fix(apiserver): change admin user iam perm migrate logic (#83)

apiserver/init.sh

@@ -303,7 +303,8 @@ ensure-service(){
 }
 
 migrate-perm(){
-    python manage.py migrate_bkpaas3_perm
+    # admin 用户拥有全量权限，不应占用配额且不需要授权
+    python manage.py migrate_bkpaas3_perm --exclude-users admin
 }
 
 call_steps ensure-apigw ensure-runtimes-fixtures ensure-init-data ensure-service ensure-smart-image migrate-perm

apiserver/paasng/paasng/accessories/iam/client.py

@@ -18,7 +18,7 @@
 """
 import json
 import logging
-from typing import Dict, List
+from typing import Dict, List, Optional
 
 from bkapi_client_core.exceptions import APIGatewayResponseError
 from django.conf import settings
@@ -60,20 +60,20 @@ def _prepare_headers(self) -> dict:
         }
         return headers
 
-    def create_grade_managers(self, app_code: str, app_name: str, creator: str) -> int:
+    def create_grade_managers(self, app_code: str, app_name: str, init_member: Optional[str] = None) -> int:
         """
         在权限中心上为应用注册分级管理员，若已存在，则返回
 
         :param app_code: 蓝鲸应用 ID
         :param app_name: 蓝鲸应用名称
-        :param creator: 创建人用户名，如 admin
+        :param init_member: 初始分级管理员用户名，如 admin，若为空值，则该用户组没有分级管理员
         :returns: 分级管理员 ID
         """
         data = {
             'system': settings.IAM_PAAS_V3_SYSTEM_ID,
             'name': utils.gen_grade_manager_name(app_code),
             'description': utils.gen_grade_manager_desc(app_code),
-            'members': [creator],
+            'members': [init_member] if init_member else [],
             # 仅可对指定的单个应用授权
             'authorization_scopes': [
                 {

apiserver/paasng/paasng/accessories/iam/helpers.py

@@ -94,6 +94,9 @@ def delete_role_members(app_code: str, role: ApplicationRole, usernames: Union[L
 
 def fetch_user_roles(app_code: str, username: str) -> List[ApplicationRole]:
     """原实现中用户只会有一个角色，但是接入权限中心后，角色表现为用户组，同一用户可能有多个角色"""
+    if username == settings.ADMIN_USERNAME:
+        return [ApplicationRole.ADMINISTRATOR]
+
     user_roles = []
     for group in ApplicationUserGroup.objects.filter(app_code=app_code).order_by('role'):
         if username in IAM_CLI.fetch_user_group_members(group.user_group_id):
@@ -107,6 +110,9 @@ def fetch_user_roles(app_code: str, username: str) -> List[ApplicationRole]:
 
 def fetch_user_main_role(app_code: str, username: str) -> ApplicationRole:
     """获取用户在某个应用中最高优先级的角色"""
+    if username == settings.ADMIN_USERNAME:
+        return ApplicationRole.ADMINISTRATOR
+
     for group in ApplicationUserGroup.objects.filter(app_code=app_code).order_by('role'):
         if username in IAM_CLI.fetch_user_group_members(group.user_group_id):
             return group.role

apiserver/paasng/paasng/accessories/iam/members/management/commands/migrate_bkpaas3_perm.py

@@ -169,7 +169,13 @@ def _migrate_single(self, idx: int, app: Dict) -> List:
         # 1。检查有没有该应用的分级管理员信息，如果没有，则需要创建
         grade_manager_id = self.grade_manager_map.get(app_code)
         if not grade_manager_id:
-            migrate_logs.append(f"grade manager not exists, create and add {first_grade_manager} as members...")
+            migrate_logs.append("grade manager not exists, create...")
+            if first_grade_manager in self.exclude_users:
+                first_grade_manager = None
+                migrate_logs.append(f"{first_grade_manager} in exclude users, skip add as members...")
+            else:
+                migrate_logs.append(f"add {first_grade_manager} as grade manager members...")
+
             grade_manager_id = self.cli.create_grade_managers(app_code, app_name, first_grade_manager)
 
             # 更新分级管理员映射表信息 & ApplicationGradeManager 表数据

apiserver/paasng/paasng/settings/__init__.py

@@ -188,6 +188,9 @@
     'django_prometheus.middleware.PrometheusAfterMiddleware',
 ]
 
+# 管理者用户：拥有全量应用权限（经权限中心鉴权）
+ADMIN_USERNAME = settings.get('ADMIN_USERNAME', 'admin')
+
 AUTH_USER_MODEL = 'bkpaas_auth.User'
 
 AUTHENTICATION_BACKENDS = ['bkpaas_auth.backends.UniversalAuthBackend', 'bkpaas_auth.backends.APIGatewayAuthBackend']