permission-model-change-guide


Rules for changing the IAM RBAC permission model, covering resource type definitions, action permission configuration, permission migration scripts and IAM callback implementation. Use when the user modifies the permission model, adds a new resource type, configures action permissions or writes a permission migration script.

Install

mkdir -p .claude/skills/permission-model-change-guide && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4077" && unzip -o skill.zip -d .claude/skills/permission-model-change-guide && rm skill.zip

Installs to .claude/skills/permission-model-change-guide

About this skill

IAM Permission Center: Best Practice Guide for Integrating a Resource Type

Overview

This guide distils the experience of integrating the creative_stream resource type into the permission center into a reusable standard procedure, so that team members can complete the permission integration of a new resource type quickly.

Integration flow overview

┌─────────────────────────────────────────────────────────────────────────────┐
│                     IAM resource type integration flow                      │
├─────────────────────────────────────────────────────────────────────────────┤
│                                                                             │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐    ┌──────────────────────┐  │
│  │ 1.Analyze│───▶│ 2.Backend│───▶│ 3.IAM    │───▶│ 4.Database config    │  │
│  │   reqs   │    │   enum   │    │   config │    │  (SQL or API)        │  │
│  └──────────┘    └──────────┘    └──────────┘    └──────────────────────┘  │
│                                                                             │
│  ┌──────────┐    ┌──────────┐    ┌──────────┐                              │
│  │ 5.i18n   │───▶│ 6.User   │───▶│ 7.Verify │                              │
│  │   config │    │   groups │    │   & test │                              │
│  └──────────┘    └──────────┘    └──────────┘                              │
│                                                                             │
│  ⚡ Recommended: use the API instead of SQL scripts; simpler and safer     │
│                                                                             │
└─────────────────────────────────────────────────────────────────────────────┘

Step 1: Requirements analysis and planning

1.1 Determine the resource type information

| Item             | Description                                  | Example         |
|------------------|----------------------------------------------|-----------------|
| Resource type ID | Globally unique identifier, in snake_case    | creative_stream |
| Chinese name     | Shown in the UI                              | 创作流          |
| English name     | Shown in the UI and in logs                  | Creative Stream |
| Parent resource  | Usually project                              | project         |

1.2 Determine the list of permission actions

Design the action list with reference to an existing resource type (such as pipeline):

| Action type | Naming convention  | Description                     | Related resource type |
|-------------|--------------------|---------------------------------|-----------------------|
| create      | {resource}_create  | Create a resource               | project (special case) |
| list        | {resource}_list    | List resources                  | {resource}            |
| view        | {resource}_view    | View details                    | {resource}            |
| edit        | {resource}_edit    | Edit a resource                 | {resource}            |
| delete      | {resource}_delete  | Delete a resource               | {resource}            |
| execute     | {resource}_execute | Execute a resource              | {resource}            |
| manage      | {resource}_manage  | Manage permissions              | {resource}            |
| other       | as needed          | e.g. download, share, archive   | {resource}            |

Note: the related_resource_type of the create action must be project, because the resource does not exist yet at creation time.

1.3 Design the permission dependency graph

project_visit (base permission)
    │
    ├── {resource}_create ──────────────────────────────┐
    │                                                   │
    └── {resource}_list                                 │
            │                                           │
            └── {resource}_view                         │
                    │                                   │
                    ├── {resource}_edit ────────────────┤
                    │       │                           │
                    │       ├── {resource}_manage       │
                    │       └── {resource}_archive      │
                    │                                   │
                    ├── {resource}_delete               │
                    ├── {resource}_execute              │
                    ├── {resource}_download             │
                    └── {resource}_share                │

Step 2: Backend enum definition

2.1 Modify AuthResourceType.kt

File path: src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/AuthResourceType.kt

enum class AuthResourceType(val value: String) {
    // ... existing entries ...

    PIPELINE_DEFAULT("pipeline"),
    PIPELINE_GROUP("pipeline_group"),
    PIPELINE_TEMPLATE("pipeline_template"),
    CREATIVE_STREAM("creative_stream"),  // Added: creative stream type

    // ... other entries ...
}

Naming conventions:

  • Enum name: upper case with underscores, CREATIVE_STREAM
  • value: lower case with underscores, creative_stream

Step 3: IAM RBAC configuration files

Five JSON files under the support-files/bkiam-rbac/ directory need to be modified:

3.1 Resource type definition (0003_resource_*.json)

{
  "operation": "upsert_resource_type",
  "data": {
    "id": "creative_stream",
    "name": "创作流",
    "name_en": "Creative Stream",
    "parents": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      }
    ],
    "provider_config": {
      "path": "/api/open/auth/resource/instances/list?x-devops-project-id=rbac-project"
    },
    "version": 1
  }
}

3.2 Instance selection (0004_instance-views_*.json)

{
  "operation": "upsert_instance_selection",
  "data": {
    "id": "creative_stream_instance",
    "name": "创作流",
    "name_en": "Creative Stream",
    "resource_type_chain": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      },
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream"
      }
    ]
  }
}

3.3 Action definitions (0005_action_*.json)

Each action needs a definition like the following:

{
  "operation": "upsert_action",
  "data": {
    "id": "creative_stream_view",
    "name": "查看创作流",
    "name_en": "Creative Stream View",
    "type": "view",
    "related_resource_types": [
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream",
        "selection_mode": "instance",
        "related_instance_selections": [
          {
            "system_id": "bk_ci_rbac",
            "id": "creative_stream_instance"
          }
        ]
      }
    ],
    "related_actions": ["project_visit", "creative_stream_list"],
    "version": 1
  }
}

Key fields:

| Field                  | Description                                                      |
|------------------------|------------------------------------------------------------------|
| type                   | Action type: view/edit/delete/create/execute                     |
| related_resource_types | Resource types the action applies to                             |
| selection_mode         | Selection mode: instance (instance level) / all (all instances)  |
| related_actions        | Prerequisite actions this action depends on                      |

Special configuration for the create action:

{
  "id": "creative_stream_create",
  "related_resource_types": [
    {
      "system_id": "bk_ci_rbac",
      "id": "project",  // relates to project, not creative_stream
      "selection_mode": "instance",
      "related_instance_selections": [
        {
          "system_id": "bk_ci_rbac",
          "id": "project_instance"
        }
      ]
    }
  ],
  "related_actions": ["project_visit"]
}

3.4 Action groups (0006_group_*.json)

Put all of the actions into one group so that the IAM UI can display them together:

{
  "operation": "upsert_action_groups",
  "data": {
    "action_groups": [
      {
        "name": "创作流",
        "name_en": "Creative Stream",
        "actions": [
          {"id": "creative_stream_create"},
          {"id": "creative_stream_list"},
          {"id": "creative_stream_view"},
          {"id": "creative_stream_edit"},
          {"id": "creative_stream_delete"},
          {"id": "creative_stream_execute"},
          {"id": "creative_stream_download"},
          {"id": "creative_stream_share"},
          {"id": "creative_stream_manage"},
          {"id": "creative_stream_archive"}
        ]
      }
    ]
  }
}

3.5 Creator-related actions (0007_create-related_*.json)

Define the permissions that are granted to the creator automatically after a resource is created:

{
  "id": "creative_stream",
  "actions": [
    {"id": "creative_stream_list", "required": false},
    {"id": "creative_stream_view", "required": false},
    {"id": "creative_stream_edit", "required": false},
    {"id": "creative_stream_delete", "required": false},
    {"id": "creative_stream_execute", "required": false},
    {"id": "creative_stream_download", "required": false},
    {"id": "creative_stream_share", "required": false},
    {"id": "creative_stream_manage", "required": false},
    {"id": "creative_stream_archive", "required": false}
  ]
}
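The rules stated in 1.2, 1.3 and 3.3 to 3.5 (create relates to project and every other action to the resource itself, dependencies chain back to project_visit, the action group and the creator grants reference only defined actions) can be checked before the JSON files are committed. The following Python is an added example written for this page, not code from the BK-CI project; the action, group and create-related samples in it are constructed copies of the page's JSON reduced to the fields the rules need.

```python
RESOURCE = "creative_stream"
SYSTEM = "bk_ci_rbac"

def _rel(type_id):  # constructed related_resource_types entry in the 0005 file format
    return [{"system_id": SYSTEM, "id": type_id}]

# Constructed sample of the "data" blocks of the 0005_action_*.json files, keyed by action id.
ACTIONS = {
    f"{RESOURCE}_create": {"type": "create", "related_resource_types": _rel("project"),
                           "related_actions": ["project_visit"]},
    f"{RESOURCE}_list": {"type": "list", "related_resource_types": _rel(RESOURCE),
                         "related_actions": ["project_visit"]},
    f"{RESOURCE}_view": {"type": "view", "related_resource_types": _rel(RESOURCE),
                         "related_actions": ["project_visit", f"{RESOURCE}_list"]},
    f"{RESOURCE}_edit": {"type": "edit", "related_resource_types": _rel(RESOURCE),
                         "related_actions": [f"{RESOURCE}_view"]},
}
# Constructed samples of the 0006 action group and the 0007 create-related list.
GROUP_ACTIONS = [f"{RESOURCE}_create", f"{RESOURCE}_list", f"{RESOURCE}_view", f"{RESOURCE}_edit"]
CREATE_RELATED = [f"{RESOURCE}_list", f"{RESOURCE}_view", f"{RESOURCE}_edit"]

def validate(actions, group_actions, create_related, resource=RESOURCE):
    """Return a list of problems; an empty list means the definitions are consistent."""
    problems = []
    for aid, a in actions.items():
        # Rule from 1.2/3.3: create relates to project, every other action to the resource itself.
        related = [r["id"] for r in a["related_resource_types"]]
        expected = "project" if a["type"] == "create" else resource
        if related != [expected]:
            problems.append(f"{aid}: related_resource_types {related}, expected [{expected!r}]")
        # Rule from 1.3: every dependency must be defined and chain back to project_visit.
        closure, stack, reaches_visit = set(), list(a["related_actions"]), False
        while stack:
            dep = stack.pop()
            if dep == "project_visit":
                reaches_visit = True
            elif dep not in actions:
                problems.append(f"{aid}: depends on undefined action {dep}")
            elif dep not in closure:  # the closure set keeps a cyclic definition from looping forever
                closure.add(dep)
                stack.extend(actions[dep]["related_actions"])
        if not reaches_visit:
            problems.append(f"{aid}: dependency chain does not reach project_visit")
    # 0006: the action group may only list defined actions.
    problems += [f"action group lists undefined action {g}" for g in group_actions if g not in actions]
    # 0007: creator grants apply to the new instance, so the project-scoped create action cannot be one.
    problems += [f"create-related grant {c} is undefined or is the create action"
                 for c in create_related if c not in actions or actions[c]["type"] == "create"]
    return problems
```

Run validate() over the parsed "data" objects of the real files; any non-empty result is a definition that IAM would accept syntactically but that breaks the dependency model described above.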

Step 4: Database DML scripts

4.1 Script types and purposes

| Script type           | File location                                                        | Purpose                                                        | Required?    |
|-----------------------|----------------------------------------------------------------------|----------------------------------------------------------------|--------------|
| Initialization script | support-files/sql/5001_init_dml/5001_ci_auth-init_dml_mysql.sql      | Data initialization for open-source community deployments      | Required     |
| Incremental script    | openspec/changes/{change-id}/specs/auth-resource-type/xxx_dml.sql    | Incremental changes to existing data in internal production    | Internal use |
| API                   | /api/op/auth/resourceTypeConfig/*                                    | Runtime changes to existing data in internal production        | Internal use |

Important:

  • The initialization script is mandatory; it initializes the permission data for new open-source community deployments
  • The incremental script and the API are alternatives (use one or the other) for changing data in the internal production environment

4.2 Table overview

| Table                        | Description                                              |
|------------------------------|----------------------------------------------------------|
| T_AUTH_RESOURCE_TYPE         | Resource type definitions                                |
| T_AUTH_ACTION                | Action definitions                                       |
| T_AUTH_RESOURCE_GROUP_CONFIG | User group configuration (resource level + project level) |

4.3 Add the resource type

REPLACE INTO T_AUTH_RESOURCE_TYPE (
    `ID`, RESOURCE_TYPE, NAME, ENGLISH_NAME, `DESC`, ENGLISH_DESC,
    PARENT, `SYSTEM`, CREATE_USER, CREATE_TIME, UPDATE_USER, UPDATE_TIME, `DELETE`
) VALUES (
    22,  -- query the current maximum ID and add 1
    'creative_stream',
    '创作流',
    'Creative Stream',
    '创作流',
    'Creative Stream',
    'project',
    'bk_ci_rbac',
    'system',
    NOW(),
    'system',
    NOW(),
    0
);

4.4 Add the action definitions

REPLACE INTO T_AUTH_ACTION(
    `ACTION`, RESOURCE_TYPE, RELATED_RESOURCE_TYPE, ACTION_NAME,
    ENGLISH_NAME, CREATE_USER, CREATE_TIME, UPDATE_TIME, `DELETE`, ACTION_TYPE
) VALUES
    ('creative_stream_view', 'creative_stream', 'creative_stream',
     '查看创作流', 'Creative Stream View', 'system', NOW(), NOW(), 0, 'view'),
    ('creative_stream_create', 'creative_stream', 'project',  -- note: relates to project
     '创建创作流', 'Creative Stream Create', 'system', NOW(), NOW(), 0, 'create')
    -- ... add the remaining actions as further comma-separated rows
;

4.5 Add resource-level user groups

Resource-level user groups manage the permissions of a single resource instance:

-- Owner group (all permissions)
REPLACE INTO T_AUTH_RESOURCE_GROUP_CONFIG(
    `ID`, `RESOURCE_TYPE`, `GROUP_CODE`, `GROUP_NAME`, `CREATE_MODE`, `GROUP_TYPE`,
    `DESCRIPTION`, `AUTHORIZATION_SCOPES`, `ACTIONS`
) VALUES (
    70,  -- query the current maximum ID and add 1
    'creative_stream',
    'manager',
    '拥有者',
    0,
    0,
    '创作流拥有者,可以管理当前创作流的权限',
    '[授权范围 JSON]',
    '["creative_stream_view","creative_stream_edit",...]'
);

Standard resource-level user group configuration:

| Group code | Group name | Typical permissions                              |
|------------|------------|--------------------------------------------------|
| manager    | Owner      | All permissions (except create)                  |
| editor     | Editor     | view + edit + execute + list + download + share  |
| executor   | Executor   | view + execute + list + download + share         |
| viewer     | Viewer     | view + list + download + share                   |

4.6 Update project-level user groups

Add the new resource's permissions to the existing project-level user groups:

-- append the permissions with JSON_ARRAY_APPEND
UPDATE T_AUTH_RESOURCE_GROUP_CONFIG
SET AUTHORIZATION_SCOPES = JSON_ARRAY_APPEND(
    AUTHORIZATION_SCOPES,
    '$',
    JSON_OBJECT(
        'system', '#system#',
        'actions', JSON_ARRAY(
            JSON_OBJECT('id', 'creative_stream_list'),
            JSON_OBJECT('id', 'creative_st
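The group table in 4.5 and the JSON_ARRAY_APPEND update in 4.6 can be generated and rehearsed in Python before the SQL is written. This is an added example, not the project's code; it assumes a scope object carries only the keys visible in the SQL above (system, actions), uses the page's '#system#' value as the system placeholder, and the existing scope value it starts from is constructed.

```python
import json

RESOURCE = "creative_stream"

# Standard resource-level groups from 4.5: manager holds every action except create.
ALL_OPS = ["list", "view", "edit", "delete", "execute", "download", "share", "manage", "archive"]
GROUP_OPS = {
    "manager": ALL_OPS,
    "editor": ["view", "edit", "execute", "list", "download", "share"],
    "executor": ["view", "execute", "list", "download", "share"],
    "viewer": ["view", "list", "download", "share"],
}

# Constructed sample of an existing project-level AUTHORIZATION_SCOPES value.
# Assumption: a scope object carries only the keys visible in the 4.6 SQL (system, actions).
EXISTING_SCOPES = json.dumps([{"system": "#system#", "actions": [{"id": "pipeline_view"}]}])


def group_actions(group_code, resource=RESOURCE):
    """ACTIONS column value (a JSON array string) for one resource-level group."""
    return json.dumps([f"{resource}_{op}" for op in GROUP_OPS[group_code]])


def append_scope(authorization_scopes, resource, ops, system="#system#"):
    """Python mirror of the JSON_ARRAY_APPEND update in 4.6, made idempotent.

    JSON_ARRAY_APPEND appends unconditionally, so re-running the migration would
    grant the same actions twice. Here a scope that already holds an action of
    this resource is left untouched. Returns (new_value, changed).
    """
    scopes = json.loads(authorization_scopes)
    prefix = f"{resource}_"
    for scope in scopes:
        if any(a["id"].startswith(prefix) for a in scope.get("actions", [])):
            return authorization_scopes, False
    scopes.append({"system": system, "actions": [{"id": f"{resource}_{op}"} for op in ops]})
    return json.dumps(scopes, ensure_ascii=False), True


if __name__ == "__main__":
    for code in GROUP_OPS:
        print(code, group_actions(code))
    updated, changed = append_scope(EXISTING_SCOPES, RESOURCE, GROUP_OPS["viewer"])
    print(changed, updated)
    print(append_scope(updated, RESOURCE, GROUP_OPS["viewer"])[1])  # False: already granted
```

The re-run check matters because the REPLACE INTO statements above are idempotent but the UPDATE is not: executing the migration twice would leave a duplicate scope entry in the project-level group.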

---

*Content truncated.*
