Posted to issues@servicecomb.apache.org by "Smart Yang (Jira)" <ji...@apache.org> on 2020/11/10 08:05:00 UTC

[jira] [Updated] (SCB-2093) Supplement the role module of rbac

     [ https://issues.apache.org/jira/browse/SCB-2093?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Smart Yang updated SCB-2093:
----------------------------
    Description: 
 
*RBAC data structures*

*Account information*
||account||password||role||createTime||...||
|{color:#4c9aff}root{color}| |{color:#4c9aff}admin{color}| | |
| | |developer| | |
| | |null| | |

1. When creating a user, the {color:#4c9aff}user name and password{color} are required.

2. Accounts can be {color:#4c9aff}added and deleted{color}; the root user cannot be deleted; the account name cannot be changed; every account supports changing its password.

3. If no role is given when an account is created, it defaults to the empty role; {color:#4c9aff}the empty role is assigned no resources and no permissions{color}.

4. When deleting an ordinary user who still has an active token, there are two options:

a) Delete directly, including the user's role (users to roles is a many-to-one relationship).

b) Invalidate the token first, then delete.

Option a is chosen: deleting a user account deletes all of the user's information.

 

*Role permissions*

*Roles and their permissions*
||role||privilege||
|admin|Allows the super user all operations on any resource on the platform.|
|developer|Allows all operations on all resources except account and the like|
| | |

 

Resources and their operations:
{code:json}
{
  "account": {"Verbs": ["get", "create", "update", "delete"]},
  "role":    {"Verbs": ["get", "create", "update", "delete"]},
  "service": {"Verbs": ["get", "create", "update", "delete"]},
  "edit":    {"Verbs": ["create", "update"]},
  "view":    {"Verbs": ["get"]},
  .....
}
{code}
Resources for each role (the list shows only some of the resources and APIs) and the corresponding operations:

 
||role||resource||api||verbs||
|admin|account|/v4/token, /v4/account, /v4/account/\{name}|["get", "create", "update", "delete"]|
| |role|/v4/role, /v4/role/\{roleName}|["get", "create", "update", "delete"]|
| |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
| |instance| |["get", "create", "update", "delete"]|
|developer|role|/v4/role, /v4/role/\{roleName}|["get", "create", "update", "delete"]|
| |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
| |instance| |["get", "create", "update", "delete"]|
|edit|service|/v4/\{project}/registry/microservices/\{serviceId}|["create", "update"]|
| |instance| |["create", "update"]|
|view|service|/v4/\{project}/registry/microservices|["get", "list"]|
| |instance| |["get", "list"]|
|null| | | |

 
  

{color:#4c9aff}1. The admin role{color} has the highest privilege: it allows the super user all operations on any resource on the platform, and this role cannot be modified or deleted;

  the developer role has all permissions except on the account resource, and this role also cannot be modified or deleted;

  the edit role has edit permission on some resources, but no view or delete permission;

  the view role has only view permission on some resources.

2. Users holding the admin or developer role can add and delete roles.

3. After a new role is added, it must be given a {color:#4c9aff}resource assignment{color} together with the {color:#4c9aff}API list and operations{color} for each resource; the list of service resources a role can access can be modified afterwards.

4. Deleting a role deletes the permission list of that role; accounts holding it fall back to the empty role, and an account with the empty role has no permissions at all.
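As an added example (not code from the ServiceComb project), the role table and rules 1 and 4 above modelled in Go: a permission check in which the empty role and unknown roles get nothing, and a role deletion that refuses admin and developer and resets every account that held the deleted role to the empty role. The type and function names are assumed, and apiList is left out of the table.

```go
package main

// RoleTable maps roleId -> resource -> allowed verbs: a compact form of the role
// body on this page (roleId, privilege{resource, apiList, verbs}); apiList is left out.
type RoleTable map[string]map[string][]string

// admin and developer are built-in roles that cannot be modified or deleted.
var protectedRoles = map[string]bool{"admin": true, "developer": true}

// NewRoleTable builds the four built-in roles from the page's role/resource/verbs table.
func NewRoleTable() RoleTable {
	all := []string{"get", "create", "update", "delete"}
	rw, ro := []string{"create", "update"}, []string{"get", "list"}
	return RoleTable{
		"admin":     {"account": all, "role": all, "service": all, "instance": all},
		"developer": {"role": all, "service": all, "instance": all},
		"edit":      {"service": rw, "instance": rw},
		"view":      {"service": ro, "instance": ro},
	}
}

// Allowed decides whether an account holding roleID may perform verb on resource.
// The empty role (an account created without one) and unknown roles get nothing:
// indexing a missing role or resource yields a nil slice, so the loop never matches.
func (t RoleTable) Allowed(roleID, resource, verb string) bool {
	for _, v := range t[roleID][resource] {
		if v == verb {
			return true
		}
	}
	return false
}

// DeleteRole removes a custom role and resets every account that held it (accounts
// maps account name -> roleId) to the empty role, so those accounts lose all
// permissions. It changes nothing and returns false for admin, developer or an unknown role.
func (t RoleTable) DeleteRole(accounts map[string]string, roleID string) bool {
	if _, ok := t[roleID]; !ok || protectedRoles[roleID] {
		return false
	}
	delete(t, roleID)
	for name, r := range accounts {
		if r == roleID {
			accounts[name] = ""
		}
	}
	return true
}
```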

 

*REST API*

*Account management (existing APIs)*

 
||Method||Request URI||Parameter||Request Body||Description||
|POST|/v4/token|null|{ "id": "string", "{color:#0747a6}name{color}": "string", "{color:#0747a6}password{color}": "string", "role": "string", "tokenExpirationTime": "string", "currentPassword": "string", "status": "string" }|The token is the only credential for accessing the REST API; before calling any other API you need to obtain a token|
|GET|/v4/account|token|null|List all user accounts|
|POST|/v4/account|token|{ "id": "string", "{color:#4c9aff}name{color}": "string", "{color:#4c9aff}password{color}": "string", "role": "string", "tokenExpirationTime": "string", "currentPassword": "string", "status": "string" }|Create a user account|
|GET|/v4/account/\{name}|token, name|null|Get the account \{name}|
|DELETE|/v4/account/\{name}|token, name|null|Delete the account \{name}|
|POST|/v4/account/\{name}/password|token, name|{ "{color:#4c9aff}currentPassword{color}": "string", "{color:#4c9aff}password{color}": "string" }|Change the password of the account \{name}|

 

*Role permission management*
||Method||Request URI||Parameter||Request Body||Description||
|GET|{color:#403294}/v4/role{color}|token|null|{color:#0747a6}Query{color} the roles in the system and the resources of each role|
|POST|{color:#403294}/v4/role{color}|token|{code:json}
{
  "roleId": "string",
  "privilege": {
    "id": "string",
    "resource": "string",
    "apiList": ["string"],
    "verbs": ["string"]
  }
}{code}|Add a new role and {color:#0747a6}add its API resource list{color}|
|PUT|{color:#403294}/v4/role/\{roleName}{color}|token|{code:json}
{
  "roleId": "string",
  "privilege": {
    "id": "string",
    "resource": "string",
    "apiList": ["string"],
    "verbs": ["string"]
  }
}{code}|Modify the {color:#0747a6}API resource list{color} the role can access|
|GET|{color:#403294}/v4/role/\{roleName}{color}|roleId, token|null|Query the {color:#0747a6}API resource list{color} the given role can access; for the admin role the {color:#0747a6}account resource{color} is also returned|
|DELETE|{color:#403294}/v4/role/\{roleName}{color}|roleId, token|null|Delete a role; the admin and developer roles cannot be deleted|

 

 

 

  was:
 
*RBAC data structures*

*Account information*
||account||password||role||createTime||...||
|{color:#4c9aff}root{color}| |{color:#4c9aff}admin{color}| | |
| | |developer| | |
| | |null| | |

1. When creating a user, the {color:#4c9aff}user name and password{color} are required.

2. Accounts can be {color:#4c9aff}added and deleted{color}; the root user cannot be deleted; the account name cannot be changed; every account supports changing its password.

3. If no role is given when an account is created, it defaults to the empty role; {color:#4c9aff}the empty role is assigned no resources and no permissions{color}.

4. When deleting an ordinary user who still has an active token, there are two options:

a) Delete directly, including the user's role (users to roles is a many-to-one relationship).

b) Invalidate the token first, then delete.

Option a is chosen: deleting a user account deletes all of the user's information.

 

*Role permissions*

*Roles and their permissions*
||role||privilege||
|admin|Allows the super user all operations on any resource on the platform.|
|developer|Allows all operations on all resources except account and the like|
|edit|Allows read/write operations on objects. It does not allow viewing or modifying roles (Roles) or role bindings (RoleBindings).|
|view|Read-only access to objects. It does not allow viewing roles (Roles) or role bindings (RoleBindings).|

Resources and their operations:
{code:json}
{
  "account": {"Verbs": ["get", "create", "update", "delete"]},
  "role":    {"Verbs": ["get", "create", "update", "delete"]},
  "service": {"Verbs": ["get", "create", "update", "delete"]},
  "edit":    {"Verbs": ["create", "update"]},
  "view":    {"Verbs": ["get"]},
  .....
}
{code}
Resources for each role (the list shows only some of the resources and APIs) and the corresponding operations:

 
||role||resource||api||verbs||
|admin|account|/v4/token, /v4/account, /v4/account/\{name}|["get", "create", "update", "delete"]|
| |role|/v4/privilege/account/role, /v4/privilege/account/role/\{roleId}|["get", "create", "update", "delete"]|
| |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
| |instance| |["get", "create", "update", "delete"]|
|developer|role|/v4/privilege/account/role, /v4/privilege/account/role/\{roleId}|["get", "create", "update", "delete"]|
| |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
| |instance| |["get", "create", "update", "delete"]|
|edit|service|/v4/\{project}/registry/microservices/\{serviceId}|["create", "update"]|
| |instance| |["create", "update"]|
|view|service|/v4/\{project}/registry/microservices|["get", "list"]|
| |instance| |["get", "list"]|
|null| | | |

 
  

{color:#4c9aff}1. The admin role{color} has the highest privilege: it allows the super user all operations on any resource on the platform, and this role cannot be modified or deleted;

  the developer role has all permissions except on the account resource, and this role also cannot be modified or deleted;

  the edit role has edit permission on some resources, but no view or delete permission;

  the view role has only view permission on some resources.

2. Users holding the admin or developer role can add and delete roles.

3. After a new role is added, it must be given a {color:#4c9aff}resource assignment{color} together with the {color:#4c9aff}API list and operations{color} for each resource; the list of service resources a role can access can be modified afterwards.

4. Deleting a role deletes the permission list of that role; accounts holding it fall back to the empty role, and an account with the empty role has no permissions at all.

 

*REST API*

*Account management (existing APIs)*

 
||Method||Request URI||Parameter||Request Body||Description||
|POST|/v4/token|null|{ "id": "string", "{color:#0747a6}name{color}": "string", "{color:#0747a6}password{color}": "string", "role": "string", "tokenExpirationTime": "string", "currentPassword": "string", "status": "string" }|The token is the only credential for accessing the REST API; before calling any other API you need to obtain a token|
|GET|/v4/account|token|null|List all user accounts|
|POST|/v4/account|token|{ "id": "string", "{color:#4c9aff}name{color}": "string", "{color:#4c9aff}password{color}": "string", "role": "string", "tokenExpirationTime": "string", "currentPassword": "string", "status": "string" }|Create a user account|
|GET|/v4/account/\{name}|token, name|null|Get the account \{name}|
|DELETE|/v4/account/\{name}|token, name|null|Delete the account \{name}|
|POST|/v4/account/\{name}/password|token, name|{ "{color:#4c9aff}currentPassword{color}": "string", "{color:#4c9aff}password{color}": "string" }|Change the password of the account \{name}|

 

*Role permission management*
||Method||Request URI||Parameter||Request Body||Description||
|GET|{color:#403294}/v4/privilege/account/role{color}|token|null|{color:#0747a6}Query{color} the roles in the system and the resources of each role|
|POST|{color:#403294}/v4/privilege/account/role{color}|token|{code:json}
{
  "roleId": "string",
  "privilege": {
    "id": "string",
    "resource": "string",
    "apiList": ["string"],
    "verbs": ["string"]
  }
}{code}|Add a new role and {color:#0747a6}add its API resource list{color}|
|PUT|{color:#403294}/v4/privilege/account/role{color}|token|{code:json}
{
  "roleId": "string",
  "privilege": {
    "id": "string",
    "resource": "string",
    "apiList": ["string"],
    "verbs": ["string"]
  }
}{code}|Modify the {color:#0747a6}API resource list{color} the role can access|
|GET|{color:#403294}/v4/privilege/account/role/\{roleId}{color}|roleId, token|null|Query the {color:#0747a6}API resource list{color} the given role can access; for the admin role the {color:#0747a6}account resource{color} is also returned|
|DELETE|{color:#403294}/v4/privilege/account/role/\{roleId}{color}|roleId, token|null|Delete a role; the admin and developer roles cannot be deleted|

 

 

 


> Supplement the role module of rbac
> ----------------------------------
>
>                 Key: SCB-2093
>                 URL: https://issues.apache.org/jira/browse/SCB-2093
>             Project: Apache ServiceComb
>          Issue Type: New Feature
>          Components: Service-Center
>            Reporter: Smart Yang
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)