feature: bcs-client supports apply permission commond . issue Tencent…

…BlueKing#434

Makefile

@@ -270,4 +270,4 @@ bcs-networkpolicy:pre
 user-manager:pre
 	mkdir -p ${PACKAGEPATH}/bcs-services
 	cp -R ./install/conf/bcs-services/bcs-user-manager ${PACKAGEPATH}/bcs-services
-	CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build ${LDFLAG} -o ${PACKAGEPATH}/bcs-services/bcs-user-manager/bcs-user-manager ./bcs-services/bcs-user-manager/main.go
+	go build ${LDFLAG} -o ${PACKAGEPATH}/bcs-services/bcs-user-manager/bcs-user-manager ./bcs-services/bcs-user-manager/main.go

bcs-common/common/types/meta.go

@@ -37,6 +37,7 @@ const (
 	BcsDataType_WebConsole       BcsDataType = "webconsole"
 	BcsDataType_Admissionwebhook BcsDataType = "admissionwebhook"
 	BcsDataType_CRD              BcsDataType = "customresourcedefinition"
+	BcsDataType_PERMISSION       BcsDataType = "permission"
 )
 
 //TypeMeta for bcs data type

bcs-common/common/types/permission.go

@@ -0,0 +1,32 @@
+/*
+ * Tencent is pleased to support the open source community by making Blueking Container Service available.
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved.
+ * Licensed under the MIT License (the "License"); you may not use this file except
+ * in compliance with the License. You may obtain a copy of the License at
+ * http://opensource.org/licenses/MIT
+ * Unless required by applicable law or agreed to in writing, software distributed under
+ * the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND,
+ * either express or implied. See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package types
+
+type BcsPermission struct {
+	TypeMeta   `json:",inline"`
+	ObjectMeta `json:"metadata"`
+
+	Spec BcsPermissionSpec `json:"spec"`
+}
+
+type BcsPermissionSpec struct {
+	Permissions []Permission `json:"permissions"`
+}
+
+type Permission struct {
+	UserName     string `json:"user_name"`
+	ResourceType string `json:"resource_type"`
+	Resource     string `json:"resource"`
+	Role         string `json:"role"`
+}

bcs-services/bcs-client/cmd/batch/apply.go

@@ -17,6 +17,7 @@ import (
 	"bytes"
 	"fmt"
 	"io/ioutil"
+	"net/http"
 	"net/url"
 	"os"
 	"strings"
@@ -26,6 +27,7 @@ import (
 	"bk-bcs/bcs-services/bcs-client/pkg/metastream"
 	"bk-bcs/bcs-services/bcs-client/pkg/scheduler/v4"
 	"bk-bcs/bcs-services/bcs-client/pkg/storage/v1"
+	userV1 "bk-bcs/bcs-services/bcs-client/pkg/usermanager/v1"
 
 	"github.com/urfave/cli"
 )
@@ -103,6 +105,7 @@ func apply(cxt *utils.ClientContext) error {
 	//step: initialize storage client & scheduler client
 	storage := v1.NewBcsStorage(utils.GetClientOption())
 	scheduler := v4.NewBcsScheduler(utils.GetClientOption())
+	userManager := userV1.NewBcsUserManager(utils.GetClientOption())
 
 	//step: create/update all resource according json list
 	for metaList.HasNext() {
@@ -160,6 +163,11 @@ func apply(cxt *utils.ClientContext) error {
 			update = func(cluster, ns string, data []byte, urlv url.Values) error {
 				return scheduler.UpdateCustomResourceDefinition(cluster, info.name, data)
 			}
+		case mesostype.BcsDataType_PERMISSION:
+			inspectStatus = fmt.Errorf("resource does not exist")
+			create = func(cluster string, ns string, data []byte) error {
+				return userManager.GrantOrRevokePermission(http.MethodPost, data)
+			}
 		default:
 			//unkown type, try custom resource
 			crdapiVersion, plural, crdErr := utils.GetCustomResourceTypeByKind(scheduler, cxt.ClusterID(), info.kind)

bcs-services/bcs-client/cmd/get/get.go

@@ -205,7 +205,7 @@ func getPermission(c *utils.ClientContext) error {
 	if err != nil {
 		return err
 	}
-	permissions, err := userManager.ActPermission(http.MethodGet, data)
+	permissions, err := userManager.GetPermission(http.MethodGet, data)
 	if err != nil {
 		return fmt.Errorf("failed to grant permission: %v", err)
 	}

bcs-services/bcs-client/cmd/grant/permission.go

@@ -40,7 +40,7 @@ func grantPermission(c *utils.ClientContext) error {
 	}
 
 	userManager := v1.NewBcsUserManager(utils.GetClientOption())
-	_, err = userManager.ActPermission(http.MethodPost, data)
+	err = userManager.GrantOrRevokePermission(http.MethodPost, data)
 	if err != nil {
 		return fmt.Errorf("failed to grant permission: %v", err)
 	}

bcs-services/bcs-client/cmd/revoke/permission.go

@@ -40,9 +40,9 @@ func revokePermission(c *utils.ClientContext) error {
 	}
 
 	userManager := v1.NewBcsUserManager(utils.GetClientOption())
-	_, err = userManager.ActPermission(http.MethodDelete, data)
+	err = userManager.GrantOrRevokePermission(http.MethodDelete, data)
 	if err != nil {
-		return fmt.Errorf("failed to grant permission: %v", err)
+		return fmt.Errorf("failed to revoke permission: %v", err)
 	}
 
 	fmt.Printf("success to revoke permission\n")

bcs-services/bcs-client/pkg/usermanager/v1/user.go

@@ -27,7 +27,8 @@ import (
 type UserManager interface {
 	CreateOrGetUser(userType string, userName string, method string) (*models.BcsUser, error)
 	RefreshUsertoken(userType string, userName string) (*models.BcsUser, error)
-	ActPermission(method string, data []byte) ([]v1http.PermissionsResp, error)
+	GrantOrRevokePermission(method string, data []byte) error
+	GetPermission(method string, data []byte) ([]v1http.PermissionsResp, error)
 	AddVpcCidrs(data []byte) error
 }
 
@@ -95,7 +96,30 @@ func (b *bcsUserManager) RefreshUsertoken(userType string, userName string) (*mo
 	return &result, err
 }
 
-func (b *bcsUserManager) ActPermission(method string, data []byte) ([]v1http.PermissionsResp, error) {
+func (b *bcsUserManager) GrantOrRevokePermission(method string, data []byte) error {
+	resp, err := b.requester.Do(
+		fmt.Sprintf(BcsUserManagerPermissionURI, b.bcsAPIAddress),
+		method,
+		data,
+	)
+
+	if err != nil {
+		return err
+	}
+
+	code, msg, data, err := parseResponse(resp)
+	if err != nil {
+		return err
+	}
+
+	if code != 0 {
+		return fmt.Errorf("failed to act permission: %s", msg)
+	}
+
+	return nil
+}
+
+func (b *bcsUserManager) GetPermission(method string, data []byte) ([]v1http.PermissionsResp, error) {
 	resp, err := b.requester.Do(
 		fmt.Sprintf(BcsUserManagerPermissionURI, b.bcsAPIAddress),
 		method,
@@ -112,7 +136,7 @@ func (b *bcsUserManager) ActPermission(method string, data []byte) ([]v1http.Per
 	}
 
 	if code != 0 {
-		return nil, fmt.Errorf("failed to act permission: %s", msg)
+		return nil, fmt.Errorf("failed to get permission: %s", msg)
 	}
 
 	var result []v1http.PermissionsResp

bcs-services/bcs-user-manager/app/user-manager/v1http/permission.go

@@ -21,6 +21,7 @@ import (
 
 	"bk-bcs/bcs-common/common"
 	"bk-bcs/bcs-common/common/blog"
+	"bk-bcs/bcs-common/common/types"
 	"bk-bcs/bcs-services/bcs-user-manager/app/metrics"
 	"bk-bcs/bcs-services/bcs-user-manager/app/user-manager/models"
 	"bk-bcs/bcs-services/bcs-user-manager/app/user-manager/storages/sqlstore"
@@ -107,10 +108,23 @@ func initCache() {
 func GrantPermission(request *restful.Request, response *restful.Response) {
 	start := time.Now()
 
-	var form []PermissionForm
-	_ = request.ReadEntity(&form)
+	//var form []PermissionForm
+	var bp types.BcsPermission
+	_ = request.ReadEntity(&bp)
+	if bp.Kind != types.BcsDataType_PERMISSION {
+		blog.Warnf("BcsPermission kind must be permission")
+		message := fmt.Sprintf("errcode: %d, BcsPermission kind must be permission", common.BcsErrApiBadRequest)
+		utils.WriteClientError(response, common.BcsErrApiBadRequest, message)
+		return
+	}
+	if bp.APIVersion != "v1" {
+		blog.Warnf("BcsPermission apiVersion must be v1")
+		message := fmt.Sprintf("errcode: %d, BcsPermission apiVersion must be v1", common.BcsErrApiBadRequest)
+		utils.WriteClientError(response, common.BcsErrApiBadRequest, message)
+		return
+	}
 
-	for _, v := range form {
+	for _, v := range bp.Spec.Permissions {
 		if v.ResourceType == "" {
 			metrics.RequestErrorCount.WithLabelValues("permission", request.Request.Method).Inc()
 			metrics.RequestErrorLatency.WithLabelValues("permission", request.Request.Method).Observe(time.Since(start).Seconds())
@@ -209,9 +223,10 @@ func GetPermission(request *restful.Request, response *restful.Response) {
 func RevokePermission(request *restful.Request, response *restful.Response) {
 	start := time.Now()
 
-	var form []PermissionForm
-	_ = request.ReadEntity(&form)
-	for _, v := range form {
+	//var form []PermissionForm
+	var bp types.BcsPermission
+	_ = request.ReadEntity(&bp)
+	for _, v := range bp.Spec.Permissions {
 		user := &models.BcsUser{
 			Name: v.UserName,
 		}