feat(workspace): migrate controller from owner-based auth to workspace model

Author: duanhongyi

rootfs/api/admin.py

@@ -6,35 +6,21 @@
 
 
 from django.contrib import admin
-from guardian.admin import GuardedModelAdmin
 
-from .models import App
 from .models import Build
 from .models import Config
 from .models import Domain
 from .models import Key
 from .models import Release
 
 
-class AppAdmin(GuardedModelAdmin):
-    """Set presentation options for :class:`~api.models.App` models
-    in the Django admin.
-    """
-    date_hierarchy = 'created'
-    list_display = ('id', 'owner')
-    list_filter = ('owner',)
-
-
-admin.site.register(App, AppAdmin)
-
-
 class BuildAdmin(admin.ModelAdmin):
     """Set presentation options for :class:`~api.models.Build` models
     in the Django admin.
     """
     date_hierarchy = 'created'
-    list_display = ('created', 'owner', 'app')
-    list_filter = ('owner', 'app')
+    list_display = ('created', 'app',)
+    list_filter = ('app',)
 
 
 admin.site.register(Build, BuildAdmin)
@@ -45,8 +31,8 @@ class ConfigAdmin(admin.ModelAdmin):
     in the Django admin.
     """
     date_hierarchy = 'created'
-    list_display = ('created', 'owner', 'app')
-    list_filter = ('owner', 'app')
+    list_display = ('created', 'app',)
+    list_filter = ('app',)
 
 
 admin.site.register(Config, ConfigAdmin)
@@ -57,8 +43,8 @@ class DomainAdmin(admin.ModelAdmin):
     in the Django admin.
     """
     date_hierarchy = 'created'
-    list_display = ('owner', 'app', 'domain')
-    list_filter = ('owner', 'app')
+    list_display = ('app', 'domain')
+    list_filter = ('app',)
 
 
 admin.site.register(Domain, DomainAdmin)
@@ -81,9 +67,9 @@ class ReleaseAdmin(admin.ModelAdmin):
     in the Django admin.
     """
     date_hierarchy = 'created'
-    list_display = ('created', 'version', 'owner', 'app')
+    list_display = ('created', 'version', 'app')
     list_display_links = ('created', 'version')
-    list_filter = ('owner', 'app')
+    list_filter = ('app',)
 
 
 admin.site.register(Release, ReleaseAdmin)

rootfs/api/consumers.py

@@ -4,6 +4,7 @@
 import ssl
 import aiohttp
 import asyncio
+from collections import namedtuple
 from urllib.parse import urljoin
 from django.conf import settings
 from django.core.cache import cache
@@ -22,11 +23,12 @@
 
 from .models.app import App
 from .models.volume import Volume
-from .permissions import has_app_permission
+from .permissions import IsAppUser, get_app_status
 
 
 class AppPermChecker(object):
     timeout = 60 * 60
+    check_permission = IsAppUser().has_object_permission
 
     def __init__(self, scope):
         self.scope = scope
@@ -40,8 +42,11 @@ async def has_perm(self):
         if permission is None:
             try:
                 app = await App.objects.aget(id=app_id)
-                permission = await sync_to_async(has_app_permission)(
-                    self.scope["user"], app, "GET")
+                request = namedtuple("Request", ["user", "method"])(self.scope["user"], "GET")
+                if await sync_to_async(self.check_permission)(request, None, app):
+                    permission = await sync_to_async(get_app_status)(app)
+                else:
+                    permission = (False, "permission denied")
                 if permission[0]:
                     await cache.aset(key, permission, timeout=self.timeout)
             except App.DoesNotExist:

rootfs/api/management/commands/upload_network_usage.py

@@ -27,7 +27,7 @@ def _upload_network_usage(self, start_time, app_map, timestamp):
             pod_name = metric['pod']
             networks.append({
                 "app_id":  str(app_map[metric['namespace']].uuid),
-                "owner": app_map[metric['namespace']].owner_id,
+                "workspace": app_map[metric['namespace']].workspace_id,
                 "type": "network",
                 "unit": "bytes",
                 "name": metric['direction'],

rootfs/api/management/commands/upload_volume_usage.py

@@ -27,7 +27,7 @@ def _upload_volume_usage(self, start_time, app_map, timestamp):
             pvc_name = metric['persistentvolumeclaim']
             volumes.append({
                 "app_id":  str(app_map[metric['namespace']].uuid),
-                "owner": app_map[metric['namespace']].owner_id,
+                "workspace": app_map[metric['namespace']].workspace_id,
                 "type": "volume",
                 "unit": "bytes",
                 "name": metric["storageclass"],

rootfs/api/manager.py

@@ -54,38 +54,42 @@ def delete(self, url, **kwargs):
         return self.request('delete', url, **kwargs)
 
 
-class UserAPI(ManagerAPI):
+class WorkspaceAPI(ManagerAPI):
 
-    def get_status(self, id):
+    def get_status(self, workspace_id):
         """
         {
             "is_active": False,
             "message": "The user is in arrears"
         }
         """
-        key = f"user:status:{id}"
+        key = f"workspace:status:{workspace_id}"
         status = cache.get(key)
         if not status:
-            url = f"{settings.WORKFLOW_MANAGER_URL}/users/{id}/status/"
+            url = f"{settings.WORKFLOW_MANAGER_URL}/workspaces/{workspace_id}/status/"
             try:
                 status = self.get(url=url, timeout=self.timeout).json()
             except requests.exceptions.Timeout as ex:
-                msg = f"request user {id} timeout, skipping verification."
+                msg = f"request workspace {workspace_id} timeout, skipping verification."
                 status = {"is_active": True, "message": msg}
                 logger.error(msg)
                 logger.exception(ex)
             cache.set(key, status, timeout=settings.DRYCC_CACHE_USER_TIME)
         return status
 
 
+class UserAPI(WorkspaceAPI):
+    """Backward-compatible alias for legacy call sites."""
+
+
 class UsageAPI(ManagerAPI):
 
     def post(self, usages: List[Dict[str, str]]):
         """
         [
             {
                 "app_id":  "test",
-                "owner": "test",
+                "workspace": "test",
                 "name": "web",
                 "type": "limits",
                 "unit": "std1.large.c1m1",

rootfs/api/migrations/0013_migration_permissions_and_certificates.py

@@ -1,21 +1,10 @@
 # Generated by Django 4.2.15 on 2024-09-03 03:48
 
 from django.db import migrations
-from guardian.shortcuts import assign_perm, get_users_with_perms, remove_perm
-from api.models.app import VIEW_APP_PERMISSION, CHANGE_APP_PERMISSION
 from api.models.domain import Domain
 from api.models.certificate import Certificate
 
 
-def migration_permission(apps, schema_editor):
-    App = apps.get_model('api', 'App')
-    for app in App.objects.all():
-        for user in get_users_with_perms(app):
-            remove_perm('use_app', user, app)
-            assign_perm(VIEW_APP_PERMISSION.codename, user, app)
-            assign_perm(CHANGE_APP_PERMISSION.codename, user, app)
-
-
 def migration_certificate(apps, schema_editor):
     for domain in Domain.objects.all():
         if domain.certificate:
@@ -38,6 +27,5 @@ class Migration(migrations.Migration):
     ]
 
     operations = [
-        migrations.RunPython(migration_permission),
         migrations.RunPython(migration_certificate),
     ]

rootfs/api/migrations/0028_workspace_remove_app_owner_remove_appsettings_owner_and_more.py

@@ -0,0 +1,119 @@
+# Generated by Django 5.2.9 on 2026-03-23 05:42
+
+import api.models.workspace
+import django.db.models.deletion
+from django.conf import settings
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0027_rename_lifecycle_post_start_config_lifecycle_and_more'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='Workspace',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('name', models.SlugField(max_length=150, unique=True, validators=[api.models.workspace.validate_workspace_name], verbose_name='workspace name')),
+                ('email', models.EmailField(max_length=254, verbose_name='email address')),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+            ],
+        ),
+        migrations.RemoveField(
+            model_name='app',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='appsettings',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='build',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='certificate',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='config',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='domain',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='gateway',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='release',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='route',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='resource',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='service',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='tls',
+            name='owner',
+        ),
+        migrations.RemoveField(
+            model_name='volume',
+            name='owner',
+        ),
+        migrations.AlterField(
+            model_name='blocklist',
+            name='type',
+            field=models.PositiveIntegerField(choices=[(1, 'app'), (2, 'workspace')]),
+        ),
+        migrations.AddField(
+            model_name='app',
+            name='workspace',
+            field=models.ForeignKey(default=None, on_delete=django.db.models.deletion.CASCADE, to='api.workspace'),
+            preserve_default=False,
+        ),
+        migrations.CreateModel(
+            name='WorkspaceInvitation',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('email', models.EmailField(max_length=254, verbose_name='email address')),
+                ('token', models.CharField(max_length=128, unique=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('accepted', models.BooleanField(default=False, verbose_name='accepted')),
+                ('inviter', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('workspace', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.workspace')),
+            ],
+            options={
+                'unique_together': {('email', 'workspace')},
+            },
+        ),
+        migrations.CreateModel(
+            name='WorkspaceMember',
+            fields=[
+                ('id', models.BigAutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
+                ('role', models.CharField(choices=[('admin', 'Admin'), ('member', 'Member'), ('viewer', 'Viewer')], max_length=50)),
+                ('alerts', models.BooleanField(default=True)),
+                ('created', models.DateTimeField(auto_now_add=True)),
+                ('updated', models.DateTimeField(auto_now=True)),
+                ('user', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to=settings.AUTH_USER_MODEL)),
+                ('workspace', models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to='api.workspace')),
+            ],
+            options={
+                'unique_together': {('user', 'workspace')},
+            },
+        ),
+    ]

rootfs/api/migrations/0029_key_api_key_fingerp_4e77c5_idx_and_more.py

@@ -0,0 +1,25 @@
+# Generated by Django 5.2.9 on 2026-03-26 08:26
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('api', '0028_workspace_remove_app_owner_remove_appsettings_owner_and_more'),
+    ]
+
+    operations = [
+        migrations.AddIndex(
+            model_name='key',
+            index=models.Index(fields=['fingerprint'], name='api_key_fingerp_4e77c5_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='limitplan',
+            index=models.Index(fields=['spec', 'cpu', 'memory'], name='api_limitpl_spec_id_f95ef2_idx'),
+        ),
+        migrations.AddIndex(
+            model_name='release',
+            index=models.Index(fields=['app', 'failed', 'state'], name='api_release_app_id_9849f2_idx'),
+        ),
+    ]