Skip to content

Fix cluster role cleanup on cluster deletion #5399

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
nobodyiam wants to merge 2 commits into from
Closed

Fix cluster role cleanup on cluster deletion #5399

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
bac6b49
Clean up roles when deleting cluster
nobodyiam Jun 4, 2025
268e84d
fix: add missing imports in ClusterService
nobodyiam Jun 4, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions ...rtal/src/main/java/com/ctrip/framework/apollo/portal/repository/PermissionRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -47,6 +47,9 @@ List<Permission> findByPermissionTypeInAndTargetId(Collection<String> permission
+ "OR p.targetId like CONCAT(?1, '+', ?2, '+%')")
List<Long> findPermissionIdsByAppIdAndNamespace(String appId, String namespaceName);

@Query("SELECT p.id from Permission p where p.targetId = CONCAT(?1, '+', ?2, '+', ?3)")
List<Long> findPermissionIdsByAppIdAndCluster(String appId, String env, String clusterName);

@Modifying
@Query("UPDATE Permission SET IsDeleted = true, DeletedAt = ROUND(UNIX_TIMESTAMP(NOW(4))*1000), DataChange_LastModifiedBy = ?2 WHERE Id in ?1 and IsDeleted = false")
Integer batchDelete(List<Long> permissionIds, String operator);
Expand Down
6 changes: 6 additions & 0 deletions apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/repository/RoleRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,6 +35,8 @@ public interface RoleRepository extends PagingAndSortingRepository<Role, Long> {
@Query("SELECT r.id from Role r where r.roleName like CONCAT('Master+', ?1) "
+ "OR r.roleName like CONCAT('ModifyNamespace+', ?1, '+%') "
+ "OR r.roleName like CONCAT('ReleaseNamespace+', ?1, '+%') "
+ "OR r.roleName like CONCAT('ModifyNamespacesInCluster+', ?1, '+%') "
+ "OR r.roleName like CONCAT('ReleaseNamespacesInCluster+', ?1, '+%') "
+ "OR r.roleName like CONCAT('ManageAppMaster+', ?1)")
List<Long> findRoleIdsByAppId(String appId);

Expand All @@ -44,6 +46,10 @@ public interface RoleRepository extends PagingAndSortingRepository<Role, Long> {
+ "OR r.roleName like CONCAT('ReleaseNamespace+', ?1, '+', ?2, '+%')")
List<Long> findRoleIdsByAppIdAndNamespace(String appId, String namespaceName);

@Query("SELECT r.id from Role r where r.roleName = CONCAT('ModifyNamespacesInCluster+', ?1, '+', ?2, '+', ?3) "
+ "OR r.roleName = CONCAT('ReleaseNamespacesInCluster+', ?1, '+', ?2, '+', ?3)")
List<Long> findRoleIdsByAppIdAndCluster(String appId, String env, String clusterName);

@Modifying
@Query("UPDATE Role SET IsDeleted = true, DeletedAt = ROUND(UNIX_TIMESTAMP(NOW(4))*1000), DataChange_LastModifiedBy = ?2 WHERE Id in ?1 and IsDeleted = false")
Integer batchDelete(List<Long> roleIds, String operator);
Expand Down
10 changes: 8 additions & 2 deletions apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ClusterService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -22,6 +22,8 @@
import com.ctrip.framework.apollo.portal.api.AdminServiceAPI;
import com.ctrip.framework.apollo.portal.constant.TracerEventType;
import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
import com.ctrip.framework.apollo.portal.service.RolePermissionService;
import com.ctrip.framework.apollo.tracer.Tracer;
import org.springframework.stereotype.Service;

Expand All @@ -33,12 +35,14 @@ public class ClusterService {
private final UserInfoHolder userInfoHolder;
private final AdminServiceAPI.ClusterAPI clusterAPI;
private final RoleInitializationService roleInitializationService;
private final RolePermissionService rolePermissionService;

public ClusterService(final UserInfoHolder userInfoHolder, final AdminServiceAPI.ClusterAPI clusterAPI,
RoleInitializationService roleInitializationService) {
RoleInitializationService roleInitializationService, final RolePermissionService rolePermissionService) {
this.userInfoHolder = userInfoHolder;
this.clusterAPI = clusterAPI;
this.roleInitializationService = roleInitializationService;
this.rolePermissionService = rolePermissionService;
}

public List<ClusterDTO> findClusters(Env env, String appId) {
Expand All @@ -60,7 +64,9 @@ public ClusterDTO createCluster(Env env, ClusterDTO cluster) {
}

public void deleteCluster(Env env, String appId, String clusterName){
clusterAPI.delete(env, appId, clusterName, userInfoHolder.getUser().getUserId());
String operator = userInfoHolder.getUser().getUserId();
rolePermissionService.deleteRolePermissionsByAppIdAndCluster(appId, env.getName(), clusterName, operator);
clusterAPI.delete(env, appId, clusterName, operator);
}

public ClusterDTO loadCluster(String appId, Env env, String clusterName){
Expand Down
5 changes: 5 additions & 0 deletions ...portal/src/main/java/com/ctrip/framework/apollo/portal/service/RolePermissionService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -87,4 +87,9 @@ Set<String> assignRoleToUsers(String roleName, Set<String> userIds,
* delete permissions when delete app namespace.
*/
void deleteRolePermissionsByAppIdAndNamespace(String appId, String namespaceName, String operator);

/**
* delete permissions when delete cluster.
*/
void deleteRolePermissionsByAppIdAndCluster(String appId, String env, String clusterName, String operator);
}
28 changes: 28 additions & 0 deletions .../java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRolePermissionService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -348,4 +348,32 @@ public void deleteRolePermissionsByAppIdAndNamespace(String appId, String namesp
consumerRoleRepository.batchDeleteByRoleIds(roleIds, operator);
}
}

@Transactional
@Override
public void deleteRolePermissionsByAppIdAndCluster(String appId, String env, String clusterName, String operator) {
appId = EscapeCharacter.DEFAULT.escape(appId);
List<Long> permissionIds = permissionRepository.findPermissionIdsByAppIdAndCluster(appId, env, clusterName);

if (!permissionIds.isEmpty()) {
// 1. delete Permission
permissionRepository.batchDelete(permissionIds, operator);

// 2. delete Role Permission
rolePermissionRepository.batchDeleteByPermissionIds(permissionIds, operator);
}

List<Long> roleIds = roleRepository.findRoleIdsByAppIdAndCluster(appId, env, clusterName);

if (!roleIds.isEmpty()) {
// 3. delete Role
roleRepository.batchDelete(roleIds, operator);

// 4. delete User Role
userRoleRepository.batchDeleteByRoleIds(roleIds, operator);

// 5. delete Consumer Role
consumerRoleRepository.batchDeleteByRoleIds(roleIds, operator);
}
}
}
48 changes: 48 additions & 0 deletions ...lo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/ClusterServiceTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,48 @@
package com.ctrip.framework.apollo.portal.service;
Copy link

@github-actions github-actions bot Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
package com.ctrip.framework.apollo.portal.service;
/*
* Copyright 2025 Apollo Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package com.ctrip.framework.apollo.portal.service;


import com.ctrip.framework.apollo.portal.environment.Env;
import com.ctrip.framework.apollo.portal.api.AdminServiceAPI;
import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
import com.ctrip.framework.apollo.portal.service.RolePermissionService;
import org.junit.Before;
import org.junit.Test;
import org.mockito.InjectMocks;
import org.mockito.Mock;

import static org.mockito.Mockito.*;

public class ClusterServiceTest extends com.ctrip.framework.apollo.portal.AbstractUnitTest {

@Mock
private AdminServiceAPI.ClusterAPI clusterAPI;
@Mock
private RoleInitializationService roleInitializationService;
@Mock
private RolePermissionService rolePermissionService;
@Mock
private UserInfoHolder userInfoHolder;

@InjectMocks
private ClusterService clusterService;

private String appId = "clusterApp";
private String clusterName = "default";
private Env env = Env.DEV;

@Before
public void setUp() {
UserInfo user = new UserInfo();
user.setUserId("operator");
when(userInfoHolder.getUser()).thenReturn(user);
}

@Test
public void testDeleteClusterShouldCleanupRoles() {
clusterService.deleteCluster(env, appId, clusterName);

verify(rolePermissionService).deleteRolePermissionsByAppIdAndCluster(appId, env.getName(), clusterName, "operator");
verify(clusterAPI).delete(env, appId, clusterName, "operator");
}
}
35 changes: 35 additions & 0 deletions ...est/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RolePermissionServiceTest.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,7 @@
import com.ctrip.framework.apollo.portal.repository.RoleRepository;
import com.ctrip.framework.apollo.portal.repository.UserRoleRepository;
import com.ctrip.framework.apollo.portal.service.RolePermissionService;
import com.ctrip.framework.apollo.portal.util.RoleUtils;
import com.google.common.collect.Sets;
import java.util.List;
import java.util.Set;
Expand Down Expand Up @@ -320,6 +321,40 @@ public void testUserHasPermission() throws Exception {

}

@Test
@Sql(scripts = "/sql/permission/RolePermissionServiceTest.deleteRolePermissionsByAppIdWithClusterRoles.sql",
executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD)
@Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
public void testDeleteRolePermissionsByAppIdWithClusterRoles() {
String appId = "clusterApp";
String operator = "test";

rolePermissionService.deleteRolePermissionsByAppId(appId, operator);

String modifyRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(appId, "DEV", "default");
String releaseRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, "DEV", "default");

assertNull(roleRepository.findTopByRoleName(modifyRoleName));
assertNull(roleRepository.findTopByRoleName(releaseRoleName));
}
Comment on lines +324 to +339
Copy link
Contributor

@coderabbitai coderabbitai bot Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix missing import for assertNull.

The test method logic is correct, but assertNull is used without the proper import.

Add the missing import for assertNull:

+import static org.junit.Assert.assertNull;

The test correctly verifies that cluster-related roles are deleted when calling deleteRolePermissionsByAppId.

🤖 Prompt for AI Agents 
In
apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RolePermissionServiceTest.java
around lines 324 to 339, the test method uses assertNull but lacks the necessary
import. Add the missing import statement for assertNull from the appropriate
testing framework (e.g., org.junit.Assert.assertNull) at the top of the file to
resolve the compilation error.


@Test
@Sql(scripts = "/sql/permission/RolePermissionServiceTest.deleteRolePermissionsByAppIdWithClusterRoles.sql",
executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD)
@Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
public void testDeleteRolePermissionsByCluster() {
String appId = "clusterApp";
String operator = "test";

rolePermissionService.deleteRolePermissionsByAppIdAndCluster(appId, "DEV", "default", operator);

String modifyRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(appId, "DEV", "default");
String releaseRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, "DEV", "default");

assertNull(roleRepository.findTopByRoleName(modifyRoleName));
assertNull(roleRepository.findTopByRoleName(releaseRoleName));
}
Comment on lines +341 to +356
Copy link
Contributor

@coderabbitai coderabbitai bot Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue

Fix missing import for assertNull.

The test method logic is correct and properly tests the cluster-specific deletion functionality, but assertNull is used without the proper import.

Add the missing import for assertNull:

+import static org.junit.Assert.assertNull;

The test correctly verifies that only the specified cluster's roles are deleted when calling deleteRolePermissionsByAppIdAndCluster.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@Test
@Sql(scripts = "/sql/permission/RolePermissionServiceTest.deleteRolePermissionsByAppIdWithClusterRoles.sql",
executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD)
@Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
public void testDeleteRolePermissionsByCluster() {
String appId = "clusterApp";
String operator = "test";
rolePermissionService.deleteRolePermissionsByAppIdAndCluster(appId, "DEV", "default", operator);
String modifyRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(appId, "DEV", "default");
String releaseRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, "DEV", "default");
assertNull(roleRepository.findTopByRoleName(modifyRoleName));
assertNull(roleRepository.findTopByRoleName(releaseRoleName));
}
// at the top of RolePermissionServiceTest.java, alongside the other imports
import static org.junit.Assert.assertNull;
@Test
@Sql(scripts = "/sql/permission/RolePermissionServiceTest.deleteRolePermissionsByAppIdWithClusterRoles.sql",
executionPhase = Sql.ExecutionPhase.BEFORE_TEST_METHOD)
@Sql(scripts = "/sql/cleanup.sql", executionPhase = Sql.ExecutionPhase.AFTER_TEST_METHOD)
public void testDeleteRolePermissionsByCluster() {
String appId = "clusterApp";
String operator = "test";
rolePermissionService.deleteRolePermissionsByAppIdAndCluster(appId, "DEV", "default", operator);
String modifyRoleName = RoleUtils.buildModifyNamespacesInClusterRoleName(appId, "DEV", "default");
String releaseRoleName = RoleUtils.buildReleaseNamespacesInClusterRoleName(appId, "DEV", "default");
assertNull(roleRepository.findTopByRoleName(modifyRoleName));
assertNull(roleRepository.findTopByRoleName(releaseRoleName));
}
🤖 Prompt for AI Agents 
In
apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RolePermissionServiceTest.java
around lines 341 to 356, the test method uses assertNull but the import for
assertNull is missing. Add the import statement for assertNull from the
appropriate testing framework (e.g., org.junit.Assert.assertNull) at the top of
the file to fix the compilation error.


private Role assembleRole(String roleName) {
Role role = new Role();
role.setRoleName(roleName);
Expand Down
11 changes: 11 additions & 0 deletions ...sql/permission/RolePermissionServiceTest.deleteRolePermissionsByAppIdWithClusterRoles.sql
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
INSERT INTO "Permission" (`Id`, `PermissionType`, `TargetId`, `DataChange_CreatedBy`, `DataChange_LastModifiedBy`) VALUES
Copy link

@github-actions github-actions bot Jun 4, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
INSERT INTO "Permission" (`Id`, `PermissionType`, `TargetId`, `DataChange_CreatedBy`, `DataChange_LastModifiedBy`) VALUES
-- Copyright 2025 Apollo Authors
--
-- Licensed under the Apache License, Version 2.0 (the "License");
-- you may not use this file except in compliance with the License.
-- You may obtain a copy of the License at
--
-- http://www.apache.org/licenses/LICENSE-2.0
--
-- Unless required by applicable law or agreed to in writing, software
-- distributed under the License is distributed on an "AS IS" BASIS,
-- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-- See the License for the specific language governing permissions and
-- limitations under the License.
INSERT INTO "Permission" (`Id`, `PermissionType`, `TargetId`, `DataChange_CreatedBy`, `DataChange_LastModifiedBy`) VALUES

(1500, 'ModifyNamespacesInCluster', 'clusterApp+DEV+default', 'someOperator', 'someOperator'),
(1501, 'ReleaseNamespacesInCluster', 'clusterApp+DEV+default', 'someOperator', 'someOperator');

INSERT INTO "Role" (`Id`, `RoleName`, `DataChange_CreatedBy`, `DataChange_LastModifiedBy`) VALUES
(1500, 'ModifyNamespacesInCluster+clusterApp+DEV+default', 'someOperator', 'someOperator'),
(1501, 'ReleaseNamespacesInCluster+clusterApp+DEV+default', 'someOperator', 'someOperator');

INSERT INTO "RolePermission" (`Id`, `RoleId`, `PermissionId`) VALUES
(1500, 1500, 1500),
(1501, 1501, 1501);
Loading