Auth Permission and Authentication Module Architecture Document
Module role: Auth is the core permission and authentication module of BK-CI. It is responsible for user authentication, permission checks, user group management and OAuth2 authentication, and implements an RBAC (role-based access control) model.
1. Overall module structure
1.1 Submodule layout
src/backend/ci/core/auth/
├── api-auth/                     # API interface definitions
│   └── src/main/kotlin/com/tencent/devops/auth/
│       ├── api/
│       │   ├── callback/         # Callback interfaces (IAM, ITSM)
│       │   ├── login/            # Login interfaces
│       │   ├── manager/          # Administrator interfaces
│       │   ├── migrate/          # Migration interfaces
│       │   ├── oauth2/           # OAuth2 interfaces
│       │   ├── op/               # Operations (ops) interfaces
│       │   ├── open/             # Open (external) interfaces
│       │   ├── service/          # Inter-service call interfaces
│       │   ├── sync/             # Sync interfaces
│       │   └── user/             # User interfaces
│       ├── constant/             # Constant definitions
│       └── pojo/                 # Data objects
│
├── biz-auth/                     # Business logic layer
│   └── src/main/kotlin/com/tencent/devops/auth/
│       ├── aspect/               # AOP aspects
│       ├── common/               # Common configuration
│       ├── cron/                 # Scheduled tasks
│       ├── dao/                  # Data access layer (40+ files)
│       ├── entity/               # Entity definitions
│       ├── filter/               # Filters
│       ├── provider/
│       │   ├── rbac/             # RBAC implementation (core)
│       │   └── sample/           # Sample implementation
│       ├── refresh/              # Refresh mechanism
│       ├── resources/            # API implementations
│       ├── service/              # Business services (30+ files)
│       ├── sharding/             # Sharding strategy
│       └── utils/                # Utility classes
│
├── boot-auth/                    # Spring Boot bootstrap module
└── model-auth/                   # Data model layer (generated by JOOQ)
1.2 Module responsibility matrix
| Module | Responsibility | Core classes |
| --- | --- | --- |
| api-auth | REST API interface definitions | 50+ |
| biz-auth | Business logic, RBAC implementation | 150+ |
| model-auth | JOOQ data model | Generated automatically |
2. Core concepts
2.1 RBAC permission model
┌─────────────────────────────────────────────────────────────────────────┐
│                        BK-CI RBAC permission model                      │
├─────────────────────────────────────────────────────────────────────────┤
│                                                                         │
│  ┌──────────┐       ┌──────────────┐       ┌──────────────┐             │
│  │   User   │──────►│    Group     │──────►│    Policy    │             │
│  └──────────┘       └──────────────┘       └──────────────┘             │
│       │                    │                      │                     │
│       │                    │                      ▼                     │
│       │                    │           ┌──────────────────┐             │
│       │                    │           │      Action      │             │
│       │                    │           │ create/view/edit │             │
│       │                    │           │  delete/execute  │             │
│       │                    │           └────────┬─────────┘             │
│       │                    │                    │                       │
│       ▼                    ▼                    ▼                       │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │                             Resource                              │  │
│  │   ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐                 │  │
│  │   │ project │ │pipeline │ │  repo   │ │   env   │  ...            │  │
│  │   └─────────┘ └─────────┘ └─────────┘ └─────────┘                 │  │
│  └───────────────────────────────────────────────────────────────────┘  │
│                                                                         │
└─────────────────────────────────────────────────────────────────────────┘
2.2 Core entities and their relationships
| Entity | Description | Table |
| --- | --- | --- |
| User | System user | T_AUTH_USER_INFO |
| Group | Permission group; bound to permission policies | T_AUTH_RESOURCE_GROUP |
| Member | User-to-group membership | T_AUTH_RESOURCE_GROUP_MEMBER |
| Resource | Managed resource | T_AUTH_RESOURCE |
| Action | Operation on a resource | T_AUTH_ACTION |
| Permission | A group's permission on a resource | T_AUTH_RESOURCE_GROUP_PERMISSION |
2.3 Default user group types
enum class DefaultGroupType {
MANAGER,
DEVELOPER,
MAINTAINER,
TESTER,
PM,
QC,
VIEWER
}
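To make the entity model of 2.2 concrete, here is an added example (not BK-CI code; the project is written in Kotlin, this is Python so it runs stand-alone) that keeps a few rows of T_AUTH_RESOURCE_GROUP_MEMBER and T_AUTH_RESOURCE_GROUP_PERMISSION in memory and derives an allow/deny decision from them. The sample rows, the `*` wildcard for RESOURCE_CODE and the `<resource_type>_<permission>` action naming are assumptions made for the illustration; the one thing worth noticing is that an expired membership (EXPIRED_TIME in the past) must drop out of the decision.

```python
# Added example, not BK-CI code: an in-memory model of the membership and
# permission tables from 2.2 / 4.1, used to derive one allow/deny decision.
# The rows, the "*" wildcard for RESOURCE_CODE and the "<type>_<permission>"
# action naming are assumptions for illustration.
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class GroupMember:                 # row of T_AUTH_RESOURCE_GROUP_MEMBER
    project_code: str
    iam_group_id: int
    member_id: str
    member_type: str               # "user" here; the real table also holds other member types
    expired_time: datetime


@dataclass(frozen=True)
class GroupPermission:             # row of T_AUTH_RESOURCE_GROUP_PERMISSION
    project_code: str
    iam_group_id: int
    resource_type: str
    resource_code: str             # "*" = every resource of that type (assumption)
    action: str


NOW = datetime(2025, 1, 1)

# Constructed sample data: group 101 may execute every pipeline in proj-a,
# group 102 may execute only pipeline p-1; bob's membership of 102 has expired.
MEMBERS = [
    GroupMember("proj-a", 101, "alice", "user", datetime(2099, 1, 1)),
    GroupMember("proj-a", 102, "bob", "user", datetime(2020, 1, 1)),
    GroupMember("proj-a", 102, "carol", "user", datetime(2099, 1, 1)),
]
PERMISSIONS = [
    GroupPermission("proj-a", 101, "pipeline", "*", "pipeline_execute"),
    GroupPermission("proj-a", 102, "pipeline", "p-1", "pipeline_execute"),
]


def active_groups(user, project_code, now=NOW):
    """IAM group ids the user belongs to in this project, ignoring expired memberships."""
    return {
        m.iam_group_id for m in MEMBERS
        if m.project_code == project_code and m.member_id == user
        and m.member_type == "user" and m.expired_time > now
    }


def is_allowed(user, project_code, resource_type, resource_code, action, now=NOW):
    """True when any non-expired group of the user grants `action` on the resource."""
    groups = active_groups(user, project_code, now)
    if not groups:
        return False                        # not a member of any group in this project
    return any(
        p.project_code == project_code and p.iam_group_id in groups
        and p.resource_type == resource_type and p.action == action
        and p.resource_code in ("*", resource_code)
        for p in PERMISSIONS
    )
```

The decision is made entirely from group membership: a user never holds a permission directly, which is why "grant a user permission" in the FAQ means "add the user to a group".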
3. Layered architecture diagram
┌─────────────────────────────────────────────────────────────────────────┐
│                              Request entry                              │
│        HTTP request / inter-service call / IAM callback / OAuth2        │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                           API layer (api-auth)                          │
│  ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐   │
│  │UserAuth      │ │ServicePerm   │ │OpenProject   │ │Oauth2Service │   │
│  │ApplyResource │ │AuthResource  │ │AuthResource  │ │EndpointRes   │   │
│  │(permission   │ │(inter-service│ │(open project │ │(OAuth2       │   │
│  │ requests)    │ │ authz)       │ │ permissions) │ │ auth)        │   │
│  └──────────────┘ └──────────────┘ └──────────────┘ └──────────────┘   │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                         Business layer (biz-auth)                       │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ ResourceImpl layer                                                │  │
│  │ ServicePermissionAuthResourceImpl | OpenProjectAuthResourceImpl   │  │
│  └───────────────────────────────────────────────────────────────────┘  │
│                                    │                                    │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ RBAC provider layer (core)                                        │  │
│  │ RbacPermissionService               - core permission checks      │  │
│  │ RbacPermissionResourceGroupService  - user group management       │  │
│  │ RbacPermissionResourceMemberService - group member management     │  │
│  │ RbacPermissionResourceService       - resource management         │  │
│  │ PermissionGradeManagerService       - grade manager service       │  │
│  └───────────────────────────────────────────────────────────────────┘  │
│                                    │                                    │
│  ┌───────────────────────────────────────────────────────────────────┐  │
│  │ Common service layer                                              │  │
│  │ PermissionAuthorizationService - resource authorization           │  │
│  │ AuthDeptServiceImpl            - department service               │  │
│  │ ManagerUserService             - administrator users              │  │
│  │ StrategyService                - permission strategies            │  │
│  │ AuthMonitorSpaceService        - monitoring spaces                │  │
│  └───────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                         DAO layer (biz-auth/dao)                        │
│  AuthResourceGroupDao | AuthResourceGroupMemberDao | AuthResourceDao    │
│  AuthAuthorizationDao | AuthOauth2ClientDetailsDao | ...                │
└─────────────────────────────────────────────────────────────────────────┘
                                    │
                                    ▼
┌─────────────────────────────────────────────────────────────────────────┐
│                     Data layer (model-auth + MySQL)                     │
│                  Database: devops_ci_auth (30+ tables)                  │
└─────────────────────────────────────────────────────────────────────────┘
4. Core database tables
4.1 User group tables
| Table | Description | Key columns |
| --- | --- | --- |
| T_AUTH_RESOURCE_GROUP | Resource user groups | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, GROUP_CODE, GROUP_NAME, IAM_GROUP_ID |
| T_AUTH_RESOURCE_GROUP_MEMBER | Group membership | ID, PROJECT_CODE, IAM_GROUP_ID, MEMBER_ID, MEMBER_TYPE, EXPIRED_TIME |
| T_AUTH_RESOURCE_GROUP_PERMISSION | Group permissions | ID, PROJECT_CODE, RESOURCE_TYPE, IAM_GROUP_ID, ACTION, RESOURCE_CODE |
| T_AUTH_RESOURCE_GROUP_CONFIG | Group configuration | ID, RESOURCE_TYPE, GROUP_CODE, GROUP_NAME, ACTIONS |
4.2 Resource tables
| Table | Description | Key columns |
| --- | --- | --- |
| T_AUTH_RESOURCE | Resource records | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, RESOURCE_NAME, IAM_RESOURCE_CODE |
| T_AUTH_RESOURCE_TYPE | Resource types | ID, RESOURCE_TYPE, NAME, PARENT, SYSTEM |
| T_AUTH_ACTION | Action definitions | ACTION, RESOURCE_TYPE, ACTION_NAME, ACTION_TYPE |
4.3 Authorization tables
| Table | Description | Key columns |
| --- | --- | --- |
| T_AUTH_AUTHORIZATION | Resource authorization (handover) | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, HANDOVER_FROM, HANDOVER_TO |
| T_AUTH_IAM_CALLBACK | IAM callback registrations | ID, GATEWAY, PATH, RESOURCE, SYSTEM |
4.4 OAuth2 tables
| Table | Description |
| --- | --- |
| T_AUTH_OAUTH2_CLIENT_DETAILS | OAuth2 client details |
| T_AUTH_OAUTH2_ACCESS_TOKEN | Access tokens |
| T_AUTH_OAUTH2_REFRESH_TOKEN | Refresh tokens |
| T_AUTH_OAUTH2_CODE | Authorization codes |
| T_AUTH_OAUTH2_SCOPE | Authorization scopes |
5. Core class quick reference
5.1 API interface layer
| Class | Path prefix | Responsibility |
| --- | --- | --- |
| ServicePermissionAuthResource | /service/auth/permission | Inter-service permission checks |
| ServiceProjectAuthResource | /service/auth/project | Inter-service project permissions |
| ServiceResourceGroupResource | /service/auth/resource/group | User group management |
| ServiceResourceMemberResource | /service/auth/resource/member | Group member management |
| UserAuthApplyResource | /user/auth/apply | User permission requests |
| UserAuthAuthorizationResource | /user/auth/authorization | User authorization management |
| OpenPermissionAuthResource | /open/auth/permission | Open permission interface |
| OpenProjectAuthResource | /open/auth/project | Open project permissions |
| Oauth2ServiceEndpointResource | /service/oauth2 | OAuth2 service endpoints |
5.2 RBAC provider layer (core services)
| Class | File size | Responsibility |
| --- | --- | --- |
| RbacPermissionService | 32KB | Core permission checks; talks to the IAM SDK |
| RbacPermissionResourceGroupService | 33KB | User group CRUD |
| RbacPermissionResourceMemberService | 29KB | Group member management |
| RbacPermissionResourceService | 21KB | Resource registration and management |
| RbacPermissionManageFacadeServiceImpl | 117KB | Permission management facade (largest) |
| RbacPermissionResourceGroupPermissionService | 39KB | Group permission management |
| RbacPermissionResourceGroupSyncService | 37KB | Group synchronization |
| PermissionGradeManagerService | 27KB | Grade managers |
| RbacPermissionApplyService | 30KB | Permission request service |
5.3 Common service layer
| Class | Responsibility |
| --- | --- |
| PermissionAuthorizationServiceImpl | Resource authorization (delegated holder) management |
| AuthDeptServiceImpl | Department information |
| ManagerUserService | Super administrator management |
| StrategyService | Permission strategy management |
| ThirdLoginService | Third-party login |
| AuthUserBlackListService | User blacklist |
5.4 DAO layer
| Class | File size | Responsibility |
| --- | --- | --- |
| AuthResourceGroupMemberDao | 34KB | Group member data access (largest) |
| AuthResourceGroupDao | 19KB | User group data access |
| AuthResourceDao | 15KB | Resource data access |
| AuthResourceGroupPermissionDao | 11KB | Group permission data access |
| AuthAuthorizationDao | 10KB | Authorization data access |
6. Core flows
6.1 Permission check flow
User request
    │
    ▼
ServicePermissionAuthResource.validateUserResourcePermission()
    │
    ▼
ServicePermissionAuthResourceImpl
    │
    ▼
RbacPermissionService.validateUserResourcePermission()
    │
    ├──► Check whether the user is a super administrator (SuperManagerService)
    ├──► Check the project-member cache (BkInternalPermissionCache)
    │
    ▼
AuthHelper.isAllowed() → IAM SDK
    │
    ├──► Build the ActionDTO (action)
    ├──► Build the ResourceDTO (resource)
    └──► Call the IAM policy engine
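The order of the three checks above matters for both latency and correctness, so here is an added example (not BK-CI code; written in Python rather than the project's Kotlin so it runs stand-alone) that models them: a super-administrator short-circuit, a TTL cache standing in for BkInternalPermissionCache, and an injected callable standing in for AuthHelper.isAllowed() and the IAM policy engine. Treating a cached "not a project member" as a refusal before any IAM round trip is an assumption about the real service, as are all names in the block. The part a practitioner should take from it is the stale window: once a member is removed, the cached answer keeps saying "member" until the TTL expires or the entry is actively invalidated, which is why the FAQ's "active refresh" exists.

```python
# Added example, not BK-CI code: the check order of section 6.1 modelled in
# Python. SuperManagerService, BkInternalPermissionCache and the IAM policy
# engine are replaced by a set, a TTL dictionary and an injected callable.
import time


class TtlCache:
    """Stand-in for BkInternalPermissionCache: key -> (value, expiry timestamp)."""

    def __init__(self, ttl_seconds, clock=time.monotonic):
        self.ttl = ttl_seconds
        self.clock = clock
        self._entries = {}

    def get(self, key):
        hit = self._entries.get(key)
        if hit is None:
            return None
        value, expires_at = hit
        if expires_at <= self.clock():
            del self._entries[key]          # lazy expiry on read
            return None
        return value

    def put(self, key, value):
        self._entries[key] = (value, self.clock() + self.ttl)

    def invalidate(self, key):
        """Active refresh: drop the entry when membership changes."""
        self._entries.pop(key, None)


class PermissionChecker:
    def __init__(self, super_managers, project_members, policy_engine, cache):
        self.super_managers = set(super_managers)
        self.project_members = project_members      # project_code -> set of user ids
        self.policy_engine = policy_engine          # (user, project, rtype, rcode, action) -> bool
        self.cache = cache
        self.policy_calls = 0                       # how often the "IAM" engine was consulted

    def is_project_member(self, user, project_code):
        key = f"member:{project_code}:{user}"
        cached = self.cache.get(key)
        if cached is None:
            cached = user in self.project_members.get(project_code, set())
            self.cache.put(key, cached)
        return cached

    def validate_user_resource_permission(self, user, project_code, resource_type, resource_code, action):
        # 1. super administrators bypass every other check
        if user in self.super_managers:
            return True
        # 2. non-members are refused before any IAM round trip (assumed fast path)
        if not self.is_project_member(user, project_code):
            return False
        # 3. everything else is decided by the policy engine
        self.policy_calls += 1
        return self.policy_engine(user, project_code, resource_type, resource_code, action)


def demo():
    """Constructed scenario; returns (alice, bob, root, stale_after_removal, after_invalidate, policy_calls)."""
    now = [1000.0]
    cache = TtlCache(ttl_seconds=60, clock=lambda: now[0])
    members = {"proj-a": {"alice"}}
    engine = lambda user, project, rtype, rcode, action: user == "alice" and action == "pipeline_execute"
    checker = PermissionChecker({"root"}, members, engine, cache)
    alice = checker.validate_user_resource_permission("alice", "proj-a", "pipeline", "p-1", "pipeline_execute")
    bob = checker.validate_user_resource_permission("bob", "proj-a", "pipeline", "p-1", "pipeline_execute")
    root = checker.validate_user_resource_permission("root", "proj-a", "pipeline", "p-1", "pipeline_execute")
    # alice is removed from the project, but the cached "True" survives until TTL or invalidation
    members["proj-a"].discard("alice")
    stale = checker.is_project_member("alice", "proj-a")
    cache.invalidate("member:proj-a:alice")
    fresh = checker.is_project_member("alice", "proj-a")
    return alice, bob, root, stale, fresh, checker.policy_calls
```

Whatever updates group membership (RbacPermissionResourceMemberService in the real module) must therefore also evict the cache entry for that user and project; a TTL alone leaves a window during which a removed user is still treated as a member.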
6.2 User group creation flow
UserAuthApplyResource.createGroup()
    │
    ▼
RbacPermissionResourceGroupService.createGroup()
    │
    ├──► Validate the group name length (5-32 characters)
    ├──► Check that the group name is not already taken
    │
    ▼
iamV2ManagerService.createRoleGroup() → IAM SDK
    │
    ▼
authResourceGroupDao.create() → persist to the local database
    │
    ▼
permissionResourceGroupPermissionService.grantGroupPermission() → grant permissions
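The sequence above writes to two systems, IAM first and the local database second, so an added example follows (not BK-CI code; Python stand-ins for iamV2ManagerService and authResourceGroupDao rather than the project's Kotlin). The validation rules are the two listed in the flow; the compensating delete of the IAM group when the local save fails is an added practitioner caveat, not something the page states about the real service, and every class and method name in the block is an assumption.

```python
# Added example, not BK-CI code: the group-creation sequence of section 6.2
# with in-memory stand-ins for the IAM V2 manager client and the group DAO.
# The rollback of the IAM group on local-save failure is an added caveat.
class GroupNameError(ValueError):
    pass


class FakeIamManager:
    """Stand-in for iamV2ManagerService: hands out IAM group ids."""

    def __init__(self):
        self.groups = {}
        self._next_id = 1000

    def create_role_group(self, project_code, group_name):
        self._next_id += 1
        self.groups[self._next_id] = (project_code, group_name)
        return self._next_id

    def delete_role_group(self, iam_group_id):
        self.groups.pop(iam_group_id, None)


class FakeGroupDao:
    """Stand-in for authResourceGroupDao over T_AUTH_RESOURCE_GROUP."""

    def __init__(self, fail_on_create=False):
        self.rows = []
        self.fail_on_create = fail_on_create

    def exists(self, project_code, group_name):
        return any(r["PROJECT_CODE"] == project_code and r["GROUP_NAME"] == group_name
                   for r in self.rows)

    def create(self, project_code, iam_group_id, group_name):
        if self.fail_on_create:
            raise RuntimeError("database unavailable")
        self.rows.append({"PROJECT_CODE": project_code, "IAM_GROUP_ID": iam_group_id,
                          "GROUP_NAME": group_name})


def create_group(project_code, group_name, actions, iam, dao, group_permissions):
    """Validate the name, reject duplicates, create in IAM, persist locally, grant actions."""
    name = group_name.strip()
    if not 5 <= len(name) <= 32:
        raise GroupNameError("group name must be 5-32 characters")
    if dao.exists(project_code, name):
        raise GroupNameError("group name already exists in this project")
    iam_group_id = iam.create_role_group(project_code, name)
    try:
        dao.create(project_code, iam_group_id, name)
    except Exception:
        iam.delete_role_group(iam_group_id)   # do not leave an orphan group in IAM
        raise
    # grantGroupPermission(): record the actions the new group holds
    group_permissions.setdefault(iam_group_id, set()).update(actions)
    return iam_group_id
```

The duplicate check runs against the local table, so it only protects against names this service has persisted; if IAM also enforces uniqueness, the createRoleGroup() call can still fail and nothing has been written locally at that point.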
6.3 OAuth2 authentication flow
┌─────────────────────────────────────────────────────────────────┐
│                 OAuth2 authorization code grant                 │
├─────────────────────────────────────────────────────────────────┤
│ 1. The client requests authorization                            │
│    GET /oauth2/authorize?client_id=xxx&redirect_uri=xxx         │
│                           │                                     │
│                           ▼                                     │
│ 2. The user logs in and grants consent                          │
│    Oauth2DesktopEndpointResource.authorize()                    │
│                           │                                     │
│                           ▼                                     │
│ 3. The authorization code is returned                           │
│    redirect_uri?code=xxx                                        │
│                           │                                     │
│                           ▼                                     │
│ 4. The client exchanges the code for tokens                     │
│    POST /oauth2/token                                           │
│    Oauth2ServiceEndpointResource.getToken()                     │
│                           │                                     │
│                           ▼                                     │
│ 5. Access token + refresh token are returned                    │
└─────────────────────────────────────────────────────────────────┘
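Both sides of the exchange above, as an added example (not BK-CI code; a self-contained Python model rather than the project's Kotlin endpoints). The endpoint names and the five steps follow the diagram; the registered-redirect_uri check, the short-lived single-use code, the redirect_uri match at the token endpoint and the revocation of tokens when a code is replayed are RFC 6749 requirements that the example assumes, not details the page states about BK-CI's implementation. Client ids, secrets and URIs are constructed sample data.

```python
# Added example, not BK-CI code: the authorization-code exchange of section 6.3
# modelled stand-alone. The checks in token() are RFC 6749 requirements assumed
# here; the storage dicts mirror the T_AUTH_OAUTH2_* tables only loosely.
import hashlib
import secrets
import time


class AuthorizationServer:
    def __init__(self, clients, code_ttl=600, token_ttl=3600, clock=time.time):
        self.clients = clients            # client_id -> {"secret": str, "redirect_uris": set}
        self.code_ttl = code_ttl
        self.token_ttl = token_ttl
        self.clock = clock
        self.codes = {}                   # sha256(code) -> record   (T_AUTH_OAUTH2_CODE)
        self.access_tokens = {}           # token -> record          (T_AUTH_OAUTH2_ACCESS_TOKEN)
        self.refresh_tokens = {}          # token -> record          (T_AUTH_OAUTH2_REFRESH_TOKEN)

    @staticmethod
    def _digest(value):
        return hashlib.sha256(value.encode()).hexdigest()   # store only a hash of the code

    def authorize(self, client_id, redirect_uri, user_id, scope):
        """Steps 1-3: called once the user has logged in and consented; returns the redirect."""
        client = self.clients.get(client_id)
        if client is None or redirect_uri not in client["redirect_uris"]:
            # never redirect to an unregistered URI: the code would leak to it
            raise ValueError("invalid client_id or redirect_uri")
        code = secrets.token_urlsafe(32)
        self.codes[self._digest(code)] = {
            "client_id": client_id, "redirect_uri": redirect_uri, "user_id": user_id,
            "scope": scope, "expires_at": self.clock() + self.code_ttl, "used": False, "issued": [],
        }
        return f"{redirect_uri}?code={code}"

    def token(self, grant_type, client_id, client_secret, code, redirect_uri):
        """Steps 4-5: POST /oauth2/token, exchanging the code for tokens."""
        client = self.clients.get(client_id)
        if client is None or not secrets.compare_digest(client["secret"], client_secret):
            return {"error": "invalid_client"}
        if grant_type != "authorization_code":
            return {"error": "unsupported_grant_type"}
        record = self.codes.get(self._digest(code))
        if (record is None or record["client_id"] != client_id
                or record["redirect_uri"] != redirect_uri or record["expires_at"] <= self.clock()):
            return {"error": "invalid_grant"}
        if record["used"]:
            # replayed code: revoke everything issued from it (RFC 6749 section 4.1.2)
            for issued in record["issued"]:
                self.access_tokens.pop(issued, None)
                self.refresh_tokens.pop(issued, None)
            return {"error": "invalid_grant"}
        record["used"] = True
        access = secrets.token_urlsafe(32)
        refresh = secrets.token_urlsafe(32)
        self.access_tokens[access] = {"client_id": client_id, "user_id": record["user_id"],
                                      "scope": record["scope"],
                                      "expires_at": self.clock() + self.token_ttl}
        self.refresh_tokens[refresh] = {"client_id": client_id, "user_id": record["user_id"],
                                        "scope": record["scope"]}
        record["issued"] = [access, refresh]
        return {"access_token": access, "refresh_token": refresh, "token_type": "Bearer",
                "expires_in": self.token_ttl, "scope": record["scope"]}

    def introspect(self, access_token):
        rec = self.access_tokens.get(access_token)
        if rec is None or rec["expires_at"] <= self.clock():
            return None
        return rec


def demo():
    """Constructed walk-through; returns (got_tokens, token_live, replay_error, token_revoked)."""
    clients = {"bk-cli": {"secret": "s3cret", "redirect_uris": {"https://cli.example/callback"}}}
    now = [1_700_000_000.0]
    srv = AuthorizationServer(clients, clock=lambda: now[0])
    location = srv.authorize("bk-cli", "https://cli.example/callback", "alice", "project:read")
    code = location.split("code=", 1)[1]
    ok = srv.token("authorization_code", "bk-cli", "s3cret", code, "https://cli.example/callback")
    live = srv.introspect(ok["access_token"]) is not None
    replay = srv.token("authorization_code", "bk-cli", "s3cret", code, "https://cli.example/callback")
    revoked = srv.introspect(ok["access_token"]) is None
    return "access_token" in ok, live, replay.get("error"), revoked
```

The two checks that most often go missing in home-grown servers are the ones exercised in `demo()` and the test: the code must be bound to the exact redirect_uri it was issued for, and a second exchange of the same code must fail and invalidate the tokens from the first.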
7. Integration with IAM
7.1 IAM SDK dependencies
The Auth module is tightly integrated with Tencent BlueKing IAM (the permission center). Core dependencies:
import com.tencent.bk.sdk.iam.config.IamConfiguration
import com.tencent.bk.sdk.iam.helper.AuthHelper
import com.tencent.bk.sdk.iam.service.PolicyService
import com.tencent.bk.sdk.iam.service.v2.V2ManagerService
7.2 IAM callback interface
@Path("/open/auth/resource/callback")
interface OpenAuthResourceCallBackResource {
fun getResource(...)
fun listResource(...)
fun searchResource(...)
}
7.3 Resource type definitions
enum class AuthResourceType(val value: String) {
PROJECT("project"),
PIPELINE_DEFAULT("pipeline"),
PIPELINE_GROUP("pipeline_group"),
PIPELINE_TEMPLATE("pipeline_template"),
CREDENTIAL("credential"),
CERT("cert"),
CGS("cgs"),
ENVIRONMENT_ENVIRONMENT("environment"),
ENVIRONMENT_ENV_NODE("env_node"),
CODE_REPERTORY("repertory"),
EXPERIENCE_TASK("experience_task"),
EXPERIENCE_GROUP("experience_group"),
QUALITY_RULE("rule"),
QUALITY_GROUP("quality_group"),
}
8. Configuration
8.1 RBAC configuration class
@Configuration
class RbacAuthConfiguration {
}
8.2 MQ configuration
9. Development conventions
9.1 Adding a new permission action
- Add the action definition to the T_AUTH_ACTION table
- Add the corresponding value to the AuthPermission enum
- Register the action in the IAM system
- Update the mapping in RbacAuthUtils.buildAction()
9.2 Adding a new resource type
- Add the type to the AuthResourceType enum
- Add a record to the T_AUTH_RESOURCE_TYPE table
- Implement the AuthResourceCallBackResource callback interface
- Register the resource type in the IAM system
9.3 Permission check examples
// Calling the auth service directly through the inter-service client.
// Note that, as written, this overload carries the resource type's value in resourceCode.
client.get(ServicePermissionAuthResource::class).validateUserResourcePermission(
    userId = userId,
    token = token,
    action = AuthPermission.EXECUTE.value,
    projectCode = projectCode,
    resourceCode = AuthResourceType.PIPELINE_DEFAULT.value
)
// Calling through the AuthPermissionApi abstraction, with the concrete resource code (the pipeline id).
authPermissionApi.validateUserResourcePermission(
    user = userId,
    serviceCode = authServiceCode,
    resourceType = AuthResourceType.PIPELINE_DEFAULT,
    projectCode = projectCode,
    resourceCode = pipelineId,
    permission = AuthPermission.EXECUTE
)
10. FAQ
Q: How do I determine whether a user is a member of a project?
A: Call RbacPermissionService.validateUserProjectPermission(), or check whether the user belongs to any of the project's user groups.
Q: How do I grant permissions to a user?
A: Add the user to the appropriate user group with RbacPermissionResourceMemberService.addGroupMember().
Q: Which OAuth2 grant types are supported?
A: The authorization code grant (Authorization Code) and the password grant (Password).
Q: How is the permission cache handled?
A: Caching goes through BkInternalPermissionCache, backed by Redis, and supports active refresh.
Version: 1.0.0 | Updated: 2025-12-10