From 003ad678f6e63a9d4d8924ea841c4d4377243955 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=E5=B1=88=E8=BD=A9?= Date: Tue, 23 Apr 2024 19:17:18 +0800 Subject: [PATCH] fix: revert default policy (#20111) --- pkg/cloudid/policy/defaults.go | 133 +++--- pkg/compute/policy/defaults.go | 720 +++++++++++++++--------------- pkg/image/policy/defaults.go | 34 +- pkg/logger/policy/defaults.go | 49 +- pkg/notify/policy/defaults.go | 277 ++++++------ pkg/yunionconf/policy/defaults.go | 70 ++- 6 files changed, 632 insertions(+), 651 deletions(-) diff --git a/pkg/cloudid/policy/defaults.go b/pkg/cloudid/policy/defaults.go index f3d30db0810..a0ca1a7633d 100644 --- a/pkg/cloudid/policy/defaults.go +++ b/pkg/cloudid/policy/defaults.go @@ -15,6 +15,9 @@ package policy import ( + "yunion.io/x/pkg/util/rbacscope" + + api "yunion.io/x/onecloud/pkg/apis/cloudid" common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/util/rbacutils" ) 
@@ -30,80 +33,78 @@ const ( var ( predefinedDefaultPolicies = []rbacutils.SRbacPolicy{ - /* - { - Auth: true, - Scope: rbacscope.ScopeSystem, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "cloudpolicies", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudpolicies", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeSystem, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "cloudpolicies", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudpolicies", + Action: PolicyActionGet, + Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeDomain, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "cloudgroups", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudgroups", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeDomain, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "cloudgroups", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudgroups", + Action: PolicyActionGet, + Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "cloudusers", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudusers", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "cloudusers", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudusers", + Action: PolicyActionGet, + 
Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "samlusers", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "samlusers", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "samlusers", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "samlusers", + Action: PolicyActionGet, + Result: rbacutils.Allow, }, }, - */ + }, } ) diff --git a/pkg/compute/policy/defaults.go b/pkg/compute/policy/defaults.go index b59f5dfb236..e511b1eadf0 100644 --- a/pkg/compute/policy/defaults.go +++ b/pkg/compute/policy/defaults.go 
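Review bot: The entries restored to `predefinedDefaultPolicies` in pkg/cloudid/policy/defaults.go have no comment saying who receives them, unlike the `// for anonymous update torrent status` entry in pkg/image/policy/defaults.go. If `Auth: true` means any authenticated token (inferred from the field names, not shown in this patch), the first entry gives every user `list`/`get` on `cloudpolicies` at `ScopeSystem`, and that choice should be stated. I would add a line above each entry such as `// default for every authenticated user: read-only view of cloudpolicies`. The two `ScopeUser` entries for `cloudusers` and `samlusers` could also be a single entry with four rules.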
@@ -37,147 +37,133 @@ var ( Auth: true, Scope: rbacscope.ScopeSystem, Rules: []rbacutils.SRbacRule{ - /* - { - Service: api.SERVICE_TYPE, - Resource: "zones", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "zones", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudregions", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudregions", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cachedimages", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cachedimages", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dbinstance_skus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dbinstance_skus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "serverskus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "serverskus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "secgrouprules", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "elasticcacheskus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "elasticcacheskus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "secgrouprules", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "loadbalancerclusters", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "schedtags", - Action: 
PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dns_recordsets", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dns_recodsets", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dns_zonecaches", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "dns_zonecaches", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudaccounts", - Action: PolicyActionGet, - Extra: []string{"saml"}, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "waf_rules", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "waf_rules", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - */ + { + Service: api.SERVICE_TYPE, + Resource: "zones", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "zones", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudregions", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudregions", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cachedimages", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cachedimages", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "dbinstance_skus", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "dbinstance_skus", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "serverskus", + Action: PolicyActionList, + Result: rbacutils.Allow, + 
}, + { + Service: api.SERVICE_TYPE, + Resource: "serverskus", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "secgrouprules", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "elasticcacheskus", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "elasticcacheskus", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "secgrouprules", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "loadbalancerclusters", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "schedtags", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "dns_recordsets", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "dns_recodsets", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudaccounts", + Action: PolicyActionGet, + Extra: []string{"saml"}, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "waf_rules", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "waf_rules", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, { Service: api.SERVICE_TYPE, Resource: "capabilities", 
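Review bot: The re-enabled `PolicyActionGet` rule in the `ScopeSystem` list names `Resource: "dns_recodsets"`, while the `PolicyActionList` rule just above it uses `"dns_recordsets"`; the misspelled rule presumably matches no resource, so `get` on DNS record sets is not granted by this default. The line should read `Resource: "dns_recordsets",`. Separately, the removed comment block held `list`/`get` rules for `dns_zonecaches` that the restored list leaves out; if that is intended, the commit message should say so, since the subject describes a plain revert. The policy entry opens before this hunk and its rule list continues past it.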
@@ -186,238 +172,234 @@ var ( }, }, }, - /* - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "keypairs", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "keypairs", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "keypairs", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "keypairs", - Action: PolicyActionUpdate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "keypairs", - Action: PolicyActionDelete, - Result: rbacutils.Allow, - }, - }, - }, - { - Auth: true, - Scope: rbacscope.ScopeDomain, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "cloudaccounts", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudaccounts", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudproviders", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "cloudproviders", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "domain_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "domain_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "infras_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "infras_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "vpcs", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "vpcs", - Action: PolicyActionGet, - Result: rbacutils.Allow, 
- }, - { - Service: api.SERVICE_TYPE, - Resource: "wires", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "wires", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "proxysettings", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "proxysettings", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "nat_skus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "nat_skus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "nas_skus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "nas_skus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "modelarts_skus", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "modelarts_skus", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "keypairs", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "keypairs", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "keypairs", + Action: PolicyActionCreate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "keypairs", + Action: PolicyActionUpdate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "keypairs", + Action: PolicyActionDelete, + Result: rbacutils.Allow, + }, + }, + }, + { + Auth: true, + Scope: rbacscope.ScopeDomain, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: 
"cloudaccounts", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudaccounts", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudproviders", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "cloudproviders", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "domain_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "domain_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "infras_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "infras_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "vpcs", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "vpcs", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "wires", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "wires", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "proxysettings", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "proxysettings", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "nat_skus", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "nat_skus", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "nas_skus", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: 
api.SERVICE_TYPE, + Resource: "nas_skus", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "modelarts_skus", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "modelarts_skus", + Action: PolicyActionGet, + Result: rbacutils.Allow, }, }, - */ - /* - { - Auth: true, - Scope: rbacscope.ScopeProject, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "region_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "region_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "zone_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "zone_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "project_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "project_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "networks", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "networks", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeProject, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: 
"region_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "region_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "zone_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "zone_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "project_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "project_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "networks", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "networks", + Action: PolicyActionList, + Result: rbacutils.Allow, }, }, - */ + }, } ) diff --git a/pkg/image/policy/defaults.go b/pkg/image/policy/defaults.go index 44beb40e428..6f77e2bcd2b 100644 --- a/pkg/image/policy/defaults.go +++ b/pkg/image/policy/defaults.go @@ -30,26 +30,24 @@ const ( var ( predefinedDefaultPolicies = []rbacutils.SRbacPolicy{ - /* - { - Auth: true, - Scope: rbacscope.ScopeProject, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "image_quotas", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "image_quotas", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeProject, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "image_quotas", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "image_quotas", + Action: PolicyActionList, + Result: rbacutils.Allow, }, }, - */ + }, { // for anonymous update torrent status Auth: false, 
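Review bot: The restored `ScopeDomain` entry in pkg/compute/policy/defaults.go grants `list`/`get` on `cloudaccounts`, `cloudproviders` and `proxysettings` by default, and nothing in the hunk shows that those responses leave out secret fields. If these defaults apply to every authenticated user, please confirm the get/list responses never carry access keys or proxy credentials, and put a comment above the entry such as `// default read access for any authenticated user in the domain; responses must not expose account secrets`. The `ScopeUser` entry also gives create/update/delete on `keypairs`, which looks meant for a user's own keys but is not stated anywhere. The slice literal opens before this hunk.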
diff --git a/pkg/logger/policy/defaults.go b/pkg/logger/policy/defaults.go index ac85dcfebdf..1545ca9fd64 100644 --- a/pkg/logger/policy/defaults.go +++ b/pkg/logger/policy/defaults.go @@ -15,6 +15,9 @@ package policy import ( + "yunion.io/x/pkg/util/rbacscope" + + api "yunion.io/x/onecloud/pkg/apis/logger" common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/util/rbacutils" ) @@ -27,32 +30,30 @@ const ( var ( predefinedDefaultPolicies = []rbacutils.SRbacPolicy{ - /* - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "actions", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "actions", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "actions", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "actions", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "actions", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "actions", + Action: PolicyActionCreate, + Result: rbacutils.Allow, }, }, - */ + }, } ) diff --git a/pkg/notify/policy/defaults.go b/pkg/notify/policy/defaults.go index c0d70c1e0a6..509b2efba7d 100644 --- a/pkg/notify/policy/defaults.go +++ b/pkg/notify/policy/defaults.go @@ -15,6 +15,9 @@ package policy import ( + "yunion.io/x/pkg/util/rbacscope" + + api "yunion.io/x/onecloud/pkg/apis/notify" common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy" "yunion.io/x/onecloud/pkg/util/rbacutils" ) 
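Review bot: The restored `ScopeUser` entry in pkg/logger/policy/defaults.go allows `PolicyActionCreate` on `actions` alongside `list` and `get`. If `actions` is the operation log (inferred from the service name, not shown in the hunk), a default create right lets any authenticated user write records into it, which weakens the log as evidence during an investigation. Either drop the create rule from the default set, or add a comment such as `// create is default because <reason>; records are attributed to the caller's token` so the grant reads as deliberate.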
@@ -30,152 +33,150 @@ const ( var ( predefinedDefaultPolicies = []rbacutils.SRbacPolicy{ - /* - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionUpdate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionDelete, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "receivers", - Action: PolicyActionPerform, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionCreate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionUpdate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionDelete, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "receivers", + Action: PolicyActionPerform, + Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeSystem, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "topics", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "topics", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, + 
}, + { + Auth: true, + Scope: rbacscope.ScopeSystem, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "topics", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "topics", + Action: PolicyActionList, + Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeSystem, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionUpdate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionDelete, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionPerform, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeSystem, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionCreate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionUpdate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionDelete, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionPerform, + Result: rbacutils.Allow, }, }, - { - Auth: true, - Scope: rbacscope.ScopeDomain, - Rules: 
[]rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionUpdate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionDelete, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "subscribers", - Action: PolicyActionPerform, - Result: rbacutils.Allow, - }, + }, + { + Auth: true, + Scope: rbacscope.ScopeDomain, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionCreate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionUpdate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionDelete, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "subscribers", + Action: PolicyActionPerform, + Result: rbacutils.Allow, }, }, - */ + }, } ) diff --git a/pkg/yunionconf/policy/defaults.go b/pkg/yunionconf/policy/defaults.go index b43dfa31283..fd0d2caeb6e 100644 --- a/pkg/yunionconf/policy/defaults.go +++ b/pkg/yunionconf/policy/defaults.go 
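Review bot: The restored `ScopeSystem` and `ScopeDomain` entries for `subscribers` in pkg/notify/policy/defaults.go include `PolicyActionCreate`, `PolicyActionUpdate`, `PolicyActionDelete` and `PolicyActionPerform`, whereas `topics` at `ScopeSystem` gets only `get` and `list`. As a default policy this appears to let any authenticated user change or remove notification subscriptions well beyond their own, possibly including ones that deliver alerts to operators. I would keep only the `get`/`list` rules in the default `subscribers` entries and grant the write actions through an explicit role, or add a comment stating why the write actions must be default. The two `ScopeSystem` entries could also be merged into one.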
@@ -32,44 +32,42 @@ const ( var ( predefinedDefaultPolicies = []rbacutils.SRbacPolicy{ - /* - { - Auth: true, - Scope: rbacscope.ScopeUser, - Rules: []rbacutils.SRbacRule{ - { - Service: api.SERVICE_TYPE, - Resource: "parameters", - Action: PolicyActionGet, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "parameters", - Action: PolicyActionList, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "parameters", - Action: PolicyActionCreate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "parameters", - Action: PolicyActionUpdate, - Result: rbacutils.Allow, - }, - { - Service: api.SERVICE_TYPE, - Resource: "parameters", - Action: PolicyActionDelete, - Result: rbacutils.Allow, - }, + { + Auth: true, + Scope: rbacscope.ScopeUser, + Rules: []rbacutils.SRbacRule{ + { + Service: api.SERVICE_TYPE, + Resource: "parameters", + Action: PolicyActionGet, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "parameters", + Action: PolicyActionList, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "parameters", + Action: PolicyActionCreate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "parameters", + Action: PolicyActionUpdate, + Result: rbacutils.Allow, + }, + { + Service: api.SERVICE_TYPE, + Resource: "parameters", + Action: PolicyActionDelete, + Result: rbacutils.Allow, }, }, - */ + }, { Auth: true, Scope: rbacscope.ScopeProject,