fix: update job ticket allow list (#2392)

TencentBlueKing · Nov 28, 2023 · ea09f2b · ea09f2b
1 parent 8df1ed2
commit ea09f2b
Showing 1 changed file with 42 additions and 0 deletions.
diff --git a/saas/backend/api/authorization/migrations/0015_auto_20231128_1444.py b/saas/backend/api/authorization/migrations/0015_auto_20231128_1444.py
@@ -0,0 +1,42 @@
+# Generated by Django 3.2.16 on 2023-11-28 06:44
+
+from django.db import migrations
+
+from backend.api.authorization.constants import AuthorizationAPIEnum
+from backend.api.constants import ALLOW_ANY
+
+
+def init_allow_list(apps, schema_editor):
+    """初始化授权API白名单"""
+    AuthAPIAllowListConfig = apps.get_model("authorization", "AuthAPIAllowListConfig")
+    # 查询已存在白名单，避免重复
+    all_allow_list = AuthAPIAllowListConfig.objects.all()
+    allow_set = set([(a.type, a.system_id, a.object_id) for a in all_allow_list])
+    # 新建关联实例授权API 白名单
+    system_resource_types = {
+        "bk_job": ["ticket"],
+    }
+    auth_api_allow_list_config = []
+    for system_id, resource_types in system_resource_types.items():
+        for resource_type_id in resource_types:
+            # 已存在，则直接忽略
+            if (AuthorizationAPIEnum.CREATOR_AUTHORIZATION_INSTANCE.value, system_id, resource_type_id) in allow_set:
+                continue
+            auth_api_allow_list_config.append(
+                AuthAPIAllowListConfig(
+                    type=AuthorizationAPIEnum.CREATOR_AUTHORIZATION_INSTANCE.value,
+                    system_id=system_id,
+                    object_id=resource_type_id,
+                )
+            )
+    if len(auth_api_allow_list_config) != 0:
+        AuthAPIAllowListConfig.objects.bulk_create(auth_api_allow_list_config)
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('authorization', '0014_auto_20231109_1046'),
+    ]
+
+    operations = [migrations.RunPython(init_allow_list)]