feat:超管接口增加模板列表和用户组添加成员API #2409 #2738

Open
wants to merge 1 commit into
base: develop
2 changes: 2 additions & 0 deletions saas/backend/api/admin/constants.py
Expand Up @@ -25,11 +25,13 @@ class AdminAPIEnum(BaseAPIEnum):

# 用户组成员
GROUP_MEMBER_LIST = auto()
GROUP_MEMBER_ADD = auto()

# 用户组权限
GROUP_POLICY_GRANT = auto()

# 模板
TEMPLATE_LIST = auto()
TEMPLATE_CREATE = auto()

# Subject
16 changes: 14 additions & 2 deletions saas/backend/api/admin/serializers.py
Expand Up @@ -12,10 +12,10 @@

from backend.api.management.v2.serializers import ManagementGradeManagerGroupCreateSLZ
from backend.apps.group.models import Group
from backend.apps.group.serializers import GroupAuthorizationSLZ
from backend.apps.group.serializers import GroupAddMemberSLZ, GroupAuthorizationSLZ
from backend.apps.role.models import Role
from backend.apps.role.serializers import BaseGradeMangerSLZ
from backend.apps.template.serializers import TemplateCreateSLZ, TemplateIdSLZ
from backend.apps.template.serializers import TemplateCreateSLZ, TemplateIdSLZ, TemplateListSchemaSLZ, TemplateListSLZ
from backend.service.constants import GroupMemberType, RoleType


Expand All @@ -36,6 +36,10 @@ class AdminGroupMemberSLZ(serializers.Serializer):
expired_at = serializers.IntegerField(label="过期时间戳(单位秒)")


class AdminGroupAddMemberSLZ(GroupAddMemberSLZ):
pass


class AdminSubjectGroupSLZ(serializers.Serializer):
id = serializers.CharField(label="用户组id")
name = serializers.CharField(label="用户组名称")
Expand Down Expand Up @@ -91,6 +95,14 @@ class FreezeSubjectResponseSLZ(serializers.Serializer):
id = serializers.CharField(label="SubjectID")


class AdminTemplateListSchemaSLZ(TemplateListSchemaSLZ):
pass


class AdminTemplateListSLZ(TemplateListSLZ):
pass


class AdminTemplateCreateSLZ(TemplateCreateSLZ):
pass

8 changes: 6 additions & 2 deletions saas/backend/api/admin/urls.py
Expand Up @@ -24,7 +24,7 @@
# 用户组成员
path(
"groups/<int:id>/members/",
views.AdminGroupMemberViewSet.as_view({"get": "list"}),
views.AdminGroupMemberViewSet.as_view({"get": "list", "post": "create"}),
name="open.admin.group_member",
),
# 用户组授权
Expand All @@ -34,7 +34,11 @@
name="open.admin.group_policy",
),
# 模板
path("templates/", views.AdminTemplateViewSet.as_view({"post": "create"}), name="open.admin.template"),
path(
"templates/",
views.AdminTemplateViewSet.as_view({"get": "list", "post": "create"}),
name="open.admin.template",
),
# Subject
path(
"subjects/<str:subject_type>/<str:subject_id>/groups/",
50 changes: 48 additions & 2 deletions saas/backend/api/admin/views/group.py
Expand Up @@ -20,14 +20,19 @@
from backend.api.admin.filters import GroupFilter
from backend.api.admin.permissions import AdminAPIPermission
from backend.api.admin.serializers import (
AdminGroupAddMemberSLZ,
AdminGroupAuthorizationSLZ,
AdminGroupBasicSLZ,
AdminGroupCreateSLZ,
AdminGroupMemberSLZ,
)
from backend.api.authentication import ESBAuthentication
from backend.api.management.v2.views import ManagementGroupViewSet
from backend.apps.group.audit import GroupCreateAuditProvider, GroupTemplateCreateAuditProvider
from backend.apps.group.audit import (
GroupCreateAuditProvider,
GroupMemberCreateAuditProvider,
GroupTemplateCreateAuditProvider,
)
from backend.apps.group.constants import OperateEnum
from backend.apps.group.models import Group
from backend.apps.group.views import check_readonly_group
Expand All @@ -36,9 +41,11 @@
from backend.audit.constants import AuditSourceType
from backend.biz.group import GroupBiz, GroupCheckBiz, GroupCreationBean
from backend.biz.role import RoleBiz
from backend.biz.utils import remove_not_exist_subject
from backend.common.lock import gen_group_upsert_lock
from backend.common.pagination import CompatiblePagination
from backend.service.constants import GroupSaaSAttributeEnum, RoleType
from backend.service.models import Subject
from backend.trans.group import GroupTrans


Expand Down Expand Up @@ -130,13 +137,17 @@ class AdminGroupMemberViewSet(GenericViewSet):
authentication_classes = [ESBAuthentication]
permission_classes = [AdminAPIPermission]

admin_api_permission = {"list": AdminAPIEnum.GROUP_MEMBER_LIST.value}
admin_api_permission = {
"list": AdminAPIEnum.GROUP_MEMBER_LIST.value,
"create": AdminAPIEnum.GROUP_MEMBER_ADD.value,
}

queryset = Group.objects.all()
lookup_field = "id"
pagination_class = CompatiblePagination

biz = GroupBiz()
group_check_biz = GroupCheckBiz()

@swagger_auto_schema(
operation_description="用户组成员列表",
Expand All @@ -153,6 +164,41 @@ def list(self, request, *args, **kwargs):
results = [one.dict(include={"type", "id", "name", "expired_at"}) for one in group_members]
return Response({"count": count, "results": results})

@swagger_auto_schema(
operation_description="用户组添加成员",
request_body=AdminGroupAddMemberSLZ(label="用户组成员"),
responses={status.HTTP_200_OK: serializers.Serializer()},
tags=["admin.group.member"],
)
@view_audit_decorator(GroupMemberCreateAuditProvider)
def create(self, request, *args, **kwargs):
group = self.get_object()

serializer = AdminGroupAddMemberSLZ(data=request.data)
serializer.is_valid(raise_exception=True)
data = serializer.validated_data

members_data = data["members"]
expired_at = data["expired_at"]
# 成员Dict结构转换为Subject结构,并去重
members = list(set(parse_obj_as(List[Subject], members_data)))

# 检测成员是否满足管理的授权范围
role = Role.objects.get(type=RoleType.SUPER_MANAGER.value)
self.group_check_biz.check_role_subject_scope(role, members)
self.group_check_biz.check_member_count(group.id, len(members))

# 排除组织架构中不存在的成员
members = remove_not_exist_subject(members)
if members:
# 添加成员
self.biz.add_members(group.id, members, expired_at)

# 写入审计上下文
audit_context_setter(group=group, members=[m.dict() for m in members])

return Response({})


class AdminGroupPolicyViewSet(GenericViewSet):
"""用户组授权"""
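Review bot: The new `create` on AdminGroupMemberViewSet returns `Response({})` even when `remove_not_exist_subject` has dropped every requested member, so a caller receives a success response with nothing added and no indication which subjects were skipped; consider returning the members actually added, or at least documenting that subjects missing from the org tree are silently ignored. `check_readonly_group` is imported at the top of this file but the new action never calls it before `self.biz.add_members`, so if the readonly flag is meant to apply to the admin API the way it does in the SaaS group view, that guard is missing here. `check_member_count` is evaluated on the pre-filter list, which is conservative but may reject a request whose surviving members would fit. `parse_obj_as` and `List` are not among the imports this diff adds, so presumably they are already imported in the part of the file outside the hunk; verify. The method has no docstring; a one-liner such as `"""Add members to the group as the super manager; subjects not present in the org tree are skipped."""` would help.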
47 changes: 43 additions & 4 deletions saas/backend/api/admin/views/template.py
@@ -1,32 +1,71 @@
# -*- coding: utf-8 -*-
"""
TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-权限中心(BlueKing-IAM) available.
Copyright (C) 2017-2021 THL A29 Limited, a Tencent company. All rights reserved.
Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
You may obtain a copy of the License at http://opensource.org/licenses/MIT
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
specific language governing permissions and limitations under the License.
"""
from drf_yasg.utils import swagger_auto_schema
from rest_framework import status
from rest_framework.response import Response
from rest_framework.viewsets import GenericViewSet

from backend.api.admin.constants import AdminAPIEnum
from backend.api.admin.permissions import AdminAPIPermission
from backend.api.admin.serializers import AdminTemplateCreateSLZ, AdminTemplateIdSLZ
from backend.api.admin.serializers import (
AdminTemplateCreateSLZ,
AdminTemplateIdSLZ,
AdminTemplateListSchemaSLZ,
AdminTemplateListSLZ,
)
from backend.api.authentication import ESBAuthentication
from backend.apps.role.models import Role
from backend.apps.template.audit import TemplateCreateAuditProvider
from backend.apps.template.views import TemplateQueryMixin
from backend.audit.audit import audit_context_setter, view_audit_decorator
from backend.biz.role import RoleAuthorizationScopeChecker
from backend.biz.role import RoleAuthorizationScopeChecker, RoleListQuery
from backend.biz.template import TemplateBiz, TemplateCheckBiz, TemplateCreateBean
from backend.common.lock import gen_template_upsert_lock
from backend.service.constants import RoleType


class AdminTemplateViewSet(GenericViewSet):
class AdminTemplateViewSet(TemplateQueryMixin, GenericViewSet):
"""模板"""

authentication_classes = [ESBAuthentication]
permission_classes = [AdminAPIPermission]

admin_api_permission = {"create": AdminAPIEnum.TEMPLATE_CREATE.value}
admin_api_permission = {
"list": AdminAPIEnum.TEMPLATE_LIST.value,
"create": AdminAPIEnum.TEMPLATE_CREATE.value,
}

template_biz = TemplateBiz()
template_check_biz = TemplateCheckBiz()

@swagger_auto_schema(
operation_description="模板列表",
responses={status.HTTP_200_OK: AdminTemplateListSchemaSLZ(label="模板", many=True)},
tags=["admin.template"],
)
def list(self, request, *args, **kwargs):
role = Role.objects.get(type=RoleType.SUPER_MANAGER.value)
queryset = RoleListQuery(role, request.user).query_template()

# 查询role的system-actions set
role_system_actions = RoleListQuery(role).get_scope_system_actions()
page = self.paginate_queryset(queryset)

if page is not None:
serializer = AdminTemplateListSLZ(page, many=True, role_system_actions=role_system_actions)
return self.get_paginated_response(serializer.data)

serializer = AdminTemplateListSLZ(queryset, many=True, role_system_actions=role_system_actions)
return Response(serializer.data)

@swagger_auto_schema(
operation_description="创建模板",
request_body=AdminTemplateCreateSLZ(label="模板"),
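Review bot: `list` in AdminTemplateViewSet constructs `RoleListQuery` twice, once with `request.user` for `query_template()` and once without it for `get_scope_system_actions()`; unless the second call deliberately omits the user, a single instance reads cleaner: `role_query = RoleListQuery(role, request.user)`, `queryset = role_query.query_template()`, `role_system_actions = role_query.get_scope_system_actions()`. The lookup `Role.objects.get(type=RoleType.SUPER_MANAGER.value)` is repeated in the new group `create` as well, so a small shared helper would remove the duplication. The method lacks a docstring, e.g. `"""List permission templates within the super manager's scope, paginated when a page is requested."""`. The class body continues past the end of this hunk.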
52 changes: 52 additions & 0 deletions saas/resources/apigateway/bk_apigw_resources_bk-iam.yaml
Expand Up @@ -3258,6 +3258,33 @@ paths:
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
/api/v1/open/admin/groups/{id}/members/:
post:
operationId: admin_add_group_members
description: 超管用户组添加成员
tags:
- open
- v2
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: post
path: /api/v1/open/admin/groups/{id}/members/
matchSubpath: false
timeout: 0
upstreams: {}
transformHeaders: {}
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: []
descriptionEn:
/api/v1/open/admin/systems/{system_id}/provider_config/:
get:
operationId: admin_list_provider_config
Expand Down Expand Up @@ -3285,6 +3312,31 @@ paths:
disabledStages: [ ]
descriptionEn:
/api/v1/open/admin/templates/:
get:
operationId: admin_list_templates
description: 超管获取模板列表
tags:
- open
responses:
default:
description: ''
x-bk-apigateway-resource:
isPublic: true
allowApplyPermission: true
matchSubpath: false
backend:
type: HTTP
method: get
path: /api/v1/open/admin/templates/
matchSubpath: false
timeout: 0
upstreams: { }
transformHeaders: { }
authConfig:
userVerifiedRequired: false
resourcePermissionRequired: false
disabledStages: [ ]
descriptionEn:
post:
operationId: admin_create_templates
description: 超管创建模板
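Review bot: The new `post` resource for `/api/v1/open/admin/groups/{id}/members/` carries the tags `open` and `v2`, while the sibling `get` added for `/api/v1/open/admin/templates/` carries only `open`; both paths live under `/api/v1/`, so the `v2` tag looks copied from another entry and should probably be dropped for consistency. The brace style also differs between the two hunks (`{}`/`[]` versus `{ }`/`[ ]`), while the surrounding entries write them with spaces. Both new resources set `userVerifiedRequired: false` and `resourcePermissionRequired: false`, matching the neighbouring admin entries, so access control rests entirely on the backend's `AdminAPIPermission` check; worth confirming that is the intended model for an endpoint that adds group members.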