feat: Turbo编译加速对接权限中心RBAC TencentBlueKing#316

src/backend/turbo/biz-turbo/build.gradle.kts

@@ -20,7 +20,4 @@ dependencies {
     api("com.tencent.bk.devops.ci.auth:api-auth:${Versions.ciVersion}"){
         isTransitive = false
     }
-    api("com.tencent.bk.devops.ci.common:common-auth-api:${Versions.ciVersion}"){
-        isTransitive = false
-    }
 }

src/backend/turbo/biz-turbo/src/main/kotlin/com/tencent/devops/turbo/controller/UserTurboDaySummaryController.kt

@@ -1,11 +1,10 @@
 package com.tencent.devops.turbo.controller
 
 import com.tencent.devops.api.pojo.Response
-import com.tencent.devops.common.api.exception.TurboException
-import com.tencent.devops.common.api.exception.code.IS_NOT_ADMIN_MEMBER
-import com.tencent.devops.common.util.constants.NO_ADMIN_MEMBER_MESSAGE
+import com.tencent.devops.common.api.annotation.RequiresAuth
+import com.tencent.devops.common.util.enums.ResourceActionType
+import com.tencent.devops.common.util.enums.ResourceType
 import com.tencent.devops.turbo.api.IUserTurboDaySummaryController
-import com.tencent.devops.turbo.service.TurboAuthService
 import com.tencent.devops.turbo.service.TurboSummaryService
 import com.tencent.devops.turbo.vo.TurboOverviewStatRowVO
 import com.tencent.devops.turbo.vo.TurboOverviewTrendVO
@@ -14,47 +13,37 @@ import org.springframework.web.bind.annotation.RestController
 
 @RestController
 class UserTurboDaySummaryController @Autowired constructor(
-    private val turboSummaryService: TurboSummaryService,
-    private val turboAuthService: TurboAuthService
+    private val turboSummaryService: TurboSummaryService
 ) : IUserTurboDaySummaryController {
     /**
      * 获取总览页面统计栏数据
      */
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.OVERVIEW)
     override fun getOverviewStatRowData(projectId: String, user: String): Response<TurboOverviewStatRowVO> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
         return Response.success(turboSummaryService.getOverviewStatRowData(projectId))
     }
 
     /**
      * 获取总览页面耗时分布趋势图数据
      */
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.OVERVIEW)
     override fun getTimeConsumingTrendData(
         dateType: String,
         projectId: String,
         user: String
     ): Response<List<TurboOverviewTrendVO>> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
         return Response.success(turboSummaryService.getTimeConsumingTrendData(dateType, projectId))
     }
 
     /**
      * 获取总览页面编译次数趋势图数据
      */
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.OVERVIEW)
     override fun getCompileNumberTrendData(
         dateType: String,
         projectId: String,
         user: String
     ): Response<List<TurboOverviewTrendVO>> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
         return Response.success(turboSummaryService.getCompileNumberTrendData(dateType, projectId))
     }
 }

src/backend/turbo/biz-turbo/src/main/kotlin/com/tencent/devops/turbo/controller/UserTurboPlanController.kt

@@ -1,10 +1,13 @@
 package com.tencent.devops.turbo.controller
 
 import com.tencent.devops.api.pojo.Response
+import com.tencent.devops.common.api.annotation.RequiresAuth
 import com.tencent.devops.common.api.exception.TurboException
 import com.tencent.devops.common.api.exception.code.IS_NOT_ADMIN_MEMBER
 import com.tencent.devops.common.api.pojo.Page
 import com.tencent.devops.common.util.constants.NO_ADMIN_MEMBER_MESSAGE
+import com.tencent.devops.common.util.enums.ResourceActionType
+import com.tencent.devops.common.util.enums.ResourceType
 import com.tencent.devops.turbo.api.IUserTurboPlanController
 import com.tencent.devops.turbo.pojo.TurboPlanModel
 import com.tencent.devops.turbo.service.TurboAuthService
@@ -16,63 +19,82 @@ import com.tencent.devops.turbo.vo.TurboPlanStatusBatchUpdateReqVO
 import org.springframework.beans.factory.annotation.Autowired
 import org.springframework.web.bind.annotation.RestController
 
-@Suppress("MaxLineLength")
 @RestController
 class UserTurboPlanController @Autowired constructor(
     private val turboPlanService: TurboPlanService,
     private val turboAuthService: TurboAuthService
 ) : IUserTurboPlanController {
 
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.CREATE)
     override fun addNewTurboPlan(turboPlanModel: TurboPlanModel, projectId: String, user: String): Response<String?> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
         return Response.success(turboPlanService.addNewTurboPlan(turboPlanModel, user))
     }
 
-    override fun getTurboPlanStatRowData(projectId: String, pageNum: Int?, pageSize: Int?, user: String): Response<TurboPlanPageVO> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.LIST)
+    override fun getTurboPlanStatRowData(
+        projectId: String,
+        pageNum: Int?,
+        pageSize: Int?,
+        user: String
+    ): Response<TurboPlanPageVO> {
         return Response.success(turboPlanService.getTurboPlanStatRowData(projectId, pageNum, pageSize))
     }
 
-    override fun getTurboPlanDetailByPlanId(planId: String, projectId: String, user: String): Response<TurboPlanDetailVO> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
+    @RequiresAuth
+    override fun getTurboPlanDetailByPlanId(
+        planId: String,
+        projectId: String,
+        user: String
+    ): Response<TurboPlanDetailVO> {
         return Response.success(turboPlanService.getTurboPlanDetailByPlanId(planId))
     }
 
-    override fun putTurboPlanDetailNameAndOpenStatus(turboPlanModel: TurboPlanModel, planId: String, user: String, projectId: String): Response<Boolean> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
+    @RequiresAuth(permission = ResourceActionType.EDIT)
+    override fun putTurboPlanDetailNameAndOpenStatus(
+        turboPlanModel: TurboPlanModel,
+        planId: String,
+        user: String,
+        projectId: String
+    ): Response<Boolean> {
         return Response.success(turboPlanService.putTurboPlanDetailNameAndOpenStatus(turboPlanModel, planId, user))
     }
 
-    override fun putTurboPlanConfigParam(turboPlanModel: TurboPlanModel, planId: String, user: String, projectId: String): Response<Boolean> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
+    @RequiresAuth(permission = ResourceActionType.EDIT)
+    override fun putTurboPlanConfigParam(
+        turboPlanModel: TurboPlanModel,
+        planId: String,
+        user: String,
+        projectId: String
+    ): Response<Boolean> {
         return Response.success(turboPlanService.putTurboPlanConfigParam(turboPlanModel, planId, user))
     }
 
+    @RequiresAuth(permission = ResourceActionType.EDIT)
     override fun putTurboPlanTopStatus(planId: String, topStatus: String, user: String): Response<Boolean> {
         return Response.success(turboPlanService.putTurboPlanTopStatus(planId, topStatus, user))
     }
 
-    override fun getAvailableTurboPlanList(projectId: String, pageNum: Int?, pageSize: Int?): Response<Page<TurboPlanDetailVO>> {
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.LIST)
+    override fun getAvailableTurboPlanList(
+        projectId: String,
+        pageNum: Int?,
+        pageSize: Int?
+    ): Response<Page<TurboPlanDetailVO>> {
         return Response.success(turboPlanService.getAvailableProjectIdList(projectId, pageNum, pageSize))
     }
 
-    override fun findTurboPlanIdByProjectIdAndPipelineInfo(projectId: String, pipelineId: String, pipelineElementId: String): Response<TurboMigratedPlanVO?> {
-        return Response.success(turboPlanService.findMigratedTurboPlanByPipelineInfo(projectId, pipelineId, pipelineElementId))
+    override fun findTurboPlanIdByProjectIdAndPipelineInfo(
+        projectId: String,
+        pipelineId: String,
+        pipelineElementId: String
+    ): Response<TurboMigratedPlanVO?> {
+        return Response.success(
+            turboPlanService.findMigratedTurboPlanByPipelineInfo(
+                projectId,
+                pipelineId,
+                pipelineElementId
+            )
+        )
     }
 
     override fun manualRefreshStatus(

src/backend/turbo/biz-turbo/src/main/kotlin/com/tencent/devops/turbo/controller/UserTurboPlanInstanceController.kt

@@ -1,7 +1,10 @@
 package com.tencent.devops.turbo.controller
 
 import com.tencent.devops.api.pojo.Response
+import com.tencent.devops.common.api.annotation.RequiresAuth
 import com.tencent.devops.common.api.pojo.Page
+import com.tencent.devops.common.util.enums.ResourceActionType
+import com.tencent.devops.common.util.enums.ResourceType
 import com.tencent.devops.turbo.api.IUserTurboPlanInstanceController
 import com.tencent.devops.turbo.service.TurboPlanInstanceService
 import com.tencent.devops.turbo.vo.TurboPlanInstanceVO
@@ -14,13 +17,22 @@ class UserTurboPlanInstanceController @Autowired constructor(
     private val turboPlanInstanceService: TurboPlanInstanceService
 ) : IUserTurboPlanInstanceController {
 
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.LIST_TASK)
     override fun getTurboPlanInstanceList(
         turboPlanId: String,
         pageNum: Int?,
         pageSize: Int?,
         sortField: String?,
         sortType: String?
     ): Response<Page<TurboPlanInstanceVO>> {
-        return Response.success(turboPlanInstanceService.getTurboPlanInstanceList(turboPlanId, pageNum, pageSize, sortField, sortType))
+        return Response.success(
+            turboPlanInstanceService.getTurboPlanInstanceList(
+                turboPlanId,
+                pageNum,
+                pageSize,
+                sortField,
+                sortType
+            )
+        )
     }
 }

src/backend/turbo/biz-turbo/src/main/kotlin/com/tencent/devops/turbo/controller/UserTurboRecordController.kt

@@ -1,11 +1,14 @@
 package com.tencent.devops.turbo.controller
 
 import com.tencent.devops.api.pojo.Response
+import com.tencent.devops.common.api.annotation.RequiresAuth
 import com.tencent.devops.common.api.exception.TurboException
 import com.tencent.devops.common.api.exception.code.IS_NOT_ADMIN_MEMBER
 import com.tencent.devops.common.api.exception.code.TURBO_PARAM_INVALID
 import com.tencent.devops.common.api.pojo.Page
 import com.tencent.devops.common.util.constants.NO_ADMIN_MEMBER_MESSAGE
+import com.tencent.devops.common.util.enums.ResourceActionType
+import com.tencent.devops.common.util.enums.ResourceType
 import com.tencent.devops.turbo.api.IUserTurboRecordController
 import com.tencent.devops.turbo.enums.EnumDistccTaskStatus
 import com.tencent.devops.turbo.pojo.TurboRecordModel
@@ -33,6 +36,7 @@ class UserTurboRecordController @Autowired constructor(
         private val logger = LoggerFactory.getLogger(UserTurboRecordController::class.java)
     }
 
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.LIST_TASK)
     override fun getTurboRecordHistoryList(
         pageNum: Int?,
         pageSize: Int?,
@@ -67,12 +71,12 @@ class UserTurboRecordController @Autowired constructor(
         )
     }
 
-    override fun getTurboDisplayInfoById(turboRecordId: String, projectId: String, user: String): Response<TurboRecordDisplayVO> {
-        // 判断是否是管理员
-        if (!turboAuthService.getAuthResult(projectId, user)) {
-            throw TurboException(errorCode = IS_NOT_ADMIN_MEMBER, errorMessage = NO_ADMIN_MEMBER_MESSAGE)
-        }
-
+    @RequiresAuth(resourceType = ResourceType.PROJECT, permission = ResourceActionType.VIEW_TASK)
+    override fun getTurboDisplayInfoById(
+        turboRecordId: String,
+        projectId: String,
+        user: String
+    ): Response<TurboRecordDisplayVO> {
         val turboRecordEntity = turboRecordService.findByRecordId(turboRecordId)
         if (null == turboRecordEntity || turboRecordEntity.turboPlanId.isNullOrBlank()) {
             logger.info("no turbo record found with id: $turboRecordId")

src/backend/turbo/biz-turbo/src/main/kotlin/com/tencent/devops/turbo/service/TurboPlanService.kt

@@ -6,6 +6,7 @@ import com.tencent.devops.common.api.exception.code.TURBO_PARAM_INVALID
 import com.tencent.devops.common.api.exception.code.TURBO_THIRDPARTY_SYSTEM_FAIL
 import com.tencent.devops.common.api.pojo.Page
 import com.tencent.devops.common.api.util.OkhttpUtil
+import com.tencent.devops.common.auth.api.AuthRegisterApi
 import com.tencent.devops.common.client.Client
 import com.tencent.devops.common.db.PageUtils
 import com.tencent.devops.common.service.prometheus.BkTimed
@@ -40,6 +41,7 @@ import java.time.LocalDateTime
 @Suppress("MaxLineLength", "ComplexMethod", "NestedBlockDepth", "SpringJavaInjectionPointsAutowiringInspection")
 @Service
 class TurboPlanService @Autowired constructor(
+    private val authRegisterApi: AuthRegisterApi,
     private val turboPlanDao: TurboPlanDao,
     private val turboPlanRepository: TurboPlanRepository,
     private val turboPlanInstanceService: TurboPlanInstanceService,
@@ -176,6 +178,21 @@ class TurboPlanService @Autowired constructor(
                 createdDate = LocalDateTime.now()
             )
             turboPlanEntity = turboPlanRepository.save(turboPlanEntity!!)
+
+            // 2.1 注册到权限中心
+            try {
+                val registerTurboPlan = authRegisterApi.registerTurboPlan(
+                    user = user,
+                    turboPlanId = turboPlanEntity!!.id!!,
+                    turboPlanName = turboPlanEntity!!.planName,
+                    projectId = turboPlanEntity!!.projectId
+                )
+                if (!registerTurboPlan) {
+                    rollbackTurboPlan(turboPlanEntity!!, "Failed to register plan to permission center", null)
+                }
+            } catch (e: Exception) {
+                rollbackTurboPlan(turboPlanEntity!!, "Failed to register plan to permission center", e)
+            }
             // 3. 调用api,同步信息
             updateConfigParamByApi(
                 turboEngineConfigEntity = turboEngineConfigEntity,
@@ -189,6 +206,12 @@ class TurboPlanService @Autowired constructor(
         return turboPlanEntity?.id
     }
 
+    fun rollbackTurboPlan(turboPlanEntity: TTurboPlanEntity, errorMsg: String, e: Exception?) {
+        logger.error("$errorMsg user: ${turboPlanEntity.createdBy} turbo name: {}", turboPlanEntity.planName, e)
+        turboPlanRepository.delete(turboPlanEntity)
+        throw TurboException(TURBO_THIRDPARTY_SYSTEM_FAIL, errorMsg)
+    }
+
     /**
      * op系统更新编译加速方案信息
      */

src/backend/turbo/common-turbo/common-turbo-api/build.gradle.kts

@@ -1,4 +1,5 @@
 dependencies {
+    api(project(":common-turbo:common-turbo-util"))
     api("com.squareup.okhttp3:okhttp")
     api("com.tencent.devops:devops-boot-starter-api")
     compileOnly("org.springframework.boot:spring-boot-starter-web")

src/backend/turbo/common-turbo/common-turbo-api/src/main/kotlin/com/tencent/devops/common/api/annotation/RequiresAuth.kt

@@ -0,0 +1,19 @@
+package com.tencent.devops.common.api.annotation
+
+import com.tencent.devops.common.util.enums.ResourceActionType
+import com.tencent.devops.common.util.enums.ResourceType
+
+@MustBeDocumented
+@Target(AnnotationTarget.FUNCTION, AnnotationTarget.CLASS)
+@Retention(AnnotationRetention.RUNTIME)
+annotation class RequiresAuth(
+    /**
+     * 资源类型 选填，默认加速方案
+     */
+    val resourceType: ResourceType = ResourceType.TURBO_PLAN,
+
+    /**
+     * 对资源的操作权限id  选填，默认查看方案权限
+     */
+    val permission: ResourceActionType = ResourceActionType.VIEW
+)

src/backend/turbo/common-turbo/common-turbo-auth/build.gradle.kts

@@ -0,0 +1,9 @@
+dependencies {
+    api(project(":common-turbo:common-turbo-client"))
+    api("com.tencent.bk.devops.ci.auth:api-auth:${Versions.ciVersion}") {
+        isTransitive = false
+    }
+    api("com.tencent.bk.devops.ci.common:common-auth-api:${Versions.ciVersion}"){
+        isTransitive = false
+    }
+}

src/backend/turbo/common-turbo/common-turbo-auth/src/main/kotlin/com/tencent/devops/common/auth/RBACAuthAutoConfiguration.kt

@@ -0,0 +1,27 @@
+package com.tencent.devops.common.auth
+
+import com.tencent.devops.common.auth.api.RBACAuthProperties
+import com.tencent.devops.common.auth.api.external.RBACAuthPermissionApi
+import com.tencent.devops.common.auth.api.RBACAuthRegisterApi
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Configuration
+import com.tencent.devops.common.client.Client
+
+@Configuration
+class RBACAuthAutoConfiguration {
+
+    @Bean
+    fun rbacAuthProperties() = RBACAuthProperties()
+
+    @Bean
+    fun rbacAuthPermissionApi(
+        rbacAuthProperties: RBACAuthProperties,
+        client: Client
+    ) = RBACAuthPermissionApi(client, rbacAuthProperties)
+
+    @Bean
+    fun rbacAuthRegisterApi(
+        rbacAuthProperties: RBACAuthProperties,
+        client: Client
+    ) = RBACAuthRegisterApi(client, rbacAuthProperties)
+}