tianxiaoliang commented on a change in pull request #736:
URL: https://github.com/apache/servicecomb-service-center/pull/736#discussion_r519689528



##########
File path: docs/user-guides/rbac.md
##########
@@ -85,6 +85,74 @@ curl -X POST \
 }'
 ```
 ### Roles 
-currently, you can not custom and manage any role and role policy. there is 
only 2 build in roles. rbac feature is in early development stage.
+currently, two default roles are provided. rbac feature is in early 
development stage.
 - admin: able to do anything, including manage account, even change other 
account password
 - developer: able to call most of API except account management. except 
account management
+You can also create new role and allocate resources to new role.
+
+### API and resources
+All APIs of the system are divided according to their attributes. For example, 
<u>_/v4/account/:name_</u> belong to resource type of **account**, has the 
permission to create or delete user account, 
<u>_/v4/account/:name/password_</u> belong to resource type of **account**, has 
the permission to change user password, 
<u>_/v4/:project/registry/microservices_</u> belong to resource type of 
**service**, has the permission to create, add or delete microservices. For 
more details to see 
[https://github.com/apache/servicecomb-service-center/blob/master/pkg/rbacframe/resource.go]()
+
+```json
+{
+ "resources": [ "account",  "service"],
+ "permissions": {
+                "/v4/account/:name": "get,delete",
+                "/v4/account/:name/password": "create",
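Review bot: The JSON example at the end of the hunk does not agree with the prose two paragraphs above it: the text says `/v4/account/:name` carries the permission to create or delete a user account, but the example gives it `"get,delete"`, and the text describes `/v4/:project/registry/microservices` as "create, add or delete" (where "create" and "add" are the same thing) while the example lists `get,create,delete`; settle on one verb set per path and use it in both places. The "For more details" link is written as `[https://...rbacframe/resource.go]()` with an empty target, so it renders as a dead link; put the URL in the parentheses or paste it bare. Smaller wording fixes on the same lines: "belong to resource type of" should read "belongs to the resource type", "For more details to see" should read "For more details, see", and the unchanged developer bullet still ends with a duplicated "except account management".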

Review comment:
    This part should be design documentation, not user documentation.

    Which resource an API maps to is built into the code; there is no interface exposed to end users, and users cannot define custom resources.


##########
File path: docs/user-guides/rbac.md
##########
@@ -85,6 +85,74 @@ curl -X POST \
 }'
 ```
 ### Roles 
-currently, you can not custom and manage any role and role policy. there is 
only 2 build in roles. rbac feature is in early development stage.
+currently, two default roles are provided. rbac feature is in early 
development stage.
 - admin: able to do anything, including manage account, even change other 
account password
 - developer: able to call most of API except account management. except 
account management
+You can also create new role and allocate resources to new role.
+
+### API and resources
+All APIs of the system are divided according to their attributes. For example, 
<u>_/v4/account/:name_</u> belong to resource type of **account**, has the 
permission to create or delete user account, 
<u>_/v4/account/:name/password_</u> belong to resource type of **account**, has 
the permission to change user password, 
<u>_/v4/:project/registry/microservices_</u> belong to resource type of 
**service**, has the permission to create, add or delete microservices. For 
more details to see 
[https://github.com/apache/servicecomb-service-center/blob/master/pkg/rbacframe/resource.go]()
+
+```json
+{
+ "resources": [ "account",  "service"],
+ "permissions": {
+                "/v4/account/:name": "get,delete",
+                "/v4/account/:name/password": "create",
+                "/v4/:project/registry/microservices": "get,create,delete"
+            }
+}
+```
+
+### create new role 
+you can add new role for user.
+```shell script
+curl -X POST \
+  http://127.0.0.1:30100/v4/account \
+  -H 'Accept: */*' \
+  -H 'Authorization: Bearer {your_token}' \
+  -H 'Content-Type: application/json' \
+  -d '{
+       "name":"dev_test",
+       "password":"{strong_password}",
+       "role":"tester"
+}'
+```
+then, allocate resources to new role
+```shell script
+curl -X POST \
+  http://127.0.0.1:30100/v4/role \
+  -H 'Accept: */*' \
+  -H 'Authorization: Bearer {your_token}' \
+  -H 'Content-Type: application/json' \
+  -d '{
+         "name": "tester",
+      "resources": ["services", "instance"],
+      "permissions": {
+             "/v4/:project/registry/microservices/:serviceId/instances": 
"get,create",
+             
"/v4/:project/registry/microservices/:serviceId/instances/:instanceId": "get, 
delete",
+             
"/v4/:project/registry/microservices/:serviceId/instances/:instanceId/heartbeat":
 "update",
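Review bot: Under "create new role" the first request POSTs to `/v4/account` with `"role":"tester"` before the second request creates the `tester` role via `/v4/role`; swap the two so the role exists before any account refers to it, and state in the text that the role is created first (the heading promises role creation but the section opens with account creation). The role body names the resource `"services"` while the "API and resources" section above calls the type `service`; the two must use the same name, otherwise a reader cannot tell which one the server expects. Minor: `"get, delete"` carries a space that the other permission strings do not, and the nested JSON indentation is uneven; normalize both so the example can be pasted as-is.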

Review comment:
    This kind of definition also does not match my expectations; a role should only correspond to action permissions on a resource, and should not involve API definitions.




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
