zyc/AirGate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: project policy update compares against Volcengine actual state

Browse Source 
Was comparing against local DB which could be stale.
Now queries Volcengine for actual project-level policies before diffing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
seaislee1209 2026-03-28 23:10:13 +08:00
parent c4c6a03f61
commit 765c80a47a
1 changed files with 19 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
backend/apps/monitor/views.py
View File

@ -994,19 +994,35 @@ def iam_user_project_policies_view(request, pk, pid):
return Response({'error': 'not_found'}, status=status.HTTP_404_NOT_FOUND) return Response({'error': 'not_found'}, status=status.HTTP_404_NOT_FOUND)
new_policies = request.data.get('policies', []) new_policies = request.data.get('policies', [])
old_policies = project.attached_policies or []
account, ak, sk = _get_volc_account(user.volc_account_id) account, ak, sk = _get_volc_account(user.volc_account_id)
if not ak: if not ak:
return Response({'error': 'no_credentials'}, status=status.HTTP_400_BAD_REQUEST) return Response({'error': 'no_credentials'}, status=status.HTTP_400_BAD_REQUEST)
svc = IAMService(ak, sk) svc = IAMService(ak, sk)
# Get actual current policies from Volcengine (not local DB)
actual_old = []
try:
resp = svc.client.call('ListAttachedUserPolicies', {
'UserName': user.username,
'ProjectName': project.project_name,
})
for p in resp.get('Result', {}).get('AttachedPolicyMetadata', []):
scopes = p.get('PolicyScope', [])
for s in scopes:
if s.get('PolicyScopeType') == 'Project' and s.get('ProjectName') == project.project_name:
actual_old.append(p.get('PolicyName', ''))
break
except Exception:
actual_old = project.attached_policies or []
attached = [] attached = []
detached = [] detached = []
errors = [] errors = []
# Remove policies that were removed # Remove policies that were removed
to_remove = [p for p in old_policies if p not in new_policies] to_remove = [p for p in actual_old if p not in new_policies]
for policy_name in to_remove: for policy_name in to_remove:
try: try:
svc.detach_policy_in_project(user.username, policy_name, project.project_name) svc.detach_policy_in_project(user.username, policy_name, project.project_name)
@ -1015,7 +1031,7 @@ def iam_user_project_policies_view(request, pk, pid):
errors.append(f"移除 {policy_name}: {e}") errors.append(f"移除 {policy_name}: {e}")
# Add policies that are new # Add policies that are new
to_add = [p for p in new_policies if p not in old_policies] to_add = [p for p in new_policies if p not in actual_old]
for policy_name in to_add: for policy_name in to_add:
try: try:
svc.attach_policy_in_project(user.username, policy_name, project.project_name) svc.attach_policy_in_project(user.username, policy_name, project.project_name)