feat(backend): 增加资源池相关权限管控 #7747

Author: iSecloud

dbm-ui/backend/db_dirty/views.py

@@ -37,8 +37,15 @@ class DBDirtyMachineViewSet(viewsets.SystemViewSet):
     pagination_class = AuditedLimitOffsetPagination
     filter_class = None
 
-    action_permission_map = {("query_operation_list",): []}
-    default_permission_class = [ResourceActionPermission([ActionEnum.DIRTY_POLL_MANAGE])]
+    action_permission_map = {
+        (
+            "list_machine_events",
+            "get_host_current_events",
+            "query_machine_pool",
+        ): [ResourceActionPermission([ActionEnum.RESOURCE_MANAGE])],
+        ("transfer_hosts_to_pool",): [ResourceActionPermission([ActionEnum.RESOURCE_POLL_MANAGE])],
+    }
+    default_permission_class = [ResourceActionPermission([ActionEnum.RESOURCE_POLL_MANAGE])]
 
     @common_swagger_auto_schema(
         operation_summary=_("将主机转移至待回收/故障池模块"),

dbm-ui/backend/db_services/dbresource/serializers.py

@@ -14,6 +14,7 @@
 from rest_framework import serializers
 
 from backend import env
+from backend.components.hcm.client import HCMApi
 from backend.configuration.constants import DBType
 from backend.constants import INT_MAX
 from backend.db_dirty.constants import MachineEventType
@@ -51,14 +52,24 @@ class ResourceHostSerializer(serializers.Serializer):
     return_resource = serializers.BooleanField(help_text=_("是否为退回资源"), required=False)
 
     def validate(self, attrs):
-        host_ids = [host["host_id"] for host in attrs["hosts"]]
+        host_id__ip_map = {host["host_id"]: host["ip"] for host in attrs["hosts"]}
+        host_ids = list(host_id__ip_map.keys())
 
         # 如果主机存在元数据，则拒绝导入
         exist_hosts = list(Machine.objects.filter(bk_host_id__in=host_ids).values_list("ip", flat=True))
         if exist_hosts:
             raise serializers.ValidationError(_("导入主机{}存在元数据，请检查后重新导入").format(exist_hosts))
 
-        # TODO：如果主机存在裁撤单 / uwork单，则不允许导入
+        # 存在uwork或者是待裁撤主机，则不允许导入
+        check_work = HCMApi.check_host_has_uwork(host_ids)
+        if check_work:
+            ips = [host_id__ip_map[host_id] for host_id in check_work.keys()]
+            raise serializers.ValidationError(_("导入主机{}存在uwork单据，请处理后重新导入").format(ips))
+
+        check_dissolved = HCMApi.check_host_is_dissolved(host_ids)
+        if check_dissolved:
+            ips = [host_id__ip_map[host_id] for host_id in check_dissolved]
+            raise serializers.ValidationError(_("导入主机包含裁撤主机:{}，无法进行导入").format(ips))
 
         return attrs
 

dbm-ui/backend/db_services/dbresource/views/resource.py

@@ -88,15 +88,19 @@ class DBResourceViewSet(viewsets.SystemViewSet):
             "resource_confirm",
             "resource_delete",
             "resource_update",
+            "append_labels",
         ): [ResourceActionPermission([ActionEnum.RESOURCE_POLL_MANAGE])],
         (
             "spec_resource_count",
+            "spec_cost_estimate",
             "get_mountpoints",
             "get_disktypes",
             "get_subzones",
             "get_device_class",
+            "list_dba_hosts",
+            "query_dba_hosts",
+            "resource_import_urls",
         ): [],
-        ("query_operation_list",): [ResourceActionPermission([ActionEnum.RESOURCE_OPERATION_VIEW])],
     }
     default_permission_class = [ResourceActionPermission([ActionEnum.RESOURCE_MANAGE])]
     filter_class = None

dbm-ui/backend/db_services/tag/views.py

@@ -21,6 +21,7 @@
 from backend.db_services.tag import serializers
 from backend.db_services.tag.filters import TagListFilter
 from backend.db_services.tag.handlers import TagHandler
+from backend.iam_app.handlers.drf_perm.tag import TagPermission
 
 SWAGGER_TAG = _("标签")
 
@@ -46,9 +47,8 @@ class TagViewSet(AuditedModelViewSet):
     filter_class = TagListFilter
     ordering_fields = ["create_at", "creator"]
 
-    action_permission_map = {("related_resources",): []}
-    # TODO：需要约定标签的权限
-    default_permission_class = []
+    action_permission_map = {("related_resources", "list", "verify_duplicated"): []}
+    default_permission_class = [TagPermission()]
 
     @common_swagger_auto_schema(
         operation_summary=_("查询标签关联资源"), request_body=serializers.QueryRelatedResourceSerializer(), tags=[SWAGGER_TAG]

dbm-ui/backend/iam_app/dataclass/actions.py

@@ -1058,7 +1058,7 @@ class ActionEnum:
 
     REDIS_ACCESS_ENTRY_VIEW = ActionMeta(
         id="redis_access_entry_view",
-        name=_("Redis 获取访问方式"),
+        name=_("Redis 集群访问"),
         name_en="redis_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1174,7 +1174,7 @@ class ActionEnum:
 
     ES_ACCESS_ENTRY_VIEW = ActionMeta(
         id="es_access_entry_view",
-        name=_("ES 获取访问方式"),
+        name=_("ES 集群访问"),
         name_en="es_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1229,7 +1229,7 @@ class ActionEnum:
 
     DORIS_ACCESS_ENTRY_VIEW = ActionMeta(
         id="doris_access_entry_view",
-        name=_("Doris 获取访问方式"),
+        name=_("Doris 集群访问"),
         name_en="doris_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1265,7 +1265,7 @@ class ActionEnum:
 
     KAFKA_ACCESS_ENTRY_VIEW = ActionMeta(
         id="kafka_access_entry_view",
-        name=_("Kafka 获取访问方式"),
+        name=_("Kafka 集群访问"),
         name_en="kafka_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1317,7 +1317,7 @@ class ActionEnum:
 
     HDFS_ACCESS_ENTRY_VIEW = ActionMeta(
         id="hdfs_access_entry_view",
-        name=_("HDFS 获取访问方式"),
+        name=_("HDFS 集群访问"),
         name_en="hdfs_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1361,7 +1361,7 @@ class ActionEnum:
 
     PULSAR_ACCESS_ENTRY_VIEW = ActionMeta(
         id="pulsar_access_entry_view",
-        name=_("Pulsar 获取访问方式"),
+        name=_("Pulsar 集群访问"),
         name_en="pulsar_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1406,7 +1406,7 @@ class ActionEnum:
 
     RIAK_ACCESS_ENTRY_VIEW = ActionMeta(
         id="riak_access_entry_view",
-        name=_("Riak 获取访问方式"),
+        name=_("Riak 集群访问"),
         name_en="riak_access_entry_view",
         type="view",
         related_actions=[DB_MANAGE.id],
@@ -1652,7 +1652,7 @@ class ActionEnum:
 
     RESOURCE_POLL_MANAGE = ActionMeta(
         id="resource_pool_manage",
-        name=_("资源池管理"),
+        name=_("资源管理"),
         name_en="resource_pool_manage",
         type="manage",
         related_actions=[RESOURCE_MANAGE.id],
@@ -1662,27 +1662,27 @@ class ActionEnum:
         hidden=True,
     )
 
-    RESOURCE_OPERATION_VIEW = ActionMeta(
-        id="resource_operation_view",
-        name=_("资源池操作记录查看"),
-        name_en="resource_operation_view",
-        type="view",
+    GLOBAL_RESOURCE_TAG_MANAGE = ActionMeta(
+        id="global_resource_tag_manage",
+        name=_("全局资源标签管理"),
+        name_en="global_resource_tag_manage",
+        type="manage",
         related_actions=[RESOURCE_MANAGE.id],
         related_resource_types=[],
         group=_("资源管理"),
-        subgroup=_("资源池"),
+        subgroup=_("标签"),
         hidden=True,
     )
 
-    DIRTY_POLL_MANAGE = ActionMeta(
-        id="dirty_pool_manage",
-        name=_("污点池管理"),
-        name_en="dirty_pool_manage",
+    RESOURCE_TAG_MANAGE = ActionMeta(
+        id="resource_tag_manage",
+        name=_("资源标签管理"),
+        name_en="resource_tag_manage",
         type="manage",
-        related_actions=[RESOURCE_MANAGE.id],
-        related_resource_types=[],
+        related_actions=[DB_MANAGE.id],
+        related_resource_types=[ResourceEnum.BUSINESS],
         group=_("资源管理"),
-        subgroup=_("污点池"),
+        subgroup=_("标签"),
         hidden=True,
     )
 

dbm-ui/backend/iam_app/handlers/drf_perm/tag.py

@@ -0,0 +1,37 @@
+# -*- coding: utf-8 -*-
+"""
+TencentBlueKing is pleased to support the open source community by making 蓝鲸智云-DB管理系统(BlueKing-BK-DBM) available.
+Copyright (C) 2017-2023 THL A29 Limited, a Tencent company. All rights reserved.
+Licensed under the MIT License (the "License"); you may not use this file except in compliance with the License.
+You may obtain a copy of the License at https://opensource.org/licenses/MIT
+Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.
+"""
+import logging
+
+from backend.iam_app.dataclass.actions import ActionEnum
+from backend.iam_app.dataclass.resources import ResourceEnum
+from backend.iam_app.handlers.drf_perm.base import ResourceActionPermission, get_request_key_id
+
+logger = logging.getLogger("root")
+
+
+class TagPermission(ResourceActionPermission):
+    """
+    标签管理相关权限
+    """
+
+    def __init__(self, actions=None, resource_meta=None, instance_ids_getter=None):
+        super().__init__(actions=actions, resource_meta=resource_meta, instance_ids_getter=self.instance_ids_getter)
+
+    def instance_ids_getter(self, request, view):
+        # Todo 后续要考虑集群标签权限
+        bk_biz_id = get_request_key_id(request, "bk_biz_id")
+        if bk_biz_id:
+            self.actions = [ActionEnum.RESOURCE_TAG_MANAGE]
+            self.resource_meta = ResourceEnum.BUSINESS
+            return [bk_biz_id]
+        else:
+            self.actions = [ActionEnum.GLOBAL_RESOURCE_TAG_MANAGE]
+            return []