server/auth: implement role & role manager #3256
errors.toml (outdated)
@@ -11,6 +11,31 @@ error = ''' | |||
redirect failed | |||
''' | |||
|
|||
["PD:auth:ErrInvalidName"] | |||
error = ''' | |||
key name may only contain alphanumeric and underscores, and may only start with an alphabetic character. |
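Review bot: the text for PD:auth:ErrInvalidName says "key name" without saying which name failed, and this error lives in the auth package, so an end user reading it cannot tell what to fix; name the object being validated (for instance "role name may only contain ...") and state the rule in the same terms the validator enforces (first character alphabetic, remaining characters alphanumeric or underscore) so that clients can pre-check names with an identical pattern.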
An end user won't know what "key" means.
Thanks! Fixed.
|
||
// Permission represents a permission to a specific pair of resource and action. | ||
type Permission struct { | ||
Resource string `json:"resource"` |
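Review bot: Resource is a bare string while Action (further down in this PR) is a newtype, so any string can be placed in a Permission and two permissions meant for the same resource can differ only by spelling or case; give Resource its own type as well and validate or canonicalize it where a Permission is constructed, so a mistyped resource name cannot silently create a permission that never matches.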
Should this be a newtype like Action as well?
We may define Resource as an enum.
/run-all-tests
Rest LGTM, please address the comment.
type Action string | ||
|
||
// All available actions types. | ||
const ( |
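Review bot: the comment "All available actions types." should read "All available action types." Since Action is a plain string type and each value is meant to hold exactly one operation, add a validity check against the constant set (for example an isValid method) and apply it wherever an Action comes from outside the package, such as a Permission decoded from etcd or supplied by a client; otherwise an unknown action string is accepted silently and only ever fails to match.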
How about using an approach like operator kind?
We are assuming that an Action can hold only one operation now (so that AddPermission/RemovePermission can be simple and direct).
Maybe we won't gain much from changing those consts to uints?
Hmmm...I'm not sure if it is reasonable.
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Branch force-pushed from f8d8da7 to debb51a (Compare)
Signed-off-by: PhotonQuantum <self@lightquantum.me>
Branch force-pushed from 9415644 to 42cb426 (Compare)
Signed-off-by: PhotonQuantum <self@lightquantum.me>
/run-all-tests
LGTM
LGTM
/run-all-tests
/run-all-tests tidb=master tikv=master
/run-all-tests tidb=master tikv=master tidb-test=master
/run-all-tests tidb=master tikv=master tidb-test=master pd=master
server/auth/role.go (outdated)
} | ||
|
||
// HasPermission checks whether this user has a specific permission. | ||
func (r *Role) HasPermission(permission Permission) bool { |
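Review bot: the doc comment says "checks whether this user has a specific permission" but the receiver is a Role, so it should read "whether this role has"; more importantly, an exported HasPermission on Role lets any package read a role's permission set without going through the role manager and whatever locking it holds, so make it unexported and expose the check only through the manager.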
How about making these kinds of methods private?
Good idea! I've made them private.
server/auth/auth_test.go (outdated)
} | ||
} | ||
|
||
func newTestSingleConfig() *embed.Config { |
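Review bot: newTestSingleConfig returns an embed.Config, which means these unit tests start an embedded etcd just to exercise the role manager; if the manager is written against a KV abstraction, back it with an in-memory KV here so the tests stay hermetic and fast, and if an embedded etcd really is needed, reuse the server package's NewTestSingleConfig rather than duplicating it in this package.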
Does NewTestSingleConfig in the server package meet the requirement?
Actually, it seems that etcd is not needed to run these tests. I'm replacing EtcdKV with MemoryKV.
Signed-off-by: PhotonQuantum <self@lightquantum.me>
What problem does this PR solve?
ref: tikv/tikv#8621
server/auth: implement role & role manager.
This PR is split from #3224, and moved from #3248.
I'm still working on the RFC document about this change (RBAC support for TiDB PD), and I'll submit it as soon as it's completed. In the meantime, a draft written in Chinese is available here.
What is changed and how it works?
server/auth: roleManager is implemented to handle role-related CRUD operations, including querying roles in memory, loading them from etcd and persisting them to etcd.
Check List
Tests
Code changes
Release note
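The role manager described in this PR, as an added example written for this page (it is not PD's own server/auth code): Go types for Permission, Role and a single-operation Action as in the diff hunks above, a role-name check built from the ErrInvalidName message as the anchored regex `^[A-Za-z][A-Za-z0-9_]*$`, and a roleManager that answers queries from memory and writes through to a store. The store is a plain key-to-JSON map standing in for etcd (much as the thread's MemoryKV does for tests), the key layout auth/roles/<name>, and the names newRoleManager, commit, setPermission and hasPermission are all assumptions of this example, not identifiers from the PR.

```go
package main

import (
	"encoding/json"
	"errors"
	"regexp"
	"sync"
)

// Action holds exactly one operation (for example "get"), so a Permission is one pair.
type Action string

// Permission is a single action on a specific resource.
type Permission struct {
	Resource string `json:"resource"`
	Action   Action `json:"action"`
}

// Role is a named set of permissions.
type Role struct {
	Name        string       `json:"name"`
	Permissions []Permission `json:"permissions"`
}

var (
	errInvalidName  = errors.New("role name may only contain alphanumeric characters and underscores, and must start with an alphabetic character")
	errRoleNotFound = errors.New("role not found")
	errCorruptRole  = errors.New("stored role is malformed or has an invalid name")
	// Anchored at both ends: rejects empty names, leading digits or
	// underscores, and any '/' that could escape the key prefix in commit.
	namePattern = regexp.MustCompile(`^[A-Za-z][A-Za-z0-9_]*$`)
)

// roleManager serves reads from memory and writes through to store, a key -> JSON
// map standing in for etcd (assumed); a role is persisted before its in-memory copy changes.
type roleManager struct {
	mu    sync.RWMutex
	roles map[string]Role
	store map[string]string
}

// newRoleManager loads every stored role, validating rather than trusting it.
func newRoleManager(store map[string]string) (*roleManager, error) {
	m := &roleManager{roles: map[string]Role{}, store: store}
	for _, raw := range store {
		var r Role
		if json.Unmarshal([]byte(raw), &r) != nil || !namePattern.MatchString(r.Name) {
			return nil, errCorruptRole
		}
		m.roles[r.Name] = r
	}
	return m, nil
}

// commit persists r and only then makes it visible; callers hold m.mu.
func (m *roleManager) commit(r Role) error {
	b, err := json.Marshal(r)
	if err != nil {
		return err
	}
	m.store["auth/roles/"+r.Name] = string(b) // assumed key layout
	m.roles[r.Name] = r
	return nil
}

// setPermission grants (grant=true) or revokes p on the named role; a grant on an
// unknown role creates it after name validation. The new set is swapped in whole.
func (m *roleManager) setPermission(name string, p Permission, grant bool) error {
	if !namePattern.MatchString(name) {
		return errInvalidName
	}
	m.mu.Lock()
	defer m.mu.Unlock()
	r, ok := m.roles[name]
	if !ok && !grant {
		return errRoleNotFound
	}
	next := Role{Name: name}
	for _, q := range r.Permissions { // zero Role for a new name: nothing to copy
		if q != p {
			next.Permissions = append(next.Permissions, q)
		}
	}
	if grant {
		next.Permissions = append(next.Permissions, p)
	}
	return m.commit(next)
}

func (m *roleManager) hasPermission(name string, p Permission) bool {
	m.mu.RLock()
	defer m.mu.RUnlock()
	for _, q := range m.roles[name].Permissions {
		if q == p {
			return true
		}
	}
	return false
}
```

Two review points are visible in this shape: a mutation is written to the store before the in-memory map changes, so a failed etcd write cannot leave memory granting something etcd never recorded, and data read back from the store is re-validated on load, so a role written by some other tool with a name such as ../admin is refused rather than indexed. A missing role simply has no permissions, so hasPermission needs no separate existence check.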