feat:支持初始化管理员帐户

Author: chuntaojun

admin/api.go

@@ -55,9 +55,9 @@ type AdminOperateServer interface {
 	// GetCMDBInfo get cmdb info
 	GetCMDBInfo(ctx context.Context) ([]model.LocationView, error)
 	// HasMainUser .
-	HasMainUser(ctx context.Context) (*apisecurity.User, error)
+	HasMainUser(ctx context.Context) *apiservice.Response
 	// InitMainUser .
-	InitMainUser(ctx context.Context, user apisecurity.User) error
+	InitMainUser(ctx context.Context, user *apisecurity.User) *apiservice.Response
 	// GetServerFunctions Get server functions
 	GetServerFunctions(ctx context.Context) []authcommon.ServerFunctionGroup
 }

admin/interceptor/auth/server.go

@@ -62,11 +62,11 @@ func (svr *Server) collectMaintainAuthContext(ctx context.Context, resourceOp au
 	)
 }
 
-func (s *Server) HasMainUser(ctx context.Context) (*apisecurity.User, error) {
+func (s *Server) HasMainUser(ctx context.Context) *apiservice.Response {
 	return s.nextSvr.HasMainUser(ctx)
 }
 
-func (s *Server) InitMainUser(ctx context.Context, user apisecurity.User) error {
+func (s *Server) InitMainUser(ctx context.Context, user *apisecurity.User) *apiservice.Response {
 	return s.nextSvr.InitMainUser(ctx, user)
 }
 

admin/job/clean_deleted_resource.go

@@ -48,6 +48,47 @@ var cleanFuncMapping = map[string]func(timeout time.Duration, job *cleanDeletedR
 	"config_file_release": cleanDeletedConfigFiles,
 }
 
+var defaultCleanDeletedResourceConfig = CleandeletedResourceConf{
+	Resources: []CleanDeletedResource{
+		{
+			Resource: "instance",
+			Enable:   true,
+		},
+		{
+			Resource: "service",
+			Enable:   true,
+		},
+		{
+			Resource: "clients",
+			Enable:   true,
+		},
+		{
+			Resource: "circuitbreaker_rule",
+			Enable:   true,
+		},
+		{
+			Resource: "ratelimit_rule",
+			Enable:   true,
+		},
+		{
+			Resource: "router_rule",
+			Enable:   true,
+		},
+		{
+			Resource: "faultdetect_rule",
+			Enable:   true,
+		},
+		{
+			Resource: "lane_rule",
+			Enable:   true,
+		},
+		{
+			Resource: "config_file_release",
+			Enable:   true,
+		},
+	},
+}
+
 type CleanDeletedResource struct {
 	// Resource 记录需要清理的资源类型
 	Resource string `mapstructure:"resource"`
@@ -59,7 +100,7 @@ type CleanDeletedResource struct {
 
 type CleandeletedResourceConf struct {
 	// ResourceTimeout 记录资源的额外超时时间，用户可自定义
-	Resources []CleanDeletedResource `json:"resourceTimeout"`
+	Resources []CleanDeletedResource `json:"resources" mapstructure:"resources"`
 	// Timeout 记录清理资源的超时时间，默认20分钟
 	Timeout time.Duration `mapstructure:"timeout"`
 }
@@ -90,6 +131,16 @@ func (job *cleanDeletedResourceJob) init(raw map[string]interface{}) error {
 		cfg.Timeout = 2 * time.Minute
 	}
 	job.cfg = cfg
+
+	if len(cfg.Resources) == 0 {
+		job.cfg.Resources = defaultCleanDeletedResourceConfig.Resources
+		for i := range job.cfg.Resources {
+			if job.cfg.Resources[i].Timeout == nil {
+				job.cfg.Resources[i].Timeout = &job.cfg.Timeout
+			}
+		}
+	}
+
 	return nil
 }
 

admin/maintain.go

@@ -41,30 +41,30 @@ import (
 )
 
 // HasMainUser 判断是否存在主用户
-func (s *Server) HasMainUser(ctx context.Context) (*apisecurity.User, error) {
+func (s *Server) HasMainUser(ctx context.Context) *apiservice.Response {
 	mainUser, err := s.storage.GetMainUser()
 	if err != nil {
 		log.Error("check hash main user", zap.Error(err), utils.RequestID(ctx))
-		return nil, err
+		return api.NewResponse(apimodel.Code_ExecuteException)
 	}
 	if mainUser == nil {
-		return nil, nil
+		return api.NewResponse(apimodel.Code_NotFoundResource)
 	}
 	ret := mainUser.ToSpec()
 	ret.AuthToken = wrapperspb.String("")
-	return ret, nil
+	return api.NewUserResponse(apimodel.Code_ExecuteSuccess, ret)
 }
 
 // InitMainUser 初始化主用户
-func (s *Server) InitMainUser(_ context.Context, user apisecurity.User) error {
+func (s *Server) InitMainUser(_ context.Context, user *apisecurity.User) *apiservice.Response {
+	if user.GetSource().GetValue() == "" {
+		user.Source = utils.NewStringValue("Polaris")
+	}
 	ctx := context.WithValue(context.Background(), authcommon.ContextKeyInitMainUser{}, true)
 	rsp := s.userSvr.CreateUsers(ctx, []*apisecurity.User{
-		&user,
+		user,
 	})
-	if !api.IsSuccess(rsp) {
-		return errors.New(rsp.GetInfo().GetValue())
-	}
-	return nil
+	return rsp.Responses[0]
 }
 
 func (s *Server) GetServerConnections(_ context.Context, req *admin.ConnReq) (*admin.ConnCountResp, error) {

apiserver/httpserver/admin_access.go

@@ -24,6 +24,7 @@ import (
 	"strconv"
 
 	"github.com/emicklei/go-restful/v3"
+	"github.com/golang/protobuf/jsonpb"
 	apimodel "github.com/polarismesh/specification/source/go/api/v1/model"
 	"github.com/polarismesh/specification/source/go/api/v1/security"
 	apiservice "github.com/polarismesh/specification/source/go/api/v1/service_manage"
@@ -314,12 +315,9 @@ func (h *HTTPServer) EnablePprof(req *restful.Request, rsp *restful.Response) {
 
 func (h *HTTPServer) HasMainUser(req *restful.Request, rsp *restful.Response) {
 	ctx := initContext(req)
-	ret, err := h.maintainServer.HasMainUser(ctx)
-	if err != nil {
-		_ = rsp.WriteErrorString(http.StatusBadRequest, err.Error())
-		return
-	}
-	_ = rsp.WriteAsJson(ret)
+	ret := h.maintainServer.HasMainUser(ctx)
+	marshaler := jsonpb.Marshaler{Indent: " ", EmitDefaults: true}
+	_ = marshaler.Marshal(rsp, ret)
 }
 
 func (h *HTTPServer) InitMainUser(req *restful.Request, rsp *restful.Response) {
@@ -335,11 +333,9 @@ func (h *HTTPServer) InitMainUser(req *restful.Request, rsp *restful.Response) {
 		return
 	}
 
-	if err := h.maintainServer.InitMainUser(ctx, *user); err != nil {
-		_ = rsp.WriteErrorString(http.StatusBadRequest, err.Error())
-		return
-	}
-	_ = rsp.WriteEntity("ok")
+	ret := h.maintainServer.InitMainUser(ctx, user)
+	marshaler := jsonpb.Marshaler{Indent: " ", EmitDefaults: true}
+	_ = marshaler.Marshal(rsp, ret)
 }
 
 // GetServerFunctions .

auth/policy/auth_checker.go

@@ -140,6 +140,10 @@ func (d *DefaultAuthChecker) CheckConsolePermission(preCtx *authcommon.AcquireCo
 	if d.IsOpenConsoleAuth() && !d.conf.ConsoleStrict {
 		preCtx.SetAllowAnonymous(true)
 	}
+	// 如果是初始化主用户的请求，直接放行
+	if authcommon.IsInitMainUser(preCtx.GetRequestContext()) {
+		return true, nil
+	}
 	return d.CheckPermission(preCtx)
 }
 

auth/policy/helper.go

@@ -83,7 +83,7 @@ func mainUserPrincipalPolicy(p authcommon.Principal) *authcommon.StrategyDetail
 		Name:          authcommon.BuildDefaultStrategyName(p.PrincipalType, p.Name),
 		Action:        apisecurity.AuthAction_ALLOW.String(),
 		Default:       true,
-		Owner:         p.Owner,
+		Owner:         p.PrincipalID,
 		Revision:      utils.NewUUID(),
 		Source:        "Polaris",
 		Resources:     resources,
@@ -114,14 +114,16 @@ func defaultReadWritePolicy(p authcommon.Principal) *authcommon.StrategyDetail {
 		Name:          "全局读写策略",
 		Action:        apisecurity.AuthAction_ALLOW.String(),
 		Default:       true,
-		Owner:         p.Owner,
+		Owner:         p.PrincipalID,
 		Revision:      utils.NewUUID(),
 		Source:        "Polaris",
 		Resources:     resources,
-		Principals:    []authcommon.Principal{p},
 		CalleeMethods: calleeMethods,
 		Valid:         true,
 		Comment:       "global resources read and write",
+		Metadata: map[string]string{
+			authcommon.MetadKeySystemDefaultPolicy: "true",
+		},
 	}
 }
 
@@ -149,14 +151,16 @@ func defaultReadOnlyPolicy(p authcommon.Principal) *authcommon.StrategyDetail {
 		Name:          "全局只读策略",
 		Action:        apisecurity.AuthAction_ALLOW.String(),
 		Default:       true,
-		Owner:         p.Owner,
+		Owner:         p.PrincipalID,
 		Revision:      utils.NewUUID(),
 		Source:        "Polaris",
 		Resources:     resources,
-		Principals:    []authcommon.Principal{p},
 		CalleeMethods: calleeMethods,
 		Valid:         true,
 		Comment:       "global resources read only policy rule",
+		Metadata: map[string]string{
+			authcommon.MetadKeySystemDefaultPolicy: "true",
+		},
 	}
 }
 

auth/policy/strategy.go

@@ -194,6 +194,11 @@ func (svr *Server) GetStrategies(ctx context.Context, filters map[string]string)
 	// 透传兼容模式信息数据
 	ctx = context.WithValue(ctx, model.ContextKeyCompatible{}, svr.options.Compatible)
 
+	// 这里需要框定大体的数据查询范围
+	if authcommon.ParseUserRole(ctx) != authcommon.AdminUserRole {
+		filters["owner"] = utils.ParseOwnerID(ctx)
+	}
+
 	total, strategies, err := svr.cacheMgr.AuthStrategy().Query(ctx, cachetypes.PolicySearchArgs{
 		Filters: filters,
 		Offset:  offset,

auth/user/user.go

@@ -62,19 +62,10 @@ func (svr *Server) CreateUser(ctx context.Context, req *apisecurity.User) *apise
 	ownerID := utils.ParseOwnerID(ctx)
 	req.Owner = utils.NewStringValue(ownerID)
 
-	if checkErrResp := checkCreateUser(req); checkErrResp != nil {
+	if checkErrResp := checkCreateUser(ctx, req); checkErrResp != nil {
 		return checkErrResp
 	}
 
-	// 如果创建的目标账户类型是非子账户，则 ownerId 需要设置为 “”
-	if convertCreateUserRole(authcommon.ParseUserRole(ctx)) != authcommon.SubAccountUserRole {
-		// 如果创建的不是子帐户，需要判断是否来自内部的 InitMainUser 请求
-		if !authcommon.IsInitMainUser(ctx) {
-			log.Error("[auth][user] can't create user which role is not sub-account", utils.RequestID(ctx))
-			return api.NewUserResponse(apimodel.Code_OperationRoleForbidden, req)
-		}
-	}
-
 	if ownerID != "" {
 		owner, err := svr.storage.GetUser(ownerID)
 		if err != nil {
@@ -579,7 +570,7 @@ func userRecordEntry(ctx context.Context, req *apisecurity.User, md *authcommon.
 }
 
 // checkCreateUser 检查创建用户的请求
-func checkCreateUser(req *apisecurity.User) *apiservice.Response {
+func checkCreateUser(ctx context.Context, req *apisecurity.User) *apiservice.Response {
 	if req == nil {
 		return api.NewUserResponse(apimodel.Code_EmptyRequest, req)
 	}
@@ -592,8 +583,15 @@ func checkCreateUser(req *apisecurity.User) *apiservice.Response {
 		return api.NewUserResponse(apimodel.Code_InvalidUserPassword, req)
 	}
 
-	if err := CheckOwner(req.Owner); err != nil {
-		return api.NewUserResponse(apimodel.Code_InvalidUserOwners, req)
+	if !authcommon.IsInitMainUser(ctx) {
+		if err := CheckOwner(req.Owner); err != nil {
+			return api.NewUserResponse(apimodel.Code_InvalidUserOwners, req)
+		}
+		// 如果创建的目标账户类型是非子账户，则 ownerId 需要设置为 “”
+		if convertCreateUserRole(authcommon.ParseUserRole(ctx)) != authcommon.SubAccountUserRole {
+			log.Error("[auth][user] can't create user which role is not sub-account", utils.RequestID(ctx))
+			return api.NewUserResponse(apimodel.Code_OperationRoleForbidden, req)
+		}
 	}
 	return nil
 }

common/model/auth/const.go

@@ -21,6 +21,10 @@ import (
 	apisecurity "github.com/polarismesh/specification/source/go/api/v1/security"
 )
 
+const (
+	MetadKeySystemDefaultPolicy = "internal-polaris-system-policy"
+)
+
 type ServerFunctionName string
 
 // SDK 接口