feat: authentication users with group's RoleBindings in API Server

Signed-off-by: N Roland.Ma <rolandma@yunify.com>

feat: authentication users with group's RoleBindings in API Server
Signed-off-by: N Roland.Ma <rolandma@yunify.com>
80f3db3d · Roland.Ma · 447a5a56 · 80f3db3d · 80f3db3d · 80f3db3d
9 changed file
--- a/pkg/apiserver/apiserver.go
+++ b/pkg/apiserver/apiserver.go
@@ -20,6 +20,10 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+	"net/http"
+	rt "runtime"
+	"time"
+
 	"github.com/emicklei/go-restful"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	urlruntime "k8s.io/apimachinery/pkg/util/runtime"
@@ -77,9 +81,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/simple/client/s3"
 	"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
 	utilnet "kubesphere.io/kubesphere/pkg/utils/net"
-	"net/http"
-	rt "runtime"
-	"time"
 )

 const (
@@ -290,7 +291,7 @@ func (s *APIServer) buildHandlerChain(stopCh <-chan struct{}) {
 	// authenticators are unordered
 	authn := unionauth.New(anonymous.NewAuthenticator(),
 		basictoken.New(basic.NewBasicAuthenticator(im.NewPasswordAuthenticator(s.KubernetesClient.KubeSphere(), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister(), s.Config.AuthenticationOptions))),
-		bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions))))
+		bearertoken.New(jwttoken.NewTokenAuthenticator(im.NewTokenOperator(s.CacheClient, s.Config.AuthenticationOptions), s.InformerFactory.KubeSphereSharedInformerFactory().Iam().V1alpha2().Users().Lister())))
 	handler = filters.WithAuthentication(handler, authn, loginRecorder)
 	handler = filters.WithRequestInfo(handler, requestInfoResolver)
 	s.Server.Handler = handler
@@ -378,6 +379,8 @@ func (s *APIServer) waitForResourceSync(stopCh <-chan struct{}) error {
 		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspaceroles"},
 		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "workspacerolebindings"},
 		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "loginrecords"},
+		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groups"},
+		{Group: "iam.kubesphere.io", Version: "v1alpha2", Resource: "groupbindings"},
 		{Group: "cluster.kubesphere.io", Version: "v1alpha1", Resource: "clusters"},
 		{Group: "devops.kubesphere.io", Version: "v1alpha3", Resource: "devopsprojects"},
 	}

--- a/pkg/apiserver/authentication/authenticators/basic/basic.go
+++ b/pkg/apiserver/authentication/authenticators/basic/basic.go
@@ -18,6 +18,7 @@ package basic

 import (
 	"context"
+
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"kubesphere.io/kubesphere/pkg/models/iam/im"
@@ -50,7 +51,7 @@ func (t *basicAuthenticator) AuthenticatePassword(ctx context.Context, username,
 		User: &user.DefaultInfo{
 			Name:   providedUser.GetName(),
 			UID:    providedUser.GetUID(),
-			Groups: []string{user.AllAuthenticated},
+			Groups: append(providedUser.GetGroups(), user.AllAuthenticated),
 		},
 	}, true, nil
 }
--- a/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
+++ b/pkg/apiserver/authentication/authenticators/jwttoken/jwt_token.go
@@ -18,9 +18,11 @@ package jwttoken

 import (
 	"context"
+
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authentication/user"
 	"k8s.io/klog"
+	iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/models/iam/im"
 )

@@ -31,11 +33,13 @@ import (
 // because some resources are public accessible.
 type tokenAuthenticator struct {
 	tokenOperator im.TokenManagementInterface
+	userLister    iamv1alpha2listers.UserLister
 }

-func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface) authenticator.Token {
+func NewTokenAuthenticator(tokenOperator im.TokenManagementInterface, userLister iamv1alpha2listers.UserLister) authenticator.Token {
 	return &tokenAuthenticator{
 		tokenOperator: tokenOperator,
+		userLister:    userLister,
 	}
 }

@@ -46,11 +50,16 @@ func (t *tokenAuthenticator) AuthenticateToken(ctx context.Context, token string
 		return nil, false, err
 	}

+	dbUser, err := t.userLister.Get(providedUser.GetName())
+	if err != nil {
+		return nil, false, err
+	}
+
 	return &authenticator.Response{
 		User: &user.DefaultInfo{
 			Name:   providedUser.GetName(),
 			UID:    providedUser.GetUID(),
-			Groups: []string{user.AllAuthenticated},
+			Groups: append(dbUser.Spec.Groups, user.AllAuthenticated),
 		},
 	}, true, nil
 }
--- a/pkg/apiserver/authorization/authorizerfactory/rbac.go
+++ b/pkg/apiserver/authorization/authorizerfactory/rbac.go
@@ -22,6 +22,7 @@ import (
 	"bytes"
 	"context"
 	"fmt"
+
 	"github.com/open-policy-agent/opa/rego"
 	"k8s.io/apiserver/pkg/authentication/serviceaccount"
 	iamv1alpha2 "kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
@@ -259,7 +260,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			workspace = requestAttributes.GetWorkspace()
 		}

-		if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", workspace); err != nil {
+		if workspaceRoleBindings, err := r.am.ListWorkspaceRoleBindings("", nil, workspace); err != nil {
 			if !visitor(nil, "", nil, err) {
 				return
 			}
@@ -304,7 +305,7 @@ func (r *RBACAuthorizer) visitRulesFor(requestAttributes authorizer.Attributes,
 			}
 		}

-		if roleBindings, err := r.am.ListRoleBindings("", namespace); err != nil {
+		if roleBindings, err := r.am.ListRoleBindings("", nil, namespace); err != nil {
 			if !visitor(nil, "", nil, err) {
 				return
 			}

--- a/pkg/kapis/iam/v1alpha2/handler.go
+++ b/pkg/kapis/iam/v1alpha2/handler.go
@@ -18,6 +18,8 @@ package v1alpha2

 import (
 	"fmt"
+	"strings"
+
 	"github.com/emicklei/go-restful"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -34,7 +36,6 @@ import (
 	"kubesphere.io/kubesphere/pkg/models/iam/am"
 	"kubesphere.io/kubesphere/pkg/models/iam/im"
 	servererr "kubesphere.io/kubesphere/pkg/server/errors"
-	"strings"
 )

 type iamHandler struct {
@@ -141,7 +142,14 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
 	if strings.HasSuffix(request.Request.URL.Path, iamv1alpha2.ResourcesPluralWorkspaceRole) {
 		workspace := request.PathParameter("workspace")
 		username := request.PathParameter("workspacemember")
-		workspaceRole, err := h.am.GetWorkspaceRoleOfUser(username, workspace)
+
+		user, err := h.im.DescribeUser(username)
+		if err != nil {
+			api.HandleInternalError(response, request, err)
+			return
+		}
+
+		workspaceRoles, err := h.am.GetWorkspaceRoleOfUser(username, user.Spec.Groups, workspace)
 		if err != nil {
 			// if role binding not exist return empty list
 			if errors.IsNotFound(err) {
@@ -151,19 +159,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
 			api.HandleInternalError(response, request, err)
 			return
 		}
+		templateRoles := make(map[string]*rbacv1.Role)
+		for _, role := range workspaceRoles {
+			// merge template Role
+			result, err := h.am.ListWorkspaceRoles(&query.Query{
+				Pagination: query.NoPagination,
+				SortBy:     "",
+				Ascending:  false,
+				Filters:    map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
+			})
+
+			if err != nil {
+				api.HandleInternalError(response, request, err)
+				return
+			}

-		result, err := h.am.ListWorkspaceRoles(&query.Query{
-			Pagination: query.NoPagination,
-			SortBy:     "",
-			Ascending:  false,
-			Filters:    map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(workspaceRole.Name)},
-		})
-		if err != nil {
-			api.HandleInternalError(response, request, err)
-			return
+			for _, obj := range result.Items {
+				templateRole := obj.(*rbacv1.Role)
+				templateRoles[templateRole.Name] = templateRole
+			}
 		}

-		response.WriteEntity(result.Items)
+		results := make([]*rbacv1.Role, 0, len(templateRoles))
+		for _, value := range templateRoles {
+			results = append(results, value)
+		}
+
+		response.WriteEntity(results)
 		return
 	}

@@ -175,8 +197,13 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
 			return
 		}

-		role, err := h.am.GetNamespaceRoleOfUser(username, namespace)
+		user, err := h.im.DescribeUser(username)
+		if err != nil {
+			api.HandleInternalError(response, request, err)
+			return
+		}

+		roles, err := h.am.GetNamespaceRoleOfUser(username, user.Spec.Groups, namespace)
 		if err != nil {
 			// if role binding not exist return empty list
 			if errors.IsNotFound(err) {
@@ -187,19 +214,33 @@ func (h *iamHandler) RetrieveMemberRoleTemplates(request *restful.Request, respo
 			return
 		}

-		result, err := h.am.ListRoles(namespace, &query.Query{
-			Pagination: query.NoPagination,
-			SortBy:     "",
-			Ascending:  false,
-			Filters:    map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
-		})
+		templateRoles := make(map[string]*rbacv1.Role)
+		for _, role := range roles {
+			// merge template Role
+			result, err := h.am.ListRoles(namespace, &query.Query{
+				Pagination: query.NoPagination,
+				SortBy:     "",
+				Ascending:  false,
+				Filters:    map[query.Field]query.Value{iamv1alpha2.AggregateTo: query.Value(role.Name)},
+			})
+
+			if err != nil {
+				api.HandleInternalError(response, request, err)
+				return
+			}

-		if err != nil {
-			api.HandleInternalError(response, request, err)
-			return
+			for _, obj := range result.Items {
+				templateRole := obj.(*rbacv1.Role)
+				templateRoles[templateRole.Name] = templateRole
+			}
 		}

-		response.WriteEntity(result.Items)
+		results := make([]*rbacv1.Role, 0, len(templateRoles))
+		for _, value := range templateRoles {
+			results = append(results, value)
+		}
+
+		response.WriteEntity(results)
 		return
 	}
 }

--- a/pkg/models/iam/am/am.go
+++ b/pkg/models/iam/am/am.go
@@ -18,6 +18,7 @@ package am
 import (
 	"encoding/json"
 	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
@@ -33,21 +34,22 @@ import (
 	kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
 	"kubesphere.io/kubesphere/pkg/informers"
 	resourcev1alpha3 "kubesphere.io/kubesphere/pkg/models/resources/v1alpha3/resource"
+	"kubesphere.io/kubesphere/pkg/utils/sliceutil"
 )

 type AccessManagementInterface interface {
 	GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalRole, error)
-	GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error)
+	GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error)
 	GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole, error)
-	GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error)
+	GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error)
 	ListRoles(namespace string, query *query.Query) (*api.ListResult, error)
 	ListClusterRoles(query *query.Query) (*api.ListResult, error)
 	ListWorkspaceRoles(query *query.Query) (*api.ListResult, error)
 	ListGlobalRoles(query *query.Query) (*api.ListResult, error)
 	ListGlobalRoleBindings(username string) ([]*iamv1alpha2.GlobalRoleBinding, error)
 	ListClusterRoleBindings(username string) ([]*rbacv1.ClusterRoleBinding, error)
-	ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
-	ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error)
+	ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error)
+	ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error)
 	GetRoleReferenceRules(roleRef rbacv1.RoleRef, namespace string) (string, []rbacv1.PolicyRule, error)
 	GetGlobalRole(globalRole string) (*iamv1alpha2.GlobalRole, error)
 	GetWorkspaceRole(workspace string, name string) (*iamv1alpha2.WorkspaceRole, error)
@@ -124,9 +126,9 @@ func (am *amOperator) GetGlobalRoleOfUser(username string) (*iamv1alpha2.GlobalR
 	return nil, err
 }

-func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1alpha2.WorkspaceRole, error) {
+func (am *amOperator) GetWorkspaceRoleOfUser(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRole, error) {

-	userRoleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
+	userRoleBindings, err := am.ListWorkspaceRoleBindings(username, groups, workspace)

 	if err != nil {
 		klog.Error(err)
@@ -134,23 +136,29 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1
 	}

 	if len(userRoleBindings) > 0 {
-		role, err := am.GetWorkspaceRole(workspace, userRoleBindings[0].RoleRef.Name)
+		roles := make([]*iamv1alpha2.WorkspaceRole, len(userRoleBindings))
+		for i, roleBinding := range userRoleBindings {
+			role, err := am.GetWorkspaceRole(workspace, roleBinding.RoleRef.Name)

-		if err != nil {
-			klog.Error(err)
-			return nil, err
+			if err != nil {
+				klog.Error(err)
+				return nil, err
+			}
+
+			out := role.DeepCopy()
+			if out.Annotations == nil {
+				out.Annotations = make(map[string]string, 0)
+			}
+			out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name
+
+			roles[i] = out
 		}

 		if len(userRoleBindings) > 1 {
-			klog.Warningf("conflict workspace role binding, username: %s", username)
+			klog.Infof("conflict workspace role binding, username: %s", username)
 		}

-		out := role.DeepCopy()
-		if out.Annotations == nil {
-			out.Annotations = make(map[string]string, 0)
-		}
-		out.Annotations[iamv1alpha2.WorkspaceRoleAnnotation] = role.Name
-		return out, nil
+		return roles, nil
 	}

 	err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularWorkspaceRoleBinding), username)
@@ -158,8 +166,9 @@ func (am *amOperator) GetWorkspaceRoleOfUser(username, workspace string) (*iamv1
 	return nil, err
 }

-func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv1.Role, error) {
-	userRoleBindings, err := am.ListRoleBindings(username, namespace)
+func (am *amOperator) GetNamespaceRoleOfUser(username string, groups []string, namespace string) ([]*rbacv1.Role, error) {
+
+	userRoleBindings, err := am.ListRoleBindings(username, groups, namespace)

 	if err != nil {
 		klog.Error(err)
@@ -167,21 +176,27 @@ func (am *amOperator) GetNamespaceRoleOfUser(username, namespace string) (*rbacv
 	}

 	if len(userRoleBindings) > 0 {
-		role, err := am.GetNamespaceRole(namespace, userRoleBindings[0].RoleRef.Name)
-		if err != nil {
-			klog.Error(err)
-			return nil, err
-		}
-		if len(userRoleBindings) > 1 {
-			klog.Warningf("conflict role binding, username: %s", username)
+		roles := make([]*rbacv1.Role, len(userRoleBindings))
+		for i, roleBinding := range userRoleBindings {
+			role, err := am.GetNamespaceRole(namespace, roleBinding.RoleRef.Name)
+			if err != nil {
+				klog.Error(err)
+				return nil, err
+			}
+
+			out := role.DeepCopy()
+			if out.Annotations == nil {
+				out.Annotations = make(map[string]string, 0)
+			}
+			out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name
+
+			roles[i] = out
 		}

-		out := role.DeepCopy()
-		if out.Annotations == nil {
-			out.Annotations = make(map[string]string, 0)
+		if len(userRoleBindings) > 1 {
+			klog.Infof("conflict role binding, username: %s", username)
 		}
-		out.Annotations[iamv1alpha2.RoleAnnotation] = role.Name
-		return out, nil
+		return roles, nil
 	}

 	err = errors.NewNotFound(iamv1alpha2.Resource(iamv1alpha2.ResourcesSingularRoleBinding), username)
@@ -221,7 +236,7 @@ func (am *amOperator) GetClusterRoleOfUser(username string) (*rbacv1.ClusterRole
 	return nil, err
 }

-func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) {
+func (am *amOperator) ListWorkspaceRoleBindings(username string, groups []string, workspace string) ([]*iamv1alpha2.WorkspaceRoleBinding, error) {
 	roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralWorkspaceRoleBinding, "", query.New())

 	if err != nil {
@@ -233,7 +248,7 @@ func (am *amOperator) ListWorkspaceRoleBindings(username, workspace string) ([]*
 	for _, obj := range roleBindings.Items {
 		roleBinding := obj.(*iamv1alpha2.WorkspaceRoleBinding)
 		inSpecifiedWorkspace := workspace == "" || roleBinding.Labels[tenantv1alpha1.WorkspaceLabel] == workspace
-		if contains(roleBinding.Subjects, username) && inSpecifiedWorkspace {
+		if contains(roleBinding.Subjects, username, groups) && inSpecifiedWorkspace {
 			result = append(result, roleBinding)
 		}
 	}
@@ -252,7 +267,7 @@ func (am *amOperator) ListClusterRoleBindings(username string) ([]*rbacv1.Cluste
 	result := make([]*rbacv1.ClusterRoleBinding, 0)
 	for _, obj := range roleBindings.Items {
 		roleBinding := obj.(*rbacv1.ClusterRoleBinding)
-		if contains(roleBinding.Subjects, username) {
+		if contains(roleBinding.Subjects, username, nil) {
 			result = append(result, roleBinding)
 		}
 	}
@@ -271,7 +286,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl

 	for _, obj := range roleBindings.Items {
 		roleBinding := obj.(*iamv1alpha2.GlobalRoleBinding)
-		if contains(roleBinding.Subjects, username) {
+		if contains(roleBinding.Subjects, username, nil) {
 			result = append(result, roleBinding)
 		}
 	}
@@ -279,7 +294,7 @@ func (am *amOperator) ListGlobalRoleBindings(username string) ([]*iamv1alpha2.Gl
 	return result, nil
 }

-func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.RoleBinding, error) {
+func (am *amOperator) ListRoleBindings(username string, groups []string, namespace string) ([]*rbacv1.RoleBinding, error) {
 	roleBindings, err := am.resourceGetter.List(iamv1alpha2.ResourcesPluralRoleBinding, namespace, query.New())
 	if err != nil {
 		klog.Error(err)
@@ -289,14 +304,14 @@ func (am *amOperator) ListRoleBindings(username, namespace string) ([]*rbacv1.Ro
 	result := make([]*rbacv1.RoleBinding, 0)
 	for _, obj := range roleBindings.Items {
 		roleBinding := obj.(*rbacv1.RoleBinding)
-		if contains(roleBinding.Subjects, username) {
+		if contains(roleBinding.Subjects, username, groups) {
 			result = append(result, roleBinding)
 		}
 	}
 	return result, nil
 }

-func contains(subjects []rbacv1.Subject, username string) bool {
+func contains(subjects []rbacv1.Subject, username string, groups []string) bool {
 	// if username is nil means list all role bindings
 	if username == "" {
 		return true
@@ -305,6 +320,9 @@ func contains(subjects []rbacv1.Subject, username string) bool {
 		if subject.Kind == rbacv1.UserKind && subject.Name == username {
 			return true
 		}
+		if subject.Kind == rbacv1.GroupKind && sliceutil.HasString(groups, subject.Name) {
+			return true
+		}
 	}
 	return false
 }
@@ -557,7 +575,7 @@ func (am *amOperator) CreateWorkspaceRoleBinding(username string, workspace stri
 		return err
 	}

-	roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
+	roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace)
 	if err != nil {
 		klog.Error(err)
 		return err
@@ -666,7 +684,8 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri
 		return err
 	}

-	roleBindings, err := am.ListRoleBindings(username, namespace)
+	// Don't pass user's groups.
+	roleBindings, err := am.ListRoleBindings(username, nil, namespace)
 	if err != nil {
 		klog.Error(err)
 		return err
@@ -714,7 +733,7 @@ func (am *amOperator) CreateNamespaceRoleBinding(username string, namespace stri

 func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string) error {

-	roleBindings, err := am.ListWorkspaceRoleBindings(username, workspace)
+	roleBindings, err := am.ListWorkspaceRoleBindings(username, nil, workspace)
 	if err != nil {
 		klog.Error(err)
 		return err
@@ -736,7 +755,7 @@ func (am *amOperator) RemoveUserFromWorkspace(username string, workspace string)

 func (am *amOperator) RemoveUserFromNamespace(username string, namespace string) error {

-	roleBindings, err := am.ListRoleBindings(username, namespace)
+	roleBindings, err := am.ListRoleBindings(username, nil, namespace)
 	if err != nil {
 		klog.Error(err)
 		return err

--- a/pkg/models/iam/im/authenticator.go
+++ b/pkg/models/iam/im/authenticator.go
@@ -20,6 +20,8 @@ package im

 import (
 	"fmt"
+	"net/mail"
+
 	"github.com/go-ldap/ldap"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/labels"
@@ -32,7 +34,6 @@ import (
 	kubesphere "kubesphere.io/kubesphere/pkg/client/clientset/versioned"
 	iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/constants"
-	"net/mail"
 )

 var (
@@ -131,8 +132,9 @@ func (im *passwordAuthenticator) Authenticate(username, password string) (authus

 	if checkPasswordHash(password, user.Spec.EncryptedPassword) {
 		return &authuser.DefaultInfo{
-			Name: user.Name,
-			UID:  string(user.UID),
+			Name:   user.Name,
+			UID:    string(user.UID),
+			Groups: user.Spec.Groups,
 		}, nil
 	}


--- a/pkg/models/tenant/devops.go
+++ b/pkg/models/tenant/devops.go
@@ -18,6 +18,7 @@ package tenant

 import (
 	"fmt"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
@@ -66,7 +67,7 @@ func (t *tenantOperator) ListDevOpsProjects(user user.Info, workspace string, qu
 		return result, nil
 	}

-	roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
+	roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
 	if err != nil {
 		klog.Error(err)
 		return nil, err

--- a/pkg/models/tenant/tenant.go
+++ b/pkg/models/tenant/tenant.go
@@ -20,6 +20,9 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
+	"strings"
+	"time"
+
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -53,8 +56,6 @@ import (
 	eventsclient "kubesphere.io/kubesphere/pkg/simple/client/events"
 	loggingclient "kubesphere.io/kubesphere/pkg/simple/client/logging"
 	"kubesphere.io/kubesphere/pkg/utils/stringutils"
-	"strings"
-	"time"
 )

 type Interface interface {
@@ -134,7 +135,7 @@ func (t *tenantOperator) ListWorkspaces(user user.Info, queryParam *query.Query)
 	}

 	// retrieving associated resources through role binding
-	workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "")
+	workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "")
 	if err != nil {
 		klog.Error(err)
 		return nil, err
@@ -205,7 +206,7 @@ func (t *tenantOperator) ListFederatedNamespaces(user user.Info, workspace strin
 	}

 	// retrieving associated resources through role binding
-	roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
+	roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
 	if err != nil {
 		klog.Error(err)
 		return nil, err
@@ -273,7 +274,7 @@ func (t *tenantOperator) ListNamespaces(user user.Info, workspace string, queryP
 	}

 	// retrieving associated resources through role binding
-	roleBindings, err := t.am.ListRoleBindings(user.GetName(), "")
+	roleBindings, err := t.am.ListRoleBindings(user.GetName(), user.GetGroups(), "")
 	if err != nil {
 		klog.Error(err)
 		return nil, err
@@ -472,7 +473,7 @@ func (t *tenantOperator) ListClusters(user user.Info) (*api.ListResult, error) {
 		return result, nil
 	}

-	workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), "")
+	workspaceRoleBindings, err := t.am.ListWorkspaceRoleBindings(user.GetName(), user.GetGroups(), "")

 	if err != nil {
 		klog.Error(err)