Merge pull request #8298 from swordqiu/automated-cherry-pick-of-#8297…

…-upstream-release-3.4 Automated cherry pick of #8297: fix: filter role assignments by project domains id or name
yunionio · Oct 15, 2020 · f5a45fc · f5a45fc
2 parents a583bbc + 8042b94
commit f5a45fc
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 11 deletions.
diff --git a/cmd/climc/shell/identity/role_assignments.go b/cmd/climc/shell/identity/role_assignments.go
@@ -37,11 +37,13 @@ func init() {
 		RoleDomain    string   `help:"Domain for role"`
 		Limit         int64    `help:"maximal returned number of rows"`
 		Offset        int64    `help:"offset index of returned results"`
-		Users         []string `help:"fitler by users id or name"`
-		Groups        []string `help:"fitler by users id or name"`
-		Roles         []string `help:"fitler by users id or name"`
-		Projects      []string `help:"fitler by users id or name"`
-		Domains       []string `help:"fitler by users id or name"`
+		Users         []string `help:"fitler by user id or name"`
+		Groups        []string `help:"fitler by group id or name"`
+		Roles         []string `help:"fitler by role id or name"`
+		Projects      []string `help:"fitler by project id or name"`
+		Domains       []string `help:"fitler by domain id or name"`
+
+		ProjectDomains []string `help:"filter by project's domain id or name"`
 	}
 	R(&RoleAssignmentsOptions{}, "role-assignments", "List all role assignments", func(s *mcclient.ClientSession, args *RoleAssignmentsOptions) error {
 		query := jsonutils.NewDict()
@@ -105,6 +107,9 @@ func init() {
 		if len(args.Domains) > 0 {
 			query.Add(jsonutils.NewStringArray(args.Domains), "domains")
 		}
+		if len(args.ProjectDomains) > 0 {
+			query.Add(jsonutils.NewStringArray(args.ProjectDomains), "project_domains")
+		}
 		if args.Limit > 0 {
 			query.Add(jsonutils.NewInt(args.Limit), "limit")
 		}

diff --git a/pkg/apis/identity/assignments.go b/pkg/apis/identity/assignments.go
@@ -87,6 +87,8 @@ type RoleAssignmentsInput struct {
 	Projects []string `json:"projects"`
 	Domains  []string `json:"domains"`
 
+	ProjectDomains []string `json:"project_domains"`
+
 	IncludeNames    *bool `json:"include_names"`
 	Effective       *bool `json:"effective"`
 	IncludeSubtree  *bool `json:"include_subtree"`

diff --git a/pkg/keystone/models/assignments.go b/pkg/keystone/models/assignments.go
@@ -463,6 +463,7 @@ func roleAssignmentHandler(ctx context.Context, w http.ResponseWriter, r *http.R
 		input.Roles,
 		input.Domains,
 		input.Projects,
+		input.ProjectDomains,
 		includeNames, effective, includeSub, includeSystem, includePolicies,
 		limit, offset)
 
@@ -481,7 +482,7 @@ func roleAssignmentHandler(ctx context.Context, w http.ResponseWriter, r *http.R
 
 func (manager *SAssignmentManager) queryAll(
 	userId, groupId, roleId, domainId, projectId string,
-	users, groups, roles, domains, projects []string,
+	users, groups, roles, domains, projects, projectDomains []string,
 ) *sqlchemy.SQuery {
 	assigments := manager.Query().SubQuery()
 	q := assigments.Query(
@@ -562,6 +563,17 @@ func (manager *SAssignmentManager) queryAll(
 		))
 		q = q.In("project_id", subq.SubQuery()).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
 	}
+	if len(projectDomains) > 0 {
+		subq := ProjectManager.Query("id")
+		domainQ := DomainManager.Query("id", "name").SubQuery()
+		subq = subq.Join(domainQ, sqlchemy.Equals(subq.Field("domain_id"), domainQ.Field("id")))
+		subq = subq.Filter(sqlchemy.OR(
+			sqlchemy.In(domainQ.Field("id"), projectDomains),
+			sqlchemy.ContainsAny(domainQ.Field("name"), projectDomains),
+		))
+		q = q.In("project_id", subq.SubQuery()).In("type", []string{api.AssignmentUserProject, api.AssignmentGroupProject})
+	}
+
 	if len(domainId) > 0 {
 		q = q.Equals("domain_id", domainId).In("type", []string{api.AssignmentUserDomain, api.AssignmentGroupDomain})
 	}
@@ -626,16 +638,16 @@ func (assign *sAssignmentInternal) getRoleAssignment(domains, projects, groups,
 
 func (manager *SAssignmentManager) FetchAll(
 	userId, groupId, roleId, domainId, projectId string,
-	userStrs, groupStrs, roleStrs, domainStrs, projectStrs []string,
+	userStrs, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs []string,
 	includeNames, effective, includeSub, includeSystem, includePolicies bool,
 	limit, offset int) ([]api.SRoleAssignment, int64, error) {
 	var q *sqlchemy.SQuery
 	if effective {
-		usrq := manager.queryAll(userId, "", roleId, domainId, projectId, userStrs, nil, roleStrs, domainStrs, projectStrs).In("type", []string{api.AssignmentUserProject, api.AssignmentUserDomain})
+		usrq := manager.queryAll(userId, "", roleId, domainId, projectId, userStrs, nil, roleStrs, domainStrs, projectStrs, projectDomainStrs).In("type", []string{api.AssignmentUserProject, api.AssignmentUserDomain})
 
 		memberships := UsergroupManager.Query("user_id", "group_id").SubQuery()
 
-		grpproj := manager.queryAll("", groupId, roleId, domainId, projectId, nil, groupStrs, roleStrs, domainStrs, projectStrs).In("type", []string{api.AssignmentGroupProject, api.AssignmentGroupDomain}).SubQuery()
+		grpproj := manager.queryAll("", groupId, roleId, domainId, projectId, nil, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs).In("type", []string{api.AssignmentGroupProject, api.AssignmentGroupDomain}).SubQuery()
 		q2 := grpproj.Query(
 			grpproj.Field("type"),
 			memberships.Field("user_id"),
@@ -659,7 +671,7 @@ func (manager *SAssignmentManager) FetchAll(
 
 		q = sqlchemy.Union(usrq, q2).Query().Distinct()
 	} else {
-		q = manager.queryAll(userId, groupId, roleId, domainId, projectId, userStrs, groupStrs, roleStrs, domainStrs, projectStrs).Distinct()
+		q = manager.queryAll(userId, groupId, roleId, domainId, projectId, userStrs, groupStrs, roleStrs, domainStrs, projectStrs, projectDomainStrs).Distinct()
 	}
 
 	if !includeSystem {

diff --git a/pkg/keystone/tokens/token.go b/pkg/keystone/tokens/token.go
@@ -292,7 +292,7 @@ func (t *SAuthToken) getTokenV3(
 			token.Token.Projects[i].Domain.Name = extProjs[i].DomainName
 		}*/
 		assigns, _, err := models.AssignmentManager.FetchAll(user.Id, "", "", "", "",
-			nil, nil, nil, nil, nil,
+			nil, nil, nil, nil, nil, nil,
 			true, true, true, true, true, 0, 0)
 		if err != nil {
 			return nil, errors.Wrap(err, "models.AssignmentManager.FetchAll")

diff --git a/pkg/mcclient/modules/mod_roleassignments.go b/pkg/mcclient/modules/mod_roleassignments.go
@@ -141,6 +141,10 @@ func (this *RoleAssignmentManagerV3) GetProjectUsers(s *mcclient.ClientSession,
 		query.Add(jsonutils.JSONNull, "effective")
 	}
 
+	if jsonutils.QueryBoolean(params, "system", false) {
+		query.Add(jsonutils.JSONNull, "include_system")
+	}
+
 	resource, e := params.GetString("resource")
 	if e != nil {
 		return jsonutils.JSONNull, e
@@ -224,6 +228,10 @@ func (this *RoleAssignmentManagerV3) GetProjectRole(s *mcclient.ClientSession, i
 		query.Add(jsonutils.JSONNull, "effective")
 	}
 
+	if jsonutils.QueryBoolean(params, "system", false) {
+		query.Add(jsonutils.JSONNull, "include_system")
+	}
+
 	resource, err := params.GetString("resource")
 	if err != nil {
 		return jsonutils.JSONNull, err