fix: role sync and some unnecessary logs

api/auth/v1/types.go

@@ -20,6 +20,7 @@ package v1
 
 import (
  "fmt"
+
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -75,7 +76,7 @@ const (
  PolicyFinalize FinalizerName = "policy"
 
  // GroupFinalize is an internal finalizer values to Group.
- GroupFinalize FinalizerName = "group"
+ GroupFinalize FinalizerName = "localgroup"
 
  // RoleFinalize is an internal finalizer values to Role.
  RoleFinalize FinalizerName = "role"

go.sum

@@ -19,6 +19,7 @@ github.com/Azure/go-autorest v10.8.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSW
 github.com/Azure/go-autorest v13.3.1+incompatible h1:IwJyD1VqWPEbOfq50o1OV3JQr92uz8q/CCbcm9zvnsE=
 github.com/Azure/go-autorest v13.3.1+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
 github.com/Azure/go-autorest/autorest v0.3.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg=
+github.com/Azure/go-autorest/autorest v0.3.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg=
 github.com/Azure/go-autorest/autorest v0.9.0 h1:MRvx8gncNaXJqOoLmhNjUAKh33JJF8LyxPhomEtOsjs=
 github.com/Azure/go-autorest/autorest v0.9.0/go.mod h1:xyHB1BMZT0cuDHU7I0+g046+BFDTQ8rEZB0s4Yfa6bI=
 github.com/Azure/go-autorest/autorest/adal v0.1.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E=

hack/auth/policy.json

@@ -1 +1 @@
-[{"metadata":{"creationTimestamp":null},"spec":{"displayName":"MonitorFullAccess","tenantID":"default","category":"monitor","type":"default","username":"","description":"该策略允许您管理平台租户监控告警策略","statement":{"actions":["*Metric*","*Metrics*","*Alarmpolicy*","*Alarmpolicies*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ClusterFullAccess","tenantID":"default","category":"cluster","type":"default","username":"","description":"该策略允许您管理平台租户内集群相关的资源, 包括集群管理、节点和优先级等","statement":{"actions":["*Runtimeclass*","*Runtimeclasses*","*Priorityclass*","*Priorityclasses*","*Node*","*Nodes*","*Machine*","*Machines*","*Cluster*","*Clusters*","*Clustercredential*","*Clustercredentials*","*Apply*","*Applies*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AddonFullAccess","tenantID":"default","category":"addon","type":"default","username":"","description":"该策略允许您管理平台租户内扩展组件相关资源，如Helm，prometheus等","statement":{"actions":["*Csi*","*Csis*","*Persistentevent*","*Persistentevents*","*Clusteraddontype*","*Clusteraddontypes*","*Prometheuse*","*Prometheuses*","*Addon*","*Addons*","*Addontype*","*Addontypes*","*Coredns*","*Cronhpa*","*Cronhpas*","*Logcollector*","*Logcollectors*","*Lbcf*","*Lbcfs*","*Logc*","*Logcs*","*Galaxy*","*Galaxies*","*Helm*","*Helms*","*Tappcontroller*","*Tappcontrollers*","*Ipam*","*Ipams*","*Gpumanager*","*Gpumanagers*","*Volumedecorator*","*Volumedecorators*","*Csioperator*","*Csioperators*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ProjectFullAccess","tenantID":"default","category":"project","type":"default","username":"","description":"该策略允许您管理平台租户业务业务相关资源","statement":{"actions":["*Event*","*Events*","*Namespace*","*Namespaces*","*Resourcequota*","*Project*","*Projects*","*Platform*","*Platforms*","*Portal*","*Portals*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NotifyFullAccess","tenantID":"default","category":"notify","type":"default","username":"","description":"该策略允许您管理平台租户通知设置","statement":{"actions":["*Receiver*","*Receivers*","*Message*","*Messages*","*Channel*","*Channels*","*Receivergroup*","*Receivergroups*","*Template*","*Templates*","*Messagerequest*","*Messagerequests*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"VolumeFullAccess","tenantID":"default","category":"volume","type":"default","username":"","description":"该策略允许您管理平台租户云盘资源","statement":{"actions":["*Volumeattachment*","*Volumeattachments*","*Storageclass*","*Storageclasses*","*Persistentvolume*","*Persistentvolumes*","*Persistentvolumeclaim*","*Persistentvolumeclaims*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NetworkFullAccess","tenantID":"default","category":"network","type":"default","username":"","description":"该策略允许您管理平台租户内网络资源，如网络策略，service，ignress等","statement":{"actions":["*Networkpolicy*","*Networkpolicies*","*Ingress*","*Ingresses*","*Lbcflb*","*Lbcflbs*","*Service*","*Services*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ConfigFullAccess","tenantID":"default","category":"config","type":"default","username":"","description":"该策略允许您管理平台租户k8s配置组资源，包括configmap、secret等","statement":{"actions":["*Configmap*","*Configmaps*","*Secret*","*Secrets*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AuthFullAccess","tenantID":"default","category":"auth","type":"default","username":"","description":"该策略允许您管理平台租户内所有用户及其权限","statement":{"actions":["*Permission*","*Permissions*","*Role*","*Roles*","*Clusterrolebinding*","*Clusterrolebindings*","*Category*","*Categories*","*Identityprovider*","*Identityproviders*","*Apikey*","*Apikeys*","*Policy*","*Policies*","*Localgroup*","*Localgroups*","*Localidentity*","*Localidentities*","*User*","*Users*","*Client*","*Clients*","*Clusterrole*","*Clusterroles*","*Group*","*Groups*","*Rolebinding*","*Rolebindings*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"RegistryFullAccess","tenantID":"default","category":"registry","type":"default","username":"","description":"该策略允许您管理平台租户镜像仓库资源","statement":{"actions":["*Registry*","*Registries*","*Chart*","*Charts*","*Registrynamespace*","*Registrynamespaces*","*Repository*","*Repositories*","*Chartgroup*","*Chartgroups*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AdministratorAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许管理平台租户内所有用户及其权限、容器服务资产","statement":{"actions":["*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ReadOnlyAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许您只读访问账户内所有支持接口级鉴权或资源级鉴权的容器服务资产","statement":{"actions":["get*","list*","watch*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}}]
+[{"metadata":{"creationTimestamp":null},"spec":{"displayName":"VolumeFullAccess","tenantID":"default","category":"volume","type":"default","username":"","description":"该策略允许您管理平台租户云盘资源","statement":{"actions":["*Persistentvolume*","*Persistentvolumes*","*Storageclass*","*Storageclasses*","*Volumeattachment*","*Volumeattachments*","*Persistentvolumeclaim*","*Persistentvolumeclaims*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NotifyFullAccess","tenantID":"default","category":"notify","type":"default","username":"","description":"该策略允许您管理平台租户通知设置","statement":{"actions":["*Template*","*Templates*","*Receivergroup*","*Receivergroups*","*Message*","*Messages*","*Channel*","*Channels*","*Messagerequest*","*Messagerequests*","*Receiver*","*Receivers*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ProjectFullAccess","tenantID":"default","category":"project","type":"default","username":"","description":"该策略允许您管理平台租户业务业务相关资源","statement":{"actions":["*Namespace*","*Namespaces*","*Portal*","*Portals*","*Event*","*Events*","*Project*","*Projects*","*Platform*","*Platforms*","*Resourcequota*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ClusterFullAccess","tenantID":"default","category":"cluster","type":"default","username":"","description":"该策略允许您管理平台租户内集群相关的资源, 包括集群管理、节点和优先级等","statement":{"actions":["*Runtimeclass*","*Runtimeclasses*","*Priorityclass*","*Priorityclasses*","*Machine*","*Machines*","*Clustercredential*","*Clustercredentials*","*Apply*","*Applies*","*Cluster*","*Clusters*","*Node*","*Nodes*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"MonitorFullAccess","tenantID":"default","category":"monitor","type":"default","username":"","description":"该策略允许您管理平台租户监控告警策略","statement":{"actions":["*Alarmpolicy*","*Alarmpolicies*","*Metric*","*Metrics*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AddonFullAccess","tenantID":"default","category":"addon","type":"default","username":"","description":"该策略允许您管理平台租户内扩展组件相关资源，如Helm，prometheus等","statement":{"actions":["*Coredns*","*Logcollector*","*Logcollectors*","*Addon*","*Addons*","*Helm*","*Helms*","*Cronhpa*","*Cronhpas*","*Csioperator*","*Csioperators*","*Ipam*","*Ipams*","*Addontype*","*Addontypes*","*Tappcontroller*","*Tappcontrollers*","*Prometheuse*","*Prometheuses*","*Persistentevent*","*Persistentevents*","*Galaxy*","*Galaxies*","*Clusteraddontype*","*Clusteraddontypes*","*Csi*","*Csis*","*Logc*","*Logcs*","*Volumedecorator*","*Volumedecorators*","*Lbcf*","*Lbcfs*","*Gpumanager*","*Gpumanagers*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AuthFullAccess","tenantID":"default","category":"auth","type":"default","username":"","description":"该策略允许您管理平台租户内所有用户及其权限","statement":{"actions":["*Role*","*Roles*","*Apikey*","*Apikeys*","*Group*","*Groups*","*Clusterrolebinding*","*Clusterrolebindings*","*Category*","*Categories*","*Rolebinding*","*Rolebindings*","*Permission*","*Permissions*","*Identityprovider*","*Identityproviders*","*Clusterrole*","*Clusterroles*","*Localidentity*","*Localidentities*","*User*","*Users*","*Localgroup*","*Localgroups*","*Client*","*Clients*","*Policy*","*Policies*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"NetworkFullAccess","tenantID":"default","category":"network","type":"default","username":"","description":"该策略允许您管理平台租户内网络资源，如网络策略，service，ignress等","statement":{"actions":["*Ingress*","*Ingresses*","*Lbcflb*","*Lbcflbs*","*Service*","*Services*","*Networkpolicy*","*Networkpolicies*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"RegistryFullAccess","tenantID":"default","category":"registry","type":"default","username":"","description":"该策略允许您管理平台租户镜像仓库资源","statement":{"actions":["*Repository*","*Repositories*","*Registrynamespace*","*Registrynamespaces*","*Chartgroup*","*Chartgroups*","*Chart*","*Charts*","*Registry*","*Registries*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ConfigFullAccess","tenantID":"default","category":"config","type":"default","username":"","description":"该策略允许您管理平台租户k8s配置组资源，包括configmap、secret等","statement":{"actions":["*Configmap*","*Configmaps*","*Secret*","*Secrets*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"AdministratorAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许管理平台租户内所有用户及其权限、容器服务资产","statement":{"actions":["*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}},{"metadata":{"creationTimestamp":null},"spec":{"displayName":"ReadOnlyAccess","tenantID":"default","category":"common","type":"default","username":"","description":"该策略允许您只读访问账户内所有支持接口级鉴权或资源级鉴权的容器服务资产","statement":{"actions":["get*","list*","watch*"],"resources":["*"],"effect":"allow"}},"status":{"phase":"","users":null,"groups":null}}]

pkg/apiserver/authentication/authenticator/oidc/oidc.go

@@ -513,7 +513,6 @@ func (a *Authenticator) AuthenticateToken(ctx context.Context, token string) (*a
  return nil, false, fmt.Errorf("oidc: could not expand distributed claims: %v", err)
  }
  }
- log.Info("calims", log.Any("claims", c))
 
  var username string
  if err := c.unmarshalClaim(a.usernameClaim, &username); err != nil {

pkg/auth/controller/config/config_controller.go

@@ -125,9 +125,6 @@ func (c *Controller) Run(workers int, stopCh <-chan struct{}) {
  log.Error("Failed to wait for identyProvider caches to sync")
  }
 
- idps, _ := c.identityProviderLister.List(labels.Everything())
- log.Info("Cache sync success", log.Any("idps", idps))
-
  c.stopCh = stopCh
  if err := c.loadConfig(); err != nil {
  log.Errorf("Preload config failed", log.Err(err))
@@ -368,7 +365,7 @@ func (c *Controller) loadPolicy(tenantID string) error {
  if len(result.Items) > 0 {
  exists := result.Items[0]
  if !reflect.DeepEqual(exists.Spec, pol.Spec) {
- log.Info("Update default policy", log.String("id", pol.Name), log.String("displayName", pol.Spec.DisplayName))
+ log.Info("Update default policy", log.String("displayName", pol.Spec.DisplayName))
  exists.Spec = pol.Spec
  _, err = c.client.AuthV1().Policies().Update(&exists)
 

pkg/auth/controller/group/deletion/grouped_resources_deleter.go

@@ -22,6 +22,7 @@ package deletion
 import (
  "fmt"
  "strings"
+
  "tkestack.io/tke/pkg/auth/util"
 
  "github.com/casbin/casbin/v2"
@@ -158,7 +159,7 @@ func (d *groupedResourcesDeleter) deleteGroup(group *v1.LocalGroup) error {
  if len(uid) > 0 {
  opts = &metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &uid}}
  }
- log.Info("group", log.Any("group", group))
+
  err := d.groupClient.Delete(group.Name, opts)
  if err != nil && !errors.IsNotFound(err) {
  log.Error("error", log.Err(err))
@@ -227,22 +228,19 @@ func (d *groupedResourcesDeleter) finalizeGroup(group *v1.LocalGroup) (*v1.Local
  groupFinalize.Spec.Finalizers = append(groupFinalize.Spec.Finalizers, v1.FinalizerName(value))
  }
 
- group = &v1.LocalGroup{}
+ updated := &v1.LocalGroup{}
  err := d.authClient.RESTClient().Put().
  Resource("localgroups").
  Name(groupFinalize.Name).
  SubResource("finalize").
  Body(&groupFinalize).
  Do().
- Into(group)
+ Into(updated)
 
  if err != nil {
- // it was removed already, so life is good
- if errors.IsNotFound(err) {
- return group, nil
- }
+ return nil, err
  }
- return group, err
+ return updated, err
 }
 
 type deleteResourceFunc func(deleter *groupedResourcesDeleter, group *v1.LocalGroup) error

pkg/auth/controller/group/group_controller.go

@@ -240,7 +240,9 @@ func (c *Controller) handleSubjects(key string, group *v1.LocalGroup) error {
 
  var errs []error
  added, removed := util.DiffStringSlice(existMembers, expectedMembers)
- log.Info("Handle group subjects changed", log.String("group", key), log.Strings("added", added), log.Strings("removed", removed))
+ if len(added) != 0 || len(removed) != 0 {
+ log.Info("Handle group subjects changed", log.String("group", key), log.Strings("added", added), log.Strings("removed", removed))
+ }
  if len(added) > 0 {
  for _, add := range added {
  if _, err := c.enforcer.AddRoleForUser(authutil.UserKey(group.Spec.TenantID, add), authutil.GroupKey(group.Spec.TenantID, group.Name)); err != nil {

pkg/auth/controller/localidentity/deletion/localidentity_resources_deleter.go

@@ -20,14 +20,15 @@ package deletion
 
 import (
  "fmt"
+ "strings"
+
  "github.com/casbin/casbin/v2"
  "k8s.io/apimachinery/pkg/api/errors"
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  "k8s.io/apimachinery/pkg/fields"
  utilerrors "k8s.io/apimachinery/pkg/util/errors"
  "k8s.io/apimachinery/pkg/util/sets"
- "strings"
- "tkestack.io/tke/api/auth/v1"
+ v1 "tkestack.io/tke/api/auth/v1"
  v1clientset "tkestack.io/tke/api/client/clientset/versioned/typed/auth/v1"
  "tkestack.io/tke/pkg/auth/util"
  "tkestack.io/tke/pkg/util/log"
@@ -157,7 +158,6 @@ func (d *loalIdentitiedResourcesDeleter) deleteLocalIdentity(localIdentity *v1.L
  if len(uid) > 0 {
  opts = &metav1.DeleteOptions{Preconditions: &metav1.Preconditions{UID: &uid}}
  }
- log.Info("localIdentity", log.Any("localIdentity", localIdentity))
  err := d.localIdentityClient.Delete(localIdentity.Name, opts)
  if err != nil && !errors.IsNotFound(err) {
  log.Error("error", log.Err(err))
@@ -226,22 +226,19 @@ func (d *loalIdentitiedResourcesDeleter) finalizeLocalIdentity(localIdentity *v1
  localIdentityFinalize.Spec.Finalizers = append(localIdentityFinalize.Spec.Finalizers, v1.FinalizerName(value))
  }
 
- localIdentity = &v1.LocalIdentity{}
+ updated := &v1.LocalIdentity{}
  err := d.authClient.RESTClient().Put().
  Resource("localidentities").
  Name(localIdentityFinalize.Name).
  SubResource("finalize").
  Body(&localIdentityFinalize).
  Do().
- Into(localIdentity)
+ Into(updated)
 
  if err != nil {
- // it was removed already, so life is good
- if errors.IsNotFound(err) {
- return localIdentity, nil
- }
+ return nil, err
  }
- return localIdentity, err
+ return updated, err
 }
 
 type deleteResourceFunc func(deleter *loalIdentitiedResourcesDeleter, localIdentity *v1.LocalIdentity) error
@@ -311,7 +308,6 @@ func deleteRelatedRoles(deleter *loalIdentitiedResourcesDeleter, localIdentity *
  SubResource("unbinding").
  Body(&binding).
  Do().Into(grp)
- log.Info("errr", log.Err(err))
  if err != nil {
  log.Error("Unbind group for user failed", log.String("user", localIdentity.Spec.Username),
  log.String("group", role), log.Err(err))

pkg/auth/controller/policy/deletion/policied_resources_deleter.go

@@ -224,22 +224,19 @@ func (d *policiedResourcesDeleter) finalizePolicy(policy *v1.Policy) (*v1.Policy
  policyFinalize.Spec.Finalizers = append(policyFinalize.Spec.Finalizers, v1.FinalizerName(value))
  }
 
- policy = &v1.Policy{}
+ updated := &v1.Policy{}
  err := d.authClient.RESTClient().Put().
  Resource("policies").
  Name(policyFinalize.Name).
  SubResource("finalize").
  Body(&policyFinalize).
  Do().
- Into(policy)
+ Into(updated)
 
  if err != nil {
- // it was removed already, so life is good
- if errors.IsNotFound(err) {
- return policy, nil
- }
+ return nil, err
  }
- return policy, err
+ return updated, err
 }
 
 type deleteResourceFunc func(deleter *policiedResourcesDeleter, policy *v1.Policy) error