新增权限 query_all_instances

sql/models.py

@@ -599,6 +599,7 @@ class Meta:
             ('query_mgtpriv', '管理查询权限'),
             ('query_review', '审核查询权限'),
             ('query_submit', '提交SQL查询'),
+            ('query_all_instances', '可查询所有实例'),
             ('process_view', '查看会话'),
             ('process_kill', '终止会话'),
             ('tablespace_view', '查看表空间'),

sql/query_privileges.py

@@ -44,8 +44,9 @@ def query_priv_check(user, instance, db_name, sql_content, limit_num):
     :return:
     """
     result = {'status': 0, 'msg': 'ok', 'data': {'priv_check': True, 'limit_num': 0}}
-    # 管理员不做权限校验，仅获取limit值信息
-    if user.is_superuser:
+    # 如果有can_query_all_instance, 视为管理员, 仅获取limit值信息
+    # superuser 拥有全部权限, 不需做特别修改
+    if user.has_perm('sql.query_all_instances'):
         priv_limit = int(SysConfig().get('admin_query_limit', 5000))
         result['data']['limit_num'] = min(priv_limit, limit_num) if limit_num else priv_limit
         return result
@@ -418,6 +419,7 @@ def _db_priv(user, instance, db_name):
     :param instance: 实例对象
     :param db_name: 库名
     :return: 权限存在则返回对应权限的limit_num，否则返回False
+    TODO 返回统一为 int 类型, 不存在返回0 (虽然其实在python中 0==False)
     """
     # 获取用户库权限
     user_privileges = QueryPrivileges.objects.filter(user_name=user.username, instance=instance, db_name=str(db_name),

sql/tests.py

@@ -109,6 +109,9 @@ class TestQueryPrivilegesCheck(TestCase):
 
     def setUp(self):
         self.superuser = User.objects.create(username='super', is_superuser=True)
+        self.user_can_query_all = User.objects.create(username='normaluser')
+        query_all_instance_perm = Permission.objects.get(codename='query_all_instances')
+        self.user_can_query_all.user_permissions.add(query_all_instance_perm)
         self.user = User.objects.create(username='user')
         # 使用 travis.ci 时实例和测试service保持一致
         self.slave = Instance.objects.create(instance_name='test_instance', type='slave', db_type='mysql',
@@ -252,6 +255,12 @@ def test_query_priv_check_super(self):
                                                   sql_content="select * from archery.sql_users;",
                                                   limit_num=100)
         self.assertDictEqual(r, {'status': 0, 'msg': 'ok', 'data': {'priv_check': True, 'limit_num': 100}})
+        r = sql.query_privileges.query_priv_check(user=self.user_can_query_all,
+                                                  instance=self.slave, db_name=self.db_name,
+                                                  sql_content="select * from archery.sql_users;",
+                                                  limit_num=100)
+        self.assertDictEqual(r, {'status': 0, 'msg': 'ok', 'data': {'priv_check': True, 'limit_num': 100}})
+
 
     @patch('sql.query_privileges._table_ref', return_value=[{'db': 'archery', 'table': 'sql_users'}])
     @patch('sql.query_privileges._tb_priv', return_value=False)

sql/utils/resource_group.py

@@ -30,7 +30,7 @@ def user_instances(user, type='all', db_type='all', tags=None):
     # 先获取用户关联资源组列表
     group_list = user_groups(user)
     group_ids = [group.group_id for group in group_list]
-    if user.is_superuser == 1:
+    if user.has_perm('sql.query_all_instances'):
         instance_ids = [master['id'] for master in Instance.objects.all().values('id')]
     else:
         # 获取资源组关联的实例列表

src/init_sql/v1.5.3_v1.6.0.sql

@@ -50,4 +50,5 @@ select id,1,1,now() from sql_instance where type='master';
 insert into sql_instance_tag_relations (instance_id, instance_tag_id, active, create_time)
 select id,2,1,now() from sql_instance where type='slave';
 
-
+set @content_type_id=(select id from django_content_type where app_label='sql' and model='permission');
+INSERT INTO auth_permission (name, content_type_id, codename) VALUES ('可查询所有实例', @content_type_id, 'query_all_instances');