Feat: add RBAC support (#3493)

* Feat: add the rbac data model Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add some api about the project Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add CRUD about the project and the project user Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add CRUD about the role and perm check filter function Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: update swagger config Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add default roles and perm policies Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add perm check filter for all webservice Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: change the method that find project name Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: query applications and envs by user perm Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: support get login user info Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: change default permissions Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: change PermPolicy to Permission Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Feat: add some unit test and fix the e2e test error Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: change some comment word Signed-off-by: barnettZQG <barnett.zqg@gmail.com> * Fix: e2e api path error Signed-off-by: barnettZQG <barnett.zqg@gmail.com>
2026-05-17 14:57:12 +00:00 · 2022-03-28 16:03:11 +08:00
parent 795231ceb5
commit 044c4bf73c
69 changed files with 5026 additions and 932 deletions
--- a/pkg/apiserver/model/project.go
+++ b/pkg/apiserver/model/project.go
@@ -25,6 +25,7 @@ type Project struct {
 	BaseModel
 	Name        string `json:"name"`
 	Alias       string `json:"alias"`
+	Owner       string `json:"owner"`
 	Description string `json:"description,omitempty"`
 }

@@ -49,5 +50,8 @@ func (p *Project) Index() map[string]string {
 	if p.Name != "" {
 		index["name"] = p.Name
 	}
+	if p.Owner != "" {
+		index["owner"] = p.Owner
+	}
 	return index
 }
--- a/pkg/apiserver/model/target.go
+++ b/pkg/apiserver/model/target.go
@@ -26,6 +26,7 @@ type Target struct {
 	BaseModel
 	Name        string                 `json:"name"`
 	Alias       string                 `json:"alias,omitempty"`
+	Project     string                 `json:"project"`
 	Description string                 `json:"description,omitempty"`
 	Cluster     *ClusterTarget         `json:"cluster,omitempty"`
 	Variable    map[string]interface{} `json:"variable,omitempty"`
@@ -52,6 +53,9 @@ func (d *Target) Index() map[string]string {
 	if d.Name != "" {
 		index["name"] = d.Name
 	}
+	if d.Project != "" {
+		index["project"] = d.Project
+	}
 	return index
 }

--- a/pkg/apiserver/model/user.go
+++ b/pkg/apiserver/model/user.go
@@ -27,8 +27,14 @@ import (
 func init() {
 	RegisterModel(&User{})
 	RegisterModel(&ProjectUser{})
+	RegisterModel(&Role{})
+	RegisterModel(&Permission{})
+	RegisterModel(&PermissionTemplate{})
 }

+// DefaultAdminUserName default admin user name
+const DefaultAdminUserName = "admin"
+
 // User is the model of user
 type User struct {
 	BaseModel
@@ -38,6 +44,8 @@ type User struct {
 	Password      string    `json:"password,omitempty"`
 	Disabled      bool      `json:"disabled"`
 	LastLoginTime time.Time `json:"lastLoginTime,omitempty"`
+	// UserRoles binding the platform level roles
+	UserRoles []string `json:"userRoles"`
 }

 // TableName return custom table name
@@ -70,9 +78,10 @@ func (u *User) Index() map[string]string {
 // ProjectUser is the model of user in project
 type ProjectUser struct {
 	BaseModel
-	Username    string   `json:"username"`
-	ProjectName string   `json:"projectName"`
-	UserRoles   []string `json:"userRoles"`
+	Username    string `json:"username"`
+	ProjectName string `json:"projectName"`
+	// UserRoles binding the project level roles
+	UserRoles []string `json:"userRoles"`
 }

 // TableName return custom table name
@@ -114,3 +123,140 @@ type CustomClaims struct {
 	GrantType string `json:"grantType"`
 	jwt.StandardClaims
 }
+
+// Role is a model for a new RBAC mode.
+type Role struct {
+	BaseModel
+	Name        string   `json:"name"`
+	Alias       string   `json:"alias"`
+	Project     string   `json:"project,omitempty"`
+	Permissions []string `json:"permissions"`
+}
+
+// Permission is a model for a new RBAC mode.
+type Permission struct {
+	BaseModel
+	Name      string   `json:"name"`
+	Alias     string   `json:"alias"`
+	Project   string   `json:"project,omitempty"`
+	Resources []string `json:"resources"`
+	Actions   []string `json:"actions"`
+	// Effect option values: Allow,Deny
+	Effect    string     `json:"effect"`
+	Principal *Principal `json:"principal,omitempty"`
+	Condition *Condition `json:"condition,omitempty"`
+}
+
+// Principal is a model for a new RBAC mode.
+type Principal struct {
+	// Type options: User or Role
+	Type  string   `json:"type"`
+	Names []string `json:"names"`
+}
+
+// Condition is a model for a new RBAC mode.
+type Condition struct {
+}
+
+// TableName return custom table name
+func (r *Role) TableName() string {
+	return tableNamePrefix + "role"
+}
+
+// ShortTableName return custom table name
+func (r *Role) ShortTableName() string {
+	return "role"
+}
+
+// PrimaryKey return custom primary key
+func (r *Role) PrimaryKey() string {
+	if r.Project == "" {
+		return r.Name
+	}
+	return fmt.Sprintf("%s-%s", r.Project, r.Name)
+}
+
+// Index return custom index
+func (r *Role) Index() map[string]string {
+	index := make(map[string]string)
+	if r.Name != "" {
+		index["name"] = r.Name
+	}
+	if r.Project != "" {
+		index["project"] = r.Project
+	}
+	return index
+}
+
+// TableName return custom table name
+func (p *Permission) TableName() string {
+	return tableNamePrefix + "perm"
+}
+
+// ShortTableName return custom table name
+func (p *Permission) ShortTableName() string {
+	return "perm"
+}
+
+// PrimaryKey return custom primary key
+func (p *Permission) PrimaryKey() string {
+	if p.Project == "" {
+		return p.Name
+	}
+	return fmt.Sprintf("%s-%s", p.Project, p.Name)
+}
+
+// Index return custom index
+func (p *Permission) Index() map[string]string {
+	index := make(map[string]string)
+	if p.Name != "" {
+		index["name"] = p.Name
+	}
+	if p.Project != "" {
+		index["project"] = p.Project
+	}
+	if p.Principal != nil && p.Principal.Type != "" {
+		index["principal.type"] = p.Principal.Type
+	}
+	return index
+}
+
+// PermissionTemplate is a model for a new RBAC mode.
+type PermissionTemplate struct {
+	BaseModel
+	Name  string `json:"name"`
+	Alias string `json:"alias"`
+	// Scope options: project or platform
+	Scope     string     `json:"scope"`
+	Resources []string   `json:"resources"`
+	Actions   []string   `json:"actions"`
+	Effect    string     `json:"effect"`
+	Condition *Condition `json:"condition,omitempty"`
+}
+
+// TableName return custom table name
+func (p *PermissionTemplate) TableName() string {
+	return tableNamePrefix + "perm_temp"
+}
+
+// ShortTableName return custom table name
+func (p *PermissionTemplate) ShortTableName() string {
+	return "perm_temp"
+}
+
+// PrimaryKey return custom primary key
+func (p *PermissionTemplate) PrimaryKey() string {
+	return p.Name
+}
+
+// Index return custom index
+func (p *PermissionTemplate) Index() map[string]string {
+	index := make(map[string]string)
+	if p.Name != "" {
+		index["name"] = p.Name
+	}
+	if p.Scope != "" {
+		index["scope"] = p.Scope
+	}
+	return index
+}