add interface for iam

Signed-off-by: N shaowenchen <mail@chenshaowen.com>

add interface for iam
Signed-off-by: N shaowenchen <mail@chenshaowen.com>
895d8b83 · shaowenchen · de5f4c36 · 895d8b83 · 895d8b83 · 895d8b83
8 changed file
--- a/cmd/controller-manager/app/controllers.go
+++ b/cmd/controller-manager/app/controllers.go
@@ -230,8 +230,7 @@ func addControllers(
 		kubesphereInformer.Tenant().V1alpha2().WorkspaceTemplates(), multiClusterEnabled)

 	globalRoleBindingController := globalrolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
-		kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(),
-		fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled)
+		kubesphereInformer.Iam().V1alpha2().GlobalRoleBindings(), fedGlobalRoleBindingCache, fedGlobalRoleBindingCacheController, multiClusterEnabled, devopsClient)

 	workspaceRoleBindingController := workspacerolebinding.NewController(client.Kubernetes(), client.KubeSphere(),
 		kubesphereInformer.Iam().V1alpha2().WorkspaceRoleBindings(),

--- a/pkg/controller/globalrolebinding/globalrolebinding_controller.go
+++ b/pkg/controller/globalrolebinding/globalrolebinding_controller.go
@@ -39,6 +39,9 @@ import (
 	iamv1alpha2informers "kubesphere.io/kubesphere/pkg/client/informers/externalversions/iam/v1alpha2"
 	iamv1alpha2listers "kubesphere.io/kubesphere/pkg/client/listers/iam/v1alpha2"
 	"kubesphere.io/kubesphere/pkg/constants"
+	modeldevops "kubesphere.io/kubesphere/pkg/models/devops"
+	devops "kubesphere.io/kubesphere/pkg/simple/client/devops"
+
 	"reflect"
 	"sigs.k8s.io/controller-runtime/pkg/controller/controllerutil"
 	"time"
@@ -70,10 +73,11 @@ type Controller struct {
 	// Kubernetes API.
 	recorder            record.EventRecorder
 	multiClusterEnabled bool
+	devopsClient        devops.Interface
 }

 func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface, globalRoleBindingInformer iamv1alpha2informers.GlobalRoleBindingInformer,
-	fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool) *Controller {
+	fedGlobalRoleBindingCache cache.Store, fedGlobalRoleBindingCacheController cache.Controller, multiClusterEnabled bool, devopsClient devops.Interface) *Controller {
 	// Create event broadcaster
 	// Add sample-controller types to the default Kubernetes Scheme so Events can be
 	// logged for sample-controller types.
@@ -94,6 +98,7 @@ func NewController(k8sClient kubernetes.Interface, ksClient kubesphere.Interface
 		workqueue:                           workqueue.NewNamedRateLimitingQueue(workqueue.DefaultControllerRateLimiter(), "GlobalRoleBinding"),
 		recorder:                            recorder,
 		multiClusterEnabled:                 multiClusterEnabled,
+		devopsClient:                        devopsClient,
 	}
 	klog.Info("Setting up event handlers")
 	globalRoleBindingInformer.Informer().AddEventHandler(cache.ResourceEventHandlerFuncs{
@@ -228,6 +233,14 @@ func (c *Controller) reconcile(key string) error {
 			klog.Error(err)
 			return err
 		}
+		if c.devopsClient != nil {
+			username := findExpectUsername(globalRoleBinding)
+			err = c.devopsClient.AssignGlobalRole(modeldevops.JenkinsAdminRoleName, username)
+			if err != nil {
+				klog.Errorf("%+v", err)
+				return err
+			}
+		}
 	}

 	if c.multiClusterEnabled {

--- a/pkg/models/devops/common.go
+++ b/pkg/models/devops/common.go
@@ -17,7 +17,9 @@ limitations under the License.
 package devops

 import (
+	"fmt"
 	"github.com/fatih/structs"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"kubesphere.io/kubesphere/pkg/utils/stringutils"
 )

@@ -64,3 +66,252 @@ const (
 const (
 	KS_ADMIN = "admin"
 )
+
+// define roles of DevOps
+const (
+	ProjectOwner      = "owner"
+	ProjectMaintainer = "maintainer"
+	ProjectDeveloper  = "developer"
+	ProjectReporter   = "reporter"
+)
+
+const (
+	JenkinsAllUserRoleName = "kubesphere-user"
+	JenkinsAdminRoleName   = "admin"
+)
+
+type Role struct {
+	Name        string `json:"name" description:"role's name e.g. owner'"`
+	Description string `json:"description" description:"role 's description'"`
+}
+
+var DefaultRoles = []*Role{
+	{
+		Name:        ProjectOwner,
+		Description: "Owner have access to do all the operations of a DevOps project and own the highest permissions as well.",
+	},
+	{
+		Name:        ProjectMaintainer,
+		Description: "Maintainer have access to manage pipeline and credential configuration in a DevOps project.",
+	},
+	{
+		Name:        ProjectDeveloper,
+		Description: "Developer is able to view and trigger the pipeline.",
+	},
+	{
+		Name:        ProjectReporter,
+		Description: "Reporter is only allowed to view the status of the pipeline.",
+	},
+}
+
+var AllRoleSlice = []string{ProjectDeveloper, ProjectReporter, ProjectMaintainer, ProjectOwner}
+
+// define the permission matrix of owner
+var JenkinsOwnerProjectPermissionIds = &devops.ProjectPermissionIds{
+	CredentialCreate:        true,
+	CredentialDelete:        true,
+	CredentialManageDomains: true,
+	CredentialUpdate:        true,
+	CredentialView:          true,
+	ItemBuild:               true,
+	ItemCancel:              true,
+	ItemConfigure:           true,
+	ItemCreate:              true,
+	ItemDelete:              true,
+	ItemDiscover:            true,
+	ItemMove:                true,
+	ItemRead:                true,
+	ItemWorkspace:           true,
+	RunDelete:               true,
+	RunReplay:               true,
+	RunUpdate:               true,
+	SCMTag:                  true,
+}
+
+// define the permission matrix of DevOps, including owner, maintainer, developer, reporter
+var JenkinsProjectPermissionMap = map[string]devops.ProjectPermissionIds{
+	ProjectOwner: {
+		CredentialCreate:        true,
+		CredentialDelete:        true,
+		CredentialManageDomains: true,
+		CredentialUpdate:        true,
+		CredentialView:          true,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           true,
+		ItemCreate:              true,
+		ItemDelete:              true,
+		ItemDiscover:            true,
+		ItemMove:                true,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  true,
+	},
+	ProjectMaintainer: {
+		CredentialCreate:        true,
+		CredentialDelete:        true,
+		CredentialManageDomains: true,
+		CredentialUpdate:        true,
+		CredentialView:          true,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           false,
+		ItemCreate:              true,
+		ItemDelete:              false,
+		ItemDiscover:            true,
+		ItemMove:                false,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  true,
+	},
+	ProjectDeveloper: {
+		CredentialCreate:        false,
+		CredentialDelete:        false,
+		CredentialManageDomains: false,
+		CredentialUpdate:        false,
+		CredentialView:          false,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           false,
+		ItemCreate:              false,
+		ItemDelete:              false,
+		ItemDiscover:            true,
+		ItemMove:                false,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  false,
+	},
+	ProjectReporter: {
+		CredentialCreate:        false,
+		CredentialDelete:        false,
+		CredentialManageDomains: false,
+		CredentialUpdate:        false,
+		CredentialView:          false,
+		ItemBuild:               false,
+		ItemCancel:              false,
+		ItemConfigure:           false,
+		ItemCreate:              false,
+		ItemDelete:              false,
+		ItemDiscover:            true,
+		ItemMove:                false,
+		ItemRead:                true,
+		ItemWorkspace:           false,
+		RunDelete:               false,
+		RunReplay:               false,
+		RunUpdate:               false,
+		SCMTag:                  false,
+	},
+}
+
+// define the permission matrix of pipeline, including owner, maintainer, developer, reporter
+var JenkinsPipelinePermissionMap = map[string]devops.ProjectPermissionIds{
+	ProjectOwner: {
+		CredentialCreate:        true,
+		CredentialDelete:        true,
+		CredentialManageDomains: true,
+		CredentialUpdate:        true,
+		CredentialView:          true,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           true,
+		ItemCreate:              true,
+		ItemDelete:              true,
+		ItemDiscover:            true,
+		ItemMove:                true,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  true,
+	},
+	ProjectMaintainer: {
+		CredentialCreate:        true,
+		CredentialDelete:        true,
+		CredentialManageDomains: true,
+		CredentialUpdate:        true,
+		CredentialView:          true,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           true,
+		ItemCreate:              true,
+		ItemDelete:              true,
+		ItemDiscover:            true,
+		ItemMove:                true,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  true,
+	},
+	ProjectDeveloper: {
+		CredentialCreate:        false,
+		CredentialDelete:        false,
+		CredentialManageDomains: false,
+		CredentialUpdate:        false,
+		CredentialView:          false,
+		ItemBuild:               true,
+		ItemCancel:              true,
+		ItemConfigure:           false,
+		ItemCreate:              false,
+		ItemDelete:              false,
+		ItemDiscover:            true,
+		ItemMove:                false,
+		ItemRead:                true,
+		ItemWorkspace:           true,
+		RunDelete:               true,
+		RunReplay:               true,
+		RunUpdate:               true,
+		SCMTag:                  false,
+	},
+	ProjectReporter: {
+		CredentialCreate:        false,
+		CredentialDelete:        false,
+		CredentialManageDomains: false,
+		CredentialUpdate:        false,
+		CredentialView:          false,
+		ItemBuild:               false,
+		ItemCancel:              false,
+		ItemConfigure:           false,
+		ItemCreate:              false,
+		ItemDelete:              false,
+		ItemDiscover:            true,
+		ItemMove:                false,
+		ItemRead:                true,
+		ItemWorkspace:           false,
+		RunDelete:               false,
+		RunReplay:               false,
+		RunUpdate:               false,
+		SCMTag:                  false,
+	},
+}
+
+// get roleName of the project
+func GetProjectRoleName(projectId, role string) string {
+	return fmt.Sprintf("%s-%s-project", projectId, role)
+}
+
+// get roleName of the pipeline
+func GetPipelineRoleName(projectId, role string) string {
+	return fmt.Sprintf("%s-%s-pipeline", projectId, role)
+}
+
+// get pattern string of the project
+func GetProjectRolePattern(projectId string) string {
+	return fmt.Sprintf("^%s$", projectId)
+}
+
+// get pattern string of the project
+func GetPipelineRolePattern(projectId string) string {
+	return fmt.Sprintf("^%s/.*", projectId)
+}
--- a/pkg/simple/client/devops/fake/fakedevops.go
+++ b/pkg/simple/client/devops/fake/fakedevops.go
@@ -540,3 +540,39 @@ func (d *Devops) GetProjectPipelineConfig(projectId, pipelineId string) (*devops

 	return d.Pipelines[projectId][pipelineId], nil
 }
+
+func (d *Devops) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
+	return nil
+}
+
+func (d *Devops) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
+	return nil
+}
+
+func (d *Devops) DeleteProjectRoles(roleName ...string) error {
+	return nil
+}
+
+func (d *Devops) AssignProjectRole(roleName string, sid string) error {
+	return nil
+}
+
+func (d *Devops) UnAssignProjectRole(roleName string, sid string) error {
+	return nil
+}
+
+func (d *Devops) AssignGlobalRole(roleName string, sid string) error {
+	return nil
+}
+
+func (d *Devops) UnAssignGlobalRole(roleName string, sid string) error {
+	return nil
+}
+
+func (d *Devops) DeleteUserInProject(sid string) error {
+	return nil
+}
+
+func (d *Devops) GetGlobalRole(roleName string) (string, error) {
+	return "", nil
+}
--- a/pkg/simple/client/devops/interface.go
+++ b/pkg/simple/client/devops/interface.go
@@ -17,6 +17,8 @@ type Interface interface {
 	ProjectPipelineOperator

 	ProjectOperator
+
+	RoleOperator
 }

 func GetDevOpsStatusCode(devopsErr error) int {

--- a/pkg/simple/client/devops/jenkins/jenkins.go
+++ b/pkg/simple/client/devops/jenkins/jenkins.go
@@ -214,7 +214,9 @@ func (j *Jenkins) Poll() (int, error) {
 	return resp.StatusCode, nil
 }

-func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
+// query roleName exist or not
+// if return roleName means exist
+func (j *Jenkins) GetGlobalRole(roleName string) (string, error) {
 	roleResponse := &GlobalRoleResponse{
 		RoleName: roleName,
 	}
@@ -226,15 +228,29 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
 			"type":     GLOBAL_ROLE,
 		})
 	if err != nil {
-		return nil, err
+		return "", err
 	}
 	if response.StatusCode != http.StatusOK {
-		return nil, errors.New(strconv.Itoa(response.StatusCode))
+		return "", errors.New(strconv.Itoa(response.StatusCode))
 	}
 	if stringResponse == "{}" {
-		return nil, nil
+		return "", nil
 	}
 	err = json.Unmarshal([]byte(stringResponse), roleResponse)
+	if err != nil {
+		return "", err
+	}
+	return roleResponse.RoleName, nil
+}
+
+func (j *Jenkins) GetGlobalRoleHandler(roleName string) (*GlobalRole, error) {
+	name, err := j.GetGlobalRole(roleName)
+	if err != nil {
+		return nil, err
+	}
+	roleResponse := &GlobalRoleResponse{
+		RoleName: name,
+	}
 	if err != nil {
 		return nil, err
 	}
@@ -244,6 +260,50 @@ func (j *Jenkins) GetGlobalRole(roleName string) (*GlobalRole, error) {
 	}, nil
 }

+// assign a global roleName to username(sid)
+func (j *Jenkins) AssignGlobalRole(roleName string, sid string) error {
+	globalRole, err := j.GetGlobalRoleHandler(roleName)
+	if err != nil {
+		return err
+	}
+	param := map[string]string{
+		"type":     GLOBAL_ROLE,
+		"roleName": globalRole.Raw.RoleName,
+		"sid":      sid,
+	}
+	responseString := ""
+	response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
+	if err != nil {
+		return err
+	}
+	if response.StatusCode != http.StatusOK {
+		return errors.New(strconv.Itoa(response.StatusCode))
+	}
+	return nil
+}
+
+// unassign a global roleName to username(sid)
+func (j *Jenkins) UnAssignGlobalRole(roleName string, sid string) error {
+	globalRole, err := j.GetGlobalRoleHandler(roleName)
+	if err != nil {
+		return err
+	}
+	param := map[string]string{
+		"type":     GLOBAL_ROLE,
+		"roleName": globalRole.Raw.RoleName,
+		"sid":      sid,
+	}
+	responseString := ""
+	response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
+	if err != nil {
+		return err
+	}
+	if response.StatusCode != http.StatusOK {
+		return errors.New(strconv.Itoa(response.StatusCode))
+	}
+	return nil
+}
+
 func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
 	roleResponse := &ProjectRoleResponse{
 		RoleName: roleName,
@@ -274,13 +334,52 @@ func (j *Jenkins) GetProjectRole(roleName string) (*ProjectRole, error) {
 	}, nil
 }

-func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) (*GlobalRole, error) {
-	responseRole := &GlobalRole{
-		Jenkins: j,
-		Raw: GlobalRoleResponse{
-			RoleName:      roleName,
-			PermissionIds: ids,
-		}}
+// assign a project roleName to username(sid)
+func (j *Jenkins) AssignProjectRole(roleName string, sid string) error {
+	projectRole, err := j.GetProjectRole(roleName)
+	if err != nil {
+		return err
+	}
+	param := map[string]string{
+		"type":     PROJECT_ROLE,
+		"roleName": projectRole.Raw.RoleName,
+		"sid":      sid,
+	}
+	responseString := ""
+	response, err := j.Requester.Post("/role-strategy/strategy/assignRole", nil, &responseString, param)
+	if err != nil {
+		return err
+	}
+	if response.StatusCode != http.StatusOK {
+		return errors.New(strconv.Itoa(response.StatusCode))
+	}
+	return nil
+}
+
+// unassign a project roleName to username(sid)
+func (j *Jenkins) UnAssignProjectRole(roleName string, sid string) error {
+	projectRole, err := j.GetProjectRole(roleName)
+	if err != nil {
+		return err
+	}
+	param := map[string]string{
+		"type":     PROJECT_ROLE,
+		"roleName": projectRole.Raw.RoleName,
+		"sid":      sid,
+	}
+	responseString := ""
+	response, err := j.Requester.Post("/role-strategy/strategy/unassignRole", nil, &responseString, param)
+	if err != nil {
+		return err
+	}
+	if response.StatusCode != http.StatusOK {
+		return errors.New(strconv.Itoa(response.StatusCode))
+	}
+	return nil
+}
+
+// add a global roleName
+func (j *Jenkins) AddGlobalRole(roleName string, ids devops.GlobalPermissionIds, overwrite bool) error {
 	var idArray []string
 	values := reflect.ValueOf(ids)
 	for i := 0; i < values.NumField(); i++ {
@@ -298,14 +397,15 @@ func (j *Jenkins) AddGlobalRole(roleName string, ids GlobalPermissionIds, overwr
 	responseString := ""
 	response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if response.StatusCode != http.StatusOK {
-		return nil, errors.New(strconv.Itoa(response.StatusCode))
+		return errors.New(strconv.Itoa(response.StatusCode))
 	}
-	return responseRole, nil
+	return nil
 }

+// delete roleName from the project
 func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
 	responseString := ""

@@ -323,14 +423,8 @@ func (j *Jenkins) DeleteProjectRoles(roleName ...string) error {
 	return nil
 }

-func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) (*ProjectRole, error) {
-	responseRole := &ProjectRole{
-		Jenkins: j,
-		Raw: ProjectRoleResponse{
-			RoleName:      roleName,
-			PermissionIds: ids,
-			Pattern:       pattern,
-		}}
+// add roleName for project
+func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids devops.ProjectPermissionIds, overwrite bool) error {
 	var idArray []string
 	values := reflect.ValueOf(ids)
 	for i := 0; i < values.NumField(); i++ {
@@ -349,12 +443,12 @@ func (j *Jenkins) AddProjectRole(roleName string, pattern string, ids ProjectPer
 	responseString := ""
 	response, err := j.Requester.Post("/role-strategy/strategy/addRole", nil, &responseString, param)
 	if err != nil {
-		return nil, err
+		return err
 	}
 	if response.StatusCode != http.StatusOK {
-		return nil, errors.New(strconv.Itoa(response.StatusCode))
+		return errors.New(strconv.Itoa(response.StatusCode))
 	}
-	return responseRole, nil
+	return nil
 }

 func (j *Jenkins) DeleteUserInProject(username string) error {

--- a/pkg/simple/client/devops/jenkins/role.go
+++ b/pkg/simple/client/devops/jenkins/role.go
@@ -2,6 +2,7 @@ package jenkins

 import (
 	"errors"
+	"kubesphere.io/kubesphere/pkg/simple/client/devops"
 	"net/http"
 	"reflect"
 	"strconv"
@@ -9,8 +10,8 @@ import (
 )

 type GlobalRoleResponse struct {
-	RoleName      string              `json:"roleName"`
-	PermissionIds GlobalPermissionIds `json:"permissionIds"`
+	RoleName      string                     `json:"roleName"`
+	PermissionIds devops.GlobalPermissionIds `json:"permissionIds"`
 }

 type GlobalRole struct {
@@ -18,71 +19,18 @@ type GlobalRole struct {
 	Raw     GlobalRoleResponse
 }

-type GlobalPermissionIds struct {
-	Administer              bool `json:"hudson.model.Hudson.Administer"`
-	GlobalRead              bool `json:"hudson.model.Hudson.Read"`
-	CredentialCreate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
-	CredentialUpdate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
-	CredentialView          bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
-	CredentialDelete        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
-	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
-	SlaveCreate             bool `json:"hudson.model.Computer.Create"`
-	SlaveConfigure          bool `json:"hudson.model.Computer.Configure"`
-	SlaveDelete             bool `json:"hudson.model.Computer.Delete"`
-	SlaveBuild              bool `json:"hudson.model.Computer.Build"`
-	SlaveConnect            bool `json:"hudson.model.Computer.Connect"`
-	SlaveDisconnect         bool `json:"hudson.model.Computer.Disconnect"`
-	ItemBuild               bool `json:"hudson.model.Item.Build"`
-	ItemCreate              bool `json:"hudson.model.Item.Create"`
-	ItemRead                bool `json:"hudson.model.Item.Read"`
-	ItemConfigure           bool `json:"hudson.model.Item.Configure"`
-	ItemCancel              bool `json:"hudson.model.Item.Cancel"`
-	ItemMove                bool `json:"hudson.model.Item.Move"`
-	ItemDiscover            bool `json:"hudson.model.Item.Discover"`
-	ItemWorkspace           bool `json:"hudson.model.Item.Workspace"`
-	ItemDelete              bool `json:"hudson.model.Item.Delete"`
-	RunUpdate               bool `json:"hudson.model.Run.Update"`
-	RunDelete               bool `json:"hudson.model.Run.Delete"`
-	ViewCreate              bool `json:"hudson.model.View.Create"`
-	ViewConfigure           bool `json:"hudson.model.View.Configure"`
-	ViewRead                bool `json:"hudson.model.View.Read"`
-	ViewDelete              bool `json:"hudson.model.View.Delete"`
-	SCMTag                  bool `json:"hudson.scm.SCM.Tag"`
-}
-
 type ProjectRole struct {
 	Jenkins *Jenkins
 	Raw     ProjectRoleResponse
 }

 type ProjectRoleResponse struct {
-	RoleName      string               `json:"roleName"`
-	PermissionIds ProjectPermissionIds `json:"permissionIds"`
-	Pattern       string               `json:"pattern"`
-}
-
-type ProjectPermissionIds struct {
-	CredentialCreate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
-	CredentialUpdate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
-	CredentialView          bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
-	CredentialDelete        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
-	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
-	ItemBuild               bool `json:"hudson.model.Item.Build"`
-	ItemCreate              bool `json:"hudson.model.Item.Create"`
-	ItemRead                bool `json:"hudson.model.Item.Read"`
-	ItemConfigure           bool `json:"hudson.model.Item.Configure"`
-	ItemCancel              bool `json:"hudson.model.Item.Cancel"`
-	ItemMove                bool `json:"hudson.model.Item.Move"`
-	ItemDiscover            bool `json:"hudson.model.Item.Discover"`
-	ItemWorkspace           bool `json:"hudson.model.Item.Workspace"`
-	ItemDelete              bool `json:"hudson.model.Item.Delete"`
-	RunUpdate               bool `json:"hudson.model.Run.Update"`
-	RunDelete               bool `json:"hudson.model.Run.Delete"`
-	RunReplay               bool `json:"hudson.model.Run.Replay"`
-	SCMTag                  bool `json:"hudson.scm.SCM.Tag"`
+	RoleName      string                      `json:"roleName"`
+	PermissionIds devops.ProjectPermissionIds `json:"permissionIds"`
+	Pattern       string                      `json:"pattern"`
 }

-func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
+func (j *GlobalRole) Update(ids devops.GlobalPermissionIds) error {
 	var idArray []string
 	values := reflect.ValueOf(ids)
 	for i := 0; i < values.NumField(); i++ {
@@ -108,6 +56,7 @@ func (j *GlobalRole) Update(ids GlobalPermissionIds) error {
 	return nil
 }

+// call jenkins api to update global role
 func (j *GlobalRole) AssignRole(sid string) error {
 	param := map[string]string{
 		"type":     GLOBAL_ROLE,
@@ -142,7 +91,9 @@ func (j *GlobalRole) UnAssignRole(sid string) error {
 	return nil
 }

-func (j *ProjectRole) Update(pattern string, ids ProjectPermissionIds) error {
+// update ProjectPermissionIds to Project
+// pattern string means some project, like project-name/*
+func (j *ProjectRole) Update(pattern string, ids devops.ProjectPermissionIds) error {
 	var idArray []string
 	values := reflect.ValueOf(ids)
 	for i := 0; i < values.NumField(); i++ {

--- a/pkg/simple/client/devops/role.go
+++ b/pkg/simple/client/devops/role.go
+/*
+Copyright 2020 The KubeSphere Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package devops
+
+// define the id of global permission items
+type GlobalPermissionIds struct {
+	Administer              bool `json:"hudson.model.Hudson.Administer"`
+	GlobalRead              bool `json:"hudson.model.Hudson.Read"`
+	CredentialCreate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+	CredentialUpdate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+	CredentialView          bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+	CredentialDelete        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+	SlaveCreate             bool `json:"hudson.model.Computer.Create"`
+	SlaveConfigure          bool `json:"hudson.model.Computer.Configure"`
+	SlaveDelete             bool `json:"hudson.model.Computer.Delete"`
+	SlaveBuild              bool `json:"hudson.model.Computer.Build"`
+	SlaveConnect            bool `json:"hudson.model.Computer.Connect"`
+	SlaveDisconnect         bool `json:"hudson.model.Computer.Disconnect"`
+	ItemBuild               bool `json:"hudson.model.Item.Build"`
+	ItemCreate              bool `json:"hudson.model.Item.Create"`
+	ItemRead                bool `json:"hudson.model.Item.Read"`
+	ItemConfigure           bool `json:"hudson.model.Item.Configure"`
+	ItemCancel              bool `json:"hudson.model.Item.Cancel"`
+	ItemMove                bool `json:"hudson.model.Item.Move"`
+	ItemDiscover            bool `json:"hudson.model.Item.Discover"`
+	ItemWorkspace           bool `json:"hudson.model.Item.Workspace"`
+	ItemDelete              bool `json:"hudson.model.Item.Delete"`
+	RunUpdate               bool `json:"hudson.model.Run.Update"`
+	RunDelete               bool `json:"hudson.model.Run.Delete"`
+	ViewCreate              bool `json:"hudson.model.View.Create"`
+	ViewConfigure           bool `json:"hudson.model.View.Configure"`
+	ViewRead                bool `json:"hudson.model.View.Read"`
+	ViewDelete              bool `json:"hudson.model.View.Delete"`
+	SCMTag                  bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// define the id of project permission items
+type ProjectPermissionIds struct {
+	CredentialCreate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Create"`
+	CredentialUpdate        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Update"`
+	CredentialView          bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.View"`
+	CredentialDelete        bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.Delete"`
+	CredentialManageDomains bool `json:"com.cloudbees.plugins.credentials.CredentialsProvider.ManageDomains"`
+	ItemBuild               bool `json:"hudson.model.Item.Build"`
+	ItemCreate              bool `json:"hudson.model.Item.Create"`
+	ItemRead                bool `json:"hudson.model.Item.Read"`
+	ItemConfigure           bool `json:"hudson.model.Item.Configure"`
+	ItemCancel              bool `json:"hudson.model.Item.Cancel"`
+	ItemMove                bool `json:"hudson.model.Item.Move"`
+	ItemDiscover            bool `json:"hudson.model.Item.Discover"`
+	ItemWorkspace           bool `json:"hudson.model.Item.Workspace"`
+	ItemDelete              bool `json:"hudson.model.Item.Delete"`
+	RunUpdate               bool `json:"hudson.model.Run.Update"`
+	RunDelete               bool `json:"hudson.model.Run.Delete"`
+	RunReplay               bool `json:"hudson.model.Run.Replay"`
+	SCMTag                  bool `json:"hudson.scm.SCM.Tag"`
+}
+
+// describe the interface of DevOps to operator role
+type RoleOperator interface {
+	AddGlobalRole(roleName string, ids GlobalPermissionIds, overwrite bool) error
+	GetGlobalRole(roleName string) (string, error)
+
+	AddProjectRole(roleName string, pattern string, ids ProjectPermissionIds, overwrite bool) error
+	DeleteProjectRoles(roleName ...string) error
+
+	AssignProjectRole(roleName string, sid string) error
+	UnAssignProjectRole(roleName string, sid string) error
+
+	AssignGlobalRole(roleName string, sid string) error
+	UnAssignGlobalRole(roleName string, sid string) error
+
+	DeleteUserInProject(sid string) error
+}