diff --git a/pkg/apis/cloudid/cloudid.go b/pkg/apis/cloudid/cloudid.go
new file mode 100644
index 00000000000..262b635bbf6
--- /dev/null
+++ b/pkg/apis/cloudid/cloudid.go
@@ -0,0 +1,22 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cloudid
+
+import "yunion.io/x/onecloud/pkg/apis"
+
+const (
+ SERVICE_TYPE = apis.SERVICE_TYPE_CLOUDID
+ SERVICE_VERSION = ""
+)
diff --git a/pkg/cloudid/models/cloudgroup.go b/pkg/cloudid/models/cloudgroup.go
index 52758f844c0..94ee426c4de 100644
--- a/pkg/cloudid/models/cloudgroup.go
+++ b/pkg/cloudid/models/cloudgroup.go
@@ -61,7 +61,7 @@ type SCloudgroup struct {
 }
 func (manager *SCloudgroupManager) AllowListItems(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject) bool {
- return db.IsDomainAllowList(userCred, manager)
+ return true
 }
 // 权限组列表
diff --git a/pkg/cloudid/models/clouduser.go b/pkg/cloudid/models/clouduser.go
index cb2e844ccee..2dca89f3529 100644
--- a/pkg/cloudid/models/clouduser.go
+++ b/pkg/cloudid/models/clouduser.go
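Review bot: SERVICE_VERSION is set to the empty string with nothing saying why, and neither exported constant in this new file carries a doc comment, although both are what the new policy package keys its registrations on. A reader cannot tell whether the empty version is a placeholder or means the service is registered unversioned; I assume the latter but could not confirm it from this diff. Suggested comments: `// SERVICE_TYPE is the service name under which cloudid registers its RBAC resources and default policies.` and `// SERVICE_VERSION is intentionally empty: the service is registered without a version suffix (TODO(review): confirm).`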
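Review bot: AllowListItems now returns true unconditionally, so the handler itself no longer rejects cloudgroup listing by domain; whether a caller may list now rests entirely on the domain-scoped cloudgroups/list rule added in pkg/cloudid/policy/defaults.go being evaluated before this hook is reached, and on the list filter (outside this hunk) restricting rows by scope. If the policy layer is not consulted for this manager, every authenticated user can list all groups. The bare `return true` reads like an oversight without that context, so record the dependency on the line: `// Listing is authorized by the cloudid RBAC default policy (pkg/cloudid/policy); this hook only opts in.`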
@@ -1193,6 +1193,13 @@ func (self *SClouduser) AllowPerformChangeOwner(ctx context.Context, userCred mc
 // 变更子账号所属本地用户
 func (self *SClouduser) PerformChangeOwner(ctx context.Context, userCred mcclient.TokenCredential, query jsonutils.JSONObject, input api.ClouduserChangeOwnerInput) (jsonutils.JSONObject, error) {
+ if len(self.OwnerId) > 0 {
+ user, err := db.UserCacheManager.FetchUserById(ctx, self.OwnerId)
+ if err != nil || user.DomainId != self.DomainId && !userCred.HasSystemAdminPrivilege() {
+ return nil, httperrors.NewForbiddenError("Not allow to change owner")
+ }
+ }
+
 user, err := db.UserCacheManager.FetchUserById(ctx, input.UserId)
 if err != nil {
 return nil, httperrors.NewGeneralError(errors.Wrapf(err, "Not found user %s", input.UserId))
diff --git a/pkg/cloudid/policy/defaults.go b/pkg/cloudid/policy/defaults.go
new file mode 100644
index 00000000000..7cd9f68e384
--- /dev/null
+++ b/pkg/cloudid/policy/defaults.go
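Review bot: The new owner check answers a failed FetchUserById with the same 403 as a cross-domain denial, so the lookup error is dropped and a clouduser whose OwnerId no longer resolves (deleted or unreachable identity) can never be re-owned, not even by a system admin, because the error branch fires before the HasSystemAdminPrivilege exemption is considered. The lookup exists only to feed the domain comparison, from which admins are already exempt, so an admin need not be blocked by it, while non-admins still fail closed but get the real reason; splitting the two outcomes also removes the mixed `||`/`&&` condition that relies on operator precedence. PerformChangeOwner continues past the hunk, and whether the new owner from input.UserId is compared against self.DomainId is not visible here.
```go
	if len(self.OwnerId) > 0 {
		owner, err := db.UserCacheManager.FetchUserById(ctx, self.OwnerId)
		if err != nil && !userCred.HasSystemAdminPrivilege() {
			// A lookup failure is reported as an error, not disguised as a policy denial.
			return nil, httperrors.NewGeneralError(errors.Wrapf(err, "Not found owner %s", self.OwnerId))
		}
		if err == nil && owner.DomainId != self.DomainId && !userCred.HasSystemAdminPrivilege() {
			return nil, httperrors.NewForbiddenError("Not allow to change owner")
		}
	}
	// … unchanged: lookup of input.UserId …
```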
@@ -0,0 +1,93 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+ api "yunion.io/x/onecloud/pkg/apis/cloudid"
+ common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
+ "yunion.io/x/onecloud/pkg/util/rbacutils"
+)
+
+const (
+ PolicyActionPerform = common_policy.PolicyActionPerform
+ PolicyActionList = common_policy.PolicyActionList
+ PolicyActionGet = common_policy.PolicyActionGet
+ PolicyActionCreate = common_policy.PolicyActionCreate
+ PolicyActionUpdate = common_policy.PolicyActionUpdate
+ PolicyActionDelete = common_policy.PolicyActionDelete
+)
+
+var (
+ predefinedDefaultPolicies = []rbacutils.SRbacPolicy{
+ {
+ Auth: true,
+ Scope: rbacutils.ScopeSystem,
+ Rules: []rbacutils.SRbacRule{
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudpolicies",
+ Action: PolicyActionList,
+ Result: rbacutils.Allow,
+ },
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudpolicies",
+ Action: PolicyActionGet,
+ Result: rbacutils.Allow,
+ },
+ },
+ },
+ {
+ Auth: true,
+ Scope: rbacutils.ScopeDomain,
+ Rules: []rbacutils.SRbacRule{
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudgroups",
+ Action: PolicyActionList,
+ Result: rbacutils.Allow,
+ },
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudgroups",
+ Action: PolicyActionGet,
+ Result: rbacutils.Allow,
+ },
+ },
+ },
+ {
+ Auth: true,
+ Scope: rbacutils.ScopeUser,
+ Rules: []rbacutils.SRbacRule{
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudusers",
+ Action: PolicyActionList,
+ Result: rbacutils.Allow,
+ },
+ {
+ Service: api.SERVICE_TYPE,
+ Resource: "cloudusers",
+ Action: PolicyActionGet,
+ Result: rbacutils.Allow,
+ },
+ },
+ },
+ }
+)
+
+func init() {
+ common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+}
diff --git a/pkg/cloudid/policy/doc.go b/pkg/cloudid/policy/doc.go
new file mode 100644
index 00000000000..9485bad10d9
--- /dev/null
+++ b/pkg/cloudid/policy/doc.go
@@ -0,0 +1 @@
+package policy // import "yunion.io/x/onecloud/pkg/cloudid/policy"
diff --git a/pkg/cloudid/policy/resources.go b/pkg/cloudid/policy/resources.go
new file mode 100644
index 00000000000..1b4478fb5c9
--- /dev/null
+++ b/pkg/cloudid/policy/resources.go
@@ -0,0 +1,38 @@
+// Copyright 2019 Yunion
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package policy
+
+import (
+ api "yunion.io/x/onecloud/pkg/apis/cloudid"
+ common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
+)
+
+var (
+ cloudidSystemResources = []string{
+ "cloudpolicies",
+ }
+ cloudidDomainResources = []string{
+ "cloudgroups",
+ }
+ cloudidUserResources = []string{
+ "cloudusers",
+ }
+)
+
+func init() {
+ common_policy.RegisterSystemResources(api.SERVICE_TYPE, cloudidSystemResources)
+ common_policy.RegisterDomainResources(api.SERVICE_TYPE, cloudidDomainResources)
+ common_policy.RegisterUserResources(api.SERVICE_TYPE, cloudidUserResources)
+}
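Review bot: PolicyActionPerform, PolicyActionCreate, PolicyActionUpdate and PolicyActionDelete are re-exported in the const block but no rule in predefinedDefaultPolicies uses them, so the file declares four names it never needs; either drop them or say on the block that they are kept for other files in this package. The policy set deliberately grants only List and Get at each scope, which is the right default for a new service, but nothing says so, and predefinedDefaultPolicies has no doc comment at all. Suggested: `// predefinedDefaultPolicies grants read-only (list/get) access to cloudid resources at their registered scope; create, update, delete and perform are intentionally not granted by default and require an explicit policy.`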
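Review bot: The resource names registered here ("cloudpolicies", "cloudgroups", "cloudusers") are repeated as independent string literals in defaults.go of the same commit, each with a matching scope, and nothing ties the two lists together. A resource added to one file but not the other would be registered with no default rule, or granted a rule for an unregistered resource, and neither case fails loudly. Defining the names once, for example as constants beside SERVICE_TYPE in pkg/apis/cloudid, or deriving the defaults.go rules from these three slices, removes the drift; until then a comment on the var block should name the counterpart: `// The scope of each resource must agree with the rules in defaults.go.`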
diff --git a/pkg/cloudid/service/service.go b/pkg/cloudid/service/service.go
index 4542d8d1253..83511ae4816 100644
--- a/pkg/cloudid/service/service.go
+++ b/pkg/cloudid/service/service.go
@@ -27,6 +27,7 @@ import (
 common_options "yunion.io/x/onecloud/pkg/cloudcommon/options"
 "yunion.io/x/onecloud/pkg/cloudid/models"
 "yunion.io/x/onecloud/pkg/cloudid/options"
+ _ "yunion.io/x/onecloud/pkg/cloudid/policy"
 _ "yunion.io/x/onecloud/pkg/cloudid/tasks"
 _ "yunion.io/x/onecloud/pkg/multicloud/loader"
 )
diff --git a/pkg/cloudid/tasks/clouduser_reset_password_task.go b/pkg/cloudid/tasks/clouduser_reset_password_task.go
index f8f1b054268..8d039588843 100644
--- a/pkg/cloudid/tasks/clouduser_reset_password_task.go
+++ b/pkg/cloudid/tasks/clouduser_reset_password_task.go
@@ -75,6 +75,7 @@ func (self *ClouduserResetPasswordTask) OnInit(ctx context.Context, obj db.IStan
 }
 clouduser.SavePassword(password)
+ clouduser.SetStatus(self.GetUserCred(), api.CLOUD_USER_STATUS_AVAILABLE, "")
 logclient.AddActionLogWithStartable(self, clouduser, logclient.ACT_RESET_PASSWORD, "", self.UserCred, true)
 self.SetStageComplete(ctx, nil)
 }
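Review bot: The blank import of pkg/cloudid/policy is the only thing that runs the init() functions registering the cloudid resource scopes and default policies, and that is what the AllowListItems change in cloudgroup.go now depends on, yet the import line gives no hint of it. Removing the line during an import cleanup would silently drop the policy registration. A trailing comment makes the dependency visible: `_ "yunion.io/x/onecloud/pkg/cloudid/policy" // registers cloudid RBAC resources and default policies`.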
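Review bot: The result of clouduser.SetStatus on the added line is discarded; if SetStatus reports a failure (the status setters in this project's db package return an error, as far as I can tell, so worth confirming), the task still logs the reset as successful and completes the stage while the clouduser keeps its previous status. Check the result and record it with the same action log the next line already uses: `if err := clouduser.SetStatus(self.GetUserCred(), api.CLOUD_USER_STATUS_AVAILABLE, ""); err != nil { logclient.AddActionLogWithStartable(self, clouduser, logclient.ACT_RESET_PASSWORD, err, self.UserCred, false) }`, and decide whether the stage should still complete in that case. OnInit starts outside the hunk, so whether an earlier step already set a transitional status is not visible here.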