fix: add predefined log policy

yunionio · Apr 23, 2024 · 42300a5 · 42300a5
1 parent 15bd94a
commit 42300a5
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 7 deletions.
diff --git a/pkg/keystone/locale/genpolicy.go b/pkg/keystone/locale/genpolicy.go
@@ -19,6 +19,7 @@ import (
 
 	"yunion.io/x/jsonutils"
 	"yunion.io/x/pkg/util/rbacscope"
+	"yunion.io/x/pkg/utils"
 )
 
 var (
@@ -180,6 +181,8 @@ type SPolicyData struct {
 
 	Description   string
 	DescriptionCN string
+
+	AvailableRoles []string
 }
 
 func generatePolicies(scope rbacscope.TRbacScope, def sPolicyDefinition) []SPolicyData {
@@ -205,25 +208,30 @@ func generatePolicies(scope rbacscope.TRbacScope, def sPolicyDefinition) []SPoli
 
 	var roleConfs []sRoleConf
 	if len(def.Services) > 0 {
-		roleConfs = []sRoleConf{
-			{
+		var roleConfs []sRoleConf
+		if len(def.AvailableRoles) == 0 || utils.IsInStringArray("admin", def.AvailableRoles) {
+			roleConfs = append(roleConfs, sRoleConf{
 				name:       "admin",
 				policyFunc: getAdminPolicy,
 				fullNameCN: "管理",
 				fullName:   "full",
-			},
-			{
+			})
+		}
+		if len(def.AvailableRoles) == 0 || utils.IsInStringArray("editor", def.AvailableRoles) {
+			roleConfs = append(roleConfs, sRoleConf{
 				name:       "editor",
 				policyFunc: getEditorPolicy,
 				fullNameCN: "编辑/操作",
 				fullName:   "editor/operator",
-			},
-			{
+			})
+		}
+		if len(def.AvailableRoles) == 0 || utils.IsInStringArray("viewer", def.AvailableRoles) {
+			roleConfs = append(roleConfs, sRoleConf{
 				name:       "viewer",
 				policyFunc: getViewerPolicy,
 				fullNameCN: "只读",
 				fullName:   "read-only",
-			},
+			})
 		}
 	} else {
 		roleConfs = []sRoleConf{

diff --git a/pkg/keystone/locale/predefined_policies.go b/pkg/keystone/locale/predefined_policies.go
@@ -41,6 +41,8 @@ type sPolicyDefinition struct {
 	Scope    rbacscope.TRbacScope
 	Services map[string][]string
 	Extra    map[string]map[string][]string
+
+	AvailableRoles []string
 }
 
 type SRoleDefiniton struct {
@@ -520,6 +522,18 @@ var (
 				"notify": nil,
 			},
 		},
+		{
+			Name:   "log",
+			DescCN: "日志服务相关资源",
+			Desc:   "resources of logger service",
+			Scope:  rbacscope.ScopeSystem,
+			Services: map[string][]string{
+				"log": nil,
+			},
+			AvailableRoles: []string{
+				"viewer",
+			},
+		},
 	}
 
 	adminPerformActions = map[string]map[string][]string{

diff --git a/pkg/keystone/locale/predefined_yaml.go b/pkg/keystone/locale/predefined_yaml.go
@@ -82,6 +82,8 @@ policy:
   log:
     actions:
       list:
+        list: allow
+        get: allow
         '*': deny
         splitable: deny
 `