Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2020/11/19 03:22:16 UTC

[GitHub] [servicecomb-service-center] SmartsYoung removed a comment on pull request #736: [SCB-2093]Add roles to control access to API resources

SmartsYoung removed a comment on pull request #736:
URL: https://github.com/apache/servicecomb-service-center/pull/736#issuecomment-730101800


   现在pr的内容较多,支持多role的功能会在下一次提交中补全功能
   
   
   | |
   yangcong
   |
   |
   yangcong_hit@163.com
   |
   签名由网易邮箱大师定制
   On 11/18/2020 18:42,Shawn<no...@github.com> wrote:
   
   @tianxiaoliang requested changes on this pull request.
   
   In pkg/rbacframe/role.go:
   
   > + */
   
   +
   
   +package rbacframe
   
   +
   
   +type RoleResponse struct {
   
   +	Roles []*Role `json:"data,omitempty"`
   
   +}
   
   +
   
   +type Role struct {
   
   +	ID          string        `json:"id,omitempty"`
   
   +	Name        string        `json:"name,omitempty"`
   
   +	Permissions []*Permission `json:"permissions,omitempty"`
   
   +}
   
   +
   
   +type Permission struct {
   
   +	Resources []string
   
   
   
   这里没有进行tag定义
   
   In pkg/rbacframe/role.go:
   
   > + * distributed under the License is distributed on an "AS IS" BASIS,
   
   + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   
   + * See the License for the specific language governing permissions and
   
   + * limitations under the License.
   
   + */
   
   +
   
   +package rbacframe
   
   +
   
   +type RoleResponse struct {
   
   +	Roles []*Role `json:"data,omitempty"`
   
   +}
   
   +
   
   +type Role struct {
   
   +	ID          string        `json:"id,omitempty"`
   
   +	Name        string        `json:"name,omitempty"`
   
   +	Permissions []*Permission `json:"permissions,omitempty"`
   
   
   
   简化为perms
   
   In pkg/rbacframe/resource_dao.go:
   
   > @@ -35,3 +35,12 @@ func GetResource(api string) string {
   
    func MapResource(api, resource string) {
   
    	resourceMap[api] = resource
   
    }
   
   +
   
   +//AddResourceType join the resource to an array
   
   +func AddResourceType(resourceType ...string) []string {
   
   
   
   没看到rt用在哪了
   
   In docs/user-guides/rbac.md:
   
   > +    ]
   
   +}
   
   +```
   
   +
   
   +### create new role 
   
   +you can add new role for user.
   
   +```shell script
   
   +curl -X POST \
   
   +  http://127.0.0.1:30100/v4/account \
   
   +  -H 'Accept: */*' \
   
   +  -H 'Authorization: Bearer {your_token}' \
   
   +  -H 'Content-Type: application/json' \
   
   +  -d '{
   
   +	"name":"dev_test",
   
   +	"password":"{strong_password}",
   
   +	"role":"tester"
   
   
   
   这个多role还没支持
   
   In datasource/role.go:
   
   > +
   
   +import (
   
   +	"context"
   
   +	"errors"
   
   +	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
   
   +)
   
   +
   
   +var (
   
   +	ErrRoleDuplicated = errors.New("role is duplicated")
   
   +	ErrRoleCanNotEdit = errors.New("role can not be edited")
   
   +)
   
   +
   
   +// RoleManager contains the RBAC CRUD
   
   +type RoleManager interface {
   
   +	CreateRole(ctx context.Context, r *rbacframe.Role) error
   
   +	RoleExist(ctx context.Context, key string) (bool, error)
   
   
   
   input就别叫key了,改成name
   
   In datasource/role.go:
   
   > +	"context"
   
   +	"errors"
   
   +	"github.com/apache/servicecomb-service-center/pkg/rbacframe"
   
   +)
   
   +
   
   +var (
   
   +	ErrRoleDuplicated = errors.New("role is duplicated")
   
   +	ErrRoleCanNotEdit = errors.New("role can not be edited")
   
   +)
   
   +
   
   +// RoleManager contains the RBAC CRUD
   
   +type RoleManager interface {
   
   +	CreateRole(ctx context.Context, r *rbacframe.Role) error
   
   +	RoleExist(ctx context.Context, key string) (bool, error)
   
   +	GetRole(ctx context.Context, key string) (*rbacframe.Role, error)
   
   +	ListRole(ctx context.Context, key string) ([]*rbacframe.Role, int64, error)
   
   
   
   list不需要name作为入参
   
   In datasource/etcd/role.go:
   
   > +		return nil, err
   
   +	}
   
   +	if resp.Count != 1 {
   
   +		return nil, client.ErrNotUnique
   
   +	}
   
   +	role := &rbacframe.Role{}
   
   +	err = json.Unmarshal(resp.Kvs[0].Value, role)
   
   +	if err != nil {
   
   +		log.Errorf(err, "role info format invalid")
   
   +		return nil, err
   
   +	}
   
   +	return role, nil
   
   +}
   
   +func (ds *DataSource) ListRole(ctx context.Context, key string) ([]*rbacframe.Role, int64, error) {
   
   +	resp, err := client.Instance().Do(ctx, client.GET,
   
   +		client.WithStrKey(kv.GenerateETCDRoleKey(key)), client.WithPrefix())
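Review bot: GetRole maps every `resp.Count != 1` to `client.ErrNotUnique`, so a role that simply does not exist (Count 0) is reported as a uniqueness error and callers such as RoleExist or the access decision cannot tell "not found" from "duplicate keys". Return a dedicated not-found error for `resp.Count == 0` and keep `client.ErrNotUnique` only for `resp.Count > 1`. Separately, the role name is embedded verbatim into the etcd key by `kv.GenerateETCDRoleKey(key)` and, in ListRole, combined with `client.WithPrefix()`, so an empty name or one containing the key separator widens the match to unrelated keys; whatever ListRole's final signature, the name should be validated (non-empty, no separator characters) before it reaches the key builder. GetRole's signature lies before this hunk and ListRole's body continues after it.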
   
   
   
   拿到role列表为何需要一个role的名字
   
   In server/service/rbac/decision.go:
   
   > -		log.Warn("role is not allowed to access resource")
   
   -		return false, nil
   
   +
   
   +	for i := 0; i < len(ps); i++ {
   
   +		pr := ps[i].Resources
   
   +		contains := inStrSlice(pr, resource)
   
   +		if contains {
   
   +			return allowVerbs(ps[i].Verbs, verbs), nil
   
   +		}
   
   +	}
   
   +
   
   +	log.Warn("role is not allowed to operate resource")
   
   +	return false, nil
   
   +}
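Review bot: `ps[i].Resources` and `ps[i].Verbs` dereference each entry of `r.Permissions`, declared as `[]*Permission`, without a nil check; a stored role whose `permissions` array contains a JSON `null` decodes to a nil pointer and panics inside the authorization decision. Since roles are built from request bodies (CreateRole takes a `*rbacframe.Role`), reject nil entries at creation and tolerate them here with `if ps[i] == nil { continue }` at the top of the loop, so a malformed role fails closed instead of crashing the request path. The enclosing function starts before this hunk and `inStrSlice`'s body ends after it.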
   
   +
   
   +func inStrSlice(haystack []string, needle string) bool {
   
   
   
   inStrSlice方法名起的不够易懂,应该是ableToAccessResource
   
   In server/service/rbac/decision.go:
   
   >  	ps := r.Permissions
   
    	if len(ps) == 0 {
   
    		log.Warn("role has no any permissions")
   
    		return false, nil
   
    	}
   
   -	p, ok := ps[resource]
   
   -	if !ok || p == nil {
   
   -		log.Warn("role is not allowed to access resource")
   
   -		return false, nil
   
   +
   
   +	for i := 0; i < len(ps); i++ {
   
   +		pr := ps[i].Resources
   
   +		contains := inStrSlice(pr, resource)
   
   +		if contains {
   
   +			return allowVerbs(ps[i].Verbs, verbs), nil
   
   
   
   allowVerbs不要最后返回这个方法的结果,虽然结果正确,但是代码不易读,应该是一个大方法判断resource和verbs,比如叫ableToOperateResource
   
   In server/service/rbac/permission.go:
   
   > +// AdminPerms allocate all resource permissions
   
   +func AdminPerms() []*rbacframe.Permission {
   
   +	resources := rbacframe.AddResourceType(ResourceAccount, ResourceRole, ResourceService, ResourceInstance,
   
   +		ResourceDep, ResourceTag, ResourceRule, ResourceGovern, ResourceAdminister, ResourceSchema)
   
   +	perm := []*rbacframe.Permission{
   
   +		{
   
   +			Resources: resources,
   
   +			Verbs:     []string{"*"},
   
   +		},
   
   +	}
   
   +	return perm
   
   +}
   
   +
   
   +// DevPerms allocate all resource permissions except account and role resources
   
   +func DevPerms() []*rbacframe.Permission {
   
   +	resources := rbacframe.AddResourceType(ResourceService, ResourceInstance,
   
   
   
   我明白了AddResourceType是什么,你不如叫buildResourceList
   

