From 3dc635154296136966749ba9aa2b873ed6c0c792 Mon Sep 17 00:00:00 2001
From: Qu Xuan
Date: Thu, 5 Sep 2024 19:58:48 +0800
Subject: [PATCH] fix(cloudid): cloud policy sync
---
 go.mod | 4 +--
 go.sum | 8 ++---
 pkg/cloudid/drivers/base.go | 10 +++---
 pkg/cloudid/models/cloudaccount.go | 26 +---------------
 pkg/cloudid/models/cloudgroup.go | 30 +++----------------
 pkg/cloudid/models/cloudpolicy.go | 22 ++++++++------
 pkg/cloudid/models/clouduser.go | 25 ++--------------
 pkg/cloudid/saml/providers/aws/driver.go | 2 +-
 pkg/cloudid/saml/providers/awscn/driver.go | 2 +-
 .../tasks/cloudaccount_sync_resources_task.go | 2 +-
 .../cloudprovider_sync_resources_task.go | 2 +-
 vendor/modules.txt | 4 +--
 .../x/cloudmux/pkg/multicloud/aws/aws.go | 9 ------
 .../cloudmux/pkg/multicloud/aws/iam_group.go | 25 ++++++++++++++--
 .../cloudmux/pkg/multicloud/aws/iam_policy.go | 8 ++---
 .../x/cloudmux/pkg/multicloud/aws/iam_role.go | 6 ++--
 .../x/cloudmux/pkg/multicloud/aws/iam_user.go | 4 +--
 .../x/pkg/util/cloudinit/cloudconfig.go | 5 +++-
 18 files changed, 74 insertions(+), 120 deletions(-)
diff --git a/go.mod b/go.mod
index 07da48cb5fd..7cff9e178a7 100644
--- a/go.mod
+++ b/go.mod
@@ -94,12 +94,12 @@ require (
 k8s.io/cri-api v0.22.17
 k8s.io/klog/v2 v2.2.0
 moul.io/http2curl/v2 v2.3.0
- yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240827090450-1fbc71ee1125
+ yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240906024738-81a42135cb55
 yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32
 yunion.io/x/jsonutils v1.0.1-0.20240203102553-4096f103b401
 yunion.io/x/log v1.0.1-0.20240305175729-7cf2d6cd5a91
 yunion.io/x/ovsdb v0.0.0-20230306173834-f164f413a900
- yunion.io/x/pkg v1.10.1-0.20240826001854-ac73b70d75b7
+ yunion.io/x/pkg v1.10.1-0.20240905110705-77c46e716318
 yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e
 yunion.io/x/sqlchemy v1.1.3-0.20240831153043-4030cea8d4b9
 yunion.io/x/structarg v0.0.0-20231017124457-df4d5009457c
diff --git a/go.sum b/go.sum
index 544d5c37c85..cbe7ecc0f27 100644
--- a/go.sum
+++ b/go.sum
@@ -1308,8 +1308,8 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240827090450-1fbc71ee1125 h1:ZzRhM1X82XsqjwGWpf6IP22yoeLc6drXDl3IwHKpmPc=
-yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240827090450-1fbc71ee1125/go.mod h1:iLoBHVR2Eur/1WJSGcbZaEwpzh/iqXvbFCsX9/xt8CI=
+yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240906024738-81a42135cb55 h1:A5MM002w5u9TSxRxwMPEEc3lN8ygf30k4Kll1Nu8us8=
+yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240906024738-81a42135cb55/go.mod h1:iLoBHVR2Eur/1WJSGcbZaEwpzh/iqXvbFCsX9/xt8CI=
 yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32 h1:v7POYkQwo1XzOxBoIoRVr/k0V9Y5JyjpshlIFa9raug=
 yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32/go.mod h1:Uxuou9WQIeJXNpy7t2fPLL0BYLvLiMvGQwY7Qc6aSws=
 yunion.io/x/jsonutils v0.0.0-20190625054549-a964e1e8a051/go.mod h1:4N0/RVzsYL3kH3WE/H1BjUQdFiWu50JGCFQuuy+Z634=
@@ -1323,8 +1323,8 @@ yunion.io/x/ovsdb v0.0.0-20230306173834-f164f413a900 h1:Hu/4ERvoWaN6aiFs4h4/yvVB
 yunion.io/x/ovsdb v0.0.0-20230306173834-f164f413a900/go.mod h1:0vLkNEhlmA64HViPBAnSTUMrx5QP1CLsxXmxDKQ80tc=
 yunion.io/x/pkg v0.0.0-20190620104149-945c25821dbf/go.mod h1:t6rEGG2sQ4J7DhFxSZVOTjNd0YO/KlfWQyK1W4tog+E=
 yunion.io/x/pkg v0.0.0-20190628082551-f4033ba2ea30/go.mod h1:t6rEGG2sQ4J7DhFxSZVOTjNd0YO/KlfWQyK1W4tog+E=
-yunion.io/x/pkg v1.10.1-0.20240826001854-ac73b70d75b7 h1:ceNLYp6CKYccbFw/ug9ohSaUbEk5THipaA4K+SAHEKc=
-yunion.io/x/pkg v1.10.1-0.20240826001854-ac73b70d75b7/go.mod h1:0Bwxqd9MA3ACi119/l02FprY/o9gHahmYC2bsSbnVpM=
+yunion.io/x/pkg v1.10.1-0.20240905110705-77c46e716318 h1:Fm7I8ypXHxeObY4u/VUGz78NsambemzTZ9fECyGKNi8=
+yunion.io/x/pkg v1.10.1-0.20240905110705-77c46e716318/go.mod h1:0Bwxqd9MA3ACi119/l02FprY/o9gHahmYC2bsSbnVpM=
 yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e h1:v+EzIadodSwkdZ/7bremd7J8J50Cise/HCylsOJngmo=
 yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e/go.mod h1:0iFKpOs1y4lbCxeOmq3Xx/0AcQoewVPwj62eRluioEo=
 yunion.io/x/sqlchemy v1.1.3-0.20240831153043-4030cea8d4b9 h1:vJSHj5jalKW7Vx5dqPmdI/jmpqMxR6nqHHtZSTQUZYM=
diff --git a/pkg/cloudid/drivers/base.go b/pkg/cloudid/drivers/base.go
index e57844844a9..e2f003bdbea 100644
--- a/pkg/cloudid/drivers/base.go
+++ b/pkg/cloudid/drivers/base.go
@@ -247,8 +247,8 @@ func (base SProviderBaseProviderDriver) RequestSyncCloudproviderResources(ctx co
 }()
 func() {
- lockman.LockRawObject(ctx, account.Id, models.SAMLProviderManager.Keyword())
- defer lockman.ReleaseRawObject(ctx, account.Id, models.SAMLProviderManager.Keyword())
+ lockman.LockRawObject(ctx, cp.Id, models.SAMLProviderManager.Keyword())
+ defer lockman.ReleaseRawObject(ctx, cp.Id, models.SAMLProviderManager.Keyword())
 samls, err := provider.GetICloudSAMLProviders()
 if err != nil {
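Review bot: The SAML-provider lock in RequestSyncCloudproviderResources is now keyed by `cp.Id` instead of `account.Id`, so two cloudproviders of the same account can run this block at the same time, and nothing in the hunk says whether SAML provider records are scoped per cloudprovider or per account. If they are per account, concurrent syncs can each decide the provider is missing and create it twice. The @@ -456 hunk in RequestCreateSAMLProvider makes the same switch to `providers[i].Id`. A comment on the lock naming the scope it protects, along the lines of `// serialize SAML provider sync per cloudprovider (SAML providers are tracked per cloudprovider, not per account)`, would make the invariant checkable — word it to match what the model actually enforces. Both enclosing functions start and end outside their hunks.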
@@ -456,8 +456,8 @@ func (base SProviderBaseProviderDriver) RequestCreateSAMLProvider(ctx context.Co
 }
 for i := range providers {
 err = func() error {
- lockman.LockRawObject(ctx, account.Id, models.SAMLProviderManager.Keyword())
- defer lockman.ReleaseRawObject(ctx, account.Id, models.SAMLProviderManager.Keyword())
+ lockman.LockRawObject(ctx, providers[i].Id, models.SAMLProviderManager.Keyword())
+ defer lockman.ReleaseRawObject(ctx, providers[i].Id, models.SAMLProviderManager.Keyword())
 samlProviders, err := providers[i].GetSamlProviders()
 if err != nil {
@@ -589,7 +589,7 @@ func (base SProviderBaseProviderDriver) RequestCreateRoleForSamlUser(ctx context
 return errors.Wrapf(err, "GetProvider")
 }
 opts := &cloudprovider.SRoleCreateOptions{
- Name: fmt.Sprintf("%s-%s", user.Name, group.Name),
+ Name: fmt.Sprintf("%s-%s", group.Name, utils.GenRequestId(5)),
 Desc: fmt.Sprintf("auto create by cloudpods"),
 SAMLProvider: samlProvider.ExternalId,
 }
diff --git a/pkg/cloudid/models/cloudaccount.go b/pkg/cloudid/models/cloudaccount.go
index 882cd8e2058..1f860d3fbf8 100644
--- a/pkg/cloudid/models/cloudaccount.go
+++ b/pkg/cloudid/models/cloudaccount.go
@@ -27,7 +27,6 @@ import (
 "yunion.io/x/pkg/tristate"
 "yunion.io/x/onecloud/pkg/apis"
- api "yunion.io/x/onecloud/pkg/apis/cloudid"
 "yunion.io/x/onecloud/pkg/cloudcommon/db"
 "yunion.io/x/onecloud/pkg/cloudcommon/db/taskman"
 "yunion.io/x/onecloud/pkg/cloudid/options"
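Review bot: The role name at @@ -589 now ends in `utils.GenRequestId(5)`, so each call to RequestCreateRoleForSamlUser yields a different name for the same group; unless a lookup outside this hunk reuses an existing role, every login creates a fresh IAM role that trusts the SAML provider (`SAMLProvider: samlProvider.ExternalId`) and superseded roles accumulate in the cloud account. Five random characters also give a small per-group namespace, so a collision with an existing role fails creation with an already-exists error instead of reusing it. Prefer a deterministic name (group name plus a stable identifier such as the group id) or, if the random suffix is deliberate, a comment saying why plus a cleanup path for old roles. `Desc: fmt.Sprintf("auto create by cloudpods"),` has no format verbs and can be the plain literal `Desc: "auto create by cloudpods",`. The enclosing function starts and ends outside the hunk.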
@@ -109,31 +108,8 @@ func (self *SCloudaccount) GetDriver() (IProviderDriver, error) {
 return GetProviderDriver(self.Provider)
 }
-func (self *SCloudaccount) GetCloudpolicies() ([]SCloudpolicy, error) {
+func (self *SCloudaccount) GetCloudpolicies(managerId string) ([]SCloudpolicy, error) {
 q := CloudpolicyManager.Query().Equals("cloudaccount_id", self.Id)
- policies := []SCloudpolicy{}
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
-func (self *SCloudaccount) GetSystemCloudpolicies(managerId string) ([]SCloudpolicy, error) {
- q := CloudpolicyManager.Query().Equals("cloudaccount_id", self.Id).Equals("policy_type", api.CLOUD_POLICY_TYPE_SYSTEM)
- if len(managerId) > 0 {
- q = q.Equals("manager_id", managerId)
- }
- policies := []SCloudpolicy{}
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
-func (self *SCloudaccount) GetCustomCloudpolicies(managerId string) ([]SCloudpolicy, error) {
- q := CloudpolicyManager.Query().Equals("cloudaccount_id", self.Id).Equals("policy_type", api.CLOUD_POLICY_TYPE_CUSTOM)
 if len(managerId) > 0 {
 q = q.Equals("manager_id", managerId)
 }
diff --git a/pkg/cloudid/models/cloudgroup.go b/pkg/cloudid/models/cloudgroup.go
index ad897187937..4cb49ea2334 100644
--- a/pkg/cloudid/models/cloudgroup.go
+++ b/pkg/cloudid/models/cloudgroup.go
@@ -17,6 +17,7 @@ package models
 import (
 "context"
 "database/sql"
+ "fmt"
 "gopkg.in/fatih/set.v0"
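Review bot: `GetCloudpolicies` gained a `managerId` parameter whose empty-string meaning is only visible from the `if len(managerId) > 0` guard: an empty value drops the manager filter and returns every policy of the account across all cloudproviders. SyncPolicies in cloudpolicy.go now passes its `managerId` straight through, so a caller that passes an empty id presumably compares other providers' policies against one provider's list and may mark them as removed. A doc comment pins the contract down: `// GetCloudpolicies returns the account's cloud policies; an empty managerId disables the manager_id filter and returns the policies of every cloudprovider of the account.` The tail of the method body is outside the hunk.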
@@ -382,26 +383,6 @@ func (self *SCloudgroup) GetCloudpolicies() ([]SCloudpolicy, error) {
 return policies, nil
 }
-func (self *SCloudgroup) GetSystemCloudpolicies() ([]SCloudpolicy, error) {
- policies := []SCloudpolicy{}
- q := self.GetCloudpolicyQuery().Equals("policy_type", api.CLOUD_POLICY_TYPE_SYSTEM)
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
-func (self *SCloudgroup) GetCustomCloudpolicies() ([]SCloudpolicy, error) {
- policies := []SCloudpolicy{}
- q := self.GetCloudpolicyQuery().Equals("policy_type", api.CLOUD_POLICY_TYPE_CUSTOM)
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
 func (self *SCloudgroup) GetCloudpolicy(policyId string) (*SCloudpolicy, error) {
 policies := []SCloudpolicy{}
 q := self.GetCloudpolicyQuery().Equals("id", policyId)
@@ -773,8 +754,8 @@ func (self *SCloudgroup) attachPolicy(policyId string) error {
 }
 func (self *SCloudaccount) SyncCloudgroups(ctx context.Context, userCred mcclient.TokenCredential, iGroups []cloudprovider.ICloudgroup, managerId string) ([]SCloudgroup, []cloudprovider.ICloudgroup, compare.SyncResult) {
- lockman.LockRawObject(ctx, CloudgroupManager.Keyword(), self.Id)
- defer lockman.ReleaseRawObject(ctx, CloudgroupManager.Keyword(), self.Id)
+ lockman.LockRawObject(ctx, CloudgroupManager.Keyword(), fmt.Sprintf("%s-%s", self.Id, managerId))
+ defer lockman.ReleaseRawObject(ctx, CloudgroupManager.Keyword(), fmt.Sprintf("%s-%s", self.Id, managerId))
 result := compare.SyncResult{}
 dbGroups, err := self.GetCloudgroups(managerId)
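Review bot: The lock key `fmt.Sprintf("%s-%s", self.Id, managerId)` in SyncCloudgroups is built twice and, with an empty managerId, becomes `"<account-id>-"`, a key no per-provider sync shares, so an account-wide sync and a per-provider sync of the same account no longer exclude each other — while the per-account lock newCloudgroup used to take is dropped at @@ -889. If group uniqueness is enforced only in application code, two such syncs can insert the same group; if a database unique index covers it, the second insert surfaces as a sync error instead — which applies is not visible here. Compute the key once, `lockKey := fmt.Sprintf("%s-%s", self.Id, managerId)`, and use it in both calls. SyncCloudusers at @@ -1142 in clouduser.go has the identical pattern. The enclosing function continues outside the hunk.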
@@ -889,9 +870,6 @@ func (group *SCloudgroup) SyncWithCloudgroup(ctx context.Context, userCred mccli
 }
 func (self *SCloudaccount) newCloudgroup(ctx context.Context, userCred mcclient.TokenCredential, iGroup cloudprovider.ICloudgroup, managerId string) (*SCloudgroup, error) {
- lockman.LockObject(ctx, self)
- defer lockman.ReleaseObject(ctx, self)
-
 group := &SCloudgroup{}
 group.SetModelManager(CloudgroupManager, group)
 group.Name = iGroup.GetName()
@@ -1016,7 +994,7 @@ func (self *SCloudgroup) SyncPolicies(ctx context.Context, userCred mcclient.Tok
 return q.Equals("cloudaccount_id", self.CloudaccountId)
 })
 if err != nil {
- result.AddError(errors.Wrapf(err, "add %s", added[i].GetName()))
+ result.AddError(errors.Wrapf(err, "add %s(%s)", added[i].GetName(), added[i].GetGlobalId()))
 continue
 }
 err = self.attachPolicy(policy.GetId())
diff --git a/pkg/cloudid/models/cloudpolicy.go b/pkg/cloudid/models/cloudpolicy.go
index a03b9dac292..e46c1ad16d1 100644
--- a/pkg/cloudid/models/cloudpolicy.go
+++ b/pkg/cloudid/models/cloudpolicy.go
@@ -313,14 +313,18 @@ func (manager *SCloudpolicyManager) FetchCustomizeColumns(
 func (self *SCloudpolicy) SyncWithCloudpolicy(ctx context.Context, userCred mcclient.TokenCredential, iPolicy cloudprovider.ICloudpolicy) error {
 _, err := db.Update(self, func() error {
 self.Name = iPolicy.GetName()
- self.Description = iPolicy.GetDescription()
+ if self.PolicyType == api.CLOUD_POLICY_TYPE_CUSTOM || len(self.Description) == 0 {
+ self.Description = iPolicy.GetDescription()
+ }
 self.Status = apis.STATUS_AVAILABLE
 self.IsPublic = true
- doc, err := iPolicy.GetDocument()
- if err != nil {
- return errors.Wrapf(err, "GetDocument")
+ if self.PolicyType == api.CLOUD_POLICY_TYPE_CUSTOM || gotypes.IsNil(self.Document) {
+ doc, err := iPolicy.GetDocument()
+ if err != nil {
+ return errors.Wrapf(err, "GetDocument")
+ }
+ self.Document = doc
 }
- self.Document = doc
 return nil
 })
 if err != nil {
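Review bot: In SyncWithCloudpolicy the document is now re-read only for custom policies or when `self.Document` is nil, so a system (provider-managed) policy whose document changes upstream keeps its stored copy indefinitely; the description is treated the same way. The stored document is what an operator reviews to judge what a policy grants, so after a provider updates a managed policy the local copy under-reports the permissions actually in effect. If the skip is meant to save one GetDocument round-trip per managed policy on each sync, say so in a comment on the `if`, e.g. `// system policies are read once; only custom policies are re-fetched on every sync`, and consider a periodic or on-demand refresh for system policies. The end of the function is outside the hunk.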
@@ -330,9 +334,6 @@ func (self *SCloudpolicy) SyncWithCloudpolicy(ctx context.Context, userCred mccl
 }
 func (self *SCloudaccount) newCloudpolicy(ctx context.Context, userCred mcclient.TokenCredential, iPolicy cloudprovider.ICloudpolicy, managerId string) (*SCloudpolicy, error) {
- lockman.LockObject(ctx, self)
- defer lockman.ReleaseObject(ctx, self)
-
 policy := &SCloudpolicy{}
 policy.SetModelManager(CloudpolicyManager, policy)
 doc, err := iPolicy.GetDocument()
@@ -352,6 +353,9 @@ func (self *SCloudaccount) newCloudpolicy(ctx context.Context, userCred mcclient
 }
 func (self *SCloudaccount) SyncPolicies(ctx context.Context, userCred mcclient.TokenCredential, iPolicies []cloudprovider.ICloudpolicy, managerId string) compare.SyncResult {
+ lockman.LockRawObject(ctx, CloudproviderManager.Keyword(), managerId)
+ defer lockman.ReleaseRawObject(ctx, CloudproviderManager.Keyword(), managerId)
+
 result := compare.SyncResult{}
 removed := make([]SCloudpolicy, 0)
@@ -359,7 +363,7 @@ func (self *SCloudaccount) SyncPolicies(ctx context.Context, userCred mcclient.T
 commonext := make([]cloudprovider.ICloudpolicy, 0)
 added := make([]cloudprovider.ICloudpolicy, 0)
- dbPolicies, err := self.GetCloudpolicies()
+ dbPolicies, err := self.GetCloudpolicies(managerId)
 if err != nil {
 result.Error(errors.Wrapf(err, "GetCloudpolicies"))
 return result
diff --git a/pkg/cloudid/models/clouduser.go b/pkg/cloudid/models/clouduser.go
index f9f385b81c4..70a64911dd7 100644
--- a/pkg/cloudid/models/clouduser.go
+++ b/pkg/cloudid/models/clouduser.go
@@ -17,6 +17,7 @@ package models
 import (
 "context"
 "database/sql"
+ "fmt"
 "gopkg.in/fatih/set.v0"
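Review bot: The lock added to SyncPolicies at @@ -352 is keyed by `managerId` alone under `CloudproviderManager.Keyword()`, and the per-account lock is removed from newCloudpolicy at @@ -330, so two cloudproviders of the same account can now insert policies for that account concurrently, and an empty managerId makes every account-level sync in the process contend on one empty-string key. Whether concurrent inserts are safe depends on a database uniqueness constraint over the policy's account, manager and external id, which is not visible here. A comment on the lock stating what it protects, e.g. `// serialize policy sync per cloudprovider; newCloudpolicy relies on this lock instead of locking the account`, records the intended invariant, and the empty-managerId case deserves either an explicit key or an early return. Both enclosing functions start and end outside their hunks.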
@@ -669,26 +670,6 @@ func (self *SClouduser) GetCloudpolicies() ([]SCloudpolicy, error) {
 return policies, nil
 }
-func (self *SClouduser) GetSystemCloudpolicies() ([]SCloudpolicy, error) {
- policies := []SCloudpolicy{}
- q := self.GetCloudpolicyQuery().Equals("policy_type", api.CLOUD_POLICY_TYPE_SYSTEM)
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
-func (self *SClouduser) GetCustomCloudpolicies() ([]SCloudpolicy, error) {
- policies := []SCloudpolicy{}
- q := self.GetCloudpolicyQuery().Equals("policy_type", api.CLOUD_POLICY_TYPE_CUSTOM)
- err := db.FetchModelObjects(CloudpolicyManager, q, &policies)
- if err != nil {
- return nil, errors.Wrap(err, "db.FetchModelObjects")
- }
- return policies, nil
-}
-
 func (self *SClouduser) joinGroup(groupId string) error {
 gu := &SCloudgroupUser{}
 gu.SetModelManager(CloudgroupUserManager, gu)
@@ -1142,8 +1123,8 @@ func (self *SCloudaccount) SyncCloudusers(
 iUsers []cloudprovider.IClouduser,
 managerId string,
 ) ([]SClouduser, []cloudprovider.IClouduser, compare.SyncResult) {
- lockman.LockRawObject(ctx, ClouduserManager.Keyword(), self.Id)
- defer lockman.ReleaseRawObject(ctx, ClouduserManager.Keyword(), self.Id)
+ lockman.LockRawObject(ctx, ClouduserManager.Keyword(), fmt.Sprintf("%s-%s", self.Id, managerId))
+ defer lockman.ReleaseRawObject(ctx, ClouduserManager.Keyword(), fmt.Sprintf("%s-%s", self.Id, managerId))
 result := compare.SyncResult{}
 dbUsers, err := self.GetCloudusers(managerId)
diff --git a/pkg/cloudid/saml/providers/aws/driver.go b/pkg/cloudid/saml/providers/aws/driver.go
index 5fc9d00ba60..e8ca0b184b3 100644
--- a/pkg/cloudid/saml/providers/aws/driver.go
+++ b/pkg/cloudid/saml/providers/aws/driver.go
@@ -60,7 +60,7 @@ func (d *SAWSSAMLDriver) GetIdpInitiatedLoginData(ctx context.Context, userCred
 {
 name: "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
 friendlyName: "RoleSessionName",
- value: userCred.GetUserId(),
+ value: userCred.GetUserName(),
 },
 {
 name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.3",
diff --git a/pkg/cloudid/saml/providers/awscn/driver.go b/pkg/cloudid/saml/providers/awscn/driver.go
index 84333aedf61..3cca043d3d1 100644
--- a/pkg/cloudid/saml/providers/awscn/driver.go
+++ b/pkg/cloudid/saml/providers/awscn/driver.go
@@ -60,7 +60,7 @@ func (d *SAWSCNSAMLDriver) GetIdpInitiatedLoginData(ctx context.Context, userCre
 {
 name: "https://aws.amazon.com/SAML/Attributes/RoleSessionName",
 friendlyName: "RoleSessionName",
- value: userCred.GetUserId(),
+ value: userCred.GetUserName(),
 },
 {
 name: "urn:oid:1.3.6.1.4.1.5923.1.1.1.3",
diff --git a/pkg/cloudid/tasks/cloudaccount_sync_resources_task.go b/pkg/cloudid/tasks/cloudaccount_sync_resources_task.go
index 2548e0a8069..b8866c33315 100644
--- a/pkg/cloudid/tasks/cloudaccount_sync_resources_task.go
+++ b/pkg/cloudid/tasks/cloudaccount_sync_resources_task.go
@@ -36,7 +36,7 @@ var (
 )
 func init() {
- CloudaccountSyncWorkerManager = appsrv.NewWorkerManager("CloudaccountSyncWorkerManager", 10, 1024, false)
+ CloudaccountSyncWorkerManager = appsrv.NewWorkerManager("CloudaccountSyncWorkerManager", 20, 1024, false)
 taskman.RegisterTaskAndWorker(CloudaccountSyncResourcesTask{}, CloudaccountSyncWorkerManager)
 }
diff --git a/pkg/cloudid/tasks/cloudprovider_sync_resources_task.go b/pkg/cloudid/tasks/cloudprovider_sync_resources_task.go
index 35a181407f8..6f8f3aa2499 100644
--- a/pkg/cloudid/tasks/cloudprovider_sync_resources_task.go
+++ b/pkg/cloudid/tasks/cloudprovider_sync_resources_task.go
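Review bot: Using `userCred.GetUserName()` as the AWS `RoleSessionName` here and in the identical awscn/driver.go hunk feeds a user-chosen string into an STS attribute that accepts only `[\w+=,.@-]` and 2–64 characters, so a name with spaces, non-ASCII letters or more than 64 bytes makes AssumeRoleWithSAML reject the assertion, whereas the id was always well-formed. The session name also becomes part of the assumed-role ARN that CloudTrail records, and names are mutable and reusable while the id is stable, so attribution in the cloud-side audit trail gets weaker. Normalize the name before use and fall back to the id (the previous value) when nothing usable remains, in a helper both drivers can share; it needs `strings` in scope:
```go
// roleSessionName restricts s to what STS accepts for RoleSessionName
// ([\w+=,.@-], 2-64 characters); fallback is used when the normalized
// value is too short.
func roleSessionName(s, fallback string) string {
	var b strings.Builder
	for _, r := range s {
		switch {
		case r >= 'a' && r <= 'z', r >= 'A' && r <= 'Z', r >= '0' && r <= '9':
			b.WriteRune(r)
		case strings.ContainsRune("_+=,.@-", r):
			b.WriteRune(r)
		}
	}
	out := b.String()
	if len(out) < 2 {
		out = fallback
	}
	if len(out) > 64 {
		out = out[:64]
	}
	return out
}
// … unchanged: attribute list up to the RoleSessionName entry …
value: roleSessionName(userCred.GetUserName(), userCred.GetUserId()),
```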
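Review bot: The worker count for CloudaccountSyncWorkerManager changes from 10 to 20, and CloudproviderSyncWorkerManager at the next hunk goes to 30, with nothing recording why the two differ or what sizes them. More concurrent syncs also widen the window for the narrower lock scopes introduced elsewhere in this commit, so the numbers deserve a short comment on each `NewWorkerManager` call, e.g. `// 20 parallel account syncs; sized to ... (fill in the actual reasoning)`, or a named constant per manager so the relationship between the two values is explicit.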
@@ -36,7 +36,7 @@ var (
 )
 func init() {
- CloudproviderSyncWorkerManager = appsrv.NewWorkerManager("CloudproviderSyncWorkerManager", 10, 1024, false)
+ CloudproviderSyncWorkerManager = appsrv.NewWorkerManager("CloudproviderSyncWorkerManager", 30, 1024, false)
 taskman.RegisterTaskAndWorker(CloudproviderSyncResourcesTask{}, CloudproviderSyncWorkerManager)
 }
diff --git a/vendor/modules.txt b/vendor/modules.txt
index 99323848cf7..8812de0dc60 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -1690,7 +1690,7 @@ sigs.k8s.io/structured-merge-diff/v4/value
 # sigs.k8s.io/yaml v1.2.0
 ## explicit; go 1.12
 sigs.k8s.io/yaml
-# yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240827090450-1fbc71ee1125
+# yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240906024738-81a42135cb55
 ## explicit; go 1.18
 yunion.io/x/cloudmux/pkg/apis
 yunion.io/x/cloudmux/pkg/apis/billing
@@ -1787,7 +1787,7 @@ yunion.io/x/log/hooks
 yunion.io/x/ovsdb/cli_util
 yunion.io/x/ovsdb/schema/ovn_nb
 yunion.io/x/ovsdb/types
-# yunion.io/x/pkg v1.10.1-0.20240826001854-ac73b70d75b7
+# yunion.io/x/pkg v1.10.1-0.20240905110705-77c46e716318
 ## explicit; go 1.18
 yunion.io/x/pkg/appctx
 yunion.io/x/pkg/errors
diff --git a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/aws.go b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/aws.go
index 341dba92a62..f29c6a7b9ae 100644
--- a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/aws.go
+++ b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/aws.go
@@ -133,15 +133,6 @@ func (cli *SAwsClient) getIamArn(arn string) string {
 }
 }
-func (cli *SAwsClient) getIamCommonArn(arn string) string {
- switch cli.GetAccessEnv() {
- case api.CLOUD_ACCESS_ENV_AWS_GLOBAL:
- return strings.TrimPrefix(arn, AWS_GLOBAL_ARN_PREFIX)
- default:
- return strings.TrimPrefix(arn, AWS_CHINA_ARN_PREFIX)
- }
-}
-
 func GetDefaultRegionId(accessUrl string) string {
 defaultRegion := AWS_INTERNATIONAL_DEFAULT_REGION
 switch accessUrl {
diff --git a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_group.go b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_group.go
index d3217079ea2..893e3ff4613 100644
--- a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_group.go
+++ b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_group.go
@@ -74,11 +74,11 @@ func (self *SGroup) GetICloudusers() ([]cloudprovider.IClouduser, error) {
 }
 func (self *SGroup) AttachPolicy(policyId string, policyType api.TPolicyType) error {
- return self.client.AttachGroupPolicy(self.GroupName, self.client.getIamArn(policyId))
+ return self.client.AttachGroupPolicy(self.GroupName, policyId)
 }
 func (self *SGroup) DetachPolicy(policyId string, policyType api.TPolicyType) error {
- return self.client.DetachGroupPolicy(self.GroupName, self.client.getIamArn(policyId))
+ return self.client.DetachGroupPolicy(self.GroupName, policyId)
 }
 func (self *SGroup) Delete() error {
@@ -109,6 +109,26 @@ func (self *SGroup) ListPolicies() ([]SAttachedPolicy, error) {
 return policies, nil
 }
+func (self *SGroup) ListGroupPolicies() ([]SPolicy, error) {
+ policies := []SPolicy{}
+ offset := ""
+ for {
+ part, err := self.client.ListGroupPolicies(self.GroupName, offset, 1000)
+ if err != nil {
+ return nil, errors.Wrapf(err, "ListGroupPolicies")
+ }
+ for i := range part.Policies {
+ part.Policies[i].client = self.client
+ policies = append(policies, part.Policies[i])
+ }
+ offset = part.Marker
+ if len(offset) == 0 || !part.IsTruncated {
+ break
+ }
+ }
+ return policies, nil
+}
+
 func (self *SGroup) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
 policies, err := self.ListPolicies()
 if err != nil {
@@ -182,6 +202,7 @@ func (self *SAwsClient) CreateGroup(name string, path string) (*SGroup, error) {
 if err != nil {
 return nil, errors.Wrap(err, "iamRequest.CreateGroup")
 }
+ group.Group.client = self
 return &group.Group, nil
 }
diff --git a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_policy.go b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_policy.go
index a92a00e3cf9..2da26941c7a 100644
--- a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_policy.go
+++ b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_policy.go
@@ -56,7 +56,7 @@ func (self *SPolicy) GetName() string {
 }
 func (self *SPolicy) GetGlobalId() string {
- return self.client.getIamCommonArn(self.Arn)
+ return self.Arn
 }
 func (self *SPolicy) GetPolicyType() cloudid.TPolicyType {
@@ -127,7 +127,7 @@ func (self *SAwsClient) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error
 ret := []cloudprovider.ICloudpolicy{}
 marker := ""
 for {
- part, err := self.ListPolicies(marker, 1000, false, "", "PermissionsPolicy", "AWS")
+ part, err := self.ListPolicies(marker, 1000, false, "", "", "AWS")
 if err != nil {
 return nil, errors.Wrapf(err, "ListPolicies")
 }
@@ -143,7 +143,7 @@ func (self *SAwsClient) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error
 }
 for {
- part, err := self.ListPolicies(marker, 1000, false, "", "PermissionsPolicy", "Local")
+ part, err := self.ListPolicies(marker, 1000, false, "", "", "Local")
 if err != nil {
 return nil, errors.Wrapf(err, "ListPolicies")
 }
@@ -230,7 +230,7 @@ type SAttachedPolicy struct {
 }
 func (self *SAttachedPolicy) GetGlobalId() string {
- return self.client.getIamCommonArn(self.PolicyArn)
+ return self.PolicyArn
 }
 func (self *SAttachedPolicy) GetName() string {
diff --git a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_role.go b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_role.go
index 6e38dcaa8e1..3befeac7dbc 100644
--- a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_role.go
+++ b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_role.go
@@ -70,7 +70,7 @@ func (self *SRole) GetDocument() *jsonutils.JSONDict {
 return document.(*jsonutils.JSONDict)
 }
-//[{"Action":"sts:AssumeRoleWithSAML","Condition":{"StringEquals":{"SAML:aud":"https://signin.aws.amazon.com/saml"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::879324515906:saml-provider/quxuan"}}]
+// [{"Action":"sts:AssumeRoleWithSAML","Condition":{"StringEquals":{"SAML:aud":"https://signin.aws.amazon.com/saml"}},"Effect":"Allow","Principal":{"Federated":"arn:aws:iam::879324515906:saml-provider/quxuan"}}]
 func (self *SRole) GetSAMLProvider() string {
 document := self.GetDocument()
 if document != nil {
@@ -90,11 +90,11 @@ func (self *SRole) GetSAMLProvider() string {
 }
 func (self *SRole) AttachPolicy(id string, policyType cloudid.TPolicyType) error {
- return self.client.AttachRolePolicy(self.RoleName, self.client.getIamArn(id))
+ return self.client.AttachRolePolicy(self.RoleName, id)
 }
 func (self *SRole) DetachPolicy(id string, polityType cloudid.TPolicyType) error {
- return self.client.DetachRolePolicy(self.RoleName, self.client.getIamArn(id))
+ return self.client.DetachRolePolicy(self.RoleName, id)
 }
 func (self *SRole) GetICloudpolicies() ([]cloudprovider.ICloudpolicy, error) {
diff --git a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_user.go b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_user.go
index 84c128d65c0..7f56c2c3b70 100644
--- a/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_user.go
+++ b/vendor/yunion.io/x/cloudmux/pkg/multicloud/aws/iam_user.go
@@ -53,11 +53,11 @@ func (user *SUser) GetInviteUrl() string {
 }
 func (user *SUser) AttachPolicy(policyArn string, policyType api.TPolicyType) error {
- return user.client.AttachUserPolicy(user.UserName, user.client.getIamArn(policyArn))
+ return user.client.AttachUserPolicy(user.UserName, policyArn)
 }
 func (user *SUser) DetachPolicy(policyArn string, policyType api.TPolicyType) error {
- return user.client.DetachUserPolicy(user.UserName, user.client.getIamArn(policyArn))
+ return user.client.DetachUserPolicy(user.UserName, policyArn)
 }
 func (user *SUser) GetGlobalId() string {
diff --git a/vendor/yunion.io/x/pkg/util/cloudinit/cloudconfig.go b/vendor/yunion.io/x/pkg/util/cloudinit/cloudconfig.go
index 36f3b77b823..c1440745843 100644
--- a/vendor/yunion.io/x/pkg/util/cloudinit/cloudconfig.go
+++ b/vendor/yunion.io/x/pkg/util/cloudinit/cloudconfig.go
@@ -236,12 +236,15 @@ func (conf *SCloudConfig) UserDataScript() string {
 if conf.DisableRoot == 0 {
 shells = append(shells, `sed -i "s/.*PermitRootLogin.*/PermitRootLogin yes/g" /etc/ssh/sshd_config`)
+ shells = append(shells, `sed -i "s/.*PermitRootLogin.*/PermitRootLogin yes/g" /etc/ssh/sshd_config.d/*.conf`)
 }
 if conf.SshPwauth == SSH_PASSWORD_AUTH_ON {
 shells = append(shells, `sed -i 's/.*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config`)
+ shells = append(shells, `sed -i 's/.*PasswordAuthentication.*/PasswordAuthentication yes/' /etc/ssh/sshd_config.d/*.conf`)
 }
 if conf.DisableRoot == 0 || conf.SshPwauth == SSH_PASSWORD_AUTH_ON {
- shells = append(shells, `systemctl restart sshd`)
+ // ubuntu24.04 sshd -> ssh
+ shells = append(shells, `systemctl restart sshd ssh`)
 }
 for _, pkg := range conf.Packages {