feat(auth): update load casbin model from rule (#767)

tkestack · Oct 14, 2020 · 9f3c6b5 · 9f3c6b5
1 parent 3b67f2d
commit 9f3c6b5
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 31 deletions.
diff --git a/pkg/auth/controller/group/deletion/grouped_resources_deleter.go b/pkg/auth/controller/group/deletion/grouped_resources_deleter.go
@@ -328,13 +328,10 @@ func deleteRelatedProjectPolicyBinding(ctx context.Context, deleter *groupedReso
 	var errs []error
 	belongsProjectPolicies := make(map[string][]string)
 	for _, r := range rules {
-		// Comment out here is the cause of the PR modified casbin loading rule model token number:
-		// https://github.com/tkestack/tke/pull/744
-		//
-		//if len(r) != 3 {
-		//	log.Warn("invalid rule", log.Strings("rule", r))
-		//	continue
-		//}
+		if len(r) != util.GRuleFieldNumber {
+			log.Warn("invalid rule", log.Strings("rule", r))
+			continue
+		}
 		project := r[2]
 		role := r[1]
 		if strings.HasPrefix(project, "prj-") {

diff --git a/pkg/auth/controller/localidentity/deletion/localidentity_resources_deleter.go b/pkg/auth/controller/localidentity/deletion/localidentity_resources_deleter.go
@@ -348,13 +348,10 @@ func deleteRelatedProjectPolicyBinding(ctx context.Context, deleter *loalIdentit
 	var errs []error
 	belongsProjectPolicies := make(map[string][]string)
 	for _, r := range rules {
-		// Comment out here is the cause of the PR modified casbin loading rule model token number:
-		// https://github.com/tkestack/tke/pull/744
-		//
-		//if len(r) != 3 {
-		//	log.Warn("invalid rule", log.Strings("rule", r))
-		//	continue
-		//}
+		if len(r) != util.GRuleFieldNumber {
+			log.Warn("invalid rule", log.Strings("rule", r))
+			continue
+		}
 		project := r[2]
 		role := r[1]
 		if strings.HasPrefix(project, "prj-") {

diff --git a/pkg/auth/registry/user/storage/project.go b/pkg/auth/registry/user/storage/project.go
@@ -25,6 +25,7 @@ import (
 	"tkestack.io/tke/api/auth"
 	authinternalclient "tkestack.io/tke/api/client/clientset/internalversion/typed/auth/internalversion"
 	"tkestack.io/tke/pkg/auth/util"
+	"tkestack.io/tke/pkg/util/log"
 
 	"github.com/casbin/casbin/v2"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -90,13 +91,10 @@ func (r *ProjectREST) List(ctx context.Context, options *metainternalversion.Lis
 
 	rules := r.enforcer.GetFilteredGroupingPolicy(0, util.UserKey(user.Spec.TenantID, user.Spec.Name))
 	for _, r := range rules {
-		// Comment out here is the cause of the PR modified casbin loading rule model token number:
-		// https://github.com/tkestack/tke/pull/744
-		//
-		//if len(r) != 3 {
-		//	log.Warn("invalid rule", log.Strings("rule", r))
-		//	continue
-		//}
+		if len(r) != util.GRuleFieldNumber {
+			log.Warn("invalid rule", log.Strings("rule", r))
+			continue
+		}
 		prj := r[2]
 		role := r[1]
 

diff --git a/pkg/auth/util/adapter.go b/pkg/auth/util/adapter.go
@@ -38,8 +38,15 @@ const (
 	DefaultDomain = "*"
 	DefaultAll    = "*"
 
-	// The maximum number of valid fields in the Rule object: PType, V0, V1, V2, V3, V4
-	MaxFieldNumber = 6
+	// GRule represents user groups to which users belongs or the associated Policies
+	GRule = "g"
+	// PRule represents RBAC rules
+	PRule = "p"
+
+	// PRuleFieldNumber represents the maximum number of valid value fields in the Rule object: V0, V1, V2, V3, V4
+	PRuleFieldNumber = 5
+	// GRuleFieldNumber represents the maximum number of valid value fields in the Rule object: V0, V1, V2
+	GRuleFieldNumber = 3
 )
 
 // RestAdapter is the policy storage adapter for Casbin. With this library, Casbin can load policy
@@ -80,13 +87,18 @@ func (a *RestAdapter) LoadPolicy(model model.Model) error {
 
 func (a *RestAdapter) loadPolicy(rule *authv1.Rule, model model.Model) {
 	casRule := rule.Spec
-	// Currently, Casbin Model only needs to load the first MaxFieldNumber fields
 	lineText := casRule.PType
-	lineText += ", " + casRule.V0
-	lineText += ", " + casRule.V1
-	lineText += ", " + casRule.V2
-	lineText += ", " + casRule.V3
-	lineText += ", " + casRule.V4
+	if casRule.PType == PRule {
+		lineText += ", " + casRule.V0
+		lineText += ", " + casRule.V1
+		lineText += ", " + casRule.V2
+		lineText += ", " + casRule.V3
+		lineText += ", " + casRule.V4
+	} else {
+		lineText += ", " + casRule.V0
+		lineText += ", " + casRule.V1
+		lineText += ", " + casRule.V2
+	}
 
 	persist.LoadPolicyLine(lineText, model)
 }
@@ -101,13 +113,13 @@ func (a *RestAdapter) SavePolicy(model model.Model) error {
 
 	var rules []authv1.Rule
 
-	for ptype, ast := range model["p"] {
+	for ptype, ast := range model[PRule] {
 		for _, line := range ast.Policy {
 			rules = append(rules, ConvertRule(ptype, line))
 		}
 	}
 
-	for ptype, ast := range model["g"] {
+	for ptype, ast := range model[GRule] {
 		for _, line := range ast.Policy {
 			rules = append(rules, ConvertRule(ptype, line))
 		}