Skip to content

fix(权限管理): 修复集群权限校验逻辑并更新相关UI文案 #188

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 4, 2025
Merged

fix(权限管理): 修复集群权限校验逻辑并更新相关UI文案 #188

merged 1 commit into from
Jun 4, 2025

Conversation

weibaohui
Copy link
Owner

修复集群权限校验逻辑,确保管理员权限也能正确校验命名空间权限
更新用户和管理员界面的授权相关文案,使其更清晰准确
在集群管理页面添加命名空间选择功能

@weibaohui
fix(权限管理): 修复集群权限校验逻辑并更新相关UI文案
bdf25f9 
修复集群权限校验逻辑,确保管理员权限也能正确校验命名空间权限
更新用户和管理员界面的授权相关文案,使其更清晰准确
在集群管理页面添加命名空间选择功能
@coderabbitai coderabbitai
Copy link
Contributor

coderabbitai bot commented Jun 4, 2025
edited
Loading

📝 Walkthrough

Summary by CodeRabbit

  • 新功能
    • 集群权限管理界面新增“限制命名空间”字段,可为集群管理员、只读和Exec权限用户设置命名空间限制,并支持动态选择和更新。
  • 改进
    • 集群管理员执行命令(Exec)时,权限校验更细化,需具备对应命名空间权限。
    • 集群只读和管理员角色均可访问读操作,权限提示信息同步更新。
    • 授权相关页面文案优化,明确各角色权限范围与操作指引,提升信息清晰度和一致性。
  • 样式/文案
    • 多处按钮、提示和页面标题文案调整,使授权流程和权限说明更易理解。

Walkthrough

本次变更对集群权限管理进行了细化:后端在“exec”操作时对集群管理员增加了命名空间级别的校验,前端则在多个页面引入了命名空间限制的可视化配置,并优化了授权相关的提示文案,提升了权限管理的透明度和可操作性。

Changes

文件/路径分组 变更摘要
pkg/cb/cb.go 优化权限校验逻辑:集群管理员执行 exec 操作需通过命名空间校验,读操作允许 cluster readonly 或 cluster admin;更新错误提示。
ui/public/pages/admin/cluster/cluster_all.json 集群权限管理 UI:新增“限制命名空间”字段及选择弹窗,完善角色说明,优化授权用户列表标题与提示。
ui/public/pages/admin/user/user.json 用户授权抽屉:按钮提示由“集群授权”改为“已获授权”,抽屉内提示简化为授权查看与批量删除说明。
ui/public/pages/user/profile/my_clusters.json 我的集群权限页面:优化说明文本,突出已授权集群及申请方式,明确 Exec 权限属于管理员能力。

Sequence Diagram(s)

sequenceDiagram
    participant User
    participant API
    participant PermissionChecker

    User->>API: 请求执行 exec 操作(含命名空间)
    API->>PermissionChecker: 校验用户权限(角色、命名空间)
    alt 用户为 cluster admin
        PermissionChecker->>PermissionChecker: 校验命名空间权限
        alt 通过
            PermissionChecker-->>API: 允许操作
        else 未通过
            PermissionChecker-->>API: 拒绝操作
        end
    else 用户为 cluster readonly + exec
        PermissionChecker->>PermissionChecker: 校验命名空间权限
        alt 通过
            PermissionChecker-->>API: 允许操作
        else 未通过
            PermissionChecker-->>API: 拒绝操作
        end
    else
        PermissionChecker-->>API: 拒绝操作
    end
    API-->>User: 返回操作结果
Loading

Possibly related PRs

Poem

🐇
权限细分更精妙,
管理员亦查命名空间。
前端弹窗随手点,
授权名单一目全。
兔子跳跃喜更新,
安全透明乐无边!

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f043a5c and bdf25f9.

📒 Files selected for processing (4)
  • pkg/cb/cb.go (3 hunks)
  • ui/public/pages/admin/cluster/cluster_all.json (3 hunks)
  • ui/public/pages/admin/user/user.json (2 hunks)
  • ui/public/pages/user/profile/my_clusters.json (2 hunks)
🧰 Additional context used
🧬 Code Graph Analysis (1)
pkg/cb/cb.go (3)
pkg/models/cluster_user_role.go (1)
  • ClusterUserRole (15-25)
pkg/comm/utils/slice.go (1)
  • AllIn (22-34)
pkg/constants/role.go (2)
  • RoleClusterReadonly (13-13)
  • RoleClusterAdmin (12-12)
🔇 Additional comments (11)
ui/public/pages/admin/user/user.json (2)

235-235: UI文案改进合理

将提示文本从"集群授权"改为"已获授权"更准确地描述了按钮的功能——显示已获得的授权而非执行授权操作。

247-247: 警告信息更加明确和实用

新的警告信息更简洁明了,明确指出了用户可以在此页面执行的操作(查看、批量删除),并提供了添加新授权的具体路径。这提高了用户体验。

ui/public/pages/user/profile/my_clusters.json (2)

5-5: 提示信息更加清晰

更新后的提示信息明确说明了页面显示的是"已获授权集群列表",并提供了增加授权的具体联系方式,改善了用户指引。

15-15: 权限说明更加完整和个性化

新的警告信息采用了更个性化的语调("我已经获得"),并明确将"Exec"操作包含在集群管理员权限中,这与后端权限逻辑的变更保持一致。

pkg/cb/cb.go (3)

123-126: 注释更新准确

注释更新准确反映了新的权限逻辑:集群管理员现在也需要通过命名空间级别的权限验证才能执行exec操作。

184-189: 读取权限逻辑改进合理

将读取操作的权限检查扩展为允许集群只读或集群管理员角色,这是合理的改进。集群管理员理应具有读取权限,错误信息也相应更新为"读取/管理员权限"。

127-162:

✅ Verification successful

集群管理员exec权限增强了安全性

新增的逻辑为集群管理员的exec操作添加了命名空间级别的权限验证,这是一个重要的安全改进。之前集群管理员拥有无限制的exec权限,现在需要满足命名空间限制条件。

逻辑实现正确:

  • 正确使用utils.AllIn函数验证请求的命名空间是否在允许范围内
  • 保持了对非集群管理员用户的现有权限验证逻辑
  • 错误信息包含了具体的命名空间信息,便于调试

验证utils.AllIn函数的正确性:

🏁 Script executed:

#!/bin/bash
# 验证 utils.AllIn 函数的实现是否正确处理命名空间权限验证
ast-grep --pattern 'func AllIn($_, $_) $_ {
  $$$
}'

Length of output: 54

为进一步验证 utils.AllIn 的实现,请运行以下脚本以定位其定义和具体实现:

🏁 Script executed:

#!/bin/bash
# 在整个仓库中查找 AllIn 函数的声明与实现
rg -n "func AllIn" .

Length of output: 84

请查看 AllIn 函数的具体实现以确认逻辑正确性:

🏁 Script executed:

#!/bin/bash
# 展示 AllIn 函数及其下方20行代码
rg -n "func AllIn" -A20 pkg/comm/utils/slice.go

Length of output: 316

确认 utils.AllIn 实现正确

  • AllIn(a, b []string) bool 位于 pkg/comm/utils/slice.go 第 22–33 行,使用 map 校验所有请求的命名空间是否包含于允许列表,逻辑完备且无漏判。
  • 原在 pkg/cb/cb.go 中对集群管理员执行权限按命名空间进行限制的改动是有效的安全增强,无需进一步调整。

批准合并。

ui/public/pages/admin/cluster/cluster_all.json (4)

99-99: 权限说明与后端逻辑保持一致

更新的警告信息明确包含了"Exec等操作"作为集群管理员权限的一部分,这与后端权限逻辑的变更完美对应,确保了前后端的一致性。

542-572: 命名空间限制管理功能完善

新增的命名空间限制字段和选择对话框为集群管理员角色提供了完整的命名空间权限管理界面,这与后端新增的命名空间级别权限验证逻辑完美匹配。

实现要点:

  • 使用transfer组件提供良好的多选体验
  • API端点配置正确(获取命名空间列表和更新权限)
  • 占位符和模板语法正确处理空值情况

605-605: 抽屉标题更符合上下文

将标题从用户维度("$username 已获得授权列表")改为集群维度("$clusterName 已授权用户列表")更符合页面上下文,因为这是在集群管理页面中查看特定集群的授权用户。

611-611: 简化的提示信息更加实用

简化后的警告信息专注于说明页面功能(查看、批量删除)和添加授权的操作路径,去除了冗余描述,提高了信息的实用性。

✨ Finishing Touches
  • 📝 Generate Docstrings

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share
🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

  • Review comments: Directly reply to a review comment made by CodeRabbit. Example:
    • I pushed a fix in commit <commit_id>, please review it.
    • Explain this complex logic.
    • Open a follow-up GitHub issue for this discussion.
  • Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
    • @coderabbitai explain this code block.
    • @coderabbitai modularize this function.
  • PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
    • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
    • @coderabbitai read src/utils.ts and explain its main purpose.
    • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
    • @coderabbitai help me debug CodeRabbit configuration file.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

  • @coderabbitai pause to pause the reviews on a PR.
  • @coderabbitai resume to resume the paused reviews.
  • @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
  • @coderabbitai full review to do a full review from scratch and review all the files again.
  • @coderabbitai summary to regenerate the summary of the PR.
  • @coderabbitai generate docstrings to generate docstrings for this PR.
  • @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
  • @coderabbitai resolve resolve all the CodeRabbit review comments.
  • @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
  • @coderabbitai help to get help.

Other keywords and placeholders

  • Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
  • Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
  • Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

  • You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
  • Please see the configuration documentation for more information.
  • If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

  • Visit our Documentation for detailed information on how to use CodeRabbit.
  • Join our Discord Community to get help, request features, and share feedback.
  • Follow us on X/Twitter for updates and announcements.

@weibaohui weibaohui merged commit bdf25f9 into main Jun 4, 2025
6 checks passed
@weibaohui weibaohui deleted the update-cluster-mgm branch June 4, 2025 15:06
@coderabbitai coderabbitai bot mentioned this pull request Jun 5, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Jun 21, 2025
Merged
@coderabbitai coderabbitai bot mentioned this pull request Jul 18, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@weibaohui