permission-model-change-guide
npx skills add https://github.com/tencentblueking/bk-ci --skill permission-model-change-guide
Skill document
IAM Permission Center: Best-Practice Guide for Onboarding a Resource Type

Overview

This document distils the experience of onboarding the creative_stream resource type to the IAM permission center into a reusable standard procedure, so that team members can complete the permission onboarding of a new resource type quickly and consistently.
Onboarding flow at a glance

```text
                    IAM resource type onboarding flow

  ┌─────────────┐   ┌─────────────┐   ┌─────────────┐   ┌──────────────────────────┐
  │ 1. Require- │──▶│ 2. Backend  │──▶│ 3. IAM      │──▶│ 4. Database config       │
  │    ments    │   │    enum     │   │    config   │   │    (SQL or API: pick one)│
  └─────────────┘   └─────────────┘   └─────────────┘   └──────────────────────────┘

  ┌─────────────┐   ┌─────────────┐   ┌─────────────┐
  │ 5. i18n     │──▶│ 6. User     │──▶│ 7. Verify   │
  │    config   │   │    group    │   │    and test │
  └─────────────┘   └─────────────┘   └─────────────┘

  Recommended: use the API instead of SQL scripts for incremental changes to a
  live environment; it is simpler and safer. The initialisation script is still required.
```
Step 1: Requirements analysis and planning

1.1 Determine the resource type information

| Item | Description | Example |
|---|---|---|
| Resource type ID | Globally unique identifier, snake_case | creative_stream |
| Chinese name | Shown in the UI | 创作流 |
| English name | Shown in the UI and used in logs | Creative Stream |
| Parent resource | Normally project | project |
1.2 Determine the list of permission actions

Design the action list by reference to an existing resource type (for example pipeline):

| Action type | Naming convention | Description | Related resource type |
|---|---|---|---|
| create | {resource}_create | Create the resource | project (special case) |
| list | {resource}_list | List resources | {resource} |
| view | {resource}_view | View details | {resource} |
| edit | {resource}_edit | Edit the resource | {resource} |
| delete | {resource}_delete | Delete the resource | {resource} |
| execute | {resource}_execute | Execute the resource | {resource} |
| manage | {resource}_manage | Manage permissions | {resource} |
| other | as required | e.g. download, share, archive | {resource} |

Note: the related_resource_type of the create action must be project, because the resource instance does not exist yet at creation time; the only thing the permission check can be evaluated against is the parent project.
1.3 Design the permission dependency relations

```text
project_visit (base permission)
│
├── {resource}_create
├── {resource}_list
├── {resource}_view
├── {resource}_edit
│     ├── {resource}_manage
│     └── {resource}_archive
├── {resource}_delete
├── {resource}_execute
├── {resource}_download
└── {resource}_share
```

Every action depends on project_visit; manage and archive additionally depend on edit. The finer chain (view on list; edit, delete and execute on view) is expressed through related_actions in the action definitions (see 3.3 and Q2 below).
Step 2: Backend enum definition

2.1 Modify AuthResourceType.kt

File path: src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/AuthResourceType.kt

```kotlin
enum class AuthResourceType(val value: String) {
    // ... existing enum entries ...
    PIPELINE_DEFAULT("pipeline"),
    PIPELINE_GROUP("pipeline_group"),
    PIPELINE_TEMPLATE("pipeline_template"),
    CREATIVE_STREAM("creative_stream"), // new: creative stream type
    // ... other enum entries ...
}
```

Naming convention:
- Enum name: upper case with underscores, e.g. CREATIVE_STREAM
- value: lower case with underscores, e.g. creative_stream; it must be identical to the resource type ID used in the IAM JSON files and the database rows
Step 3: IAM RBAC configuration files

Five JSON files under support-files/bkiam-rbac/ need to be modified:
3.1 Resource type definition (0003_resource_*.json)

```json
{
  "operation": "upsert_resource_type",
  "data": {
    "id": "creative_stream",
    "name": "创作流",
    "name_en": "Creative Stream",
    "parents": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      }
    ],
    "provider_config": {
      "path": "/api/open/auth/resource/instances/list?x-devops-project-id=rbac-project"
    },
    "version": 1
  }
}
```
3.2 Instance selection (0004_instance-views_*.json)

```json
{
  "operation": "upsert_instance_selection",
  "data": {
    "id": "creative_stream_instance",
    "name": "创作流",
    "name_en": "Creative Stream",
    "resource_type_chain": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      },
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream"
      }
    ]
  }
}
```
3.3 Action definitions (0005_action_*.json)

Each action needs its own definition:

```json
{
  "operation": "upsert_action",
  "data": {
    "id": "creative_stream_view",
    "name": "查看创作流",
    "name_en": "Creative Stream View",
    "type": "view",
    "related_resource_types": [
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream",
        "selection_mode": "instance",
        "related_instance_selections": [
          {
            "system_id": "bk_ci_rbac",
            "id": "creative_stream_instance"
          }
        ]
      }
    ],
    "related_actions": ["project_visit", "creative_stream_list"],
    "version": 1
  }
}
```

Key fields:

| Field | Description |
|---|---|
| type | Action type: view/edit/delete/create/execute |
| related_resource_types | Resource type the action is evaluated against |
| selection_mode | Selection mode: instance (instance level) / all (everything) |
| related_actions | Prerequisite actions this action depends on |
Special configuration for the create action. Its related resource type is project rather than creative_stream, and its instance selection is project_instance:

```json
{
  "id": "creative_stream_create",
  "related_resource_types": [
    {
      "system_id": "bk_ci_rbac",
      "id": "project",
      "selection_mode": "instance",
      "related_instance_selections": [
        {
          "system_id": "bk_ci_rbac",
          "id": "project_instance"
        }
      ]
    }
  ],
  "related_actions": ["project_visit"]
}
```
3.4 Action group (0006_group_*.json)

Put all the actions into one group so that the IAM UI can display them together:

```json
{
  "operation": "upsert_action_groups",
  "data": {
    "action_groups": [
      {
        "name": "创作流",
        "name_en": "Creative Stream",
        "actions": [
          {"id": "creative_stream_create"},
          {"id": "creative_stream_list"},
          {"id": "creative_stream_view"},
          {"id": "creative_stream_edit"},
          {"id": "creative_stream_delete"},
          {"id": "creative_stream_execute"},
          {"id": "creative_stream_download"},
          {"id": "creative_stream_share"},
          {"id": "creative_stream_manage"},
          {"id": "creative_stream_archive"}
        ]
      }
    ]
  }
}
```
3.5 Creator-related actions (0007_create-related_*.json)

Defines the permissions that are granted automatically to the creator once a resource has been created:

```json
{
  "id": "creative_stream",
  "actions": [
    {"id": "creative_stream_list", "required": false},
    {"id": "creative_stream_view", "required": false},
    {"id": "creative_stream_edit", "required": false},
    {"id": "creative_stream_delete", "required": false},
    {"id": "creative_stream_execute", "required": false},
    {"id": "creative_stream_download", "required": false},
    {"id": "creative_stream_share", "required": false},
    {"id": "creative_stream_manage", "required": false},
    {"id": "creative_stream_archive", "required": false}
  ]
}
```

Note that creative_stream_create is deliberately absent from this list: create is a project-scoped action and is not granted per instance.
Step 4: Database DML scripts

4.1 Script types and purposes

| Script type | Location | Purpose | Required? |
|---|---|---|---|
| Initialisation script | support-files/sql/5001_init_dml/5001_ci_auth-init_dml_mysql.sql | Data initialisation for open-source community deployments | ✅ Required |
| Incremental script | openspec/changes/{change-id}/specs/auth-resource-type/xxx_dml.sql | Incremental change of existing data in internal production | Internal use |
| API | /api/op/auth/resourceTypeConfig/* | Runtime change of existing data in internal production | Internal use |

Important:
- The initialisation script is mandatory; it seeds the permission data when the open-source community deploys from scratch.
- The incremental script and the API are alternatives (use one or the other); both serve data changes in internal production environments.

4.2 Tables

| Table | Description |
|---|---|
| T_AUTH_RESOURCE_TYPE | Resource type definitions |
| T_AUTH_ACTION | Action definitions |
| T_AUTH_RESOURCE_GROUP_CONFIG | User group configuration (resource level + project level) |
4.3 Add the resource type

```sql
REPLACE INTO T_AUTH_RESOURCE_TYPE (
  `ID`, RESOURCE_TYPE, NAME, ENGLISH_NAME, `DESC`, ENGLISH_DESC,
  PARENT, `SYSTEM`, CREATE_USER, CREATE_TIME, UPDATE_USER, UPDATE_TIME, `DELETE`
) VALUES (
  22, -- query the current MAX(ID) and add 1
  'creative_stream',
  '创作流',
  'Creative Stream',
  '创作流',
  'Creative Stream',
  'project',
  'bk_ci_rbac',
  'system',
  NOW(),
  'system',
  NOW(),
  0
);
```

Caveat: REPLACE INTO deletes and re-inserts any row that collides on the primary key, so a hard-coded ID that is already taken silently overwrites another resource type's row instead of failing. Query MAX(ID) immediately before applying the script (see Q1), not when the change is first drafted.
4.4 Add the action definitions

```sql
REPLACE INTO T_AUTH_ACTION(
  `ACTION`, RESOURCE_TYPE, RELATED_RESOURCE_TYPE, ACTION_NAME,
  ENGLISH_NAME, CREATE_USER, CREATE_TIME, UPDATE_TIME, `DELETE`, ACTION_TYPE
) VALUES
  ('creative_stream_view', 'creative_stream', 'creative_stream',
   '查看创作流', 'Creative Stream View', 'system', NOW(), NOW(), 0, 'view'),
  ('creative_stream_create', 'creative_stream', 'project', -- note: related to project
   '创建创作流', 'Creative Stream Create', 'system', NOW(), NOW(), 0, 'create'),
  -- ... other actions
;
```
4.5 Add resource-level user groups

Resource-level user groups manage the permissions of a single resource instance:

```sql
-- Owner group (all permissions)
REPLACE INTO T_AUTH_RESOURCE_GROUP_CONFIG(
  `ID`, `RESOURCE_TYPE`, `GROUP_CODE`, `GROUP_NAME`, `CREATE_MODE`, `GROUP_TYPE`,
  `DESCRIPTION`, `AUTHORIZATION_SCOPES`, `ACTIONS`
) VALUES (
  70, -- query the current MAX(ID) and add 1
  'creative_stream',
  'manager',
  '拥有者',
  0,
  0,
  '创作流拥有者，可以管理当前创作流的权限',
  '[authorization scope JSON]',
  '["creative_stream_view","creative_stream_edit",...]'
);
```

Standard resource-level user groups:

| Group code | Group name | Typical permissions |
|---|---|---|
| manager | Owner | All permissions (except create) |
| editor | Editor | view + edit + execute + list + download + share |
| executor | Executor | view + execute + list + download + share |
| viewer | Viewer | view + list + download + share |
4.6 Update project-level user groups

Grant the existing project-level user groups permissions on the new resource:

```sql
-- Append a permission scope with JSON_ARRAY_APPEND
UPDATE T_AUTH_RESOURCE_GROUP_CONFIG
SET AUTHORIZATION_SCOPES = JSON_ARRAY_APPEND(
  AUTHORIZATION_SCOPES,
  '$',
  JSON_OBJECT(
    'system', '#system#',
    'actions', JSON_ARRAY(
      JSON_OBJECT('id', 'creative_stream_list'),
      JSON_OBJECT('id', 'creative_stream_download'),
      JSON_OBJECT('id', 'creative_stream_share')
    ),
    'resources', JSON_ARRAY(
      JSON_OBJECT(
        'system', '#system#',
        'type', 'creative_stream',
        'paths', JSON_ARRAY(
          JSON_ARRAY(
            JSON_OBJECT('system', '#system#', 'type', 'project',
                        'id', '#projectId#', 'name', '#projectName#')
          )
        )
      )
    )
  )
)
WHERE ID = 2; -- developer group
```

Two points to check when reviewing this statement:
- JSON_ARRAY_APPEND always appends. Running the UPDATE twice leaves two creative_stream scopes in the same group, so unlike the REPLACE INTO statements above it is not idempotent; this is why the initialisation script carries the complete JSON instead (Step 7).
- creative_stream_create is not in this scope. Because create is evaluated against project, it is added to the group's existing project scope (its actions array), as shown in 5.2 (method two) and 5.3.4, not to the creative_stream scope.

Suggested permission allocation for project-level user groups:

| ID | Group name | Suggested permissions |
|---|---|---|
| 1 | Administrator (manager) | create + all resource actions |
| 2 | Developer (developer) | create + list + download + share |
| 3 | Operations (maintainer) | create + list + download + share |
| 4 | Product (pm) | list |
| 5 | Tester (tester) | create + list + download + share |
| 6 | Quality control (qc) | list |
| 7 | Visitor (visitor) | list |
Step 5: Configure the data through the API (internal production changes)

Applicable scenario: incremental changes to existing data in internal production environments. The API can replace the incremental SQL script and is simpler, safer and less error-prone.

Note: the API cannot replace the initialisation script, which is what seeds fresh open-source deployments.

5.1 API overview

Base path: /api/op/auth/resourceTypeConfig

| Function | Method | Path | Description |
|---|---|---|---|
| List resource types | GET | /resourceTypes | Query all resource types |
| Create resource type | POST | /resourceTypes | Add a resource type |
| List actions | GET | /actions | Query action definitions |
| Batch create actions | POST | /actions/batch | Add actions in bulk |
| Get user group configs | GET | /groupConfigs | Query user group configuration |
| Batch create user groups | POST | /groupConfigs/batch | Add resource-level user groups in bulk |
| Append a new scope | PUT | /groupConfigs/{id}/appendActions | Add a complete permission scope for a resource type |
| Append to an existing scope | PUT | /groupConfigs/{id}/appendActionsToExistingScope | Append to the actions of an existing permission scope |
| Smart append | PUT | /groupConfigs/{id}/smartAppendActions | Decide automatically: append if the scope exists, otherwise create it |
| Batch append (new scopes) | POST | /groupConfigs/batchAppendActions | Add permission scopes in bulk |
| Batch smart append | POST | /groupConfigs/batchSmartAppendActions | Decide the append mode automatically, in bulk |
| Create full configuration | POST | /resourceTypes/full | Create resource type + actions + user groups in one call |

The curl examples below omit authentication headers for brevity. These op endpoints rewrite the authorisation model itself, so treat them as privileged operator interfaces: call them only through the operator authentication your deployment enforces for /api/op, and never expose them to end users or untrusted networks.
5.2 Three ways to append actions

Method 1: append a new permission scope (appendActions)

Use when: granting a user group permissions on a brand-new resource type.

```bash
# Append a complete permission scope to the end of the AUTHORIZATION_SCOPES array
curl -X PUT \
  "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs/1/appendActions?resourceType=creative_stream" \
  -H "Content-Type: application/json" \
  -d '["creative_stream_create", "creative_stream_list"]'
```

Method 2: append to an existing permission scope (appendActionsToExistingScope), recommended

Use when: the permission scope for a resource type already exists and only new actions need to be added to its actions array.

```bash
# Append creative_stream_create to the actions array of the existing project scope
curl -X PUT \
  "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs/1/appendActionsToExistingScope?targetResourceType=project" \
  -H "Content-Type: application/json" \
  -d '["creative_stream_create"]'
```

Effect of the example. Before:

```json
{
  "system": "#system#",
  "actions": [{"id": "project_visit"}, {"id": "project_edit"}],
  "resources": [{"type": "project", ...}]
}
```

After (creative_stream_create appended):

```json
{
  "system": "#system#",
  "actions": [
    {"id": "project_visit"}, {"id": "project_edit"}, {"id": "creative_stream_create"}
  ],
  "resources": [{"type": "project", ...}]
}
```

Method 3: smart append (smartAppendActions), preferred

Use when: you are not sure whether the permission scope exists and want the system to decide.
- If a scope for the target resource type already exists, the actions are appended to that scope.
- If it does not exist, a new scope is created.

```bash
# Smart append: the system decides whether to extend an existing scope or create a new one
curl -X PUT \
  "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs/1/smartAppendActions?resourceType=project" \
  -H "Content-Type: application/json" \
  -d '["creative_stream_create"]'
```
5.3 Batch operation examples

5.3.1 Create the resource type

```bash
curl -X POST "http://devops.example.com/api/op/auth/resourceTypeConfig/resourceTypes" \
  -H "Content-Type: application/json" \
  -d '{
    "resourceType": "creative_stream",
    "name": "创作流",
    "englishName": "Creative Stream",
    "desc": "创作流",
    "englishDesc": "Creative Stream",
    "parent": "project",
    "system": "bk_ci_rbac"
  }'
```

5.3.2 Batch create actions

```bash
curl -X POST "http://devops.example.com/api/op/auth/resourceTypeConfig/actions/batch" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "action": "creative_stream_create",
      "resourceType": "creative_stream",
      "relatedResourceType": "project",
      "actionName": "创建创作流",
      "englishName": "Creative Stream Create",
      "actionType": "create"
    },
    {
      "action": "creative_stream_list",
      "resourceType": "creative_stream",
      "relatedResourceType": "creative_stream",
      "actionName": "创作流列表",
      "englishName": "Creative Stream List",
      "actionType": "list"
    },
    {
      "action": "creative_stream_view",
      "resourceType": "creative_stream",
      "relatedResourceType": "creative_stream",
      "actionName": "查看创作流",
      "englishName": "Creative Stream View",
      "actionType": "view"
    }
  ]'
```
5.3.3 Batch create resource-level user groups

```bash
curl -X POST \
  "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs/batch" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "resourceType": "creative_stream",
      "groupCode": "manager",
      "groupName": "拥有者",
      "description": "创作流拥有者，可以管理当前创作流的权限",
      "createMode": false,
      "groupType": 0,
      "actions": [
        "creative_stream_view", "creative_stream_edit", "creative_stream_delete",
        "creative_stream_execute", "creative_stream_download", "creative_stream_share",
        "creative_stream_manage", "creative_stream_archive"
      ],
      "authorizationScopes": "[authorization scope JSON]"
    },
    {
      "resourceType": "creative_stream",
      "groupCode": "editor",
      "groupName": "编辑者",
      "description": "创作流编辑者",
      "createMode": false,
      "groupType": 0,
      "actions": [
        "creative_stream_view", "creative_stream_edit", "creative_stream_execute",
        "creative_stream_download", "creative_stream_share"
      ],
      "authorizationScopes": "[authorization scope JSON]"
    }
  ]'
```

5.3.4 Batch smart append to project-level user groups

```bash
# batchSmartAppendActions decides the append mode for each entry
curl -X POST \
  "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs/batchSmartAppendActions" \
  -H "Content-Type: application/json" \
  -d '[
    {
      "groupConfigId": 1,
      "resourceType": "project",
      "actions": ["creative_stream_create"]
    },
    {
      "groupConfigId": 2,
      "resourceType": "project",
      "actions": ["creative_stream_create"]
    },
    {
      "groupConfigId": 7,
      "resourceType": "creative_stream",
      "actions": ["creative_stream_list"]
    }
  ]'
```

Notes:
- Group IDs 1 and 2 already have a project scope, so creative_stream_create is appended to that scope's actions.
- Group ID 7 has no creative_stream scope yet, so a new scope is created.
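To make the three strategies of 5.2 and the JSON_ARRAY_APPEND statement of 4.6 comparable, the following added example (not bk-ci code, and not what the op service runs internally) applies the same three operations client-side to an AUTHORIZATION_SCOPES document in the layout shown in Q4. The starting document is constructed: a project-level group that so far holds only a project scope, as in the "before" snippet of method two. It shows that a bare append behaves like JSON_ARRAY_APPEND (a second run leaves a duplicate scope), while append-to-existing and smart append skip action ids that are already present, so they can be re-run safely.

```python
"""Added example (not bk-ci code): the appendActions / appendActionsToExistingScope /
smartAppendActions semantics applied client-side to an AUTHORIZATION_SCOPES JSON array."""
import copy
import json
from typing import List, Optional

PROJECT_NODE = {"system": "#system#", "type": "project", "id": "#projectId#", "name": "#projectName#"}

# Constructed sample: a project-level group that so far only has a project scope.
DEVELOPER_SCOPES: List[dict] = [
    {
        "system": "#system#",
        "actions": [{"id": "project_visit"}, {"id": "project_edit"}],
        "resources": [{"system": "#system#", "type": "project", "paths": [[PROJECT_NODE]]}],
    }
]


def new_scope(resource_type: str, actions: List[str]) -> dict:
    """Build a scope for resource_type rooted under the project, in the Q4 layout."""
    path = [PROJECT_NODE]
    if resource_type != "project":
        path = path + [{"system": "#system#", "type": resource_type,
                        "id": "#resourceCode#", "name": "#resourceName#"}]
    return {
        "system": "#system#",
        "actions": [{"id": a} for a in actions],
        "resources": [{"system": "#system#", "type": resource_type, "paths": [path]}],
    }


def find_scope(scopes: List[dict], resource_type: str) -> Optional[dict]:
    """First scope whose resources target resource_type, or None."""
    for scope in scopes:
        if any(r["type"] == resource_type for r in scope["resources"]):
            return scope
    return None


def scope_count(scopes: List[dict], resource_type: str) -> int:
    return sum(1 for s in scopes if any(r["type"] == resource_type for r in s["resources"]))


def action_ids(scopes: List[dict], resource_type: str) -> List[str]:
    scope = find_scope(scopes, resource_type)
    return [a["id"] for a in scope["actions"]] if scope else []


def append_actions(scopes: List[dict], resource_type: str, actions: List[str]) -> List[dict]:
    """appendActions: always push a new scope. Same effect as JSON_ARRAY_APPEND in 4.6:
    not idempotent, a second run yields a duplicate scope."""
    out = copy.deepcopy(scopes)
    out.append(new_scope(resource_type, actions))
    return out


def append_to_existing_scope(scopes: List[dict], resource_type: str, actions: List[str]) -> List[dict]:
    """appendActionsToExistingScope: extend the scope that already targets resource_type,
    skipping ids it already carries; fail loudly if there is no such scope."""
    out = copy.deepcopy(scopes)
    scope = find_scope(out, resource_type)
    if scope is None:
        raise ValueError(f"no scope for {resource_type}; use append_actions or smart_append")
    present = {a["id"] for a in scope["actions"]}
    for aid in actions:
        if aid not in present:
            scope["actions"].append({"id": aid})
            present.add(aid)
    return out


def smart_append(scopes: List[dict], resource_type: str, actions: List[str]) -> List[dict]:
    """smartAppendActions: extend the existing scope if there is one, otherwise create it."""
    if find_scope(scopes, resource_type) is None:
        return append_actions(scopes, resource_type, actions)
    return append_to_existing_scope(scopes, resource_type, actions)


def to_column(scopes: List[dict]) -> str:
    """Serialise for the AUTHORIZATION_SCOPES column (the table stores a JSON string)."""
    return json.dumps(scopes, ensure_ascii=False)


if __name__ == "__main__":
    s = smart_append(DEVELOPER_SCOPES, "project", ["creative_stream_create"])
    s = smart_append(s, "creative_stream", ["creative_stream_list", "creative_stream_download"])
    print(to_column(s))
```

The design choice worth copying into any migration tooling is the `present` set in `append_to_existing_scope`: membership is decided on action id, not on array position, which is what makes a re-run of the same change a no-op instead of a second grant.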
5.4 API versus incremental SQL script

Note: this comparison covers only incremental changes to internal production environments; it does not concern the initialisation script.

| Dimension | API | Incremental SQL script |
|---|---|---|
| Ease of use | Simple; no knowledge of the table structure needed | Requires familiarity with the table structure and JSON format |
| ID management | Allocated automatically; no collision risk | Must be queried and allocated by hand |
| Idempotency | Built into the endpoints | Relies on REPLACE INTO |
| Validation | Parameter validation at the API layer | None; easy to get wrong |
| Transactions | Managed automatically | Managed by hand |
| Typical use | Runtime configuration in internal production | Version upgrades in internal production |
5.5 Request/response DTOs

ResourceTypeCreateRequest

```kotlin
data class ResourceTypeCreateRequest(
    val resourceType: String,              // resource type code
    val name: String,                      // Chinese name
    val englishName: String,               // English name
    val desc: String? = null,              // Chinese description
    val englishDesc: String? = null,       // English description
    val parent: String? = "project",       // parent resource type
    val system: String? = "bk_ci_rbac"     // system identifier
)
```

ActionCreateRequest

```kotlin
data class ActionCreateRequest(
    val action: String,                    // action code
    val resourceType: String,              // owning resource type
    val relatedResourceType: String,       // related resource type (project for the create action)
    val actionName: String,                // Chinese name
    val englishName: String,               // English name
    val actionType: String                 // action type: create/list/view/edit/delete/execute
)
```

ResourceGroupConfigCreateRequest

```kotlin
data class ResourceGroupConfigCreateRequest(
    val resourceType: String,              // resource type
    val groupCode: String,                 // group code
    val groupName: String,                 // group name
    val description: String? = null,       // description
    val createMode: Boolean = false,       // creation mode
    val groupType: Int = 0,                // group type
    val actions: List<String>,             // action list
    val authorizationScopes: String? = null // authorization scope JSON
)
```

ProjectGroupConfigUpdateRequest

```kotlin
data class ProjectGroupConfigUpdateRequest(
    val groupConfigId: Long,               // project-level user group config ID (1-7)
    val resourceType: String,              // resource type
    val actions: List<String>              // actions to append
)
```
Step 6: Internationalisation

6.1 File locations

Three files under support-files/i18n/auth/:
- message_zh_CN.properties (Chinese)
- message_en_US.properties (English)
- message_ja_JP.properties (Japanese)

6.2 Configuration content

The zh_CN file receives the entries below; the en_US and ja_JP files must carry the same keys with translated values.

```properties
# Resource type
creative_stream.resourceType.name=创作流
creative_stream.resourceType.desc=创作流

# Action names
creative_stream_create.actionName=创建创作流
creative_stream_list.actionName=创作流列表
creative_stream_view.actionName=查看创作流
creative_stream_edit.actionName=编辑创作流
creative_stream_delete.actionName=删除创作流
creative_stream_execute.actionName=执行创作流
creative_stream_download.actionName=下载创作流制品
creative_stream_share.actionName=分享创作流制品
creative_stream_manage.actionName=创作流权限管理
creative_stream_archive.actionName=归档创作流

# Resource-level user groups
creative_stream.manager.authResourceGroupConfig.groupName=拥有者
creative_stream.manager.authResourceGroupConfig.description=创作流拥有者，可以管理当前创作流的权限
creative_stream.editor.authResourceGroupConfig.groupName=编辑者
creative_stream.editor.authResourceGroupConfig.description=创作流编辑者，拥有当前创作流除了权限管理之外的所有权限
creative_stream.executor.authResourceGroupConfig.groupName=执行者
creative_stream.executor.authResourceGroupConfig.description=创作流执行者，可以查看和执行创作流，下载和分享制品
creative_stream.viewer.authResourceGroupConfig.groupName=查看者
creative_stream.viewer.authResourceGroupConfig.description=创作流查看者，可以查看创作流，下载和分享制品
```
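A key that exists in one locale but is missing or empty in another is the most common i18n slip in this step, and the verification checklist only says "complete". The following added example (not bk-ci code) reads the three properties files and reports, per locale, every key of the new resource type that is absent or empty. The file contents are constructed stand-ins for the real support-files/i18n/auth/ files; the ja_JP sample deliberately lacks one key and leaves another empty so the check has something to find.

```python
"""Added example (not bk-ci code): verify that every i18n key introduced for a
resource type is present, with a non-empty value, in all three properties files."""
from typing import Dict, List


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: key=value per line; '#'/'!' comments and blank lines ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            entries[key.strip()] = value.strip()
    return entries


def check_i18n(files: Dict[str, str], resource: str) -> Dict[str, List[str]]:
    """Return {locale: [missing or empty keys]} restricted to keys of `resource`.
    The expected key set is the union of what any locale defines, so a key added
    only to zh_CN is reported as missing from the other two locales."""
    parsed = {loc: parse_properties(text) for loc, text in files.items()}
    expected = {k for p in parsed.values() for k in p if k.startswith(resource)}
    problems: Dict[str, List[str]] = {}
    for loc, entries in parsed.items():
        missing = sorted(k for k in expected if not entries.get(k))
        if missing:
            problems[loc] = missing
    return problems


# Constructed sample contents (not the repository's real files).
ZH_CN = """\
# 资源类型
creative_stream.resourceType.name=创作流
creative_stream.resourceType.desc=创作流
# 操作名称
creative_stream_create.actionName=创建创作流
creative_stream_view.actionName=查看创作流
creative_stream.manager.authResourceGroupConfig.groupName=拥有者
"""
EN_US = """\
creative_stream.resourceType.name=Creative Stream
creative_stream.resourceType.desc=Creative Stream
creative_stream_create.actionName=Creative Stream Create
creative_stream_view.actionName=Creative Stream View
creative_stream.manager.authResourceGroupConfig.groupName=Owner
"""
JA_JP = """\
creative_stream.resourceType.name=(ja placeholder)
creative_stream.resourceType.desc=(ja placeholder)
creative_stream_create.actionName=(ja placeholder)
creative_stream.manager.authResourceGroupConfig.groupName=
"""

FILES = {"zh_CN": ZH_CN, "en_US": EN_US, "ja_JP": JA_JP}

if __name__ == "__main__":
    print(check_i18n(FILES, "creative_stream"))
```

Run it against the real files by reading each one into the `FILES` mapping; a non-empty result should fail the change before it is merged.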
Step 7: Sync the initialisation script (required)

7.1 Update 5001_ci_auth-init_dml_mysql.sql

This step is mandatory: the initialisation script seeds the data when the open-source community deploys from scratch.

Sync the changes into the initialisation script, using REPLACE INTO so that re-running it is idempotent.

Notes:
- The initialisation script uses complete JSON strings, not JSON_ARRAY_APPEND
- Make sure the IDs do not collide with existing data
- Use REPLACE INTO rather than INSERT to guarantee idempotency
- All changes must be synced, including:
  - the new resource type
  - the new action definitions
  - the new resource-level user groups
  - the updated project-level user groups (edit the complete JSON directly)
Step 8: Verification checklist

8.1 Files to modify

| File | Change | Required? |
|---|---|---|
| AuthResourceType.kt | New enum entry | ✅ Required |
| 0003_resource_*.json | New resource type | ✅ Required |
| 0004_instance-views_*.json | New instance selection | ✅ Required |
| 0005_action_*.json | All new action definitions | ✅ Required |
| 0006_group_*.json | New action group | ✅ Required |
| 0007_create-related_*.json | New creator-related actions | ✅ Required |
| message_zh_CN.properties | Chinese i18n | ✅ Required |
| message_en_US.properties | English i18n | ✅ Required |
| message_ja_JP.properties | Japanese i18n | ✅ Required |
| 5001_ci_auth-init_dml_mysql.sql | Initialisation data for open-source deployments | ✅ Required |
| Incremental SQL script | Incremental change in internal production | Internal use (alternative to the API) |
8.2 Verification points

- The resource type ID is globally unique
- Action IDs follow the {resource}_{action} naming convention
- The create action relates to the project resource type
- Every action has the correct related_actions dependencies
- User group IDs do not collide with existing data (handled automatically when using the API)
- The i18n configuration is complete in all three languages
- All project-level user groups (IDs 1-7) have been updated
- The resource-level user group permission matrix is sensible
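Most of these points can be checked mechanically before the JSON files are committed. The following script is an added example (not code from the bk-ci project) that lints the action definitions, action group and creator grant of sections 1.3 and 3.3 to 3.5: ids follow {resource}_{action}, create relates only to project while every other action relates to the resource, every action depends on project_visit, related_actions name only defined actions and contain no cycle, the group lists exactly the defined actions, and the creator grant never hands out the project-scoped create. The sample definitions are constructed inline as a subset of the creative_stream actions; in practice you would load the upsert_action data objects from the 0005/0006/0007 files.

```python
"""Added example (not bk-ci project code): lint IAM RBAC action definitions.

The sample below is a constructed subset of the creative_stream upsert_action
"data" objects from 0005_action_*.json, plus the matching action group (0006)
and creator grant (0007) id lists.
"""
import re
from typing import Dict, List

SYSTEM = "bk_ci_rbac"
RESOURCE = "creative_stream"
BASE_ACTION = "project_visit"


def _action(aid: str, atype: str, related: str, deps: List[str]) -> dict:
    """Build one upsert_action data object in the shape used by this guide."""
    return {
        "id": aid,
        "type": atype,
        "related_resource_types": [{"system_id": SYSTEM, "id": related}],
        "related_actions": deps,
    }


ACTIONS: List[dict] = [
    _action("creative_stream_create", "create", "project", [BASE_ACTION]),
    _action("creative_stream_list", "list", RESOURCE, [BASE_ACTION]),
    _action("creative_stream_view", "view", RESOURCE, [BASE_ACTION, "creative_stream_list"]),
    _action("creative_stream_edit", "edit", RESOURCE, [BASE_ACTION, "creative_stream_view"]),
    _action("creative_stream_manage", "manage", RESOURCE, [BASE_ACTION, "creative_stream_edit"]),
]
ACTION_GROUP: List[str] = [a["id"] for a in ACTIONS]                             # 0006_group_*.json
CREATE_RELATED: List[str] = [a["id"] for a in ACTIONS if a["type"] != "create"]  # 0007_create-related


def _has_cycle(graph: Dict[str, List[str]]) -> bool:
    """Depth-first search with white/grey/black colouring over related_actions."""
    state: Dict[str, int] = {}

    def visit(node: str) -> bool:
        if state.get(node) == 1:      # grey: reached again while still on the stack
            return True
        if state.get(node) == 2:      # black: fully explored
            return False
        state[node] = 1
        found = any(visit(nxt) for nxt in graph[node])
        state[node] = 2
        return found

    return any(visit(n) for n in graph)


def lint_actions(resource: str, actions: List[dict], group_ids: List[str],
                 create_related_ids: List[str], base_action: str = BASE_ACTION) -> List[str]:
    """Return human-readable findings; an empty list means the definitions pass."""
    findings: List[str] = []
    ids = {a["id"] for a in actions}
    for a in actions:
        aid = a["id"]
        if not re.fullmatch(rf"{re.escape(resource)}_[a-z]+", aid):
            findings.append(f"{aid}: id does not follow {resource}_{{action}}")
        related = {r["id"] for r in a["related_resource_types"]}
        if a["type"] == "create":
            # the instance does not exist yet, so create is authorised on the parent project
            if related != {"project"}:
                findings.append(f"{aid}: create must relate to project, got {sorted(related)}")
        elif related != {resource}:
            findings.append(f"{aid}: must relate to {resource}, got {sorted(related)}")
        deps = a.get("related_actions", [])
        if base_action not in deps:
            findings.append(f"{aid}: missing dependency on {base_action}")
        for dep in deps:
            if dep != base_action and dep not in ids:
                findings.append(f"{aid}: related action {dep} is not defined")
    graph = {a["id"]: [d for d in a.get("related_actions", []) if d in ids] for a in actions}
    if _has_cycle(graph):
        findings.append("related_actions contain a cycle")
    missing = ids - set(group_ids)
    extra = set(group_ids) - ids
    if missing:
        findings.append(f"action group is missing {sorted(missing)}")
    if extra:
        findings.append(f"action group references undefined {sorted(extra)}")
    for cid in create_related_ids:
        if cid not in ids:
            findings.append(f"create-related grant references undefined {cid}")
        elif cid.endswith("_create"):
            # create is project-scoped; granting it per instance would widen the creator's rights
            findings.append(f"create-related grant must not include {cid}")
    return findings


if __name__ == "__main__":
    for line in lint_actions(RESOURCE, ACTIONS, ACTION_GROUP, CREATE_RELATED) or ["OK"]:
        print(line)
```

The cycle check matters more than it looks: related_actions is what IAM uses to pull in prerequisite grants, and a loop in that graph turns a single grant into an unbounded set of implied permissions, so it should be rejected at review time rather than discovered in the permission center.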
8.3 Verification through the API

After configuring through the API, verify the result with the following endpoints:

```bash
# Verify the resource type
curl "http://devops.example.com/api/op/auth/resourceTypeConfig/resourceTypes/creative_stream"

# Verify the action list
curl "http://devops.example.com/api/op/auth/resourceTypeConfig/actions?resourceType=creative_stream"

# Verify the user group configuration
curl "http://devops.example.com/api/op/auth/resourceTypeConfig/groupConfigs?resourceType=creative_stream"
```
Frequently asked questions

Q1: How do I determine the ID of a new resource type?

Query the current maximum IDs:

```sql
SELECT MAX(ID) FROM T_AUTH_RESOURCE_TYPE;
SELECT MAX(ID) FROM T_AUTH_RESOURCE_GROUP_CONFIG;
```

Q2: How should the permission dependency relations be designed?

Follow the least-privilege principle:
- view depends on list
- edit, delete and execute depend on view
- manage depends on edit
- every action depends on project_visit

Q3: Why does the create action relate to project?

Because the resource instance does not exist yet when it is being created, there is nothing to authorise against at instance level; the permission must therefore be granted at project level.

Q4: What is the structure of AUTHORIZATION_SCOPES?

```json
[
  {
    "system": "#system#",
    "actions": [{"id": "action_id"}],
    "resources": [
      {
        "system": "#system#",
        "type": "resource_type",
        "paths": [[
          {"system": "#system#", "type": "project", "id": "#projectId#", "name": "#projectName#"},
          {"system": "#system#", "type": "resource_type", "id": "#resourceCode#", "name": "#resourceName#"}
        ]]
      }
    ]
  }
]
```

The #system#, #projectId#, #projectName#, #resourceCode# and #resourceName# tokens are placeholders; they stay literal in the stored configuration (as the SQL in 4.6 shows) and are filled in for a concrete project and resource when a group is materialised.
References

- BlueKing IAM (permission center) documentation
- Existing resource type implementations: pipeline, credential, environment, etc.
- Archive of this creative_stream onboarding: openspec/changes/archive/2025-12-16-add-creative-stream-resource-type/