zyc/AirGate
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: Volcengine API does not support project-level policy scope

Browse Source 
AttachUserPolicy ignores Scope=Project parameter - policies always
attach globally. Project isolation now relies entirely on Deny policy
(AirGate_Deny_{username}) which blocks access to non-whitelisted projects.

Updated report with this finding.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
seaislee1209 2026-03-28 23:21:08 +08:00
parent 765c80a47a
commit d7b40beff7
2 changed files with 17 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
backend/utils/iam_service.py
View File

@ -92,24 +92,22 @@ class IAMService:
def attach_policy_in_project(self, username: str, policy_name: str, def attach_policy_in_project(self, username: str, policy_name: str,
project_name: str, policy_type: str = "System") -> dict: project_name: str, policy_type: str = "System") -> dict:
"""在项目范围内授权(限定到指定项目)""" """授权策略(全局),项目隔离靠 Deny 策略实现。
注意火山 Open API 不支持项目级授权Scope=Project 无效
所以统一走全局授权 + AirGate_Deny_{username} 策略隔离"""
return self.client.call("AttachUserPolicy", { return self.client.call("AttachUserPolicy", {
"UserName": username, "UserName": username,
"PolicyName": policy_name, "PolicyName": policy_name,
"PolicyType": policy_type, "PolicyType": policy_type,
"ProjectName": project_name,
"Scope": "Project",
}) })
def detach_policy_in_project(self, username: str, policy_name: str, def detach_policy_in_project(self, username: str, policy_name: str,
project_name: str, policy_type: str = "System") -> dict: project_name: str, policy_type: str = "System") -> dict:
"""在项目范围内回收权限""" """回收策略(全局)"""
return self.client.call("DetachUserPolicy", { return self.client.call("DetachUserPolicy", {
"UserName": username, "UserName": username,
"PolicyName": policy_name, "PolicyName": policy_name,
"PolicyType": policy_type, "PolicyType": policy_type,
"ProjectName": project_name,
"Scope": "Project",
}) })
# === Deny Policy (project isolation) === # === Deny Policy (project isolation) ===

19
火山引擎IAM子账号管控工具_深度研究报告.md
View File

@ -1278,15 +1278,22 @@ PUT /api/v1/iam-users/{id}/projects/{pid}/policies/ # 更新项目级授权
└── AirGate_Deny_{username} ← 自定义 Deny 策略,禁止访问非授权项目 └── AirGate_Deny_{username} ← 自定义 Deny 策略,禁止访问非授权项目
使用 NotResource 限定只能访问已关联的项目 使用 NotResource 限定只能访问已关联的项目
项目级权限(通过 AttachUserPolicy + ProjectName 全局业务权限(通过 AttachUserPolicy全局生效
├── ArkFullAccess ← API 层面有完整方舟操作权限 ├── ArkFullAccess ← 方舟操作权限(全局,但被 Deny 策略限定到白名单项目)
└── TOSFullAccess ← API 层面有 TOS 操作权限(按需) └── TOSFullAccess ← TOS 操作权限(按需)
⚠️ 重要发现2026-03-28 实测):
火山 Open API 的 AttachUserPolicy 不支持 Scope=Project 参数。
即使传了 ProjectName + Scope=Project策略仍然以 Global 方式挂载。
项目级限制只能在火山控制台网页上手动操作(「限制到项目资源」按钮)。
因此 AirGate 的项目隔离完全依赖 Deny 策略实现。
火山控制台登录默认关闭AirGate 提供开关可随时切换) 火山控制台登录默认关闭AirGate 提供开关可随时切换)
Deny 策略自动管理: Deny 策略自动管理(项目隔离的唯一可靠手段):
- 添加关联项目时 → 自动将项目加入 NotResource 白名单 - 添加关联项目时 → 自动更新 Deny 策略,将新项目加入白名单
- 移除关联项目时 → 自动将项目从 NotResource 白名单移除 - 移除关联项目时 → 自动更新 Deny 策略,将项目从白名单移除
- Deny 策略列出所有非白名单项目并明确拒绝
- 策略命名AirGate_Deny_{username} - 策略命名AirGate_Deny_{username}
``` ```