[ https://issues.apache.org/jira/browse/SCB-2093?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
little-cui resolved SCB-2093.
-----------------------------
    Fix Version/s: service-center-2.0.0
       Resolution: Fixed

> Supplement the role module of rbac
> ----------------------------------
>
>                 Key: SCB-2093
>                 URL: https://issues.apache.org/jira/browse/SCB-2093
>             Project: Apache ServiceComb
>          Issue Type: New Feature
>          Components: Service-Center
>            Reporter: Smart Yang
>            Priority: Major
>             Fix For: service-center-2.0.0
>
>
> *RBAC data structure*
>
> *Account information*
>
> ||account||password||role||createTime||...||
> |root| |admin| | |
> | | |developer| | |
> | | |null| | |
>
> 1. When creating a user, the username and password are required.
> 2. Accounts can be created and deleted; the root user cannot be deleted; the account name cannot be modified; every account supports changing its password.
> 3. If no role is given when an account is created, it defaults to the empty role; the empty role is assigned no resources and no permissions.
> 4. When deleting an ordinary user that still has an active token, there are two options:
>    a) Delete it outright, including the user's role (users map to roles many-to-one)
>    b) Invalidate the token first, then delete
>    Option a is chosen: deleting a user account deletes all of the user's information.
>
> *Role permissions*
>
> *Roles and their permissions*
>
> ||role||privilege||
> |admin|Allows the superuser every operation on any resource on the platform.|
> |developer|Allows every operation except on the account resource and the like.|
> | | |
>
> Resources and their operations:
> {code:json}
> {
>     "account": {Verbs: ["get", "create", "update", "delete"]},
>     "role": {Verbs: ["get", "create", "update", "delete"]},
>     "service": {Verbs: ["get", "create", "update", "delete"]},
>     "edit": {Verbs: ["create", "update"]},
>     "view": {Verbs: ["get"]},
>     .....
> }
> {code}
>
> Resources per role (the list shows only part of the resources and APIs) and the corresponding operations:
>
> ||role||resource||api||verbs||
> |admin|account|/v4/token, /v4/account, /v4/account/\{name}|["get", "create", "update", "delete"]|
> | |role|/v4/role, /v4/role/\{roleName}|["get", "create", "update", "delete"]|
> | |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
> | |instance| |["get", "create", "update", "delete"]|
> |developer|role|/v4/role, /v4/role/\{roleName}|["get", "create", "update", "delete"]|
> | |service|/v4/\{project}/registry/microservices, /v4/\{project}/registry/microservices/\{serviceId}|["get", "create", "update", "delete"]|
> | |instance| |["get", "create", "update", "delete"]|
> |edit|service|/v4/\{project}/registry/microservices/\{serviceId}|["create", "update"]|
> | |instance| |["create", "update"]|
> |view|service|/v4/\{project}/registry/microservices|["get", "list"]|
> | |instance| |["get", "list"]|
> |null| | | |
>
> 1. The admin role has the highest privileges: it allows the superuser every operation on any resource on the platform, and the role cannot be modified or deleted.
>    The developer role has every permission except on the account resource, and this role also cannot be modified or deleted.
>    The edit role has edit permission on some resources but no view or delete permission.
>    The view role has only view permission on some resources.
> 2. Users holding the admin or developer role can add and delete roles.
> 3. After a new role is added, it must be assigned resources, together with the API list and operations for each resource; the list of service resources a role may access can be modified.
> 4. Deleting a role deletes the permission list of that role; accounts holding that role become the empty role, and an account with the empty role has no permissions.
>
> *REST API*
>
> *Account management (existing APIs)*
>
> ||Method||Request URI||Parameter||Request Body||Description||
> |POST|/v4/token|null|{ "id": "string", "name": "string", "password": "string", "role": "string", "tokenExprirationTime": "string", "currentPassword": "string", "status": "string" }|The token is the only credential for accessing the REST API; before you access any API you need to get a token.|
> |GET|/v4/account|token|null|List all user accounts.|
> |POST|/v4/account|token|{ "id": "string", "name": "string", "password": "string", "role": "string", "tokenExprirationTime": "string", "currentPassword": "string", "status": "string" }|Create a user account.|
> |GET|/v4/account/\{name}|token, name|null| |
> |DELETE|/v4/account/\{name}|token, name|null| |
> |POST|/v4/account/\{name}/password|token, name|{ "currentPassword": "string", "password": "string" }| |
>
> *Role permission management*
>
> ||Method||Request URI||Parameter||Request Body||Description||
> |GET|/v4/role|token|null|Query the system's roles and the resources of each role.|
> |POST|/v4/role|token|{code:java}
> {
>     roleId: "string"
>     privilege: {
>         id:
>         resource:
>         apiList:
>         verbs:
>     }
> }{code}|Add a new role and attach its API resource list.|
> |PUT|/v4/role/\{roleName}|token|{code:java}
> {
>     roleId: "string"
>     privilege: {
>         id:
>         resource:
>         apiList:
>         verbs:
>     }
> }{code}|Modify the API resource list the role may access.|
> |GET|/v4/role/\{roleName}|roleId, token|null|Query the API resource list the given role may access; for the admin role the account resource is also returned.|
> |DELETE|/v4/role/\{roleName}|roleId, token|null|Delete a role; the admin and developer roles cannot be deleted.|



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
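The role and account rules in the design above can be exercised against a small in-memory model. The Go program below is an added example written for this page; it is not code from Apache ServiceComb Service-Center, and the `Store` type, its method names, the `Builtin` flag and the sentinel `errForbidden` are assumptions made for illustration. It encodes the role table (admin, developer, edit, view and the empty role), the rules that root cannot be deleted and that admin/developer cannot be deleted, the default to the empty role when an account is created without one, and the cascade that demotes accounts to the empty role when their role is deleted.

```go
package main

import (
	"errors"
	"fmt"
)

// Privilege is one row of the resource/verb table: a resource and the verbs allowed on it.
type Privilege struct {
	Resource string
	Verbs    []string
}

// Role carries a privilege list; Builtin marks admin and developer, which cannot be modified or deleted.
type Role struct {
	Name       string
	Privileges []Privilege
	Builtin    bool
}

// Account binds a name to a single role; Role == "" is the empty role (no resources, no permissions).
type Account struct {
	Name string
	Role string
}

// Store is a hypothetical in-memory stand-in for the account and role tables.
type Store struct {
	roles    map[string]*Role
	accounts map[string]*Account
}

var errForbidden = errors.New("operation not allowed")

func allVerbs() []string { return []string{"get", "create", "update", "delete"} }

// NewStore seeds the roles from the design and the root account holding admin.
func NewStore() *Store {
	s := &Store{roles: map[string]*Role{}, accounts: map[string]*Account{}}
	s.roles["admin"] = &Role{Name: "admin", Builtin: true, Privileges: []Privilege{
		{"account", allVerbs()}, {"role", allVerbs()}, {"service", allVerbs()}, {"instance", allVerbs()}}}
	s.roles["developer"] = &Role{Name: "developer", Builtin: true, Privileges: []Privilege{
		{"role", allVerbs()}, {"service", allVerbs()}, {"instance", allVerbs()}}} // no account resource
	s.roles["edit"] = &Role{Name: "edit", Privileges: []Privilege{
		{"service", []string{"create", "update"}}, {"instance", []string{"create", "update"}}}}
	s.roles["view"] = &Role{Name: "view", Privileges: []Privilege{
		{"service", []string{"get", "list"}}, {"instance", []string{"get", "list"}}}}
	s.accounts["root"] = &Account{Name: "root", Role: "admin"}
	return s
}

// Allowed reports whether the account may perform verb on resource.
// Unknown accounts, the empty role and dangling role names all deny.
func (s *Store) Allowed(account, resource, verb string) bool {
	a, ok := s.accounts[account]
	if !ok || a.Role == "" {
		return false
	}
	r, ok := s.roles[a.Role]
	if !ok {
		return false
	}
	for _, p := range r.Privileges {
		if p.Resource != resource {
			continue
		}
		for _, v := range p.Verbs {
			if v == verb {
				return true
			}
		}
	}
	return false
}

// CreateAccount requires name and password; an omitted role means the empty role.
func (s *Store) CreateAccount(name, password, role string) error {
	if name == "" || password == "" {
		return errors.New("name and password are required")
	}
	if _, exists := s.accounts[name]; exists {
		return errors.New("account already exists")
	}
	if _, ok := s.roles[role]; role != "" && !ok {
		return errors.New("unknown role")
	}
	s.accounts[name] = &Account{Name: name, Role: role}
	return nil
}

// DeleteAccount refuses root; otherwise the account record, and with it the role binding, is removed outright (option a).
func (s *Store) DeleteAccount(name string) error {
	if name == "root" {
		return errForbidden
	}
	if _, ok := s.accounts[name]; !ok {
		return errors.New("no such account")
	}
	delete(s.accounts, name)
	return nil
}

// DeleteRole refuses admin and developer; any other role loses its privilege list and
// every account holding it is demoted to the empty role.
func (s *Store) DeleteRole(name string) error {
	r, ok := s.roles[name]
	if !ok {
		return errors.New("no such role")
	}
	if r.Builtin {
		return errForbidden
	}
	delete(s.roles, name)
	for _, a := range s.accounts {
		if a.Role == name {
			a.Role = ""
		}
	}
	return nil
}

func main() {
	s := NewStore()
	_ = s.CreateAccount("alice", "s3cret", "edit") // constructed sample account
	fmt.Println("alice update service:", s.Allowed("alice", "service", "update"))
	fmt.Println("alice get service:", s.Allowed("alice", "service", "get"))
	fmt.Println("delete admin role:", s.DeleteRole("admin"))
	fmt.Println("delete edit role:", s.DeleteRole("edit"))
	fmt.Println("alice update service after role removal:", s.Allowed("alice", "service", "update"))
	fmt.Println("delete root:", s.DeleteAccount("root"))
}
```

The check in `Allowed` is deliberately closed by default: an account whose role was deleted falls through the `s.roles` lookup and is denied, which is the behaviour the design asks for when a role is removed under live accounts.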