server/auth: implement role & role manager #3256
Conversation
errors.toml
Outdated
| @@ -11,6 +11,31 @@ error = ''' | |||
| redirect failed | |||
| ''' | |||
|
|
|||
| ["PD:auth:ErrInvalidName"] | |||
| error = ''' | |||
| key name may only contain alphanumeric and underscores, and may only start with an alphabetic character. | |||
There was a problem hiding this comment.
An end user won't know what "key" means.
|
|
||
| // Permission represents a permission to a specific pair of resource and action. | ||
| type Permission struct { | ||
| Resource string `json:"resource"` |
There was a problem hiding this comment.
Should this be a newtype like Action as well?
There was a problem hiding this comment.
We may define Resource as an enum.
|
/run-all-tests |
| type Action string | ||
|
|
||
| // All available actions types. | ||
| const ( |
There was a problem hiding this comment.
How about using the way like operator kind?
There was a problem hiding this comment.
We are assuming that an Action can hold only one operation now (so that AddPermission/RemovePermission can be simple and direct).
Maybe we won't gain much from changing those consts to uints?
There was a problem hiding this comment.
Hmmm...I'm not sure if it is reasonable.
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
PhotonQuantum
force-pushed
the
rbac-role
branch
from
f8d8da7
to
debb51a
Compare
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
PhotonQuantum
force-pushed
the
rbac-role
branch
from
9415644
to
42cb426
Compare
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
|
/run-all-tests |
|
/run-all-tests |
|
/run-all-tests tidb=master tikv=master |
|
/run-all-tests tidb=master tikv=master tidb-test=master |
|
/run-all-tests tidb=master tikv=master tidb-test=master pd=master |
server/auth/role.go
Outdated
| } | ||
|
|
||
| // HasPermission checks whether this user has a specific permission. | ||
| func (r *Role) HasPermission(permission Permission) bool { |
There was a problem hiding this comment.
How about making these kinds of methods private?
There was a problem hiding this comment.
Good idea! I've made them private.
server/auth/auth_test.go
Outdated
| } | ||
| } | ||
|
|
||
| func newTestSingleConfig() *embed.Config { |
There was a problem hiding this comment.
Does NewTestSingleConfig in server package meet the requirement?
There was a problem hiding this comment.
Actually, it seems that etcd is not needed to run these tests. I'm replacing EtcdKV with MemoryKV.
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Signed-off-by: PhotonQuantum self@lightquantum.me
What problem does this PR solve?
ref: tikv/tikv#8621
server/auth: implement role & role manager.
This PR is split from #3224, and moved from #3248.
I'm still working on the RFC document about this change (RBAC support for TiDB PD), and I'll submit it as soon as it's completed. In the meantime, a draft written in Chinese is available at here.
What is changed and how it works?
server/auth
roleManageris implemented to handle role-related CRUD operations, including querying roles in memory, loading them from etcd and persisting them to etcd.Check List
Tests
Code changes
Release note