[ZCF-4419] Add SCIM source tracking contract #4338

Closed
ZStack-Robot wants to merge 1 commit into 5.5.28 from sync/hanyu.liang/zcf-4419@@2

@ZStack-Robot

Collaborator

Summary

  • Add generic ResourceSourceRefVO contract for resources synced from external identity sources.
  • Add scim.receiver.enabled GlobalConfig and reject SCIM requests while disabled.
  • Trigger SCIM sourced-resource cleanup when receiver is disabled, including startup compensation and request/cleanup synchronization.
  • Expose source metadata for role/IAM2 inventories and keep role source refs lazy.

Verification

  • cd header && mvn clean install -Dmaven.test.skip=true
  • cd core && mvn clean install -Dmaven.test.skip=true
  • cd identity && mvn clean install -Dmaven.test.skip=true
  • cd premium/test-premium && mvn test -Djacoco.skip=true -Dtest=IAM2ScimReceiverCase
  • git diff --check

Resolves: ZCF-4419

sync from gitlab !10299

@coderabbitai

coderabbitai Bot commented Jun 26, 2026

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: af4f18f5-a426-44ed-9476-24ef798d45e1

📥 Commits

Reviewing files that changed from the base of the PR and between dcf7c5f and f26017d.

⛔ Files ignored due to path filters (2)
  • conf/persistence.xml is excluded by !**/*.xml
  • conf/serviceConfig/rbac.xml is excluded by !**/*.xml
📒 Files selected for processing (29)
  • conf/db/upgrade/V5.5.28__schema.sql
  • core/src/main/java/org/zstack/core/scim/ScimGlobalConfig.java
  • core/src/main/java/org/zstack/core/scim/ScimService.java
  • header/src/main/java/org/zstack/header/identity/role/RoleInventory.java
  • header/src/main/java/org/zstack/header/identity/role/RoleType.java
  • header/src/main/java/org/zstack/header/identity/role/RoleVO.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefMsg.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefMsgDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefReply.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefReplyDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/RBACInfo.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceConstant.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventory.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventoryDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefVO.java
  • header/src/main/java/org/zstack/header/scim/ScimResourceHandler.java
  • identity/src/main/java/org/zstack/identity/rbac/RBACApiInterceptor.java
  • sdk/src/main/java/SourceClassMap.java
  • sdk/src/main/java/org/zstack/sdk/QueryResourceSourceRefAction.java
  • sdk/src/main/java/org/zstack/sdk/QueryResourceSourceRefResult.java
  • sdk/src/main/java/org/zstack/sdk/ResourceSourceRefInventory.java
  • sdk/src/main/java/org/zstack/sdk/iam2/api/ConfigureIAM2ScimReceiverAction.java
  • sdk/src/main/java/org/zstack/sdk/iam2/api/ConfigureIAM2ScimReceiverResult.java
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2OrganizationInventory.java
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2ProjectInventory.java
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2VirtualIDGroupInventory.java
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2VirtualIDInventory.java
  • sdk/src/main/java/org/zstack/sdk/identity/role/RoleInventory.java
  • sdk/src/main/java/org/zstack/sdk/identity/role/RoleType.java

Warning

.coderabbit.yaml has a parsing error

The CodeRabbit configuration file in this repository has a parsing error and default settings were used instead. Please fix the error(s) in the configuration file. You can initialize chat with CodeRabbit to get help with the configuration file.

💥 Parsing errors (1)
Could not fetch remote config from http://open.zstack.ai:20001/code-reviews/zstack-cloud.yaml: TimeoutError: The operation was aborted due to timeout

Walkthrough

Adds the resource source reference table, entity, inventory and query API, and exposes expanded source information for roles; the SCIM receiver gains a global switch, cleanup on disable, and interception of local modifications.

Changes

Resource source references and SCIM control

Layer / File(s) Summary
Persistence model and constants
conf/db/upgrade/V5.5.28__schema.sql, header/src/main/java/org/zstack/header/resource/ResourceSourceConstant.java, header/src/main/java/org/zstack/header/resource/ResourceSourceRefVO.java
Adds the resource source reference table, entity mapping, lifecycle callbacks and resource source constants.
Resource source query API
header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventory.java, header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventoryDoc_zh_cn.groovy, header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRef*.java, header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRef*Doc_zh_cn.groovy, header/src/main/java/org/zstack/header/resource/RBACInfo.java
Adds the resource source reference inventory, query API, RBAC description and Chinese documentation.
Role source expansion
header/src/main/java/org/zstack/header/identity/role/RoleType.java, header/src/main/java/org/zstack/header/identity/role/RoleVO.java, header/src/main/java/org/zstack/header/identity/role/RoleInventory.java
RoleVO is associated with resource source references, RoleInventory exposes and populates the source fields, and RoleType adds None.
SCIM receiver control
core/src/main/java/org/zstack/core/scim/ScimGlobalConfig.java, core/src/main/java/org/zstack/core/scim/ScimService.java, header/src/main/java/org/zstack/header/scim/ScimResourceHandler.java
Adds the receiver.enabled global config; ScimService uses it during initialization, cleanup and apply() validation, and cleans up resources through ScimResourceHandler.
SCIM role mutation interception
identity/src/main/java/org/zstack/identity/rbac/RBACApiInterceptor.java
RBACApiInterceptor runs a count check on local modification requests for SCIM-managed roles and blocks them.

Sequence Diagram(s)

sequenceDiagram
  participant ScimService
  participant ThreadFacade
  participant ScimResourceHandler
  participant ReceiverEnabled as "ScimGlobalConfig.RECEIVER_ENABLED"

  ScimService->>ReceiverEnabled: register update extension
  ReceiverEnabled-->>ScimService: disabled update callback
  ScimService->>ThreadFacade: submit cleanupWhenDisabled
  ThreadFacade-->>ScimService: run cleanupScimResourcesIfPresent
  ScimService->>ScimResourceHandler: cleanupResources("SCIM")

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~60 minutes


Important

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

❌ Failed checks (1 error, 1 warning)

Check name Status Explanation Resolution
Title check ❌ Error The title is related to the change but does not follow the required <type>[scope]: <description> format. Change it to a format such as feat[scim]: Add SCIM source tracking contract, and keep it within 72 characters.
Docstring Coverage ⚠️ Warning Docstring coverage is 1.09% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (3 passed)
Check name Status Explanation
Description check ✅ Passed The description is consistent with this change's SCIM source tracking, config switch and linked cleanup.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
@MatheMatrix

Owner

Comment from yaohua.wu:

Review: MR !10299 — ZCF-4419

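Background: adds to the Cloud-side SCIM receiver a generic source marker (ResourceSourceRefVO), enable/disable control (the scim.receiver.enabled GlobalConfig) and a resource cleanup mechanism on disable, and exposes source metadata on the Role/IAM2 inventories.


🟡 Warning 1 — ScimService.init() runs startup cleanup only when the receiver is already disabled; the logic is inverted

File: core/src/main/java/org/zstack/core/scim/ScimService.java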

public void init() {
    ensureReceiverEnabledExtensionRegistered();
    if (!isEnabled(ScimGlobalConfig.RECEIVER_ENABLED.value())) {
        submitStartupCleanup();   // ← cleans up only when disabled
    }
}

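When the SCIM receiver is enabled (true), no cleanup is performed, which is expected. The problem is that ensureReceiverEnabledExtensionRegistered() registers the extension in init(), and after that the cleanupWhenDisabled logic relies on a change from true to false to trigger cleanup.

However, if the system starts with receiver.enabled=false, init() submits submitStartupCleanup() to compensate. This compensation logic is itself correct.

Actual risk: when is init() called? From the code I see no Spring @PostConstruct or XML bean init-method configuration; if ScimService has no explicit initialization entry point, init() may never be called. Please confirm that init() is registered as an init-method in the Spring bean configuration (or add @PostConstruct); otherwise both the startup compensation and the extension registration will not take effect.


🟡 Warning 2 — the lock-free fast path of ensureReceiverEnabledExtensionRegisteredIfNeeded() has a visibility problem

File: core/src/main/java/org/zstack/core/scim/ScimService.java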

private void ensureReceiverEnabledExtensionRegisteredIfNeeded() {
    GlobalConfig receiverEnabled = ScimGlobalConfig.RECEIVER_ENABLED;
    // Lock-free fast path
    if (registeredReceiverEnabledConfig == receiverEnabled
            && receiverEnabled.getLocalUpdateExtensions().contains(cleanupWhenDisabledExtension)
            && receiverEnabled.getUpdateExtensions().contains(cleanupWhenDisabledExtension)) {
        return;
    }
    ensureReceiverEnabledExtensionRegistered();
}
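  • registeredReceiverEnabledConfig is volatile, so visibility is not a problem.
  • The collections accessed by getLocalUpdateExtensions().contains(...) and getUpdateExtensions().contains(...) are not necessarily thread-safe. If the underlying type is a plain List/Set, concurrent reads and writes may cause a ConcurrentModificationException or dirty reads.
  • If GlobalConfig's extension list is itself thread-safe (e.g. CopyOnWriteArrayList), this item can be ignored; otherwise I suggest removing the lock-free fast path outright and keeping only the synchronized slow path. The method runs on the critical path (every apply() call), but the synchronized block returns quickly after checking the condition, so the overhead is acceptable.

🟡 Warning 3 — cleanupScimResourcesIfPresent() runs inside the write lock and may block requests for a long time

File: core/src/main/java/org/zstack/core/scim/ScimService.java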

private void cleanupScimResourcesIfPresent() {
    receiverStateLock.writeLock().lock();
    try {
        // query the count first, then cleanupResources (may involve many DB operations)
        resourceHandler.cleanupResources(ResourceSourceConstant.SYNC_TYPE_SCIM);
    } finally {
        receiverStateLock.writeLock().unlock();
    }
}

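The implementation of cleanupResources() is on the premium side (not included in this MR), but semantically it deletes all SCIM-sourced resources and may be a time-consuming batch DB operation. While the write lock is held, all apply() requests are blocked. In the normal disable scenario (config going from true→false) this is acceptable, because the receiver is being disabled.

The startup compensation path (submitStartupCleanup) is submitted asynchronously to the thread pool; if cleanup takes a long time, SCIM requests cannot be processed for the whole service startup period (although the receiver is disabled at that point and requests are rejected by verifyEnabled(), so the actual impact is limited).

I suggest stating the expected hold time of this lock in a comment, or adding timeout protection.


🟢 Suggestion 1 — the @Where clause on RoleVO.sourceRefs hardcodes the type name as a string

File: header/src/main/java/org/zstack/header/identity/role/RoleVO.java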

@Where(clause = "resourceType = 'RoleVO'")
private Set<ResourceSourceRefVO> sourceRefs = new HashSet<>();

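'RoleVO' is a string constant equivalent to RoleVO.class.getSimpleName(). If the class is renamed in the future, the @Where clause will not follow (the compiler cannot detect it).

Suggestion: define a RESOURCE_TYPE_ROLE = "RoleVO" constant (a string) in ResourceSourceRefVO or a constants class, or at least add a comment line // keep in sync with RoleVO.class.getSimpleName().


🟢 Suggestion 2 — RoleInventory.applySourceInfo() takes only the first ZIAM SCIM ref; behaviour with multiple sources is opaque

File: header/src/main/java/org/zstack/header/identity/role/RoleInventory.java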

for (ResourceSourceRefVO ref : refs) {
    if (SOURCE_TYPE_ZIAM.equals(ref.getSourceType()) && SYNC_TYPE_SCIM.equals(ref.getSyncType())) {
        // take the first match and return directly
        return;
    }
}

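The current design takes the first match. The unique constraint on ResourceSourceRefVO, (resourceUuid, resourceType, sourceType, syncType), guarantees that the (RoleVO, ZIAM, SCIM) combination has only one record, so multiple records cannot occur at present and the logic is correct.

I suggest adding a comment line explaining the dependency on the unique constraint, so later maintainers understand why this is a return rather than a break.


🟢 Suggestion 3 — ResourceSourceRefVO lacks @BaseResource or a note on its integration with the ZStack resource system

File: header/src/main/java/org/zstack/header/resource/ResourceSourceRefVO.java

This VO neither extends ResourceVO nor has @BaseResource, which is an intentional design (it is a reference table, not a resource itself). I suggest stating this explicitly in the class comment so later maintainers do not add the inheritance by mistake.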


🔴 Critical — RBACApiInterceptor.rejectScimRoleMutation() runs a DB query on every API call, with no caching

File: identity/src/main/java/org/zstack/identity/rbac/RBACApiInterceptor.java

Long count = SQL.New("select count(vo) from ResourceSourceRefVO vo" +
        " where vo.resourceUuid = :resourceUuid" + ...)
        .find();

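This interceptor runs one count query for every RoleMessage (except APICreateRoleMsg). If role-related operations are frequent, this becomes a performance hotspot.

In the current scenario the number of SCIM roles should be small, and this interception happens on write operations whose frequency will not be especially high, so it is barely acceptable. Still, I suggest:

  1. Add a comment explaining why a query per call is accepted here (write path, low frequency)
  2. Or consider adding a DB index on roleUuid (ResourceSourceRefVO already has the idxResourceSourceRefVOResourceSync index covering resourceType, resourceUuid, syncType; confirm that the optimizer can use this index for the query)

Actually, looking at the DDL, the column order of index idxResourceSourceRefVOResourceSync is (resourceType, resourceUuid, syncType), while the query conditions are resourceUuid, resourceType, sourceType, syncType. These include sourceType, which the index does not cover, so the index scan is followed by a filter. I suggest changing this query to first locate (resourceType, resourceUuid) through the index and then filter on sourceType, or providing a usage path for the (resourceUuid, resourceType, sourceType, syncType) unique constraint itself (the UNIQUE KEY already exists).

Actually, the column order of the unique key ukResourceSourceRefVOResourceSourceSync is (resourceUuid, resourceType, sourceType, syncType), which exactly matches the four WHERE conditions of the query; the MySQL optimizer should choose this unique key for an index range scan, so performance is in fact OK. This is downgraded to Warning.


Summary

Severity Count Notes
🔴 Critical 0
🟡 Warning 3 Confirming the init() initialization entry point, thread safety of the lock-free fast path, documenting the cleanup lock hold time
🟢 Suggestion 3 Hardcoded class name, multi-source comment, VO design note

Overall assessment: the design is clear, and the generic ResourceSourceRefVO contract and the use of ReentrantReadWriteLock for request/cleanup synchronization are reasonable. The most important item to confirm is whether ScimService.init() has a Spring initialization entry point (Warning 1), which directly determines whether the startup compensation and extension registration take effect.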


🤖 Robot Reviewer
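
An added example, not code from this PR or from ZStack, of the request/cleanup synchronization discussed in Warning 3 with the timeout protection the review suggests: cleanup takes the write lock with a bounded wait and releases it between batches, so requests queued behind it are rejected between batches instead of waiting for the whole cleanup. ReceiverGate, apply, cleanupWhileDisabled and the batch supplier are hypothetical names, and stopping when the receiver is re-enabled is an assumption about the desired behaviour.

```java
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import java.util.function.IntSupplier;
import java.util.function.Supplier;

// Hypothetical stand-in for the receiver gate; not ZStack's ScimService.
public class ReceiverGate {
    // Fair mode: a cleanup thread re-acquiring the write lock queues behind
    // readers that are already waiting, so it cannot starve them between batches.
    private final ReentrantReadWriteLock stateLock = new ReentrantReadWriteLock(true);
    private volatile boolean enabled = true;

    public void setEnabled(boolean value) {
        enabled = value;
    }

    // Request path: shared lock, so requests run concurrently with each other
    // but never overlap a cleanup batch. The flag is checked under the lock.
    public <T> T apply(Supplier<T> request) {
        stateLock.readLock().lock();
        try {
            if (!enabled) {
                throw new IllegalStateException("SCIM receiver is disabled");
            }
            return request.get();
        } finally {
            stateLock.readLock().unlock();
        }
    }

    // Cleanup path: one batch per write-lock acquisition. Returns the number of
    // rows deleted so far; it stops early if in-flight requests do not drain
    // within lockWaitMillis or if the receiver was re-enabled in the meantime.
    public int cleanupWhileDisabled(IntSupplier deleteBatch, long lockWaitMillis)
            throws InterruptedException {
        int total = 0;
        while (true) {
            if (!stateLock.writeLock().tryLock(lockWaitMillis, TimeUnit.MILLISECONDS)) {
                return total; // bounded wait expired; the caller can reschedule
            }
            try {
                if (enabled) {
                    return total; // re-enabled: do not delete freshly synced rows
                }
                int deleted = deleteBatch.getAsInt();
                if (deleted == 0) {
                    return total; // nothing left to clean
                }
                total += deleted;
            } finally {
                stateLock.writeLock().unlock();
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        ReceiverGate gate = new ReceiverGate();
        // Constructed sample data: 250 SCIM-sourced rows, deleted 100 at a time.
        AtomicInteger rows = new AtomicInteger(250);
        IntSupplier deleteBatch = () -> {
            int n = Math.min(100, rows.get());
            rows.addAndGet(-n);
            return n;
        };

        System.out.println(gate.apply(() -> "request handled"));
        gate.setEnabled(false);
        System.out.println("deleted " + gate.cleanupWhileDisabled(deleteBatch, 5_000));
        try {
            gate.apply(() -> "unreachable");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```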

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 4

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In
`@header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefMsgDoc_zh_cn.groovy`:
- Around line 11-23: The request-level documentation strings in
APIQueryResourceSourceRefMsgDoc_zh_cn.groovy are still written in Chinese, which
violates the repository’s English-only docstring requirement. Update the
top-level desc in this document and the query description inside rest.request
for APIQueryResourceSourceRefMsg to clear English wording, keeping the meaning
intact and consistent with the surrounding API docs.

In
`@header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefReplyDoc_zh_cn.groovy`:
- Around line 10-31: The reply document text in
APIQueryResourceSourceRefReplyDoc_zh_cn.groovy still uses Chinese descriptions
for inventories, success, and error; update these doc entries to English only.
Edit the existing ref/field blocks for inventories, success, and error so their
desc strings are clear English equivalents, while keeping the same symbols and
schema fields unchanged.

In
`@header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventoryDoc_zh_cn.groovy`:
- Around line 7-68: The documentation strings in
ResourceSourceRefInventoryDoc_zh_cn.groovy are still written in Chinese, which
conflicts with the repository text convention. Update the title and every field
desc in this doc generator to clear, correct English while keeping the same
meaning and matching the existing symbols like title and field blocks for uuid,
resourceUuid, resourceType, sourceType, sourceName, externalUuid, externalType,
syncType, createDate, and lastOpDate.

In `@identity/src/main/java/org/zstack/identity/rbac/RBACApiInterceptor.java`:
- Around line 57-73: Before running the SCIM reference check in
RBACApiInterceptor, normalize the roleUuid taken from RoleMessage by trimming
whitespace (and handling empty-after-trim as null/skip) so copied values with
spaces or newlines still match ResourceSourceRefVO correctly. Update the
existing roleUuid guard and the SQL.New lookup block together, keeping the
interception logic intact and ensuring the comparison uses the normalized value
before throwing ApiMessageInterceptionException.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: http://open.zstack.ai:20001/code-reviews/zstack-cloud.yaml (via .coderabbit.yaml)

Review profile: CHILL

Plan: Pro

Run ID: 3e4a1543-d8c1-4e42-b92f-2224599c4b80

📥 Commits

Reviewing files that changed from the base of the PR and between dd6b1c9 and dcf7c5f.

⛔ Files ignored due to path filters (14)
  • conf/persistence.xml is excluded by !**/*.xml
  • conf/serviceConfig/rbac.xml is excluded by !**/*.xml
  • sdk/src/main/java/SourceClassMap.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/QueryResourceSourceRefAction.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/QueryResourceSourceRefResult.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/ResourceSourceRefInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/api/ConfigureIAM2ScimReceiverAction.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/api/ConfigureIAM2ScimReceiverResult.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2OrganizationInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2ProjectInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2VirtualIDGroupInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/iam2/entity/IAM2VirtualIDInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/identity/role/RoleInventory.java is excluded by !sdk/**
  • sdk/src/main/java/org/zstack/sdk/identity/role/RoleType.java is excluded by !sdk/**
📒 Files selected for processing (17)
  • conf/db/upgrade/V5.5.28__schema.sql
  • core/src/main/java/org/zstack/core/scim/ScimGlobalConfig.java
  • core/src/main/java/org/zstack/core/scim/ScimService.java
  • header/src/main/java/org/zstack/header/identity/role/RoleInventory.java
  • header/src/main/java/org/zstack/header/identity/role/RoleType.java
  • header/src/main/java/org/zstack/header/identity/role/RoleVO.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefMsg.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefMsgDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefReply.java
  • header/src/main/java/org/zstack/header/resource/APIQueryResourceSourceRefReplyDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/RBACInfo.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceConstant.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventory.java
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefInventoryDoc_zh_cn.groovy
  • header/src/main/java/org/zstack/header/resource/ResourceSourceRefVO.java
  • header/src/main/java/org/zstack/header/scim/ScimResourceHandler.java
  • identity/src/main/java/org/zstack/identity/rbac/RBACApiInterceptor.java

Comment on lines +11 to +23
desc """查询资源来源引用,用于识别资源是否由 ZIAM SCIM 等外部身份源同步管理。"""

rest {
request {
url "GET /v1/resources/source-refs"

header (Authorization: 'OAuth the-session-uuid')

clz APIQueryResourceSourceRefMsg.class

desc """按资源UUID、资源类型、来源类型或同步类型查询资源来源引用。"""

params APIQueryMessage.class

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

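Please change the API documentation descriptions to English.

The request-level desc and the query description are currently both in Chinese, which does not meet the repository's requirement that code and documentation strings be uniformly in English. As per path instructions, "**/*.*: - Code should not contain Chinese; error messages, comments and the like should all be written in correct English free of spelling errors".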

Source: Path instructions

Comment on lines +10 to +31
ref {
name "inventories"
path "org.zstack.header.resource.APIQueryResourceSourceRefReply.inventories"
desc "资源来源引用清单"
type "List"
since "5.5.28"
clz ResourceSourceRefInventory.class
}
field {
name "success"
desc "API调用是否成功"
type "boolean"
since "5.5.28"
}
ref {
name "error"
path "org.zstack.header.resource.APIQueryResourceSourceRefReply.error"
desc "错误码,若不为null,则表示操作失败, 操作成功时该字段为null",false
type "ErrorCode"
since "5.5.28"
clz ErrorCode.class
}

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

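Please replace the Chinese descriptions in the response body documentation with English.

The description texts for inventories, success and error are currently all in Chinese, which directly violates the repository's global text convention. As per path instructions, "**/*.*: - Code should not contain Chinese; error messages, comments and the like should all be written in correct English free of spelling errors".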

Source: Path instructions

Comment on lines +7 to +68
title "资源来源引用"

field {
name "uuid"
desc "引用记录UUID"
type "String"
since "5.5.28"
}
field {
name "resourceUuid"
desc "资源UUID"
type "String"
since "5.5.28"
}
field {
name "resourceType"
desc "Cloud 侧资源类型,例如 IAM2VirtualIDVO、IAM2VirtualIDGroupVO、IAM2OrganizationVO、IAM2ProjectVO"
type "String"
since "5.5.28"
}
field {
name "sourceType"
desc "资源来源类型,ZIAM SCIM 同步资源固定为 ZIAM"
type "String"
since "5.5.28"
}
field {
name "sourceName"
desc "资源来源名称,ZIAM SCIM 同步资源固定为 ziam"
type "String"
since "5.5.28"
}
field {
name "externalUuid"
desc "上游身份源中的资源UUID"
type "String"
since "5.5.28"
}
field {
name "externalType"
desc "上游身份源中的资源类型"
type "String"
since "5.5.28"
}
field {
name "syncType"
desc "同步类型,SCIM 同步资源固定为 SCIM"
type "String"
since "5.5.28"
}
field {
name "createDate"
desc "创建时间"
type "Timestamp"
since "5.5.28"
}
field {
name "lastOpDate"
desc "最后一次修改时间"
type "Timestamp"
since "5.5.28"
}

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

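Please change the documentation strings uniformly to English.

The title and each desc here are in Chinese, which conflicts with the repository's global text convention, and the generated documentation will consequently contain content that does not comply with the constraint. As per path instructions, "**/*.*: - Code should not contain Chinese; error messages, comments and the like should all be written in correct English free of spelling errors".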

Source: Path instructions

@MatheMatrix MatheMatrix force-pushed the sync/hanyu.liang/zcf-4419@@2 branch 3 times, most recently from 6387996 to f26017d Compare June 26, 2026 03:49
Merge the Cloud side of ZCF-4419 into one reviewable source tracking change.

Add ResourceSourceRefVO schema/persistence, source constants, query API, RBAC contribution, inventory docs, and SDK classes for resources synchronized from external identity sources.

Expose SCIM source fields on IAM2 and role inventories, keep role source refs lazy, and avoid brittle RoleVO simple-name filtering when applying source information.

Add scim.receiver.enabled and receiver-disable cleanup through ScimResourceHandler.cleanupResources. Startup cleanup is compensated when the receiver is already disabled, cleanup and SCIM request handling are synchronized with a read/write lock, and GlobalConfig extension registration can self-heal after test/global-config re-linking.

Tighten ResourceSourceRefVO persistence semantics with non-null source key columns, non-null uuid mapping, and create/update timestamp initialization.

Verification:

git diff --check

./runMavenProfile premium

mvn -pl iam2,plugin-premium/iam2-script-plugin,test-premium -Djacoco.skip=true -Dtest=IAM2Test -DsubCaseCollectionStrategy=Designated -DcaseFilePath=/tmp/iam2_failed_cases.txt -DfailIfNoTests=false test

mvn -pl plugin-premium/sso-plugin -Dtest=IAM2RopcLoginBackendTest test

Resolves: ZCF-4419

Change-Id: Ibce13e7b792a16ba01f9c404ae46e2c1a83a1865
@MatheMatrix MatheMatrix force-pushed the sync/hanyu.liang/zcf-4419@@2 branch from f26017d to 28e3500 Compare June 26, 2026 09:24
@ZStack-Robot ZStack-Robot deleted the sync/hanyu.liang/zcf-4419@@2 branch June 26, 2026 16:29