = mutableSetOf().apply { + addAll(authViewPipelineIds) + addAll( + getFinalResourceCodes( + projectCode = projectCode, + resourceType = resourceType, + iamResourceCodes = authPipelineIamIds, + createUser = userId + ) + ) + } + pipelineIds.toList() + } + // 返回具体资源列表 else -> { val iamResourceCodes = instanceMap[resourceType] ?: emptyList() diff --git a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt index 0ddfb5f80d6..59bfb948968 100644 --- a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt +++ b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/AbstractPipelinePermissionService.kt 
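Review bot: In the new `PIPELINE_DEFAULT` branch, `listPipelineIdByViewIds(...).data` collapses a failed call to the process service into `null` and, via `?: emptyList()`, into "no pipeline-group grants", so an outage there silently shrinks the permitted set with nothing logged — fail-closed, which is the right direction for an authorization lookup, but indistinguishable from a user who simply holds no group grants. Binding the call result first, `val viewResult = client.get(ServicePipelineViewResource::class).listPipelineIdByViewIds(projectId = projectCode, viewIdsEncode = authViewIds)`, and checking its status (whatever the project's result type exposes) with a warning log before reading `.data` keeps the behaviour but makes it observable. The view-derived ids are added to `pipelineIds` directly while the IAM ids go through `getFinalResourceCodes`, so the branch assumes `listPipelineIdByViewIds` already returns pipeline ids in the same form as that helper's output — a one-line comment stating that assumption would help the next reader. The enclosing function and `when` start outside the hunk.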
@@ -242,6 +242,6 @@ abstract class AbstractPipelinePermissionService constructor( } override fun isControlPipelineListPermission(projectId: String): Boolean { - return true + return false } } diff --git a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt index e841cecf1f0..e56409ea909 100644 --- a/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt +++ b/src/backend/ci/core/process/biz-process/src/main/kotlin/com/tencent/devops/process/permission/RbacPipelinePermissionService.kt 
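Review bot: `isControlPipelineListPermission` flips its default answer from `true` to `false`, but the method carries no documentation, so what a `false` answer means for callers and which implementations are expected to override it cannot be read from the declaration. A KDoc such as `/** Whether pipeline listings must be filtered by the caller's permissions. Off by default; permission-enforcing implementations presumably override this — confirm against the RBAC service. */` would make the flip reviewable rather than a bare boolean change. The `projectId` parameter is unused by this default body, which is acceptable for an overridable hook but worth stating in the same comment.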
@@ -186,43 +186,19 @@ class RbacPipelinePermissionService( } } - override fun getResourceByPermission(userId: String, projectId: String, permission: AuthPermission): List { - logger.info("[rbac] get resource by permission|$userId|$projectId|$permission") - val startEpoch = System.currentTimeMillis() - try { - // 获取有权限的流水线、流水线组、项目列表 - val instanceMap = authPermissionApi.getUserResourceAndParentByPermission( - user = userId, - serviceCode = pipelineAuthServiceCode, - projectCode = projectId, - permission = permission, - resourceType = resourceType - ) - return when { - // 如果有项目下所有该资源权限,返回项目下流水线列表 - instanceMap[AuthResourceType.PROJECT.value]?.contains(projectId) == true -> - getAllAuthPipelineIds(projectId = projectId) - - else -> { - // 获取有权限流水线组下的流水线 - val authViewPipelineIds = instanceMap[AuthResourceType.PIPELINE_GROUP.value]?.let { authViewIds -> - pipelineViewGroupCommonService.listPipelineIdsByViewIds(projectId, authViewIds) - } ?: emptyList() - // 获取有权限的流水线列表 - val authPipelineIds = instanceMap[AuthResourceType.PIPELINE_DEFAULT.value] ?: emptyList() - - val pipelineIds = mutableSetOf() - pipelineIds.addAll(authViewPipelineIds) - pipelineIds.addAll(authPipelineIds) - pipelineIds.toList() - } - } - } finally { - logger.info( - "It take(${System.currentTimeMillis() - startEpoch})ms to get resource by permission|" + - "$userId|$projectId|$permission" - ) - } + override fun getResourceByPermission( + userId: String, + projectId: String, + permission: AuthPermission + ): List { + return authPermissionApi.getUserResourceByPermission( + user = userId, + serviceCode = pipelineAuthServiceCode, + resourceType = resourceType, + projectCode = projectId, + permission = permission, + supplier = null + ) } override fun filterPipelines(
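Review bot: The rewritten `getResourceByPermission` drops both the entry log and the elapsed-time log the old body emitted around the lookup, so at this layer a pipeline authorization query now leaves no trace; unless `authPermissionApi.getUserResourceByPermission` logs on its own, keeping `logger.info("[rbac] get resource by permission|$userId|$projectId|$permission")` before the call preserves the existing diagnostics. The project-wide case (`instanceMap[AuthResourceType.PROJECT.value]` to `getAllAuthPipelineIds`) and the pipeline-group expansion that used to live here are now delegated to the API call, so their correctness can no longer be checked in this file. `supplier = null` is passed with no comment on what a null supplier means to the callee; a short note there would help. Stylistically the body is a single `return` and reads better as an expression body (`= authPermissionApi.getUserResourceByPermission(...)` in place of the braces), and the class continues on both sides of the hunk.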