hityc2019 commented on a change in pull request #736: URL: https://github.com/apache/servicecomb-service-center/pull/736#discussion_r531575013
########## File path: docs/user-guides/rbac.md ########## 
@@ -70,21 +70,111 @@ curl -X PUT \ }' ``` -### create a new account by account which has admin role +### create a new account ```shell script curl -X POST \ http://127.0.0.1:30100/v4/account \ -H 'Accept: */*' \ - -H 'Authorization: Bearer {your_token}' \ + -H 'Authorization: Bearer {root_token}' \ -H 'Content-Type: application/json' \ -d '{ "name":"peter", - "password":"{strong_password}", - "role":"developer" - + "password":"{strong_password}" }' ``` ### Roles -currently, you can not custom and manage any role and role policy. there is only 2 build in roles. rbac feature is in early development stage. -- admin: able to do anything, including manage account, even change other account password -- developer: able to call most of API except account management. except account management +currently, two default roles are provided. rbac feature is in early development stage. +You can also create new role and allocate resources to new role. + +### API and resources +All APIs of the system are divided according to their attributes. For example, resource account has the permission to create or update or delete user account when assign the corresponding permissions, resource service has all permission to create, get, add or delete microservices when permissions equal to "*". For more details to see [https://github.com/apache/servicecomb-service-center/blob/master/server/service/rbac/resource.go]() + + ```json +{ + "name": "tester", + "perms": [ + { + "resources": ["service","instance"], + "verbs": ["get", "create", "update"] + }, + { + "resources": ["rule"], + "verbs": ["get"] + } + ] +} +``` + +### create new role +1. You can add new role for user. Now, a user can be own more roles. +```shell script +curl -X POST \ + http://127.0.0.1:30100/v4/account \
Review comment: This adds two empty roles to the user at the time the user is created; these two empty roles do not have any resources yet, and it is the second step that allocates resources to the roles. As for 1. creating the role and allocating resources first, then adding the role to the user; 2. adding the empty roles to the user first, then allocating resources to the roles; my personal understanding is that both approaches are fine.
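Review bot: In the "### Roles" part of the hunk, the removed lines named the two built-in roles (admin, developer) and said what each may do, while the replacement only says "two default roles are provided", so the guide no longer tells a reader which privileges the defaults carry. The account example also drops `"role":"developer"` without saying which role, if any, the new account receives, and the heading no longer states the privilege the call needs even though the header now shows `{root_token}`. Suggest keeping the role names with their permissions, documenting what an account created without a role is allowed to do, and stating the privilege required to create an account. Separately, the resource.go link under "### API and resources" is written as `[url]()` with an empty target, so it will not resolve; and step 1 under "### create new role" posts to `/v4/account`, which reads as account creation rather than role creation, so the heading or the step order should be made to match.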
