def alter_detail_data_to_serialize(self, request, data):
    """Attach the caller's allowed IAM actions to a detail bundle.

    Reads ``iam_resource_helper`` from ``self._meta``. When it is missing or
    falsy, ``data`` is returned untouched. Otherwise one multi-action query is
    sent to IAM for the bundle's resources, and the names of the actions whose
    verdict is truthy are stored under ``data.data["auth_actions"]``.

    NOTE(review): this only annotates the serialized payload; nothing here
    filters or denies access. Presumably enforcement happens elsewhere --
    confirm before relying on ``auth_actions`` as an access check.
    """
    iam_helper = getattr(self._meta, "iam_resource_helper", None)
    if not iam_helper:
        return data

    # Resolve the bundle's resources first, then build the IAM query around them.
    bundle_resources = iam_helper.get_resources(data)
    iam_request = MultiActionRequest(
        iam_helper.system,
        iam_helper.get_subject_for_alter_detail(request, data),
        [Action(name) for name in iam_helper.actions],
        bundle_resources,
        iam_helper.get_environment_for_alter_detail(request, data),
    )
    verdicts = iam_helper.iam.resource_multi_actions_allowed(iam_request)

    # The whole IAM request (via to_dict()) and every verdict go to the debug log.
    message = "tastypie alter_detail_data_to_serialize resource_multi_actions_allowed request({}) result: {}"
    logger.debug(message.format(iam_request.to_dict(), verdicts))

    # Only actions with a truthy verdict are exposed to the client.
    data.data["auth_actions"] = [name for name, granted in verdicts.items() if granted]
    return data
def iam_get_instance_auth_actions(self, request, instance):
    """Return the IAM actions the caller is allowed to perform on one instance.

    Returns ``None`` when ``self`` has no (or a falsy) ``iam_resource_helper``.
    Otherwise a single multi-action query is sent to IAM for the instance's
    resources, and the list of action names whose verdict is truthy is
    returned.

    NOTE(review): ``None`` here means "IAM not configured", not "nothing
    allowed" -- callers should not treat the two alike without checking.
    """
    iam_helper = getattr(self, "iam_resource_helper", None)
    if not iam_helper:
        return None

    # Resolve the instance's resources first, then build the IAM query around them.
    instance_resources = iam_helper.get_resources(instance)
    iam_request = MultiActionRequest(
        iam_helper.system,
        iam_helper.get_subject_for_alter_detail(request, instance),
        [Action(name) for name in iam_helper.actions],
        instance_resources,
        iam_helper.get_environment_for_alter_detail(request, instance),
    )
    verdicts = iam_helper.iam.resource_multi_actions_allowed(iam_request)

    # The whole IAM request (via to_dict()) and every verdict go to the debug log.
    message = "[drf iam_get_instance_auth_actions] resource_multi_actions_allowed request({}) result: {}"
    iam_logger.debug(message.format(iam_request.to_dict(), verdicts))

    # Keep only the actions IAM reported as allowed.
    return [name for name, granted in verdicts.items() if granted]
def get_resources_allowed_actions_for_user(username, system_id, actions, resources_list):
    """Ask IAM which of ``actions`` a user may perform on each resource group.

    Builds a ``MultiActionRequest`` for the ``"user"`` subject ``username`` in
    ``system_id`` with an empty resource list and an empty environment dict,
    then passes it with ``resources_list`` to the client's batch
    multi-action check and returns that result unchanged.

    NOTE(review): ``username`` is sent to IAM as given; presumably it comes
    from the authenticated session rather than request input -- verify at
    the call sites.
    """
    user_subject = Subject("user", username)
    wrapped_actions = [Action(name) for name in actions]
    # Resources are supplied per batch entry, so the request itself carries none.
    iam_request = MultiActionRequest(system_id, user_subject, wrapped_actions, [], {})
    client = get_iam_client()
    return client.batch_resource_multi_actions_allowed(iam_request, resources_list)
def resource_inst_multi_actions_allowed(self, username, actions_ids, resource_id):
    """Check several actions for one user against a single resource instance.

    The resource is built from ``settings.APP_ID``, ``self.resource_type_id``
    and ``resource_id`` with an empty attribute dict. The request is issued
    for the ``"user"`` subject ``username`` with no environment (``None``),
    and the result of ``self.iam.resource_multi_actions_allowed`` is returned
    unchanged.
    """
    target = Resource(settings.APP_ID, self.resource_type_id, resource_id, {})
    wrapped_actions = [Action(identifier) for identifier in actions_ids]
    iam_request = MultiActionRequest(
        settings.APP_ID,
        Subject("user", username),
        wrapped_actions,
        [target],
        None,
    )
    return self.iam.resource_multi_actions_allowed(iam_request)
def batch_resource_multi_actions_allowed(
    self, username: str, action_ids: List[str], resources: List[Resource]
) -> Dict[str, Dict[str, bool]]:
    """
    Check whether a user holds each of several actions on several resources.

    The current SDK only supports resources of the same type.

    :return example {'0ad86c25363f4ef8adcb7ac67a483837': {'project_view': True, 'project_edit': False}}
    """
    wrapped_actions = [Action(identifier) for identifier in action_ids]
    # Resources travel in the batch list, so the request carries none and no environment.
    iam_request = MultiActionRequest(
        settings.BK_IAM_SYSTEM_ID,
        Subject("user", username),
        wrapped_actions,
        [],
        None,
    )
    # Each resource becomes its own single-element group in the batch.
    grouped = [[item] for item in resources]
    return self.iam.batch_resource_multi_actions_allowed(iam_request, grouped)
def resource_inst_multi_actions_allowed(
    self, username: str, action_ids: List[str], resources: List[Resource]
) -> Dict[str, bool]:
    """
    Check whether a user holds each of several actions on one (single) resource instance.

    Note: the permission check is tied to the resource instance, e.g. updating
    one specific resource.

    :return example {'project_view': True, 'project_edit': False}
    """
    wrapped_actions = [Action(identifier) for identifier in action_ids]
    # The given resources list is passed as-is as the request's resources; no environment is set.
    iam_request = MultiActionRequest(
        settings.BK_IAM_SYSTEM_ID,
        Subject("user", username),
        wrapped_actions,
        resources,
        None,
    )
    return self.iam.resource_multi_actions_allowed(iam_request)
def iam_get_instances_auth_actions(self, request, instances):
    """Return, per instance id, the IAM actions the caller is allowed to perform.

    Returns ``None`` when ``self`` has no (or a falsy) ``iam_resource_helper``,
    and also when ``instances`` yields nothing. Otherwise one batch
    multi-action query is sent to IAM, and the result maps each
    ``instance.id`` to the list of action names whose verdict is truthy.

    An instance whose resource id is absent from the IAM response gets an
    empty list, i.e. no actions are reported as allowed for it.
    """
    iam_helper = getattr(self, "iam_resource_helper", None)
    if not iam_helper:
        return None

    # One resources entry per instance, in iteration order.
    resources_list = [iam_helper.get_resources(item) for item in instances]
    if not resources_list:
        return None

    # Resources travel in the batch list, so the request itself carries none.
    iam_request = MultiActionRequest(
        iam_helper.system,
        iam_helper.get_subject_for_alter_list(request, instances),
        [Action(name) for name in iam_helper.actions],
        [],
        iam_helper.get_environment_for_alter_list(request, instances),
    )
    verdicts_by_resource = iam_helper.iam.batch_resource_multi_actions_allowed(iam_request, resources_list)

    # The whole IAM request (via to_dict()) and every verdict go to the debug log.
    message = "[drf iam_get_instances_auth_actions] batch_resource_multi_actions_allowed request({}) result: {}"
    iam_logger.debug(message.format(iam_request.to_dict(), verdicts_by_resource))

    # NOTE(review): instances is iterated a second time here; presumably it is
    # a list or other re-iterable collection -- confirm against callers.
    allowed_by_instance = {}
    for item in instances:
        # The response is looked up by the stringified resource id.
        resource_key = str(iam_helper.get_resources_id(item))
        verdicts = verdicts_by_resource.get(resource_key, {})
        allowed_by_instance[item.id] = [name for name, granted in verdicts.items() if granted]
    return allowed_by_instance
def alter_list_data_to_serialize(self, request, data):
    """Attach the caller's allowed IAM actions to every bundle of a list response.

    Reads ``iam_resource_helper`` from ``self._meta``. ``data`` is returned
    untouched when the helper is missing or falsy, or when ``data["objects"]``
    is empty. Otherwise one batch multi-action query is sent to IAM, and each
    bundle gets ``bundle.data["auth_actions"]`` set to the action names whose
    verdict is truthy.

    A bundle whose resource id is absent from the IAM response gets an empty
    list, i.e. no actions are reported as allowed for it.

    NOTE(review): this only annotates the serialized payload; nothing here
    filters or denies access. Presumably enforcement happens elsewhere --
    confirm before relying on ``auth_actions`` as an access check.
    """
    iam_helper = getattr(self._meta, "iam_resource_helper", None)
    if not iam_helper:
        return data

    # One resources entry per bundle, in list order.
    resources_list = [iam_helper.get_resources(entry) for entry in data["objects"]]
    if not resources_list:
        return data

    # Resources travel in the batch list, so the request itself carries none.
    iam_request = MultiActionRequest(
        iam_helper.system,
        iam_helper.get_subject_for_alter_list(request, data),
        [Action(name) for name in iam_helper.actions],
        [],
        iam_helper.get_environment_for_alter_list(request, data),
    )
    verdicts_by_resource = iam_helper.iam.batch_resource_multi_actions_allowed(iam_request, resources_list)

    # The whole IAM request (via to_dict()) and every verdict go to the debug log.
    message = "tastypie alter_list_data_to_serialize batch_resource_multi_actions_allowed request({}) result: {}"
    logger.debug(message.format(iam_request.to_dict(), verdicts_by_resource))

    for entry in data["objects"]:
        # The response is looked up by the stringified resource id.
        resource_key = str(iam_helper.get_resources_id(entry))
        verdicts = verdicts_by_resource.get(resource_key, {})
        entry.data["auth_actions"] = [name for name, granted in verdicts.items() if granted]
    return data
def batch_resource_multi_actions_allowed(self, username, actions_ids, resource_ids):
    """Check several actions for one user against several resource instances.

    Every id in ``resource_ids`` is wrapped in a ``Resource`` built from
    ``settings.APP_ID`` and ``self.resource_type_id`` with an empty attribute
    dict, and placed in its own single-element group. The request is issued
    for the ``"user"`` subject ``username`` with no resources of its own and
    no environment (``None``). The result of
    ``self.iam.batch_resource_multi_actions_allowed`` is returned unchanged.
    """
    wrapped_actions = [Action(identifier) for identifier in actions_ids]
    iam_request = MultiActionRequest(
        settings.APP_ID,
        Subject("user", username),
        wrapped_actions,
        [],
        None,
    )
    # One single-resource group per id, in the order given.
    grouped = [
        [Resource(settings.APP_ID, self.resource_type_id, identifier, {})]
        for identifier in resource_ids
    ]
    return self.iam.batch_resource_multi_actions_allowed(iam_request, grouped)