def users_in_group(group_id):
'''
:return: 返回某个group下的所有用户信息
'''
checkexist = group_service.GroupService().get_group_info(group_id)
if not checkexist:
logging.info('no such group_id')
return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER)
params = {
'ORDER': [
['id', 'desc'],
],
'PAGINATION': {
'page_size': request.values.get('page_size', 20),
'page_no': request.values.get('page_no', 1),
}
}
total_nums, data = user_group_service.UserGroupService().get_alluser_group(
group_id)
resp = UsersGroup()
resp.total = total_nums
for i in data:
_user_group_info = user_group_info.UserGroupInfo().user_group_info(i)
resp.rows.append(_user_group_info)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS,
data=resp.to_json())
def check(group_id, user_id):
if not user_id or not group_id:
logging.info(
'no user_id or group_id or rold_id when add user to a group')
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
group_info = group_s.GroupService().get_group_info(group_id)
if not group_info[1]:
logging.info('no such group_id %s when add user to a group', group_id)
return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER)
user_group = user_g_s.UserGroupService().query_user_role_group(
user_id, group_id)
if user_group[1]:
logging.info(
'same user %s already in group %s when add user to a group',
user_id, group_id)
return json_helper.format_api_resp(code=ErrorCode.DUPLICATED_ERR,
msg='用户已经存在于该组,请不要重复加入')
params = {
'WHERE_AND': {
'=': {
'group_id': group_id,
}
}
}
is_exist_role_group = access_service.AccessService().query_info(params)
if not is_exist_role_group[1]:
# 查询access表中是否存在这个role-group的对应关系,(不查area)没有就报错
logging.info('not such role_group_area mapping exist')
return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER,
msg="该组没有角色权限对应关系,不能添加新用户")
def user_permisson(user_id):
'''
获取用户的所有操作权限
:param user_id:
:return: {u'instance': [u'create', u'delete', u'shutdown'],u'host':[u'create', u'delete']}
'''
user_permisson_list = []
user_group_nums, user_group_data = user_g_s.UserGroupService(
).get_allgroup_user(user_id)
# 新用户没有组
if user_group_nums <= 0:
return None
for _user_group in user_group_data:
_group_id = _user_group['group_id']
_group_name = _user_group['group_name']
# 通过group_id找到access表中对应的role_id,这里是默认一个组只有一个角色的
# _role_info = access_service.AccessService().get_one('group_id', _group_id)
num, _role_info = user_g_s.UserGroupService().get_user_role(
user_id, _group_id)
if num <= 0:
_role_id = None
else:
_role_id = _role_info[0]['role_id']
# 查询role_permission表中role_id对应的全部permission_id
_role_permission_list = role_service.RolePermissionService(
).role_permission_list(_role_id)
if _role_permission_list < 0:
return None
_host_list = []
_instance_list = []
_permission_dict = {}
for _i in _role_permission_list:
if _i.keys()[0] == 'instance':
_instance_list.append(_i.values()[0])
if _i.keys()[0] == 'host':
_host_list.append(_i.values()[0])
_permission_dict['instance'] = _instance_list
_permission_dict['host'] = _host_list
_permission_dict['role_id'] = _role_id
_permission_dict['group_id'] = _group_id
_permission_dict['group_name'] = _group_name
user_permisson_list.append(_permission_dict)
return user_permisson_list
def current_user_groups_by_userid(user_id):
'''
获取指定用户的所属应用组
:return:
'''
groups_list = []
user_groups_num, user_groups_data = user_g_s.UserGroupService(
).get_allgroup_user(user_id)
for _user_group in user_groups_data:
_group_num, _group_data = group_s.GroupService().get_group_info(
_user_group['group_id'])
if _group_num > 0:
groups_list.append(_group_data[0])
return groups_list
def init_group_info(group_id):
'''
用户编辑组时的初始化信息
:param group_id:
:return:
'''
resp = {}
group_tuple = group_s.GroupService().get_group_info(group_id)
group_dict = group_tuple[1][0]
area_list = group_area_info(group_id)
# role_info = access_service.AccessService().get_one('group_id', group_id)
# role_id = role_info['role_id']
num, role_info = user_g_s.UserGroupService().get_user_role(
group_dict['owner'], group_id)
if num <= 0:
role_id = None
else:
role_id = role_info[0]['role_id']
used_area = []
result_dict = {
'vm': group_dict['vm'],
'disk': group_dict['disk'],
'cpu': group_dict['cpu'],
'mem': group_dict['mem'],
'owner': group_dict['owner'],
'role_id': role_id,
'name': group_dict['name'],
'area_list': area_list,
'p_cluster_id': group_dict['p_cluster_id']
}
used_area.append(result_dict)
# used_area = group_init_info.GroupInitInfo().init_group_info(result_dict)
resp['used_area'] = used_area
ret_init = area.get_area_info()
for i in ret_init:
if i["parent_id"] == -1:
i["parent_id"] = i["id"]
i["parent_name"] = i["name"]
i["name"] = None
i["id"] = None
all_area = []
for i in ret_init:
all_area = []
resp['all_area'] = ret_init
return json_helper.format_api_resp(code=ErrorCode.SUCCESS, data=resp)
def add_insideuser_to_group(group_id):
'''
在user_group表中将顺丰用户添加到某个组
'''
user_id = request.values.get('user_id')
group_name = request.values.get('group_name')
check_info = check(group_id, user_id)
if check_info:
return check_info
params = {
'WHERE_AND': {
'=': {
'userid': user_id,
'auth_type': '0',
}
}
}
user_info = user_service.UserService().query_data(**params)
if not user_info or not user_info[1]:
user_name = ''
# logging.error("query user error, no such user_id:%s", str(user_id))
# return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER, msg="该用户请先登录平台,再来添加")
else:
user_name = user_info[1][0]['username']
user_group_data = user_g_s.get_data_by_group_name(group_name)
if not user_group_data:
logging.error(
"group %s role id no exist in db when add insideuser to group",
group_name)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
insert_user_data = {
'user_id': user_id,
'user_name': user_name,
'group_id': group_id,
'group_name': group_name,
'role_id': user_group_data['role_id'],
'status': '0',
'created_at': get_datetime_str()
}
ret = user_g_s.UserGroupService().add_user_group(insert_user_data)
if ret == -1:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS)
def group_list():
'''
查询组列表,不传参直接返回所有group列表,传参owner或者group_name筛选group列表
'''
search = request.values.get('search')
params = {
'WHERE_AND': {
'=': {
'isdeleted': '0'
},
'like': {
'name': None,
'owner': None,
'user_id': None
}
},
'page_size': request.values.get('page_size', 20),
'page_no': request.values.get('page_no', 1),
}
if search:
json_search = json.loads(search)
owner = json_search.get('owner')
if owner:
params['WHERE_AND']['like']['owner'] = '%' + owner + '%'
group_name = json_search.get('group_name')
if group_name:
params['WHERE_AND']['like']['name'] = '%' + group_name + '%'
user_id = json_search.get('user_id')
if user_id:
params['WHERE_AND']['like']['user_id'] = '%' + user_id + '%'
# 超级管理员组内的成员可以看到所有组
user_groups_num, user_groups_data = user_g_s.UserGroupService().get_allgroup_user(get_user()['user_id'])
super_group_flag = False
for _user_group in user_groups_data:
if _user_group['group_name'] == "supergroup":
super_group_flag = True
break
total_nums, data = group.user_group_list(get_user()['user_id'], is_super_group=super_group_flag, **params)
resp = GroupListResp()
resp.total = total_nums
for i in data:
_user_info = group_info.GroupInitInfo().init_from_db(i)
resp.rows.append(_user_info)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS, data=resp.to_json())
def current_user_group_ids():
'''
获取当前用户的所属应用组ID
:return:
'''
c_user = get_user()
c_user_id = c_user['user_id']
if not c_user_id:
return None
group_ids_list = []
user_groups_num, user_groups_data = user_g_s.UserGroupService(
).get_allgroup_user(c_user_id)
for _user_group in user_groups_data:
group_ids_list.append(_user_group['group_id'])
return list(set(group_ids_list))
def current_user_role_ids():
'''
获取当前用户的角色ID
:return:
'''
c_user = get_user()
c_user_id = c_user['user_id']
if not c_user_id:
return None
user_group_nums, user_group_data = user_g_s.UserGroupService(
).get_allgroup_user(c_user_id)
# 新用户没有组
if user_group_nums <= 0:
return None
role_ids_list = [user_group['role_id'] for user_group in user_group_data]
return list(set(role_ids_list))
def current_user_groups():
'''
获取当前用户的所属应用组
:return:
'''
c_user = get_user()
c_user_id = c_user['user_id']
if not c_user_id:
return None
groups_list = []
user_groups_num, user_groups_data = user_g_s.UserGroupService(
).get_allgroup_user(c_user_id)
for _user_group in user_groups_data:
_group_num, _group_data = group_s.GroupService().get_group_info(
_user_group['group_id'])
if _group_num > 0:
groups_list.append(_group_data[0])
return groups_list
def delete_user_group():
'''
将组中的某个用户删除
'''
user_id = request.values.get('user_id')
group_id = request.values.get('group_id')
if not user_id or not group_id:
logging.info('no user_id or group_id when delete user from a group')
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
user_group_num, user_group_data = user_g_s.UserGroupService(
).query_user_role_group(user_id, group_id)
if user_group_num < 0:
logging.info(
'no such user %s in group %s when delete user from a group',
user_id, group_id)
return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER)
groups_num, groups_data = group_s.GroupService().get_group_info(group_id)
if groups_num < 0:
logging.error('no group %s info in db when delete user from a group',
group_id)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
# 不能删除组所有者
if groups_data[0]['owner'] == user_id:
logging.warn(
'not allow delete group %s owner %s when delete user from a group',
group_id, user_id)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR,
msg='不能删除组的所有者!')
ret = user_g_s.delete_user(user_id, group_id)
if ret <= 0:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS)
def add_outuser_to_group(group_id):
'''
为某个组增加外部用户,需要插入tb_user表,user_group表
'''
user_id = request.values.get('user_id')
user_name = request.values.get('user_name')
password = request.values.get('password')
email = request.values.get('email')
group_name = request.values.get('group_name')
auth_type = request.values.get('auth_type')
if not user_name or not email or not password:
logging.info('not enough params when add outuser to a group')
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
check_info = check(group_id, user_id)
if check_info:
return check_info
# 检查用户ID是否已存在,如果已经存在,直接将该用户添加至组中
userid_exist = user_service.UserService().check_userid_exist(user_id,
auth_type=1)
if userid_exist:
# todo:如果已经存在,直接将该用户添加至组中
logging.error(
"user %s has exist in group %s when add outuser to a group",
user_id, group_id)
return json_helper.format_api_resp(code=ErrorCode.EXIST_USER,
msg='该用户ID已被使用,请更换新用户ID')
user_group_data = user_g_s.get_data_by_group_name(group_name)
if not user_group_data:
logging.error(
"group %s role id no exist in db when add outuser to group",
group_name)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
user_data = {
'userid': user_id,
'username': user_name,
'password': password,
'created_at': get_datetime_str(),
'email': email,
'auth_type': auth_type,
}
ret = user_service.UserService().add_user(user_data)
# 添加安全日志
field_data = {'User_name': user_name, 'Oper_type': 'add'}
# 先记录再返回
if ret == -1:
field_data.update({
'Oper_result': '0 Fail',
'fail_reason': 'insert new user info to db fail'
})
else:
field_data.update({'Oper_result': '1 Success'})
CloudLogger.audit(AuditType.USERMGR, field_data)
if ret == -1:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
user_group_data = {
'user_id': user_id,
'user_name': user_name,
'group_id': group_id,
'group_name': group_name,
'role_id': user_group_data['role_id'],
'status': '0',
'created_at': get_datetime_str(),
}
rest = user_g_s.UserGroupService().add_user_group(user_group_data)
if rest == -1:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS)
def add_group():
name = request.values.get('name')
owner = request.values.get('owner')
cpu = request.values.get('cpu')
mem = request.values.get('mem')
disk = request.values.get('disk')
vm = request.values.get('vm')
env = request.values.get('dc_type')
role_id = request.values.get('role_id')
area_str = request.values.get('area_str')
p_cluster_id = request.values.get('p_cluster_id')
if not name or not owner or not area_str or not str(env):
logging.info('no name or owner or area_str or env when add group')
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
role_exist = role_service.RoleService().query_role('id', role_id)
if not role_exist:
logging.info('no such role %s when add group', role_id)
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
# 应用组名不能重复
if _check_duplicated_group_name(name, str(env)):
logging.error('duplicated group name %s when add group', name)
return json_helper.format_api_resp(code=ErrorCode.DUPLICATED_ERR,
msg="应用组名不能重复,请更改应用组名!")
params_u = {
'WHERE_AND': {
'=': {
'userid': owner,
'isdeleted': '0',
},
},
}
user_num, user_data = user_s.UserService().query_data(**params_u)
if user_num <= 0:
username = ''
# 用户不存在,新增
user_data = {
'userid': owner,
'username': username,
'status': '0',
'created_at': get_datetime_str()
}
user_ret = user_s.UserService().add_user(user_data)
# 记录安全日志
field_data = {'User_name': owner or None, 'Oper_type': 'add'}
if user_ret.get('row_num') > 0:
field_data.update({'Oper_result': '1 Success'})
CloudLogger.audit(AuditType.USERMGR, field_data)
else:
field_data.update({
'Oper_result': '0 Fail',
'fail_reason': 'insert new user info to db fail'
})
CloudLogger.audit(AuditType.USERMGR, field_data)
return False, 'add new user info to db fail'
# logging.error('no user %s info when add group', owner)
# return json_helper.format_api_resp(code=ErrorCode.NOT_EXIST_USER, msg='不存在该用户,请检查用户ID')
else:
username = user_data[0]['username']
insert_data = {
'name': name,
'displayname': name,
'isdeleted': '0',
'owner': owner,
'cpu': cpu,
'mem': mem,
'disk': disk,
'vm': vm,
'dc_type': str(env),
'p_cluster_id': p_cluster_id,
'created_at': get_datetime_str()
}
ret = group_s.GroupService().add_group_info(insert_data)
if ret.get('row_num') <= 0:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
group_id = ret.get('last_id')
ret_result = access_service.add_access_list(int(group_id), int(role_id),
str(area_str))
if ret_result.get('row_num') <= 0:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
user_group_data = {
'user_id': owner,
'user_name': username,
'group_id': group_id,
'group_name': name,
'role_id': role_id,
'status': '0',
'created_at': get_datetime_str(),
'expire_at': get_datetime_str(), # todo
}
ret_u_g = user_g_s.UserGroupService().add_user_group(user_group_data)
if ret_u_g.get('row_num') <= 0:
logging.error(
'add user group info error when add group, insert_data:%s',
user_group_data)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS)
def update_group(group_id):
'''
修改应用组信息
:param group_id:
:return:
'''
name_n = request.values.get('name')
owner_n = request.values.get('owner')
cpu_n = request.values.get('cpu')
mem_n = request.values.get('mem')
disk_n = request.values.get('disk')
vm_n = request.values.get('vm')
area_str_n = request.values.get('area_str')
role_id_c = request.values.get('role_id')
p_cluster_id = request.values.get('p_cluster_id')
if not cpu_n or not mem_n or not disk_n or not vm_n or not area_str_n or not role_id_c:
logging.info('param is invalid when update group')
return json_helper.format_api_resp(code=ErrorCode.PARAM_ERR)
group_num_c, group_data_c = group_s.GroupService().get_group_info(group_id)
if group_num_c <= 0:
logging.error('no group %s info when update group', group_id)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
update_data = {
'cpu': cpu_n,
'mem': mem_n,
'disk': disk_n,
'vm': vm_n,
'updated_at': get_datetime_str()
}
# 只能超级管理员组成员和组所有者才能修改组名和所有者,超级管理员组ID为1
user_group_ids = current_user_group_ids()
if group_data_c[0]['owner'] != get_user(
)['user_id'] and 1 not in user_group_ids:
if name_n or owner_n:
logging.error(
'only allow super group member or group owner %s to update group %s name or owner',
group_data_c[0]['owner'], group_id)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR,
msg='您没有权限修改该应用组的组名和所有者!')
if name_n:
if group_data_c[0]['name'] != name_n and _check_duplicated_group_name(
name_n):
logging.error('duplicated group name %s when update group', name_n)
return json_helper.format_api_resp(code=ErrorCode.DUPLICATED_ERR,
msg="应用组名不能重复,请更改应用组名!")
update_data['name'] = name_n
if owner_n:
# 新所有者一定要在该应用组里
group_user_num, group_user_data = user_g_s.UserGroupService(
).get_alluser_group(group_id)
in_group_flag = False
for _group in group_user_data:
if _group['user_id'] == owner_n:
in_group_flag = True
break
if not in_group_flag:
logging.error(
'new owner %s must exist in group %s when update group',
owner_n, group_id)
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR,
msg='应用组新所有者必须属于该组,请先添加入组!')
update_data['owner'] = owner_n
if p_cluster_id:
update_data['p_cluster_id'] = p_cluster_id
where_data = {
'id': group_id,
}
ret = group_s.update_group_info(update_data, where_data)
if ret < 0:
logging.error("update group error, update_data:%s, where_data:%s",
str(update_data), str(where_data))
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
# 删除access中所有group_id的数据,然后插入前端提交的数据
delete_access = access.delete_access_info(group_id)
if delete_access < 0:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
ret_result = access_service.add_access_list(int(group_id), int(role_id_c),
str(area_str_n))
if ret_result < 0:
return json_helper.format_api_resp(code=ErrorCode.SYS_ERR)
return json_helper.format_api_resp(code=ErrorCode.SUCCESS)
def _user_group_check(env, sys_code, sys_opr_name, sys_opr_id, cluster_id):
# 检查应用系统管理员用户是否存在,不存在则新增
user = user_s.UserService().get_user_info_by_user_id(sys_opr_id)
if not user:
# 用户不存在,新增,并将用户锁定,待后续开放用户运维在解锁
user_data = {
'userid': sys_opr_id,
'username': sys_opr_name,
'status': '1',
'created_at': get_datetime_str()
}
user_ret = user_s.UserService().add_user(user_data)
# 记录安全日志
field_data = {'User_name': sys_opr_name or None, 'Oper_type': 'add'}
if user_ret.get('row_num') > 0:
field_data.update({'Oper_result': '1 Success'})
CloudLogger.audit(AuditType.USERMGR, field_data)
else:
field_data.update({
'Oper_result': '0 Fail',
'fail_reason': 'insert new user info to db fail'
})
CloudLogger.audit(AuditType.USERMGR, field_data)
return False, 'add new user info to db fail'
# 检查应用组是否存在,不存在新建
group = group_s.get_group_info_by_name_and_env(sys_code, env)
if not group:
group_data = {
'name': sys_code,
'displayname': sys_code,
'isdeleted': '0',
'dc_type': env,
'owner': sys_opr_id,
'cpu': 20000,
'mem': 40000,
'disk': 1000000,
'vm': 5000,
'p_cluster_id': cluster_id,
'created_at': get_datetime_str()
}
group_ret = group_s.GroupService().add_group_info(group_data)
if group_ret.get('row_num') <= 0:
return False, 'add group info to db fail'
group_id = group_ret.get('last_id')
role_id = 2
area_zb_ret = area_s.AreaService().get_area_zb_info()
if not area_zb_ret:
return False, 'get zongbu area id fail'
area_zb_id = area_zb_ret['id']
ret_result = access_service.add_access_list(int(group_id),
int(role_id),
str(area_zb_id))
if ret_result.get('row_num') <= 0:
return False, 'add access info to db fail'
user_group_data = {
'user_id': sys_opr_id,
'user_name': sys_opr_name,
'group_id': group_id,
'group_name': sys_code,
'role_id': role_id,
'status': '0',
'created_at': get_datetime_str(),
'expire_at': get_datetime_str(), # todo
}
ret_u_g = user_g_s.UserGroupService().add_user_group(user_group_data)
if ret_u_g.get('row_num') <= 0:
logging.error(
'add user group info error when add group, insert_data:%s',
user_group_data)
return False, 'add user group info to db fail'
else:
# 获取应用组对应用户信息
role_id = 2
opr_is_exist = False
group_id = group['id']
ret_num, ret_query_g_u = user_g_s.UserGroupService().get_alluser_group(
group_id)
for one_ret_query_g_u in ret_query_g_u:
if one_ret_query_g_u['user_id'] == sys_opr_id:
opr_is_exist = True
if not opr_is_exist:
# 将用户加入应用组中
user_group_data = {
'user_id': sys_opr_id,
'user_name': sys_opr_name,
'group_id': group_id,
'group_name': sys_code,
'role_id': role_id,
'status': '0',
'created_at': get_datetime_str(),
'expire_at': get_datetime_str(), # todo
}
ret_u_g = user_g_s.UserGroupService().add_user_group(
user_group_data)
if ret_u_g.get('row_num') <= 0:
logging.error(
'add user group info error when add group, insert_data:%s',
user_group_data)
return False, 'add user group info to db fail'
# 修改应用组owner
update_data = {'owner': sys_opr_id}
where_data = {
'id': group_id,
}
ret_change_owner = group_s.update_group_info(
update_data, where_data)
if ret_change_owner < 0:
logging.error(
"update group error, update_data:%s, where_data:%s",
str(update_data), str(where_data))
return False, 'update group owner to db fail'
return True, group_id