[SCB-2093] Supplement the role module of rbac - ASF JIRA

XML

Word

Printable

JSON

Details

Type: New Feature
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: service-center-2.0.0
Component/s: Service-Center
Labels:
None

Description

RBAC数据结构

账户信息

accout	password	role	createTime	...
root		admin
		developer
		null

1. 创建用户时，用户名和密码是必须项

2. 账户可以新增和删除，root用户不能删除，账户名不可以修改，账户均支持修改密码

3. 创建账号时若未添加角色信息，则默认为空角色，空角色不分配任何资源和权限

4. 删除普通用户时，若用户存在active token，有两种方案：

a) 直接删除，包括该用户的角色（用户与角色为多对一关系）

b) 使token失效，然后再删除

选用a方案，删除用户账号会删除用户所有信息

角色权限

角色以及对应的权限

role	privilege
admin	允许超级用户在平台上的任何资源的所有操作。
developer	允许对除account资源等的所有操作

资源以及对应的操作：

{
"account": {Verbs: ["get", "create", "update", "delete"]},
"role":    {Verbs: ["get", "create", "update", "delete"]},
"service": {Verbs: ["get", "create", "update", "delete"]},
"edit":    {Verbs: ["create", "update"]},
"view":    {Verbs: ["get"]},
.....                    
 }}

角色对应的资源（列表仅展示部分资源及api）以及相应的操作

role	resource	api	verbs
admin	account	/v4/token、/v4/account、/v4/account/{name}	["get", "create", "update", "delete"]
	role	/v4/role、/v4/role/{roleName}	["get", "create", "update", "delete"]
	service	/v4/{project}/registry/microservices、/v4/{project}/registry/microservices/{serviceId}	["get", "create", "update", "delete"]
	instance		["get", "create", "update", "delete"]
developer	role	/v4/role、/v4/role/{roleName}	["get", "create", "update", "delete"]
	service	/v4/{project}/registry/microservices、/v4/{project}/registry/microservices/{serviceId}	["get", "create", "update", "delete"]
	instance		["get", "create", "update", "delete"]
edit	service	/v4/{project}/registry/microservices/{serviceId}	["create", "update"]
	instance		["create", "update"]
view	service	/v4/{project}/registry/microservices	["get", "list"]
	instance		["get", "list"]
null

1. admin角色拥有最高权限，允许超级用户在平台上的任何资源的所有操作，该角色不可修改删除；

developer角色拥有除account资源的所有权限，且该角色不可修改删除；

edit角色对部分资源拥有编辑权限，但没有查看和删除权限；

view角色对部分资源只拥有查看权限

2. admin和developer角色所对应用户可以新增、删除角色

3. 添加的新角色后，需要对角色进行资源的分配，以及资源对应的api列表和操作，支持修改角色可访问的服务资源列表

4. 删除角色时会删除该角色所对应的权限列表，账户对应的角色会变成空角色，空角色的账户没有任何权限

REST API

账户管理(已有API）

Method	Request URI	Parameter	Request Body	Description
POST	/v4/token	null	{ "id": "string", "name": "string", "password": "string", "role": "string", "tokenExprirationTime": "string", "currentPassword": "string", " status": "string" }	token is the only credential to access rest API, before you access any API, you need to get a token
GET	/v4/account	token	null	list all user accounts
POST	/v4/account	token	{ "id": "string", "name": "string", "password": "string", "role": "string", "tokenExprirationTime": "string", "currentPassword": "string", "status": "string" }	create user account
GET	/v4/account/ {name}	token、name	null
DELETE	v4/account/{name}	token、name	null
POST	/v4/account/ {name}/password	token、name	{ "currentPassword":"string", "password":"string" }

角色权限管理

Method	Request URI	Parameter	Request Body	Description
GET	/v4/role	token	null	查询系统的role以及role对应的资源
POST	/v4/role	token	{ roleId: "string" privilege：{ id: resource: apiList: verbs: } }	添加新角色并为新角色添加API资源列表
PUT	/v4/role/{roleName}	token	{ roleId: "string" privilege：{ id: resource: apiList: verbs: } }	修改角色可访问的API资源列表
GET	/v4/role/{roleName}	roleId、token	null	查询相应角色可访问的API资源列表，admin角色还将返回account资源
DELETE	/v4/role/{roleName}	roleId、token	null	删除角色，但admin、developer角色不可删除

Attachments

Issue Links

links to

GitHub Pull Request #736

Activity

People

Assignee:: Unassigned

Reporter:: Smart Yang

Votes:: 0 Vote for this issue

Watchers:: 1 Start watching this issue

Dates

Created:: 13/Oct/20 11:48

Updated:: 02/Jun/21 09:48

Resolved:: 02/Jun/21 09:48