diff --git a/src/spaceone/identity/service/workspace_group_service.py b/src/spaceone/identity/service/workspace_group_service.py
index af7fe04..5a4f6d4 100644
--- a/src/spaceone/identity/service/workspace_group_service.py
+++ b/src/spaceone/identity/service/workspace_group_service.py
@@ -2,11 +2,7 @@
 from datetime import datetime
 from typing import Dict, List, Union
 
-from spaceone.core.error import (
- ERROR_INVALID_PARAMETER,
- ERROR_NOT_FOUND,
- ERROR_PERMISSION_DENIED,
-)
+from spaceone.core.error import ERROR_INVALID_PARAMETER, ERROR_NOT_FOUND
 from spaceone.core.service import (
 BaseService,
 authentication_handler,
@@ -169,10 +165,6 @@ def add_users(
 Returns:
 WorkspaceGroupResponse:
 """
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 new_users_info_list: List[Dict[str, str]] = params.users
 workspace_group_id = params.workspace_group_id
 domain_id = params.domain_id
@@ -241,10 +233,6 @@ def remove_users(
 Returns:
 WorkspaceGroupResponse:
 """
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 workspace_group_id = params.workspace_group_id
 users = params.users
 domain_id = params.domain_id
@@ -295,10 +283,6 @@ def update_role(
 Returns:
 WorkspaceGroupResponse:
 """
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 workspace_group_id = params.workspace_group_id
 user_id = params.user_id
 role_id = params.role_id
@@ -348,10 +332,6 @@ def get(
 Returns:
 WorkspaceGroupResponse:
 """
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 workspace_group_id = params.workspace_group_id
 domain_id = params.domain_id
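Review bot: Removing the explicit `DOMAIN_ADMIN` guard from add_users, remove_users, update_role and get leaves no in-method authorization check on these workspace-group operations, and the `@transaction(...)` decorators that would have to enforce the restriction instead sit outside these hunks. If those decorators do not carry `role_types=["DOMAIN_ADMIN"]` (the pattern visible on `identity:Workspace.write` in workspace_service.py), a caller holding a workspace-scoped role could add or remove members and change their roles in a group that spans workspaces it does not own. Before merging, confirm the `role_types` on each of the four decorators, or keep a single guard such as `if self.transaction.get_meta("authorization.role_type") != "DOMAIN_ADMIN": raise ERROR_PERMISSION_DENIED()` (in which case the `ERROR_PERMISSION_DENIED` import dropped in the first hunk has to stay). All four method bodies start and end outside these hunks.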
@@ -395,10 +375,6 @@ def list(
 Returns:
 WorkspaceGroupsResponse:
 """
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 query = params.query
 workspace_group_vos, total_count = (
@@ -447,11 +423,6 @@ def stat(self, params: WorkspaceGroupStatQueryRequest) -> dict:
 'total_count': 'int'
 }
 """
-
- role_type = self.transaction.get_meta("authorization.role_type")
- if role_type != "DOMAIN_ADMIN":
- raise ERROR_PERMISSION_DENIED()
-
 query = params.query
 return self.workspace_group_mgr.stat_workspace_group(query)
diff --git a/src/spaceone/identity/service/workspace_service.py b/src/spaceone/identity/service/workspace_service.py
index 6da0b69..71e755a 100644
--- a/src/spaceone/identity/service/workspace_service.py
+++ b/src/spaceone/identity/service/workspace_service.py
@@ -12,9 +12,12 @@
 from spaceone.identity.manager.project_manager import ProjectManager
 from spaceone.identity.manager.resource_manager import ResourceManager
 from spaceone.identity.manager.role_binding_manager import RoleBindingManager
-from spaceone.identity.manager.service_account_manager import ServiceAccountManager
-from spaceone.identity.manager.trusted_account_manager import TrustedAccountManager
-from spaceone.identity.manager.workspace_group_manager import WorkspaceGroupManager
+from spaceone.identity.manager.service_account_manager import \
+ ServiceAccountManager
+from spaceone.identity.manager.trusted_account_manager import \
+ TrustedAccountManager
+from spaceone.identity.manager.workspace_group_manager import \
+ WorkspaceGroupManager
 from spaceone.identity.manager.workspace_manager import WorkspaceManager
 from spaceone.identity.model import Workspace
 from spaceone.identity.model.workspace.request import *
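Review bot: With the `DOMAIN_ADMIN` guard gone, list and stat pass `params.query` straight to the manager with nothing in these hunks narrowing it to the caller's domain or to the groups the caller belongs to, so whether a non-admin can enumerate or aggregate every workspace group now rests entirely on the `@transaction` decorators and any query-scoping applied outside the hunks. If the intent is to open read access to workspace-scoped roles, the query should be constrained to the caller's own groups before it is executed; if the intent is still admin-only, confirm both decorators carry `role_types=["DOMAIN_ADMIN"]`. After this diff no explicit permission check remains in workspace_group_service.py at all, so any decorator that is wider than intended becomes an information-disclosure path. Both method bodies start outside these hunks.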
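Review bot: The three re-wrapped imports in the workspace_service.py hunk use backslash continuations, which PEP 8 discourages and which black/ruff will rewrite back into a single line or a parenthesized form on the next format run, producing churn. Prefer the parenthesized form, e.g. `from spaceone.identity.manager.service_account_manager import (` / `    ServiceAccountManager,` / `)`, or leave the lines as they were if the project's line-length limit permits it.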
@@ -37,6 +40,7 @@ def __init__(self, *args, **kwargs):
 self.resource_mgr = ResourceManager()
 self.workspace_mgr = WorkspaceManager()
 self.service_account_mgr = ServiceAccountManager()
+ self.rb_mgr = RoleBindingManager()
 self.workspace_group_mgr = WorkspaceGroupManager()
 
 @transaction(permission="identity:Workspace.write", role_types=["DOMAIN_ADMIN"])
@@ -450,22 +454,37 @@ def _remove_workspace_from_group(
 workspace_vo = self.workspace_mgr.get_workspace(
 workspace_id=workspace_id, domain_id=domain_id
 )
- workspace_vo.changed_at = datetime.utcnow()
- workspace_vo.workspace_group_id = None
- self.workspace_mgr.update_workspace_by_vo(
- {"changed_at": workspace_vo.changed_at, "workspace_group_id": None},
- workspace_vo,
- )
+ if workspace_vo:
+ workspace_vo.changed_at = datetime.utcnow()
+ workspace_vo.workspace_group_id = None
+
+ user_rb_ids = self.rb_mgr.stat_role_bindings(
+ query={
+ "distinct": "user_id",
+ "filter": [
+ {"k": "workspace_id", "v": workspace_id, "o": "eq"},
+ {"k": "domain_id", "v": domain_id, "o": "eq"},
+ ],
+ }
+ ).get("results", [])
+ user_rb_total_count = len(user_rb_ids)
+
+ self.workspace_mgr.update_workspace_by_vo(
+ {
+ "user_count": user_rb_total_count,
+ "changed_at": workspace_vo.changed_at,
+ "workspace_group_id": None,
+ },
+ workspace_vo,
+ )
 
- @staticmethod
- def _delete_role_bindings(existing_workspace_group_id: str, domain_id: str):
- rb_mgr = RoleBindingManager()
- rb_vos = rb_mgr.filter_role_bindings(
+ def _delete_role_bindings(self, existing_workspace_group_id: str, domain_id: str):
+ rb_vos = self.rb_mgr.filter_role_bindings(
 workspace_group_id=existing_workspace_group_id,
 domain_id=domain_id,
 )
 for rb_vo in rb_vos:
- rb_mgr.delete_role_binding_by_vo(rb_vo)
+ self.rb_mgr.delete_role_binding_by_vo(rb_vo)
 
 @staticmethod
 def _create_role_bindings(
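Review bot: The new `if workspace_vo:` guard turns an unknown workspace_id into a silent no-op, so a caller that asked to detach a workspace from its group gets no signal that nothing was changed; if `get_workspace` can return None here, raise the service's not-found error instead of skipping, and if it already raises, the guard is dead code and should be removed rather than suggest a path that does not exist. The recomputed `user_count` is the number of distinct `user_id` role bindings on the workspace at the moment this runs, so it is only correct if `_delete_role_bindings` has already removed the group-derived bindings — that call order is outside the hunk, so either pin it with a comment such as `# must run after _delete_role_bindings, otherwise group-derived users are still counted` or move the count after the deletion. Dropping `@staticmethod` from `_delete_role_bindings` also breaks any call made through the class (`WorkspaceService._delete_role_bindings(...)`), which is worth a grep before merging. `_remove_workspace_from_group` begins outside the hunk.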