提交
8f4a6d9b
编写于
11月 27, 2020
作者:
LinuxSuRen
Restrict only specific users or admin can approve a pipeline
Signed-off-by:
rick
<
rick@jenkins-zh.cn
>
上级
c5de21af
变更
5
Showing
5 changed file
with
143 addition
and
15 deletion
+143
-15
pkg/apiserver/apiserver.go
pkg/apiserver/apiserver.go
+2
-1
pkg/kapis/devops/v1alpha2/devops.go
pkg/kapis/devops/v1alpha2/devops.go
+132
-5
pkg/kapis/devops/v1alpha2/handler.go
pkg/kapis/devops/v1alpha2/handler.go
+4
-1
pkg/kapis/devops/v1alpha2/register.go
pkg/kapis/devops/v1alpha2/register.go
+5
-4
pkg/models/devops/devops.go
pkg/models/devops/devops.go
+0
-4
pkg/apiserver/apiserver.go
...
...
@@ -210,7 +210,8 @@ func (s *APIServer) installKubeSphereAPIs() {
s
.
SonarClient
,
s
.
KubernetesClient
.
KubeSphere
(),
s
.
S3Client
,
s
.
Config
.
DevopsOptions
.
Host
))
s
.
Config
.
DevopsOptions
.
Host
,
am
.
NewOperator
(
s
.
InformerFactory
,
s
.
KubernetesClient
.
KubeSphere
(),
s
.
KubernetesClient
.
Kubernetes
())))
urlruntime
.
Must
(
devopsv1alpha3
.
AddToContainer
(
s
.
container
,
s
.
DevopsClient
,
s
.
KubernetesClient
.
Kubernetes
(),
...
...
pkg/kapis/devops/v1alpha2/devops.go
...
...
@@ -17,10 +17,17 @@ limitations under the License.
package
v1alpha2
import
(
"encoding/json"
"errors"
"fmt"
"github.com/emicklei/go-restful"
"k8s.io/apiserver/pkg/authentication/user"
log
"k8s.io/klog"
"kubesphere.io/kubesphere/pkg/api"
iamv1alpha2
"kubesphere.io/kubesphere/pkg/apis/iam/v1alpha2"
"kubesphere.io/kubesphere/pkg/apiserver/request"
"kubesphere.io/kubesphere/pkg/models/devops"
clientDevOps
"kubesphere.io/kubesphere/pkg/simple/client/devops"
"net/http"
"strings"
)
...
...
@@ -202,20 +209,106 @@ func (h *ProjectPipelineHandler) GetPipelineRunNodes(req *restful.Request, resp
resp
.
WriteAsJson
(
res
)
}
func
(
h
*
ProjectPipelineHandler
)
SubmitInputStep
(
req
*
restful
.
Request
,
resp
*
restful
.
Response
)
{
func
(
h
*
ProjectPipelineHandler
)
hasSubmitPermission
(
req
*
restful
.
Request
)
(
hasPermit
bool
,
err
error
)
{
var
currentUserName
string
var
userInfo
user
.
Info
var
ok
bool
ctx
:=
req
.
Request
.
Context
()
if
userInfo
,
ok
=
request
.
UserFrom
(
ctx
);
ok
{
// check if current user belong to the admin group, grant it if it's true
var
role
*
iamv1alpha2
.
GlobalRole
currentUserName
=
userInfo
.
GetName
()
if
role
,
err
=
h
.
abc
.
GetGlobalRoleOfUser
(
currentUserName
);
err
==
nil
{
if
role
.
Name
==
iamv1alpha2
.
PlatformAdmin
{
hasPermit
=
true
return
}
}
else
{
return
}
}
// step 2, check if current user if was addressed
httpReq
:=
&
http
.
Request
{
URL
:
req
.
Request
.
URL
,
Header
:
req
.
Request
.
Header
,
Form
:
req
.
Request
.
Form
,
PostForm
:
req
.
Request
.
PostForm
,
}
projectName
:=
req
.
PathParameter
(
"devops"
)
pipelineName
:=
req
.
PathParameter
(
"pipeline"
)
runId
:=
req
.
PathParameter
(
"run"
)
nodeId
:=
req
.
PathParameter
(
"node"
)
stepId
:=
req
.
PathParameter
(
"step"
)
res
,
err
:=
h
.
devopsOperator
.
SubmitInputStep
(
projectName
,
pipelineName
,
runId
,
nodeId
,
stepId
,
req
.
Request
)
if
err
!=
nil
{
parseErr
(
err
,
resp
)
// find the expected submitter list which separated by common
var
expectedSubmitter
string
var
res
[]
clientDevOps
.
NodesDetail
if
res
,
err
=
h
.
devopsOperator
.
GetNodesDetail
(
projectName
,
pipelineName
,
runId
,
httpReq
);
err
==
nil
{
for
_
,
node
:=
range
res
{
if
node
.
ID
!=
nodeId
{
continue
}
for
_
,
step
:=
range
node
.
Steps
{
if
step
.
ID
!=
stepId
||
step
.
Input
==
nil
{
continue
}
expectedSubmitter
=
fmt
.
Sprintf
(
"%v"
,
step
.
Input
.
Submitter
)
break
}
break
}
}
else
{
log
.
Errorf
(
"cannot get nodes detail, error: %v"
,
err
)
err
=
errors
.
New
(
"cannot get the submitters of current pipeline run"
)
return
}
resp
.
Write
(
res
)
// grant all users if there's no specific one
if
expectedSubmitter
==
""
{
hasPermit
=
true
}
else
{
for
_
,
submitter
:=
range
strings
.
Split
(
expectedSubmitter
,
","
)
{
if
strings
.
TrimSpace
(
submitter
)
==
currentUserName
{
hasPermit
=
true
break
}
}
}
return
}
func
(
h
*
ProjectPipelineHandler
)
SubmitInputStep
(
req
*
restful
.
Request
,
resp
*
restful
.
Response
)
{
projectName
:=
req
.
PathParameter
(
"devops"
)
pipelineName
:=
req
.
PathParameter
(
"pipeline"
)
runId
:=
req
.
PathParameter
(
"run"
)
nodeId
:=
req
.
PathParameter
(
"node"
)
stepId
:=
req
.
PathParameter
(
"step"
)
var
(
response
[]
byte
err
error
ok
bool
)
if
ok
,
err
=
h
.
hasSubmitPermission
(
req
);
!
ok
||
err
!=
nil
{
msg
:=
map
[
string
]
string
{
"allow"
:
"false"
,
"message"
:
fmt
.
Sprintf
(
"%v"
,
err
),
}
response
,
_
=
json
.
Marshal
(
msg
)
}
else
{
response
,
err
=
h
.
devopsOperator
.
SubmitInputStep
(
projectName
,
pipelineName
,
runId
,
nodeId
,
stepId
,
req
.
Request
)
if
err
!=
nil
{
parseErr
(
err
,
resp
)
return
}
}
resp
.
Write
(
response
)
}
func
(
h
*
ProjectPipelineHandler
)
GetNodesDetail
(
req
*
restful
.
Request
,
resp
*
restful
.
Response
)
{
...
...
@@ -401,6 +494,40 @@ func (h *ProjectPipelineHandler) SubmitBranchInputStep(req *restful.Request, res
nodeId
:=
req
.
PathParameter
(
"node"
)
stepId
:=
req
.
PathParameter
(
"step"
)
var
currentUesrName
string
ctx
:=
req
.
Request
.
Context
()
if
user
,
ok
:=
request
.
UserFrom
(
ctx
);
ok
{
currentUesrName
=
user
.
GetName
()
}
fmt
.
Println
(
"current user"
,
currentUesrName
,
"nodeId"
,
nodeId
,
"stepid"
,
stepId
)
req
.
Request
.
UserAgent
()
if
res
,
err
:=
h
.
devopsOperator
.
GetNodesDetail
(
projectName
,
pipelineName
,
runId
,
req
.
Request
);
err
==
nil
{
for
_
,
node
:=
range
res
{
fmt
.
Println
(
"nodeid"
,
node
.
ID
)
if
node
.
ID
!=
nodeId
{
continue
}
for
_
,
step
:=
range
node
.
Steps
{
fmt
.
Println
(
"stepid"
,
step
.
ID
,
step
.
Input
)
if
step
.
ID
!=
stepId
&&
step
.
Input
!=
nil
{
continue
}
submitter
:=
step
.
Input
.
Submitter
fmt
.
Println
(
submitter
)
if
currentUesrName
!=
submitter
{
resp
.
Write
([]
byte
(
"no permission"
))
return
}
}
}
}
else
{
log
.
Infof
(
"cannot get the nodes detail when submit a branch input step"
)
}
res
,
err
:=
h
.
devopsOperator
.
SubmitBranchInputStep
(
projectName
,
pipelineName
,
branchName
,
runId
,
nodeId
,
stepId
,
req
.
Request
)
if
err
!=
nil
{
parseErr
(
err
,
resp
)
...
...
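Review bot: The step filter in the SubmitBranchInputStep hunk skips a step only when `step.ID != stepId && step.Input != nil`, so any step whose Input is nil — the target step included — falls through to `submitter := step.Input.Submitter` and dereferences nil; the condition should be `if step.ID != stepId || step.Input == nil { continue }`, which is how the hasSubmitPermission hunk earlier in this file already writes it. When GetNodesDetail fails, the branch path only logs (`log.Infof("cannot get the nodes detail when submit a branch input step")`) and then still calls SubmitBranchInputStep, so an error in the lookup lets the approval through, whereas hasSubmitPermission returns an error in the same situation; a `return` after the log, with an error written to resp, would keep both paths fail-closed. This path also lacks the admin bypass and the comma-separated submitter handling that hasSubmitPermission has, and answers a denied request with a 200 and a plain `no permission` body, so factoring the check into one shared helper that takes branchName would remove the drift. The `fmt.Println` calls and the bare `req.Request.UserAgent()` statement look like debugging leftovers. SubmitBranchInputStep starts before this hunk and continues after it.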
pkg/kapis/devops/v1alpha2/handler.go
...
...
@@ -20,6 +20,7 @@ import (
"kubesphere.io/kubesphere/pkg/client/clientset/versioned"
"kubesphere.io/kubesphere/pkg/client/informers/externalversions"
"kubesphere.io/kubesphere/pkg/models/devops"
"kubesphere.io/kubesphere/pkg/models/iam/am"
devopsClient
"kubesphere.io/kubesphere/pkg/simple/client/devops"
"kubesphere.io/kubesphere/pkg/simple/client/s3"
"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
...
...
@@ -28,16 +29,18 @@ import (
type
ProjectPipelineHandler
struct
{
devopsOperator
devops
.
DevopsOperator
projectCredentialGetter
devops
.
ProjectCredentialGetter
abc
am
.
AccessManagementInterface
}
type
PipelineSonarHandler
struct
{
pipelineSonarGetter
devops
.
PipelineSonarGetter
}
func
NewProjectPipelineHandler
(
devopsClient
devopsClient
.
Interface
)
ProjectPipelineHandler
{
func
NewProjectPipelineHandler
(
devopsClient
devopsClient
.
Interface
,
abc
am
.
AccessManagementInterface
)
ProjectPipelineHandler
{
return
ProjectPipelineHandler
{
devopsOperator
:
devops
.
NewDevopsOperator
(
devopsClient
,
nil
,
nil
,
nil
,
nil
),
projectCredentialGetter
:
devops
.
NewProjectCredentialOperator
(
devopsClient
),
abc
:
abc
,
}
}
...
...
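Review bot: The new field `abc am.AccessManagementInterface` in ProjectPipelineHandler and the matching constructor parameter carry a name that says nothing about the dependency; `amOperator` (or `accessManager`) would read like the neighbouring `devopsOperator` and `projectCredentialGetter`, and the same `abc` parameter recurs in register.go's AddToContainer and AddPipelineToWebService and at the `h.abc.GetGlobalRoleOfUser` call in devops.go. NewProjectPipelineHandler also stores the value without any check, so a caller passing nil would only surface as a nil dereference when input-step approval runs; if nil is not a supported configuration, a one-line doc comment on the constructor stating that the access-management dependency must be non-nil would make the requirement visible.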
pkg/kapis/devops/v1alpha2/register.go
...
...
@@ -28,6 +28,7 @@ import (
"kubesphere.io/kubesphere/pkg/client/clientset/versioned"
"kubesphere.io/kubesphere/pkg/client/informers/externalversions"
"kubesphere.io/kubesphere/pkg/constants"
"kubesphere.io/kubesphere/pkg/models/iam/am"
"kubesphere.io/kubesphere/pkg/simple/client/devops/jenkins"
"kubesphere.io/kubesphere/pkg/simple/client/s3"
"kubesphere.io/kubesphere/pkg/simple/client/sonarqube"
...
...
@@ -46,10 +47,10 @@ const (
var
GroupVersion
=
schema
.
GroupVersion
{
Group
:
GroupName
,
Version
:
"v1alpha2"
}
func
AddToContainer
(
container
*
restful
.
Container
,
ksInformers
externalversions
.
SharedInformerFactory
,
devopsClient
devops
.
Interface
,
sonarqubeClient
sonarqube
.
SonarInterface
,
ksClient
versioned
.
Interface
,
s3Client
s3
.
Interface
,
endpoint
string
)
error
{
func
AddToContainer
(
container
*
restful
.
Container
,
ksInformers
externalversions
.
SharedInformerFactory
,
devopsClient
devops
.
Interface
,
sonarqubeClient
sonarqube
.
SonarInterface
,
ksClient
versioned
.
Interface
,
s3Client
s3
.
Interface
,
endpoint
string
,
abc
am
.
AccessManagementInterface
)
error
{
ws
:=
runtime
.
NewWebService
(
GroupVersion
)
err
:=
AddPipelineToWebService
(
ws
,
devopsClient
)
err
:=
AddPipelineToWebService
(
ws
,
devopsClient
,
abc
)
if
err
!=
nil
{
return
err
}
...
...
@@ -74,12 +75,12 @@ func AddToContainer(container *restful.Container, ksInformers externalversions.S
return
nil
}
func
AddPipelineToWebService
(
webservice
*
restful
.
WebService
,
devopsClient
devops
.
Interface
)
error
{
func
AddPipelineToWebService
(
webservice
*
restful
.
WebService
,
devopsClient
devops
.
Interface
,
abc
am
.
AccessManagementInterface
)
error
{
projectPipelineEnable
:=
devopsClient
!=
nil
if
projectPipelineEnable
{
projectPipelineHandler
:=
NewProjectPipelineHandler
(
devopsClient
)
projectPipelineHandler
:=
NewProjectPipelineHandler
(
devopsClient
,
abc
)
webservice
.
Route
(
webservice
.
GET
(
"/devops/{devops}/credentials/{credential}/usage"
)
.
To
(
projectPipelineHandler
.
GetProjectCredentialUsage
)
.
...
...
pkg/models/devops/devops.go
...
...
@@ -487,20 +487,16 @@ func (d devopsOperator) GetNodeSteps(projectName, pipelineName, runId, nodeId st
}
func
(
d
devopsOperator
)
GetPipelineRunNodes
(
projectName
,
pipelineName
,
runId
string
,
req
*
http
.
Request
)
([]
devops
.
PipelineRunNodes
,
error
)
{
res
,
err
:=
d
.
devopsClient
.
GetPipelineRunNodes
(
projectName
,
pipelineName
,
runId
,
convertToHttpParameters
(
req
))
if
err
!=
nil
{
klog
.
Error
(
err
)
return
nil
,
err
}
fmt
.
Println
()
return
res
,
err
}
func
(
d
devopsOperator
)
SubmitInputStep
(
projectName
,
pipelineName
,
runId
,
nodeId
,
stepId
string
,
req
*
http
.
Request
)
([]
byte
,
error
)
{
newBody
,
err
:=
getInputReqBody
(
req
.
Body
)
if
err
!=
nil
{
klog
.
Error
(
err
)
...
...