auth-module-architecture
Architecture guide for the Auth (authentication and authorization) module, covering IAM integration, the RBAC permission model, resource permission checks, permission migration and OAuth authentication. Use it when developing permission features, configuring IAM resources, implementing permission checks or handling authentication flows.
Install
mkdir -p .claude/skills/auth-module-architecture && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4185" && unzip -o skill.zip -d .claude/skills/auth-module-architecture && rm skill.zip
Installs to .claude/skills/auth-module-architecture
About this skill
Auth Module Architecture Guide
Module role: Auth is the core authentication and authorization module of BK-CI. It is responsible for user authentication, permission checks, user-group management and OAuth2 authentication, and uses an RBAC (role-based access control) model.
1. Overall module structure
1.1 Submodules
src/backend/ci/core/auth/
├── api-auth/                          # API interface definition layer
│   └── src/main/kotlin/com/tencent/devops/auth/
│       ├── api/
│       │   ├── callback/              # Callback interfaces (IAM, ITSM)
│       │   ├── login/                 # Login interfaces
│       │   ├── manager/               # Administrator interfaces
│       │   ├── migrate/               # Migration interfaces
│       │   ├── oauth2/                # OAuth2 interfaces
│       │   ├── op/                    # Operations interfaces
│       │   ├── open/                  # Open (external) interfaces
│       │   ├── service/               # Service-to-service interfaces
│       │   ├── sync/                  # Synchronization interfaces
│       │   └── user/                  # User interfaces
│       ├── constant/                  # Constant definitions
│       └── pojo/                      # Data objects
│
├── biz-auth/                          # Business logic layer
│   └── src/main/kotlin/com/tencent/devops/auth/
│       ├── aspect/                    # AOP aspects
│       ├── common/                    # Common configuration
│       ├── cron/                      # Scheduled jobs
│       ├── dao/                       # Data access layer (40+ files)
│       ├── entity/                    # Entity definitions
│       ├── filter/                    # Filters
│       ├── provider/
│       │   ├── rbac/                  # RBAC implementation (core)
│       │   └── sample/                # Sample implementation
│       ├── refresh/                   # Refresh mechanism
│       ├── resources/                 # API implementations
│       ├── service/                   # Business services (30+ files)
│       ├── sharding/                  # Sharding strategy
│       └── utils/                     # Utilities
│
├── boot-auth/                         # Spring Boot bootstrap module
└── model-auth/                        # Data model layer (generated by JOOQ)
1.2 Module responsibility matrix
| Module | Responsibility | Core classes |
|---|---|---|
| api-auth | REST API interface definitions | 50+ |
| biz-auth | Business logic, RBAC implementation | 150+ |
| model-auth | JOOQ data model | Auto-generated |
2. Core concepts
2.1 RBAC permission model
┌───────────────────────────────────────────────────────────────┐
│                  BK-CI RBAC permission model                  │
├───────────────────────────────────────────────────────────────┤
│                                                               │
│  ┌──────────┐     ┌──────────────┐     ┌──────────────┐       │
│  │   User   │────►│    Group     │────►│    Policy    │       │
│  └──────────┘     └──────────────┘     └──────────────┘       │
│       │                  │                     │              │
│       │                  │                     ▼              │
│       │                  │          ┌──────────────────┐      │
│       │                  │          │      Action      │      │
│       │                  │          │ create/view/edit │      │
│       │                  │          │  delete/execute  │      │
│       │                  │          └─────────┬────────┘      │
│       │                  │                    │               │
│       ▼                  ▼                    ▼               │
│  ┌─────────────────────────────────────────────────────────┐  │
│  │                        Resource                         │  │
│  │  ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐        │  │
│  │  │ project │ │pipeline │ │  repo   │ │   env   │  ...   │  │
│  │  └─────────┘ └─────────┘ └─────────┘ └─────────┘        │  │
│  └─────────────────────────────────────────────────────────┘  │
│                                                               │
└───────────────────────────────────────────────────────────────┘
2.2 Core entities and their relationships
| Entity | Description | Table |
|---|---|---|
| User | System user | T_AUTH_USER_INFO |
| Group | Permission group; linked to permission policies | T_AUTH_RESOURCE_GROUP |
| Member | Membership of a user in a group | T_AUTH_RESOURCE_GROUP_MEMBER |
| Resource | A managed resource | T_AUTH_RESOURCE |
| Action | An operation on a resource | T_AUTH_ACTION |
| Permission | A group's permission on a resource | T_AUTH_RESOURCE_GROUP_PERMISSION |
2.3 Default group types
enum class DefaultGroupType {
    MANAGER,     // Manager (administrator) group
    DEVELOPER,   // Developer group
    MAINTAINER,  // Maintainer (operations) group
    TESTER,      // Tester group
    PM,          // Product manager group
    QC,          // Quality control group
    VIEWER       // Viewer group
}
3. Layered architecture
┌─────────────────────────────────────────────────────────────────────────────┐
│                                Request entry                                │
│       HTTP request / service-to-service call / IAM callback / OAuth2        │
└─────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                            API layer (api-auth)                             │
│  ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐│
│  │UserAuth        │ │ServicePerm     │ │OpenProject     │ │Oauth2Service   ││
│  │ApplyResource   │ │AuthResource    │ │AuthResource    │ │EndpointRes     ││
│  │(perm. requests)│ │(service auth)  │ │(open proj perm)│ │(OAuth2 auth)   ││
│  └────────────────┘ └────────────────┘ └────────────────┘ └────────────────┘│
└─────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                          Business layer (biz-auth)                          │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                          ResourceImpl layer                           │  │
│  │    ServicePermissionAuthResourceImpl | OpenProjectAuthResourceImpl    │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                     │                                       │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                      RBAC provider layer (core)                       │  │
│  │  RbacPermissionService - permission check service (core)              │  │
│  │  RbacPermissionResourceGroupService - user group management           │  │
│  │  RbacPermissionResourceMemberService - group member management        │  │
│  │  RbacPermissionResourceService - resource management                  │  │
│  │  PermissionGradeManagerService - grade manager service                │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
│                                     │                                       │
│  ┌───────────────────────────────────────────────────────────────────────┐  │
│  │                         Common service layer                          │  │
│  │  PermissionAuthorizationService - authorization service               │  │
│  │  AuthDeptServiceImpl - department service                             │  │
│  │  ManagerUserService - manager user service                            │  │
│  │  StrategyService - strategy service                                   │  │
│  │  AuthMonitorSpaceService - monitor space service                      │  │
│  └───────────────────────────────────────────────────────────────────────┘  │
└─────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                          DAO layer (biz-auth/dao)                           │
│     AuthResourceGroupDao | AuthResourceGroupMemberDao | AuthResourceDao     │
│           AuthAuthorizationDao | AuthOauth2ClientDetailsDao | ...           │
└─────────────────────────────────────────────────────────────────────────────┘
                                       │
                                       ▼
┌─────────────────────────────────────────────────────────────────────────────┐
│                      Data layer (model-auth + MySQL)                        │
│                    Database: devops_ci_auth (30+ tables)                    │
└─────────────────────────────────────────────────────────────────────────────┘
4. Core database tables
4.1 User-group tables
| Table | Description | Key columns |
|---|---|---|
| T_AUTH_RESOURCE_GROUP | Resource user group | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, GROUP_CODE, GROUP_NAME, IAM_GROUP_ID |
| T_AUTH_RESOURCE_GROUP_MEMBER | Group membership | ID, PROJECT_CODE, IAM_GROUP_ID, MEMBER_ID, MEMBER_TYPE, EXPIRED_TIME |
| T_AUTH_RESOURCE_GROUP_PERMISSION | Group permissions | ID, PROJECT_CODE, RESOURCE_TYPE, IAM_GROUP_ID, ACTION, RESOURCE_CODE |
| T_AUTH_RESOURCE_GROUP_CONFIG | Group configuration | ID, RESOURCE_TYPE, GROUP_CODE, GROUP_NAME, ACTIONS |
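The user → group → permission → resource chain from section 2 and the group tables in 4.1 together define one decision: a user may perform an action on a resource only if some group they currently belong to holds a matching permission row. The following is an added illustration, not BK-CI code: it models that check in plain Python over rows shaped like T_AUTH_RESOURCE_GROUP_MEMBER and T_AUTH_RESOURCE_GROUP_PERMISSION. The wildcard value `*`, the member types `user`/`department`, and every sample row are assumptions made for the example; the project's real column semantics may differ.

```python
# Added example (not BK-CI code): in-memory model of the RBAC decision implied by
# T_AUTH_RESOURCE_GROUP_MEMBER and T_AUTH_RESOURCE_GROUP_PERMISSION.
# All rows, the "*" wildcard and the member-type values are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timezone

ANY_RESOURCE = "*"  # assumed: "every resource of this type in the project"


@dataclass(frozen=True)
class GroupMember:  # row of T_AUTH_RESOURCE_GROUP_MEMBER
    project_code: str
    iam_group_id: int
    member_id: str
    member_type: str  # "user" or "department" (assumed values)
    expired_time: datetime


@dataclass(frozen=True)
class GroupPermission:  # row of T_AUTH_RESOURCE_GROUP_PERMISSION
    project_code: str
    resource_type: str
    iam_group_id: int
    action: str
    resource_code: str


NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock so the example is deterministic
FAR_FUTURE = datetime(2099, 1, 1, tzinfo=timezone.utc)
PAST = datetime(2020, 1, 1, tzinfo=timezone.utc)

# Constructed sample rows: group 101 is the project "manager" group with wildcard
# pipeline rights; group 102 is a "developer" group scoped to one pipeline.
MEMBERS = [
    GroupMember("demo", 101, "alice", "user", FAR_FUTURE),
    GroupMember("demo", 102, "bob", "user", FAR_FUTURE),
    GroupMember("demo", 102, "carol", "user", PAST),  # membership has expired
    GroupMember("demo", 102, "dept-42", "department", FAR_FUTURE),
]
PERMISSIONS = [
    GroupPermission("demo", "pipeline", 101, "view", ANY_RESOURCE),
    GroupPermission("demo", "pipeline", 101, "execute", ANY_RESOURCE),
    GroupPermission("demo", "pipeline", 101, "delete", ANY_RESOURCE),
    GroupPermission("demo", "pipeline", 102, "view", "p-123"),
    GroupPermission("demo", "pipeline", 102, "edit", "p-123"),
]


def active_group_ids(user_id, project_code, now=NOW, user_depts=frozenset(), members=MEMBERS):
    """Groups the user currently belongs to in the project, directly or via a department.

    Rows whose EXPIRED_TIME has passed are skipped, so an expired membership grants
    nothing even though the row is still present in the table.
    """
    ids = set()
    for m in members:
        if m.project_code != project_code or m.expired_time <= now:
            continue
        direct = m.member_type == "user" and m.member_id == user_id
        via_dept = m.member_type == "department" and m.member_id in user_depts
        if direct or via_dept:
            ids.add(m.iam_group_id)
    return ids


def has_permission(user_id, project_code, resource_type, resource_code, action,
                   now=NOW, user_depts=frozenset(), members=MEMBERS, permissions=PERMISSIONS):
    """Deny by default: allow only if an active group of the user holds a permission
    row for this project, resource type and action whose RESOURCE_CODE is either
    the exact resource or the wildcard."""
    groups = active_group_ids(user_id, project_code, now, user_depts, members)
    if not groups:
        return False
    for p in permissions:
        if (p.iam_group_id in groups
                and p.project_code == project_code
                and p.resource_type == resource_type
                and p.action == action
                and p.resource_code in (resource_code, ANY_RESOURCE)):
            return True
    return False


if __name__ == "__main__":
    print(has_permission("alice", "demo", "pipeline", "p-999", "view"))  # True  (wildcard)
    print(has_permission("bob", "demo", "pipeline", "p-456", "edit"))    # False (other pipeline)
    print(has_permission("carol", "demo", "pipeline", "p-123", "view"))  # False (expired)
```

Two points the model makes visible: the project code is checked on both the membership row and the permission row, so a group from another project never contributes, and expiry is evaluated at check time rather than relying on a cleanup job having deleted the row.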
4.2 Resource tables
| Table | Description | Key columns |
|---|---|---|
| T_AUTH_RESOURCE | Resource information | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, RESOURCE_NAME, IAM_RESOURCE_CODE |
| T_AUTH_RESOURCE_TYPE | Resource type | ID, RESOURCE_TYPE, NAME, PARENT, SYSTEM |
| T_AUTH_ACTION | Action definition | ACTION, RESOURCE_TYPE, ACTION_NAME, ACTION_TYPE |
4.3 Authorization tables
| Table | Description | Key columns |
|---|---|---|
| T_AUTH_AUTHORIZATION | Resource authorization | ID, PROJECT_CODE, RESOURCE_TYPE, RESOURCE_CODE, HANDOVER_FROM, HANDOVER_TO |
| T_AUTH_IAM_CALLBACK | IAM callback | ID, GATEWAY, PATH, RESOURCE, SYSTEM |
4.4 OAuth2 tables
| Table | Description |
|---|---|
| T_AUTH_OAUTH2_CLIENT_DETAILS | OAuth2 client details |
| T_AUTH_OAUTH2_ACCESS_TOKEN | Access tokens |
| T_AUTH_OAUTH2_REFRESH_TOKEN | Refresh tokens |
| T_AUTH_OAUTH2_CODE | Authorization codes |
| T_AUTH_OAUTH2_SCOPE | Authorization scopes |
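The five OAuth2 tables above are the persistent state of an authorization-code flow: a registered client, a short-lived code, the access and refresh tokens minted when the code is exchanged, and the scopes a token carries. The block below is an added example, not BK-CI code, and assumes standard authorization-code semantics rather than the project's actual implementation. It shows the checks a token endpoint backed by such tables has to make: client secret verified in constant time, the code bound to one client and redirect URI, single use, expiry, and scopes limited to what the client was registered for. Table shapes, field names, lifetimes and all sample values (`ci-cli`, `s3cret`, the redirect URI) are constructed for the example.

```python
# Added example (not BK-CI code): in-memory model of the authorization-code exchange
# across T_AUTH_OAUTH2_CLIENT_DETAILS / _CODE / _ACCESS_TOKEN / _REFRESH_TOKEN / _SCOPE.
# Field names, lifetimes and sample values are assumptions made for illustration.
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2030, 1, 1, tzinfo=timezone.utc)  # fixed clock for determinism
CODE_TTL = timedelta(minutes=10)                 # assumed lifetimes
ACCESS_TTL = timedelta(hours=1)
REFRESH_TTL = timedelta(days=30)


@dataclass(frozen=True)
class ClientDetails:    # T_AUTH_OAUTH2_CLIENT_DETAILS
    client_id: str
    client_secret: str  # store hashed at rest in a real system; plain here for brevity
    redirect_uri: str
    scopes: frozenset   # scopes the client is registered for (T_AUTH_OAUTH2_SCOPE)


@dataclass
class AuthCode:         # T_AUTH_OAUTH2_CODE
    client_id: str
    user_id: str
    redirect_uri: str
    scopes: frozenset
    expires_at: datetime
    used: bool = False


@dataclass(frozen=True)
class Token:            # T_AUTH_OAUTH2_ACCESS_TOKEN / T_AUTH_OAUTH2_REFRESH_TOKEN
    client_id: str
    user_id: str
    scopes: frozenset
    expires_at: datetime


class Oauth2Store:
    def __init__(self):
        self.clients, self.codes = {}, {}
        self.access_tokens, self.refresh_tokens = {}, {}

    def register_client(self, client):
        self.clients[client.client_id] = client

    def issue_code(self, client_id, user_id, redirect_uri, scopes, now=NOW):
        """Authorization step: requested scopes must be within the client's registered set
        and the redirect URI must match the registration."""
        client = self.clients[client_id]
        scopes = frozenset(scopes)
        if not scopes <= client.scopes or redirect_uri != client.redirect_uri:
            raise ValueError("scope or redirect_uri not allowed for this client")
        code = secrets.token_urlsafe(32)
        self.codes[code] = AuthCode(client_id, user_id, redirect_uri, scopes, now + CODE_TTL)
        return code

    def exchange_code(self, client_id, client_secret, code, redirect_uri, now=NOW):
        """Token step: returns (access, refresh) token strings, or None on any failure.
        Every failure returns the same None, so a caller cannot tell a bad secret
        from a replayed or expired code."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client.client_secret, client_secret):
            return None
        entry = self.codes.get(code)
        if (entry is None or entry.used or entry.client_id != client_id
                or entry.redirect_uri != redirect_uri or now >= entry.expires_at):
            return None
        entry.used = True  # authorization codes are single use
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access_tokens[access] = Token(client_id, entry.user_id, entry.scopes, now + ACCESS_TTL)
        self.refresh_tokens[refresh] = Token(client_id, entry.user_id, entry.scopes, now + REFRESH_TTL)
        return access, refresh

    def check_access(self, access_token, required_scope, now=NOW):
        """Resource-server side: token must exist, be unexpired and carry the scope."""
        tok = self.access_tokens.get(access_token)
        return tok is not None and now < tok.expires_at and required_scope in tok.scopes


def demo():
    """Runs the happy path plus the failure modes worth checking; returns the outcomes."""
    store = Oauth2Store()
    store.register_client(ClientDetails("ci-cli", "s3cret", "https://cli.example/cb",
                                        frozenset({"pipeline:view", "pipeline:execute"})))
    uri = "https://cli.example/cb"
    code = store.issue_code("ci-cli", "alice", uri, {"pipeline:view"})
    pair = store.exchange_code("ci-cli", "s3cret", code, uri)
    access = pair[0] if pair else None
    late = store.issue_code("ci-cli", "alice", uri, {"pipeline:view"})
    try:
        store.issue_code("ci-cli", "alice", uri, {"admin"})
        over_scope_rejected = False
    except ValueError:
        over_scope_rejected = True
    return {
        "exchanged": pair is not None,
        "scoped_ok": access is not None and store.check_access(access, "pipeline:view"),
        "scope_missing": access is not None and store.check_access(access, "pipeline:execute"),
        "replay": store.exchange_code("ci-cli", "s3cret", code, uri) is not None,
        "bad_secret": store.exchange_code("ci-cli", "wrong", late, uri) is not None,
        "expired": store.exchange_code("ci-cli", "s3cret", late, uri, now=NOW + CODE_TTL) is not None,
        "token_expired": access is not None and store.check_access(access, "pipeline:view", now=NOW + ACCESS_TTL),
        "over_scope_rejected": over_scope_rejected,
    }
```

Running `demo()` returns a dict in which only `exchanged`, `scoped_ok` and `over_scope_rejected` are true; the replayed code, the wrong secret, the expired code and the expired access token are all refused, which is the behaviour each of the five tables exists to support.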
5. Core class quick reference
5.1 API interface layer
| Class | Path prefix | Responsibility |
|---|---|---|
| ServicePermissionAuthResource | /service/auth/permission | Service-to-service permission checks |
| ServiceProjectAuthResource | /service/auth/project | Service-to-service project permissions |
| ServiceResourceGroupResource | /service/auth/resource/group | User group management |
| ServiceResourceMemberResource | /service/auth/resource/member | Group member management |
| UserAuthApplyResource | /user/auth/apply | User permission requests |
| UserAuthAuthorizationResource | /user/auth/authorization | User authorization management |
OpenPermissionAuthResource | `/open/auth |