zyc/AirGate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: restore preserves pre-disable Volcengine login state

Browse Source 
- Save volc_login_allowed state before disable
- Restore to original state (not always open)
- e.g. login=off before disable -> still off after restore

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
seaislee1209 2026-03-28 22:11:48 +08:00
parent bae68ea6a1
commit 413977361a
2 changed files with 19 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
backend/apps/monitor/views.py
View File

@ -584,6 +584,8 @@ def iam_user_disable_view(request, pk):
pass pass
user.status = IAMUser.Status.DISABLED user.status = IAMUser.Status.DISABLED
# 在策略快照里记住停用前的火山登录状态
saved_policies.append({"_volc_login_was": user.volc_login_allowed})
user.saved_policies_on_disable = saved_policies user.saved_policies_on_disable = saved_policies
user.volc_login_allowed = False user.volc_login_allowed = False
user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed']) user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])
@ -620,14 +622,23 @@ def iam_user_enable_view(request, pk):
svc = IAMService(ak, sk) svc = IAMService(ak, sk)
try: try:
# 1. 恢复控制台 + API 密钥 # 从快照中提取停用前的火山登录状态
svc.enable_user(user.username) saved_policies = user.saved_policies_on_disable or []
restore_login = False
actual_policies = []
for p in saved_policies:
if "_volc_login_was" in p:
restore_login = p["_volc_login_was"]
else:
actual_policies.append(p)
# 1. 恢复 API 密钥 + 控制台(按停用前状态)
svc.enable_user(user.username, restore_login=restore_login)
# 2. 重新附加停用时保存的策略 # 2. 重新附加停用时保存的策略
restored_count = 0 restored_count = 0
restore_errors = [] restore_errors = []
saved_policies = user.saved_policies_on_disable or [] for p in actual_policies:
for p in saved_policies:
try: try:
svc.attach_user_policy(user.username, p["name"], p["type"]) svc.attach_user_policy(user.username, p["name"], p["type"])
restored_count += 1 restored_count += 1
@ -636,7 +647,7 @@ def iam_user_enable_view(request, pk):
user.status = IAMUser.Status.ACTIVE user.status = IAMUser.Status.ACTIVE
user.saved_policies_on_disable = [] user.saved_policies_on_disable = []
user.volc_login_allowed = svc._has_login_profile(user.username) user.volc_login_allowed = restore_login
user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed']) user.save(update_fields=['status', 'saved_policies_on_disable', 'volc_login_allowed'])
error_info = f",恢复失败: {restore_errors}" if restore_errors else "" error_info = f",恢复失败: {restore_errors}" if restore_errors else ""

6
backend/utils/iam_service.py
View File

@ -233,11 +233,11 @@ class IAMService:
if errors: if errors:
raise VolcengineAPIError("DisableUser", "PartialFailure", "; ".join(errors)) raise VolcengineAPIError("DisableUser", "PartialFailure", "; ".join(errors))
def enable_user(self, username: str): def enable_user(self, username: str, restore_login: bool = True):
"""恢复用户:恢复控制台 + 恢复所有 AccessKey""" """恢复用户:恢复控制台(可选) + 恢复所有 AccessKey"""
errors = [] errors = []
if self._has_login_profile(username): if restore_login and self._has_login_profile(username):
try: try:
self.update_login_allowed(username, True) self.update_login_allowed(username, True)
except VolcengineAPIError as e: except VolcengineAPIError as e: