fix(region): allow disable default policy (#21585)

pkg/apigateway/service/policy.go

@@ -16,10 +16,19 @@ package service
 
 import (
 	_ "yunion.io/x/onecloud/pkg/cloudevent/policy"
-	_ "yunion.io/x/onecloud/pkg/compute/policy"
-	_ "yunion.io/x/onecloud/pkg/image/policy"
-	_ "yunion.io/x/onecloud/pkg/keystone/policy"
-	_ "yunion.io/x/onecloud/pkg/logger/policy"
-	_ "yunion.io/x/onecloud/pkg/notify/policy"
-	_ "yunion.io/x/onecloud/pkg/yunionconf/policy"
+	compute "yunion.io/x/onecloud/pkg/compute/policy"
+	image "yunion.io/x/onecloud/pkg/image/policy"
+	keystone "yunion.io/x/onecloud/pkg/keystone/policy"
+	logger "yunion.io/x/onecloud/pkg/logger/policy"
+	notify "yunion.io/x/onecloud/pkg/notify/policy"
+	yunionconf "yunion.io/x/onecloud/pkg/yunionconf/policy"
 )
+
+func InitDefaultPolicy() {
+	compute.Init()
+	image.Init()
+	keystone.Init()
+	logger.Init()
+	notify.Init()
+	yunionconf.Init()
+}

pkg/apigateway/service/service.go

@@ -39,6 +39,7 @@ func StartService() {
 	baseOpts := &opts.BaseOptions
 	commonOpts := &opts.CommonOptions
 	common_options.ParseOptions(opts, os.Args, "apigateway.conf", api.SERVICE_TYPE)
+	InitDefaultPolicy()
 	app_common.InitAuth(commonOpts, func() {
 		log.Infof("Auth complete.")
 	})

pkg/apis/identity/consts.go

@@ -236,6 +236,7 @@ var (
 			// kubeserver blacklist options
 			// ############################
 			"running_mode",
+			"enable_default_policy",
 		},
 	}
 )

pkg/cloudcommon/consts/db.go

@@ -31,8 +31,18 @@ var (
 	localTaskWorkerCount int
 
 	enableChangeOwnerAutoRename = false
+
+	enableDefaultPolicy = true
 )
 
+func SetDefaultPolicy(enable bool) {
+	enableDefaultPolicy = enable
+}
+
+func IsEnableDefaultPolicy() bool {
+	return enableDefaultPolicy == true
+}
+
 func SetDefaultDB(dialect, connStr string) {
 	defaultDBDialect = dialect
 	defaultDBConnectionString = connStr

pkg/cloudcommon/options/options.go

@@ -19,7 +19,7 @@ import (
 	"crypto/x509"
 	"encoding/pem"
 	"fmt"
-	"io/ioutil"
+	"io"
 	"net/http"
 	"net/url"
 	"os"
@@ -123,6 +123,7 @@ type BaseOptions struct {
 	EnableAppProfiling bool `help:"enable profiling API" default:"false"`
 
 	EnableChangeOwnerAutoRename bool `help:"Allows renaming when changing names" default:"false"`
+	EnableDefaultPolicy         bool `help:"Enable defualt policies" default:"true"`
 }
 
 const (
@@ -220,7 +221,7 @@ func (opt *EtcdOptions) GetEtcdTLSConfig() (*tls.Config, error) {
 		opt.EtcdUseTLS = true
 	}
 	if opt.EtcdCacert != "" {
-		data, err := ioutil.ReadFile(opt.EtcdCacert)
+		data, err := os.ReadFile(opt.EtcdCacert)
 		if err != nil {
 			return nil, errors.Wrap(err, "read cacert file")
 		}
@@ -377,7 +378,7 @@ func parseOptions(optStruct interface{}, args []string, configFileName string, s
 		h.Init()
 		log.DisableColors()
 		log.Logger().AddHook(h)
-		log.Logger().Out = ioutil.Discard
+		log.Logger().Out = io.Discard
 		atexit.Register(atexit.ExitHandler{
 			Prio:   atexit.PRIO_LOG_CLOSE,
 			Reason: "deinit log rotate hook",
@@ -393,6 +394,7 @@ func parseOptions(optStruct interface{}, args []string, configFileName string, s
 		consts.SetRegion(optionsRef.Region)
 	}
 
+	consts.SetDefaultPolicy(optionsRef.EnableDefaultPolicy)
 	consts.SetDomainizedNamespace(optionsRef.DomainizedNamespace)
 
 	consts.SetTaskWorkerCount(optionsRef.TaskWorkerCount)

pkg/cloudid/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/cloudid"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -108,6 +109,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/cloudid/service/service.go

@@ -35,7 +35,7 @@ import (
 	_ "yunion.io/x/onecloud/pkg/cloudid/drivers"
 	"yunion.io/x/onecloud/pkg/cloudid/models"
 	"yunion.io/x/onecloud/pkg/cloudid/options"
-	_ "yunion.io/x/onecloud/pkg/cloudid/policy"
+	"yunion.io/x/onecloud/pkg/cloudid/policy"
 	"yunion.io/x/onecloud/pkg/cloudid/saml"
 	_ "yunion.io/x/onecloud/pkg/cloudid/tasks"
 	"yunion.io/x/onecloud/pkg/mcclient/auth"
@@ -47,6 +47,7 @@ func StartService() {
 	baseOpts := &opts.BaseOptions
 	commonOpts := &opts.CommonOptions
 	common_options.ParseOptions(opts, os.Args, "cloudid.conf", api.SERVICE_TYPE)
+	policy.Init()
 
 	app_common.InitAuth(commonOpts, func() {
 		log.Infof("Auth complete!!")

pkg/compute/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/compute"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -403,6 +404,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/compute/service/service.go

@@ -48,7 +48,7 @@ import (
 	_ "yunion.io/x/onecloud/pkg/compute/hostdrivers"
 	"yunion.io/x/onecloud/pkg/compute/models"
 	"yunion.io/x/onecloud/pkg/compute/options"
-	_ "yunion.io/x/onecloud/pkg/compute/policy"
+	"yunion.io/x/onecloud/pkg/compute/policy"
 	_ "yunion.io/x/onecloud/pkg/compute/regiondrivers"
 	_ "yunion.io/x/onecloud/pkg/compute/storagedrivers"
 	"yunion.io/x/onecloud/pkg/compute/tasks"
@@ -67,6 +67,7 @@ func StartServiceWithJobs(jobs func(cron *cronman.SCronJobManager)) {
 	baseOpts := &options.Options.BaseOptions
 	dbOpts := &options.Options.DBOptions
 	common_options.ParseOptions(opts, os.Args, "region.conf", api.SERVICE_TYPE)
+	policy.Init()
 
 	if opts.PortV2 > 0 {
 		log.Infof("Port V2 %d is specified, use v2 port", opts.PortV2)

pkg/image/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/image"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -65,6 +66,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/image/service/service.go

@@ -40,7 +40,7 @@ import (
 	"yunion.io/x/onecloud/pkg/image/drivers/s3"
 	"yunion.io/x/onecloud/pkg/image/models"
 	"yunion.io/x/onecloud/pkg/image/options"
-	_ "yunion.io/x/onecloud/pkg/image/policy"
+	"yunion.io/x/onecloud/pkg/image/policy"
 	_ "yunion.io/x/onecloud/pkg/image/tasks"
 	"yunion.io/x/onecloud/pkg/image/torrent"
 	"yunion.io/x/onecloud/pkg/mcclient/auth"
@@ -55,6 +55,7 @@ func StartService() {
 	baseOpts := &opts.BaseOptions
 	dbOpts := &opts.DBOptions
 	common_options.ParseOptions(opts, os.Args, "glance-api.conf", api.SERVICE_TYPE)
+	policy.Init()
 
 	// no need to run glance as root any more
 	// isRoot := sysutils.IsRootPermission()

pkg/keystone/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/identity"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -191,6 +192,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/keystone/service/service.go

@@ -35,7 +35,7 @@ import (
 	"yunion.io/x/onecloud/pkg/keystone/cronjobs"
 	"yunion.io/x/onecloud/pkg/keystone/models"
 	"yunion.io/x/onecloud/pkg/keystone/options"
-	_ "yunion.io/x/onecloud/pkg/keystone/policy"
+	kpolicy "yunion.io/x/onecloud/pkg/keystone/policy"
 	"yunion.io/x/onecloud/pkg/keystone/saml"
 	_ "yunion.io/x/onecloud/pkg/keystone/tasks"
 	"yunion.io/x/onecloud/pkg/keystone/tokens"
@@ -63,6 +63,7 @@ func StartService() {
 
 	opts := &options.Options
 	common_options.ParseOptions(opts, os.Args, "keystone.conf", api.SERVICE_TYPE)
+	kpolicy.Init()
 
 	if opts.Port == 0 {
 		opts.Port = 5000 // keystone well-known port

pkg/logger/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/logger"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -57,6 +58,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/logger/service/service.go

@@ -30,7 +30,7 @@ import (
 	"yunion.io/x/onecloud/pkg/logger/extern"
 	"yunion.io/x/onecloud/pkg/logger/models"
 	"yunion.io/x/onecloud/pkg/logger/options"
-	_ "yunion.io/x/onecloud/pkg/logger/policy"
+	"yunion.io/x/onecloud/pkg/logger/policy"
 )
 
 func StartService() {
@@ -42,6 +42,7 @@ func StartService() {
 	commonOpts := &opts.CommonOptions
 	dbOpts := &opts.DBOptions
 	common_options.ParseOptions(opts, os.Args, "log.conf", api.SERVICE_TYPE)
+	policy.Init()
 
 	app_common.InitAuth(commonOpts, func() {
 		log.Infof("Auth complete!!")

pkg/notify/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/notify"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -180,6 +181,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/notify/service/service.go

@@ -30,7 +30,7 @@ import (
 	common_options "yunion.io/x/onecloud/pkg/cloudcommon/options"
 	"yunion.io/x/onecloud/pkg/notify/models"
 	"yunion.io/x/onecloud/pkg/notify/options"
-	_ "yunion.io/x/onecloud/pkg/notify/policy"
+	"yunion.io/x/onecloud/pkg/notify/policy"
 	_ "yunion.io/x/onecloud/pkg/notify/sender/smsdriver"
 	_ "yunion.io/x/onecloud/pkg/notify/tasks"
 )
@@ -42,6 +42,7 @@ func StartService() {
 	dbOpts := &options.Options.DBOptions
 	baseOpts := &options.Options.BaseOptions
 	common_options.ParseOptions(opts, os.Args, "notify.conf", api.SERVICE_TYPE)
+	policy.Init()
 
 	// init auth
 	app.InitAuth(commonOpts, func() {

pkg/yunionconf/policy/defaults.go

@@ -18,6 +18,7 @@ import (
 	"yunion.io/x/pkg/util/rbacscope"
 
 	api "yunion.io/x/onecloud/pkg/apis/yunionconf"
+	"yunion.io/x/onecloud/pkg/cloudcommon/consts"
 	common_policy "yunion.io/x/onecloud/pkg/cloudcommon/policy"
 	"yunion.io/x/onecloud/pkg/util/rbacutils"
 )
@@ -95,6 +96,8 @@ var (
 	}
 )
 
-func init() {
-	common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+func Init() {
+	if consts.IsEnableDefaultPolicy() {
+		common_policy.AppendDefaultPolicies(predefinedDefaultPolicies)
+	}
 }

pkg/yunionconf/service/service.go

@@ -32,7 +32,7 @@ import (
 	"yunion.io/x/onecloud/pkg/mcclient/auth"
 	"yunion.io/x/onecloud/pkg/yunionconf/models"
 	"yunion.io/x/onecloud/pkg/yunionconf/options"
-	_ "yunion.io/x/onecloud/pkg/yunionconf/policy"
+	"yunion.io/x/onecloud/pkg/yunionconf/policy"
 )
 
 func StartService() {
@@ -42,6 +42,7 @@ func StartService() {
 	commonOpts := &options.Options.CommonOptions
 	dbOpts := &options.Options.DBOptions
 	common_options.ParseOptions(opts, os.Args, "yunionconf.conf", api.SERVICE_TYPE)
+	policy.Init()
 	app_common.InitAuth(commonOpts, func() {
 		log.Infof("Auth complete!!")
 	})