v1.5.2

frontend/src/components/header/index.vue

@@ -123,6 +123,10 @@
                                     <img src="@/images/back.svg" alt="" class="back-staff">
                                     <span>{{ $t(`m.nav['普通成员']`) }}</span>
                                 </div>
+                            </div>
+                        </template>
+                        <template>
+                            <div class="operation right">
                                 <div class="user-dropdown-item " @click="handleLogout">
                                     <Icon type="logout" />
                                     {{ $t(`m.nav['注销']`) }}

frontend/src/views/perm-apply/components/resource-instance-table.vue

@@ -656,7 +656,7 @@
                 if (payload.length < 1) {
                     return
                 }
-
+        
                 payload.forEach(item => {
                     const curIndex = this.tableList.findIndex(sub => sub.id === item.id)
                     if (curIndex > -1) {
@@ -668,7 +668,7 @@
                         this.tableList.splice(
                             curIndex,
                             1,
-                            new Policy({ ...item, tag: 'add', isShowRelatedText: true, inOriginalList }, '', true)
+                            new Policy({ ...item, tag: item.tag || 'update', isShowRelatedText: true, inOriginalList }, '', false)
                         )
                     }
                 })
@@ -709,6 +709,7 @@
                                 // 是否带有下一层级的无限制
                                 const isHasNoLimit = v.some(({ id }) => id === '*')
                                 const isDisabled = v.some(_ => !!_.disabled)
+                                // 可编辑的才会计数
                                 if (!isHasNoLimit && !isDisabled) {
                                     ++newResourceCount
                                 }

frontend/src/views/perm/components/perm-table-edit.vue

@@ -66,6 +66,7 @@
             :title="sidesliderTitle"
             :width="725"
             quick-close
+            data-test-id="myPerm-sideslider-resourceInsance"
             @update:isShow="handleResourceCancel">
             <div slot="header" class="iam-my-custom-perm-silder-header">
                 <span>{{ sidesliderTitle}}</span>

frontend/src/views/perm/custom-perm/index.vue

@@ -2,6 +2,7 @@
     <div class="my-perm-custom-perm">
         <template v-if="hasPerm">
             <render-perm-item
+                data-test-id="myPerm_list_system"
                 v-for="(sys, sysIndex) in systemList"
                 :key="sys.id"
                 :expanded.sync="sys.expanded"
@@ -12,6 +13,7 @@
                 :one-perm="onePerm"
                 @on-expanded="handleExpanded(...arguments, sys)">
                 <perm-table
+                    data-test-id="myPerm_table_actionPerm"
                     :key="sys.id"
                     :system-id="sys.id"
                     @after-delete="handleAfterDelete(...arguments, sysIndex)" />

frontend/src/views/perm/group-perm/index.vue

@@ -1,6 +1,7 @@
 <template>
     <div class="my-perm-group-perm">
         <bk-table
+            data-test-id="myPerm_table_group"
             :data="curPageData"
             :size="'small'"
             :pagination="pageConf"

frontend/src/views/perm/index.vue

@@ -2,13 +2,15 @@
     <div class="iam-my-perm-wrapper">
         <div class="header">
             <bk-button
+                data-test-id="myPerm_btn_applyPerm"
                 type="button"
                 theme="primary"
                 style="margin-bottom: 16px;"
                 @click="handleGoApply">
                 {{ $t(`m.common['申请权限']`) }}
             </bk-button>
             <bk-button
+                data-test-id="myPerm_btn_batchRenewal"
                 style="margin: 0 0 16px 6px;"
                 :disabled="isEmpty || isNoRenewal"
                 @click="handleBatchRenewal">

release.md

@@ -1,3 +1,21 @@
+# V1.5.2
+
+### 功能优化
+* 更新paas v3 smart配置
+* 分享链接自动带上条件过滤
+
+### 缺陷修复
+* 修复权限策略部分删除报错问题
+* 修复由于资源实例名称中存在空格导致授权报错问题
+* 修复清理过期权限出错问题
+* 修改权限审批使用系统管理员审批流程审批人员为空问题
+* 修复管理类API创建用户组绑定分级管理员错误问题
+* 修复管理类API创建分级管理员时授权范围没有按照系统聚合导致后续授权问题
+* 修复未选择任何权限可保存为推荐权限模板
+* 修复从配置平台跳转到权限中心无法选择
+* 修复已有实例权限不应该纳入新实例申请限制数里
+* 修复普通用户没有任何分级管理员时无法注销问题
+
 # V1.5.1
 
 ### 缺陷修复

saas/VERSION

@@ -1 +1 @@
-1.5.1
+1.5.2

saas/backend/api/authorization/serializers.py

@@ -41,14 +41,14 @@ class ResourceInstanceSLZ(serializers.Serializer):
     system = serializers.CharField(label="系统ID", required=True)
     type = serializers.CharField(label="资源类型")
     id = serializers.CharField(label="资源ID")
-    name = serializers.CharField(label="资源名称")
+    name = serializers.CharField(label="资源名称", trim_whitespace=False)
 
 
 class PathNodeSLZ(serializers.Serializer):
     system = serializers.CharField(label="系统ID", default="", allow_blank=True, required=False)
     type = serializers.CharField(label="资源类型", required=True)
     id = serializers.CharField(label="资源实例ID", required=True)
-    name = serializers.CharField(label="资源实例ID名称", required=True, allow_blank=True)
+    name = serializers.CharField(label="资源实例ID名称", required=True, allow_blank=True, trim_whitespace=False)
 
 
 class ResourcePathSLZ(serializers.Serializer):
@@ -96,7 +96,7 @@ class AuthPathSLZ(BaseAuthSLZ, AuthActionSLZ):
 
 class SimpleInstanceSLZ(serializers.Serializer):
     id = serializers.CharField(label="资源ID")
-    name = serializers.CharField(label="资源名称")
+    name = serializers.CharField(label="资源名称", trim_whitespace=False)
 
 
 class BatchResourceInstanceSLZ(serializers.Serializer):
@@ -167,7 +167,7 @@ class AncestorSLZ(serializers.Serializer):
 
 class SingleInstanceSLZ(serializers.Serializer):
     id = serializers.CharField(label="资源ID")
-    name = serializers.CharField(label="资源名称")
+    name = serializers.CharField(label="资源名称", trim_whitespace=False)
     ancestors = serializers.ListField(label="祖先", child=AncestorSLZ(label="祖先层级"), allow_empty=True, required=False)
 
 

saas/backend/api/management/serializers.py

@@ -28,7 +28,9 @@ class ManagementResourcePathNodeSLZ(serializers.Serializer):
     system = serializers.CharField(label="系统ID")
     type = serializers.CharField(label="资源类型")
     id = serializers.CharField(label="资源实例ID")
-    name = serializers.CharField(label="资源实例ID名称", allow_blank=True)  # 路径节点存在无限制，当id="*"则name可以为空
+    name = serializers.CharField(
+        label="资源实例ID名称", allow_blank=True, trim_whitespace=False
+    )  # 路径节点存在无限制，当id="*"则name可以为空
 
 
 class ManagementResourcePathsSLZ(serializers.Serializer):

saas/backend/api/management/views/group.py

@@ -85,7 +85,7 @@ def create(self, request, *args, **kwargs):
         self.group_check_biz.batch_check_role_group_names_unique(role.id, group_names)
 
         groups = self.group_biz.batch_create(
-            request.role.id, parse_obj_as(List[GroupCreateBean], groups_data), request.user.username
+            role.id, parse_obj_as(List[GroupCreateBean], groups_data), request.user.username
         )
 
         # 添加审计信息
@@ -288,7 +288,7 @@ def destroy(self, request, *args, **kwargs):
         self.biz.remove_members(str(group.id), members)
 
         # 写入审计上下文
-        audit_context_setter(group=group, members=members)
+        audit_context_setter(group=group, members=[m.dict() for m in members])
 
         return Response({})
 

saas/backend/apps/application/base_serializers.py

@@ -17,7 +17,7 @@ class SystemInfoSLZ(serializers.Serializer):
 
 class AggResourceInstance(serializers.Serializer):
     id = serializers.CharField(label="实例ID", required=True)
-    name = serializers.CharField(label="实例名称", required=True)
+    name = serializers.CharField(label="实例名称", required=True, trim_whitespace=False)
 
 
 class AggResourceTypeSLZ(serializers.Serializer):

saas/backend/apps/policy/serializers.py

@@ -32,7 +32,7 @@ class ResourceSLZ(serializers.Serializer):
     type = serializers.CharField(label="资源类型", required=True)
     type_name = serializers.CharField(label="资源类型名称", required=True, allow_blank=True)
     id = serializers.CharField(label="资源实例ID", required=True)
-    name = serializers.CharField(label="资源实例ID名称", required=True, allow_blank=True)
+    name = serializers.CharField(label="资源实例ID名称", required=True, allow_blank=True, trim_whitespace=False)
 
 
 class InstanceSLZ(serializers.Serializer):

saas/backend/apps/subject/views.py

@@ -175,23 +175,26 @@ def update(self, request, *args, **kwargs):
         data = slz.validated_data
 
         policy_id = kwargs["pk"]
-        system_id = data["system_id"]
+        resource_system_id = data["system_id"]
         resource_type = data["type"]
         condition_ids = data["ids"]
         condition = data["condition"]
 
         permission_logger.info("subject policy delete partial by user: %s", request.user.username)
 
-        delete_policy = self.policy_operation_biz.delete_partial(
+        # 为避免需要忽略的变量与国际化翻译变量"_"冲突，所以使用"__"
+        system_id, __ = self.policy_query_biz.get_system_policy(subject, policy_id)
+        update_policy = self.policy_operation_biz.delete_partial(
+            system_id,
             subject,
             policy_id,
-            system_id,
+            resource_system_id,
             resource_type,
             condition_ids,
             [ConditionBean(attributes=[], **c) for c in condition],
         )
 
         # 写入审计上下文
-        audit_context_setter(subject=subject, system_id=system_id, policies=[delete_policy])
+        audit_context_setter(subject=subject, system_id=system_id, policies=[update_policy])
 
         return Response({})

saas/backend/apps/user/tasks.py

@@ -101,8 +101,8 @@ def user_cleanup_expired_policy():
                 continue
 
             # 分系统删除过期的策略
-            sorted_policies = sorted(policies, key=lambda p: p.system)
-            for system_id, per_policies in groupby(sorted_policies, lambda p: p.system):
+            sorted_policies = sorted(policies, key=lambda p: p.system.id)
+            for system_id, per_policies in groupby(sorted_policies, lambda p: p.system.id):
                 per_policies = list(per_policies)
                 policy_operation_biz.delete_by_ids(system_id, subject, [p.id for p in per_policies])
 

saas/backend/biz/application.py

@@ -241,7 +241,7 @@ def _get_approval_process_with_node_processor(
             processors = []
             if node.processor_type == RoleType.SUPER_MANAGER.value:
                 processors = self.approval_processor_biz.get_super_manager_members()
-            elif node.processor_type == RoleType.SUPER_MANAGER.value:
+            elif node.processor_type == RoleType.SYSTEM_MANAGER.value:
                 processors = self.approval_processor_biz.get_system_manager_members(system_id=kwargs["system_id"])
             elif node.processor_type == RoleType.RATING_MANAGER.value:
                 processors = self.approval_processor_biz.get_grade_manager_members_by_group_id(

saas/backend/biz/policy.py

@@ -1018,7 +1018,7 @@ def wrapper(*args, **kwargs):
         lock_key = f"bk_iam:lock:{system_id}:{subject.type}:{subject.id}"
         # 加 system + subject 锁
         with cache.lock(lock_key, timeout=10):
-            func(*args, **kwargs)
+            return func(*args, **kwargs)
 
     return wrapper
 

saas/backend/component/esb.py

@@ -35,7 +35,7 @@ def _call_esb_api(http_func, url_path, data, timeout=30):
     }
     data.update(common_params)
 
-    url = f"{settings.BK_PAAS_INNER_HOST}{url_path}"
+    url = f"{settings.BK_COMPONENT_API_URL}{url_path}"
     kwargs = {"url": url, "data": data, "headers": headers, "timeout": timeout}
 
     ok, data = http_func(**kwargs)

saas/backend/trans/open_management.py

@@ -8,6 +8,7 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+from collections import defaultdict
 from typing import Dict, List
 
 from pydantic.tools import parse_obj_as
@@ -106,21 +107,22 @@ def to_role_info(self, data: Dict) -> RoleInfoBean:
         }
         """
         # 将授权的权限范围数据转换为策略格式的auth_scopes
-        authorization_scopes = []
+        system_authorization_scope_dict = defaultdict(list)
         for auth_scope in data["authorization_scopes"]:
             system_id = auth_scope["system"]
             resources = auth_scope["resources"]
             action_ids = [action["id"] for action in auth_scope["actions"]]
             # 转换为策略列表(转换时会对action、实例视图等进行校验)
             policy_list = self.to_policy_list_for_batch_action_and_resources(system_id, action_ids, resources)
-            authorization_scopes.append(
-                {
-                    "system_id": system_id,
-                    # 由于RoleInfoBean需要的action_id是以id表示，而非action_id，所以PolicyBean转为字典时需要用其别名
-                    "actions": [p.dict(by_alias=True) for p in policy_list.policies],
-                }
-            )
+            # 由于RoleInfoBean需要的action_id是以id表示，而非action_id，所以PolicyBean转为字典时需要用其别名
+            policies = [p.dict(by_alias=True) for p in policy_list.policies]
+            system_authorization_scope_dict[system_id].extend(policies)
 
+        # 将按system分组的数据转为authorization_scopes
+        authorization_scopes = [
+            {"system_id": system_id, "actions": policies}
+            for system_id, policies in system_authorization_scope_dict.items()
+        ]
         # 替换掉data里原有的authorization_scopes
         data["authorization_scopes"] = authorization_scopes
 

saas/blueking/component/conf.py

@@ -16,7 +16,7 @@
 
     APP_CODE = settings.APP_ID
     SECRET_KEY = settings.APP_TOKEN
-    COMPONENT_SYSTEM_HOST = getattr(settings, 'BK_PAAS_INNER_HOST',
+    COMPONENT_SYSTEM_HOST = getattr(settings, 'BK_COMPONENT_API_URL',
                                     settings.BK_PAAS_HOST)
     DEFAULT_BK_API_VER = getattr(settings, 'DEFAULT_BK_API_VER', 'v2')
 except Exception:  # pylint: disable=broad-except

saas/build/v3/app_desc.yaml

@@ -24,6 +24,8 @@ modules:
     env_variables:
       - key: DISABLE_COLLECTSTATIC
         value: 1
+      - key: PIP_VERSION
+        value: 20.2.3
     processes:
       web:
         command: bash bin/start.sh
@@ -38,5 +40,5 @@ modules:
         replicas: 1
     svc_discovery:
       bk_saas:
-        - 'bk_iam'
-        - 'bk_itsm'
+        - bk_app_code: 'bk_iam'
+        - bk_app_code: 'bk_itsm'

saas/config/prod.py

@@ -42,12 +42,13 @@
     def get_app_service_url(app_code: str) -> str:
         value = os.environ["BKPAAS_SERVICE_ADDRESSES_BKSAAS"]
         decoded_value = json.loads(base64.b64decode(value).decode("utf-8"))
-        return decoded_value[app_code]
+        return {item["key"]["bk_app_code"]: item["value"]["prod"] for item in decoded_value}[app_code]
 
     # 兼容component的APP_ID,APP_TOKEN
     APP_CODE = APP_ID = os.environ.get("BKPAAS_APP_ID", APP_CODE)
     SECRET_KEY = APP_TOKEN = os.environ.get("BKPAAS_APP_SECRET", SECRET_KEY)
-    BK_PAAS_INNER_HOST = os.environ.get("BK_PAAS2_INNER_URL", BK_PAAS_INNER_HOST)
+    BK_PAAS_INNER_HOST = os.environ.get("BK_PAAS2_URL", BK_PAAS_INNER_HOST)
+    BK_COMPONENT_API_URL = os.environ.get("BK_COMPONENT_API_URL")
 
     # 正式环境数据库可以在这里配置
     DATABASES.update(  # 需要兼容V3环境变量
@@ -88,6 +89,8 @@ def get_app_service_url(app_code: str) -> str:
 
 # V2 Smart 配置
 else:
+    BK_COMPONENT_API_URL = BK_PAAS_INNER_HOST
+
     # 正式环境数据库可以在这里配置
     DATABASES.update(
         {

saas/resources/version_log/V1.5.2_2021-09-15.md

@@ -0,0 +1,17 @@
+# V1.5.2 版本更新日志
+
+### 功能优化
+* 更新paas v3 smart配置
+* 分享链接自动带上条件过滤
+
+### 缺陷修复
+* 修复权限策略部分删除报错问题
+* 修复由于资源实例名称中存在空格导致授权报错问题
+* 修复清理过期权限出错问题
+* 修改权限审批使用系统管理员审批流程审批人员为空问题
+* 修复管理类API创建用户组绑定分级管理员错误问题
+* 修复管理类API创建分级管理员时授权范围没有按照系统聚合导致后续授权问题
+* 修复未选择任何权限可保存为推荐权限模板
+* 修复从配置平台跳转到权限中心无法选择
+* 修复已有实例权限不应该纳入新实例申请限制数里
+* 修复普通用户没有任何分级管理员时无法注销问题

saas/resources/version_log/V1.5.2_2021-09-15_en.md

@@ -0,0 +1,17 @@
+# V1.5.2 ChangeLog
+
+### Optimization Updates
+* Update paas v3 smart settings
+* The sharing link is automatically filtered by conditions
+
+### Bug Fixes
+* Fixed the issue of error reporting due to partial deletion of policy
+* Fixed the issue of authorization error caused by spaces in resource instance name
+* Fixed the issue of error in cleaning expired policy
+* Fixed the issue of empty approval personnel in the approval process of system manager for approval
+* Fixed the issue of error in binding graded manager for creating user groups in management API
+* Fixed the issue of subsequent authorization caused by the authorization scope not being aggregated according to the system when creating graded manager in the management API.
+* Fix that no permission selected can be saved as a recommended permission template
+* Fixed the problem of not being able to select from the configuration platform to the permission center
+* Fix that the permission of existing instance should not be included in the limit of new instance application
+* Fixed the issue that ordinary users cannot log out when there is no hierarchical administrator