feat: 优化批量添加项目成员接口 #9660 #9661

Merged
merged 6 commits into from
Nov 13, 2023
@@ -46,6 +46,6 @@ object Versions {
const val jjwt = "0.11.5"
const val Okhttp = "4.9.0"
const val jgit = "5.13.1.202206130422-r"
const val iam = "1.0.39-SNAPSHOT"
const val iam = "1.0.0"
const val disklrucache = "2.0.2"
}
@@ -28,6 +28,8 @@

package com.tencent.devops.auth.service

import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.bk.sdk.iam.dto.V2PageInfoDTO
import com.tencent.bk.sdk.iam.dto.manager.ManagerMember
import com.tencent.bk.sdk.iam.dto.manager.dto.ManagerMemberGroupDTO
import com.tencent.bk.sdk.iam.helper.AuthHelper
@@ -65,7 +67,8 @@ class RbacPermissionProjectService(
companion object {
private val logger = LoggerFactory.getLogger(RbacPermissionProjectService::class.java)
private const val expiredAt = 365L
private const val USER_TYPE = "user"
// 有效的过期时间,在30天内就是有效的
private const val VALID_EXPIRED_AT = 30L
}

override fun getProjectUsers(
@@ -160,16 +163,6 @@ class RbacPermissionProjectService(
members: List<String>
): Boolean {
logger.info("batchCreateProjectUser:$userId|$projectCode|$roleCode|$members")
members.forEach {
deptService.getUserInfo(
userId = "admin",
name = it
) ?: throw ErrorCodeException(
errorCode = AuthMessageCode.USER_NOT_EXIST,
params = arrayOf(it),
defaultMessage = "user $it not exist"
)
}
val iamGroupId = if (roleCode == BkAuthGroup.CI_MANAGER.value) {
authResourceGroupDao.getByGroupName(
dslContext = dslContext,
@@ -191,10 +184,42 @@ class RbacPermissionProjectService(
params = arrayOf(roleCode),
defaultMessage = "group $roleCode not exist"
)
val iamMemberInfos = members.map { ManagerMember(USER_TYPE, it) }
val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt)
val managerMemberGroup = ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build()
iamV2ManagerService.createRoleGroupMemberV2(iamGroupId.toInt(), managerMemberGroup)
val type = ManagerScopesEnum.getType(ManagerScopesEnum.USER)
val pageInfoDTO = V2PageInfoDTO().apply {
pageSize = 1000
page = 1
}
val groupMemberMap = iamV2ManagerService.getRoleGroupMemberV2(
iamGroupId.toInt(),
pageInfoDTO
).results.filter {
it.type == type
}.associateBy { it.name }
val addMembers = mutableListOf<String>()
// 预期的过期天数
val expectExpiredAt = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(VALID_EXPIRED_AT)
members.forEach {
// 如果用户已经在用户组,并且过期时间超过30天,则不再添加
if (groupMemberMap.containsKey(it) && groupMemberMap[it]!!.expiredAt > expectExpiredAt) {
return@forEach
}
deptService.getUserInfo(
userId = "admin",
name = it
) ?: throw ErrorCodeException(
errorCode = AuthMessageCode.USER_NOT_EXIST,
params = arrayOf(it),
defaultMessage = "user $it not exist"
)
addMembers.add(it)
}
if (addMembers.isNotEmpty()) {
val iamMemberInfos = addMembers.map { ManagerMember(type, it) }
val expiredTime = System.currentTimeMillis() / 1000 + TimeUnit.DAYS.toSeconds(expiredAt)
val managerMemberGroup =
ManagerMemberGroupDTO.builder().members(iamMemberInfos).expiredAt(expiredTime).build()
iamV2ManagerService.createRoleGroupMemberV2(iamGroupId.toInt(), managerMemberGroup)
}
return true
}
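Review bot: The membership lookup that fills `groupMemberMap` reads a single page (`pageSize = 1000`, `page = 1`), so in a group with more members than one page, anyone on a later page is treated as absent and re-submitted to `createRoleGroupMemberV2`; if IAM does not treat that as a harmless renewal, the query should page through `V2PageInfoDTO.page` until `results` comes back short, and either way a comment next to `pageInfoDTO` should state the assumption. The skip check can lose the `!!`: `if (groupMemberMap[it]?.let { m -> m.expiredAt > expectExpiredAt } == true) return@forEach`. The comment `// 预期的过期天数` describes `expectExpiredAt` as a number of days while the value is an epoch-seconds threshold; `// renewal threshold (epoch seconds): existing members expiring after this are left alone` says what the comparison does. batchCreateProjectUser's signature lies above this hunk, and note the `getUserInfo` existence check is now skipped for members already in the group, which looks intended but is worth a word in the comment.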

@@ -41,12 +41,14 @@ import com.tencent.bk.sdk.iam.helper.AuthHelper
import com.tencent.bk.sdk.iam.service.PolicyService
import com.tencent.devops.auth.service.iam.PermissionService
import com.tencent.devops.common.api.util.HashUtil
import com.tencent.devops.common.api.util.Watcher
import com.tencent.devops.common.auth.api.AuthPermission
import com.tencent.devops.common.auth.api.AuthResourceType
import com.tencent.devops.common.auth.api.pojo.AuthResourceInstance
import com.tencent.devops.common.auth.utils.RbacAuthUtils
import com.tencent.devops.common.client.Client
import com.tencent.devops.common.service.trace.TraceTag
import com.tencent.devops.common.service.utils.LogUtils
import com.tencent.devops.process.api.user.UserPipelineViewResource
import org.slf4j.LoggerFactory
import org.slf4j.MDC
@@ -145,6 +147,7 @@ class RbacPermissionService constructor(
"[rbac] batch validate user resource permission|" +
"$userId|$action|$projectCode|${resource.resourceType}|${resource.resourceCode}"
)
val watcher = Watcher("validateUserResourcePermissionByInstance|$userId|$projectCode")
val startEpoch = System.currentTimeMillis()
try {
// action需要兼容repo只传AuthPermission的情况,需要组装为Rbac的action
@@ -208,6 +211,8 @@ class RbacPermissionService constructor(

return policyService.verifyPermissions(queryPolicyDTO)
} finally {
watcher.stop()
LogUtils.printCostTimeWE(watcher)
logger.info(
"It take(${System.currentTimeMillis() - startEpoch})ms to validate user resource permission|" +
"$userId|$action|$projectCode|${resource.resourceType}|${resource.resourceCode}"
@@ -89,7 +89,7 @@ class AuthDeptServiceImpl @Autowired constructor(

private val userInfoCache = CacheBuilder.newBuilder()
.maximumSize(10000)
.expireAfterWrite(1, TimeUnit.HOURS)
.expireAfterWrite(24, TimeUnit.HOURS)
.build<String/*userId*/, Optional<UserAndDeptInfoVo>>()

override fun getDeptByLevel(level: Int, accessToken: String?, userId: String): DeptInfoVo {
@@ -267,7 +267,7 @@ class AuthDeptServiceImpl @Autowired constructor(
userId = userId,
type = ManagerScopesEnum.USER,
exactLookups = true
).firstOrNull().also { if (it != null) userInfoCache.put(name, Optional.ofNullable(it)) }
).firstOrNull().also { if (it != null) userInfoCache.put(name, Optional.of(it)) }
}

private fun getUserDeptFamily(userId: String): String {
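Review bot: Raising `userInfoCache` to `expireAfterWrite(24, TimeUnit.HOURS)` means a user removed or disabled upstream still passes `getUserInfo` as existing for up to a day, and this PR makes that lookup the existence gate for batchCreateProjectUser; a comment on the builder stating the accepted staleness, e.g. `// positive lookups only; a departed user can read as existing for up to 24h`, documents the trade-off. Because of the `if (it != null)` guard only hits are cached, so misses are re-queried on every call — fine for correctness, but the asymmetry deserves a line as well. Stylistically the guard collapses to `.firstOrNull()?.also { userInfoCache.put(name, Optional.of(it)) }`, which returns the same value.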
@@ -30,6 +30,7 @@ package com.tencent.devops.common.auth

import com.tencent.bk.sdk.iam.util.http.AuthUrlMapper
import com.tencent.bk.sdk.iam.util.http.DefaultApacheHttpClientBuilder.IdleConnectionMonitorThread
import com.tencent.bk.sdk.iam.util.http.IamHttpRequestRetryHandler
import io.micrometer.core.instrument.MeterRegistry
import io.micrometer.core.instrument.binder.httpcomponents.MicrometerHttpRequestExecutor
import io.micrometer.core.instrument.binder.httpcomponents.PoolingHttpClientConnectionManagerMetricsBinder
@@ -116,6 +117,7 @@ class RbacAuthHttpClientAutoConfiguration(
.setConnectionRequestTimeout(httpClientProperties.connectionRequestTimeout)
.build()
)
.setRetryHandler(IamHttpRequestRetryHandler.INSTANCE)
.setRequestExecutor(
MicrometerHttpRequestExecutor
.builder(meterRegistry)
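Review bot: `.setRetryHandler(IamHttpRequestRetryHandler.INSTANCE)` turns on retries for every request through this client, including the non-idempotent group-member writes this PR issues via `createRoleGroupMemberV2`; unless the handler only retries before the request was sent, or only idempotent methods, a timeout on such a write could be replayed. What IamHttpRequestRetryHandler actually checks is not visible here, so a comment on this line naming its retry conditions and count, e.g. `// retries <conditions placeholder> up to <n placeholder> times; writes rely on IAM-side idempotency`, would let a reader judge the risk without opening the SDK. The builder expression continues past the end of this hunk.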