diff --git a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceUserClient.kt b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceUserClient.kt
index 8da50928fa..58f9a258e6 100644
--- a/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceUserClient.kt
+++ b/src/backend/auth/api-auth/src/main/kotlin/com/tencent/bkrepo/auth/api/ServiceUserClient.kt
@@ -109,4 +109,8 @@ interface ServiceUserClient {
 fun userTokenById(
 @PathVariable uid: String
 ): Response>
+
+ @ApiOperation("获取admin用户")
+ @GetMapping("/admin/users")
+ fun listAdminUsers(): Response>
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceUserController.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceUserController.kt
index e5e34829d7..1b2fff4ff2 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceUserController.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/controller/service/ServiceUserController.kt
@@ -93,4 +93,8 @@ class ServiceUserController @Autowired constructor(
 override fun userTokenById(uid: String): Response> {
 return ResponseBuilder.success(userService.listValidToken(uid).map { it.id })
 }
+
+ override fun listAdminUsers(): Response> {
+ return ResponseBuilder.success(userService.listAdminUsers())
+ }
 }
diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/UserDao.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/UserDao.kt
index 4a4d379b88..03c883df73 100644
--- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/UserDao.kt
+++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/dao/UserDao.kt
@@ -155,4 +155,9 @@ class UserDao : SimpleMongoDao() { return this.findOne(query) } + fun findAllAdminUsers(): List { + val query = Query(Criteria.where(TUser::admin.name).`is`(true)) + return this.find(query) + } + } \ No newline at end of file diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/UserService.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/UserService.kt index 55edc70202..ca84d5edb2 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/UserService.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/UserService.kt @@ -96,4 +96,6 @@ interface UserService { fun validateEntityUser(userId: String): Boolean fun getRelatedUserById(userId: String): List + + fun listAdminUsers(): List } diff --git a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt index 59bb0ec346..172900c4ae 100644 --- a/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt +++ b/src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/local/UserServiceImpl.kt @@ -399,6 +399,10 @@ class UserServiceImpl constructor( return userDao.getUserByAsstUser(userId).map { UserRequestUtil.convToUserInfo(it) } } + override fun listAdminUsers(): List { + return userDao.findAllAdminUsers().map { it.userId } + } + companion object { private val logger = LoggerFactory.getLogger(UserServiceImpl::class.java) } diff --git a/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/permission/PermissionManager.kt b/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/permission/PermissionManager.kt index 36fef6d4b7..d4046fdee7 100644 
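Review bot: `findAllAdminUsers` fetches complete `TUser` documents although the only consumer added in this commit (`UserServiceImpl.listAdminUsers`) reads just `userId`; if `TUser` also carries credential material (password hash, token list — not visible in this hunk), every refresh of the admin cache pulls those fields out of Mongo and into the auth service's heap for nothing. A projection limits the query to what is needed: add `query.fields().include(TUser::userId.name)` before `return this.find(query)`. A one-line KDoc stating that the result is every user with `admin == true`, unordered and unbounded, would also help callers size their caches. The `UserDao` class starts outside the hunk.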
--- a/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/permission/PermissionManager.kt +++ b/src/backend/common/common-metadata/metadata-service/src/main/kotlin/com/tencent/bkrepo/common/metadata/permission/PermissionManager.kt @@ -104,6 +104,16 @@ open class PermissionManager( CacheBuilder.newBuilder().maximumSize(1).expireAfterWrite(30L, TimeUnit.MINUTES).build(cacheLoader) } + + private val adminUsersCache: LoadingCache> by lazy { + val cacheLoader = object : CacheLoader>() { + override fun load(userType: String): List { + return userResource.listAdminUsers().data ?: emptyList() + } + } + CacheBuilder.newBuilder().maximumSize(1).expireAfterWrite(2, TimeUnit.MINUTES).build(cacheLoader) + } + /** * 校验项目权限 * @param action 动作 @@ -557,7 +567,16 @@ open class PermissionManager( * 判断是否为管理员 */ open fun isAdminUser(userId: String): Boolean { - return userResource.userInfoById(userId).data?.admin == true + return if (!httpAuthProperties.adminCacheEnabled) { + userResource.userInfoById(userId).data?.admin == true + } else { + try { + adminUsersCache.get(ADMIN_USER).contains(userId) + } catch (e: Exception) { + logger.warn("search admin user cache error: ${e.message}") + userResource.userInfoById(userId).data?.admin == true + } + } } @@ -575,6 +594,7 @@ open class PermissionManager( private const val METADATA = "metadata" private const val NODES = "nodes" private const val PACKAGE_NAME_PREFIX = "com.tencent.bkrepo" + private const val ADMIN_USER = "admin" /** * 检查是否为匿名用户,如果是匿名用户则返回401并提示登录 diff --git a/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/core/HttpAuthProperties.kt b/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/core/HttpAuthProperties.kt index 2dbb95f47b..7ac5ece230 100644 --- a/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/core/HttpAuthProperties.kt 
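Review bot: In the `adminUsersCache` loader, `userResource.listAdminUsers().data ?: emptyList()` turns a null payload into a successfully cached empty list, so if a null `data` can also mean an upstream error rather than "no admins" (how `Response` signals failure is not visible here), every admin is treated as a non-admin for the whole 2-minute `expireAfterWrite` window, and the `try/catch` fallback in `isAdminUser` never fires because nothing was thrown. Let the load fail instead so the caller falls back to the direct lookup: `return userResource.listAdminUsers().data ?: error("admin user list unavailable")`. A KDoc on the property saying the single entry is keyed by the `ADMIN_USER` constant and refreshed at most every 2 minutes would also stop `maximumSize(1)` from reading as a mistake.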
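Review bot: With `adminCacheEnabled` on, `isAdminUser` answers from a list refreshed only every 2 minutes, so an admin flag revoked in the auth service stays effective in this instance until the entry expires, and the commit adds no invalidation path; the replaced per-call `userInfoById` lookup had no such window. Either document it on `isAdminUser` (`* 开启缓存时管理员状态最多延迟 2 分钟生效`) or expose a small `invalidateAdminUsersCache()` that calls `adminUsersCache.invalidateAll()` for the user-update path to trigger. The `catch (e: Exception)` branch logs only the message; passing the throwable keeps the cause for operators: `logger.warn("search admin user cache error: ${e.message}", e)`.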
+++ b/src/backend/common/common-security/src/main/kotlin/com/tencent/bkrepo/common/security/http/core/HttpAuthProperties.kt
@@ -38,5 +38,9 @@ data class HttpAuthProperties(
 /**
 * 是否开启认证
 */
- var enabled: Boolean = true
+ var enabled: Boolean = true,
+ /**
+ * 是否禁用管理员缓存
+ */
+ var adminCacheEnabled: Boolean = true,
 )
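Review bot: The KDoc on `adminCacheEnabled` reads `是否禁用管理员缓存` ("whether to disable the admin cache"), but the property is named `…Enabled`, defaults to `true`, and `PermissionManager.isAdminUser` uses the cache when it is true, so the comment states the inverse of the behaviour and an operator following it will flip the flag the wrong way. Change it to match the sibling `enabled` comment: `* 是否开启管理员缓存`, ideally adding that the cache refreshes every 2 minutes when enabled.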