feat(auth): optimize the performance of localidentity list interface (#…

…728)
tkestack · Dec 1, 2020 · fac27db · fac27db
1 parent 48d6a0f
commit fac27db
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 20 deletions.
diff --git a/pkg/auth/registry/localidentity/storage/storage.go b/pkg/auth/registry/localidentity/storage/storage.go
@@ -312,7 +312,10 @@ func (r *REST) Get(ctx context.Context, name string, options *metav1.GetOptions)
 		return obj, err
 	}
 	localIdentity := obj.(*auth.LocalIdentity)
-	util.SetAdministrator(ctx, r.enforcer, r.authClient, localIdentity)
+	idp, err := r.authClient.IdentityProviders().Get(ctx, localIdentity.Spec.TenantID, metav1.GetOptions{})
+	if err == nil {
+		util.SetAdministrator(r.enforcer, localIdentity, idp)
+	}
 	return localIdentity, nil
 }
 

diff --git a/pkg/auth/util/user.go b/pkg/auth/util/user.go
@@ -24,17 +24,17 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/casbin/casbin/v2"
-	"k8s.io/apimachinery/pkg/util/errors"
+	"tkestack.io/tke/api/auth"
+	authv1 "tkestack.io/tke/api/auth/v1"
+	authinternalclient "tkestack.io/tke/api/client/clientset/internalversion/typed/auth/internalversion"
 	"tkestack.io/tke/pkg/util"
 	"tkestack.io/tke/pkg/util/log"
 
+	"github.com/casbin/casbin/v2"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/fields"
-	"tkestack.io/tke/api/auth"
-	authv1 "tkestack.io/tke/api/auth/v1"
-	authinternalclient "tkestack.io/tke/api/client/clientset/internalversion/typed/auth/internalversion"
+	"k8s.io/apimachinery/pkg/util/errors"
 )
 
 const (
@@ -216,7 +216,7 @@ func HandleUserPoliciesUpdate(ctx context.Context, authClient authinternalclient
 	return errors.NewAggregate([]error{berr, uerr})
 }
 
-func SetAdministrator(ctx context.Context, enforcer *casbin.SyncedEnforcer, authClient authinternalclient.AuthInterface, localIdentity *auth.LocalIdentity) {
+func SetAdministrator(enforcer *casbin.SyncedEnforcer, localIdentity *auth.LocalIdentity, idp *auth.IdentityProvider) {
 	if localIdentity.Spec.Extra == nil {
 		localIdentity.Spec.Extra = make(map[string]string)
 	}
@@ -235,16 +235,12 @@ func SetAdministrator(ctx context.Context, enforcer *casbin.SyncedEnforcer, auth
 		}
 	}
 
-	idp, err := authClient.IdentityProviders().Get(ctx, localIdentity.Spec.TenantID, v1.GetOptions{})
-	if err != nil {
-		log.Error("get idp for tenant failed", log.String("tenantID", localIdentity.Spec.TenantID))
-		return
-	}
-
-	for _, name := range idp.Spec.Administrators {
-		if name == localIdentity.Spec.Username {
-			localIdentity.Spec.Extra[administratorKey] = "true"
-			return
+	if idp != nil {
+		for _, name := range idp.Spec.Administrators {
+			if name == localIdentity.Spec.Username {
+				localIdentity.Spec.Extra[administratorKey] = "true"
+				return
+			}
 		}
 	}
 }
@@ -256,17 +252,32 @@ func IsPlatformAdministrator(user authv1.User) bool {
 	return false
 }
 
-func FillUserPolicies(ctx context.Context, authClient authinternalclient.AuthInterface, enforcer *casbin.SyncedEnforcer, localidentityList *auth.LocalIdentityList) {
+func FillUserPolicies(ctx context.Context, authClient authinternalclient.AuthInterface, enforcer *casbin.SyncedEnforcer,
+	localidentityList *auth.LocalIdentityList) {
 	if enforcer == nil || enforcer.GetRoleManager() == nil || enforcer.GetAdapter() == nil {
 		return
 	}
 
+	idpList, err := authClient.IdentityProviders().List(ctx, v1.ListOptions{})
+	if err != nil || idpList == nil {
+		return
+	}
+
+	idpMap := make(map[string]*auth.IdentityProvider)
+	for i := 0; i < len(idpList.Items); i++ {
+		idpMap[idpList.Items[i].GetName()] = &idpList.Items[i]
+	}
+
 	policyDisplayNameMap := make(map[string]string)
 	for i, item := range localidentityList.Items {
-		SetAdministrator(ctx, enforcer, authClient, &localidentityList.Items[i])
+		if idp, ok := idpMap[localidentityList.Items[i].Spec.TenantID]; ok {
+			SetAdministrator(enforcer, &localidentityList.Items[i], idp)
+		} else {
+			SetAdministrator(enforcer, &localidentityList.Items[i], nil)
+		}
 
 		// Use direct roles to fill policies
-		roles := enforcer.GetRolesForUserInDomain(UserKey(item.Spec.TenantID, item.Spec.Username), DefaultDomain)
+		roles, _ := enforcer.GetRoleManager().GetRoles(UserKey(item.Spec.TenantID, item.Spec.Username), DefaultDomain)
 		var policies []string
 		for _, r := range roles {
 			if strings.HasPrefix(r, "pol-") {