Fix issue error in minimal privileged account in AliCloud (#26)

gardener · May 22, 2019 · c49aea9 · c49aea9
1 parent aa2545c
commit c49aea9
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/pkg/controller/provider/alicloud/handler.go b/pkg/controller/provider/alicloud/handler.go
@@ -18,6 +18,7 @@ package alicloud
 
 import (
 	"fmt"
+	"github.com/aliyun/alibaba-cloud-sdk-go/sdk/errors"
 	"github.com/aliyun/alibaba-cloud-sdk-go/services/alidns"
 	"github.com/gardener/controller-manager-library/pkg/logger"
 	"github.com/gardener/external-dns-management/pkg/dns"
@@ -88,6 +89,11 @@ func (this *Handler) GetZones() (provider.DNSHostedZones, error) {
 			}
 			err := this.access.ListRecords(z.DomainName, f)
 			if err != nil {
+				if checkAccessForbiddern(err) {
+					// It is reasonable for some RAM user, it is only allowed to access certain domain's records detail
+					// As a result, this domain should not appended to the host zones
+					continue
+				}
 				return nil, err
 			}
 			hostedZone := provider.NewDNSHostedZone(
@@ -128,3 +134,17 @@ func (this *Handler) ExecuteRequests(logger logger.LogContext, zone provider.DNS
 	}
 	return exec.submitChanges()
 }
+
+func checkAccessForbiddern(err error) bool {
+	if err != nil {
+		switch err.(type) {
+		case *errors.ServerError:
+			serverErr := err.(*errors.ServerError)
+			if serverErr.ErrorCode() == "Forbidden.RAM" {
+				return true
+			}
+		}
+	}
+
+	return false
+}