permission-model-change-guide


Rules for changing the IAM RBAC permission model, covering resource type definitions, action permission configuration, permission migration scripts and the IAM callback implementation. Use it when a user modifies the permission model, adds a new resource type, configures action permissions or writes a permission migration script.

Install

mkdir -p .claude/skills/permission-model-change-guide && curl -L -o skill.zip "https://mcp.directory/api/skills/download/4077" && unzip -o skill.zip -d .claude/skills/permission-model-change-guide && rm skill.zip

Installs to .claude/skills/permission-model-change-guide

About this skill

IAM Permission Center: Best Practices for Onboarding a Resource Type

Overview

This guide distills the experience of onboarding the creative_stream resource type to the permission center into a reusable standard procedure, so that team members can onboard a new resource type quickly.

Onboarding flow overview

┌─────────────────────────────────────────────────────────────────────────────────────────────┐
│                              IAM resource type onboarding flow                              │
├─────────────────────────────────────────────────────────────────────────────────────────────┤
│                                                                                             │
│  ┌────────────────┐   ┌────────────────┐   ┌────────────────┐   ┌────────────────────────┐  │
│  │ 1. Requirement │──▶│ 2. Backend     │──▶│ 3. IAM config  │──▶│ 4. Database config     │  │
│  │    analysis    │   │    enum        │   │                │   │ (SQL or API, pick one) │  │
│  └────────────────┘   └────────────────┘   └────────────────┘   └────────────────────────┘  │
│                                                                                             │
│  ┌────────────────┐   ┌────────────────┐   ┌────────────────┐                               │
│  │ 5. i18n        │──▶│ 6. User groups │──▶│ 7. Verify      │                               │
│  │    config      │   │    config      │   │    and test    │                               │
│  └────────────────┘   └────────────────┘   └────────────────┘                               │
│                                                                                             │
│  ⚡ Recommended: use the API instead of SQL scripts; simpler and safer                       │
│                                                                                             │
└─────────────────────────────────────────────────────────────────────────────────────────────┘

Step 1: Requirements analysis and planning

1.1 Decide the resource type information

| Item             | Description                              | Example         |
|------------------|------------------------------------------|-----------------|
| Resource type ID | Globally unique identifier in snake_case | creative_stream |
| Chinese name     | Shown in the UI                          | 创作流          |
| English name     | Shown in the UI and in logs              | Creative Stream |
| Parent resource  | Usually project                          | project         |

1.2 Decide the list of actions

Design the action list with reference to an existing resource type (such as pipeline):

| Action type | Naming convention  | Description                    | Related resource type  |
|-------------|--------------------|--------------------------------|------------------------|
| create      | {resource}_create  | Create a resource              | project (special case) |
| list        | {resource}_list    | List resources                 | {resource}             |
| view        | {resource}_view    | View details                   | {resource}             |
| edit        | {resource}_edit    | Edit a resource                | {resource}             |
| delete      | {resource}_delete  | Delete a resource              | {resource}             |
| execute     | {resource}_execute | Execute a resource             | {resource}             |
| manage      | {resource}_manage  | Manage permissions             | {resource}             |
| other       | as needed          | e.g. download, share, archive  | {resource}             |

Note: the related_resource_type of the create action must be project, because the resource does not exist yet at creation time.

1.3 Design the permission dependencies

project_visit (base permission)
    │
    ├── {resource}_create ──────────────────────────────┐
    │                                                   │
    └── {resource}_list                                 │
            │                                           │
            └── {resource}_view                         │
                    │                                   │
                    ├── {resource}_edit ────────────────┤
                    │       │                           │
                    │       ├── {resource}_manage       │
                    │       └── {resource}_archive      │
                    │                                   │
                    ├── {resource}_delete               │
                    ├── {resource}_execute              │
                    ├── {resource}_download             │
                    └── {resource}_share                │

Step 2: Backend enum definition

2.1 Modify AuthResourceType.kt

File path: src/backend/ci/core/common/common-auth/common-auth-api/src/main/kotlin/com/tencent/devops/common/auth/api/AuthResourceType.kt

enum class AuthResourceType(val value: String) {
    // ... existing entries ...

    PIPELINE_DEFAULT("pipeline"),
    PIPELINE_GROUP("pipeline_group"),
    PIPELINE_TEMPLATE("pipeline_template"),
    CREATIVE_STREAM("creative_stream"),  // new: creative stream type

    // ... other entries ...
}

Naming convention:

  • Enum name: upper snake case, e.g. CREATIVE_STREAM
  • value: lower snake case, e.g. creative_stream

Step 3: IAM RBAC configuration files

Five JSON files under the support-files/bkiam-rbac/ directory need to be modified:

3.1 Resource type definition (0003_resource_*.json)

{
  "operation": "upsert_resource_type",
  "data": {
    "id": "creative_stream",
    "name": "创作流",
    "name_en": "Creative Stream",
    "parents": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      }
    ],
    "provider_config": {
      "path": "/api/open/auth/resource/instances/list?x-devops-project-id=rbac-project"
    },
    "version": 1
  }
}

3.2 Instance selection (0004_instance-views_*.json)

{
  "operation": "upsert_instance_selection",
  "data": {
    "id": "creative_stream_instance",
    "name": "创作流",
    "name_en": "Creative Stream",
    "resource_type_chain": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project"
      },
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream"
      }
    ]
  }
}

3.3 Action definitions (0005_action_*.json)

Each action needs a definition like the following:

{
  "operation": "upsert_action",
  "data": {
    "id": "creative_stream_view",
    "name": "查看创作流",
    "name_en": "Creative Stream View",
    "type": "view",
    "related_resource_types": [
      {
        "system_id": "bk_ci_rbac",
        "id": "creative_stream",
        "selection_mode": "instance",
        "related_instance_selections": [
          {
            "system_id": "bk_ci_rbac",
            "id": "creative_stream_instance"
          }
        ]
      }
    ],
    "related_actions": ["project_visit", "creative_stream_list"],
    "version": 1
  }
}

Key fields:

| Field                  | Description                                                    |
|------------------------|----------------------------------------------------------------|
| type                   | Action type: view/edit/delete/create/execute                   |
| related_resource_types | Resource types the action is bound to                          |
| selection_mode         | Selection mode: instance (instance level) / all (everything)   |
| related_actions        | Prerequisite actions this action depends on                    |

Special configuration for the create action. Its related resource type is project rather than creative_stream, and its only prerequisite is project_visit (the JSON below is a complete upsert_action operation; JSON does not allow comments, so the note is kept here):

{
  "operation": "upsert_action",
  "data": {
    "id": "creative_stream_create",
    "name": "创建创作流",
    "name_en": "Creative Stream Create",
    "type": "create",
    "related_resource_types": [
      {
        "system_id": "bk_ci_rbac",
        "id": "project",
        "selection_mode": "instance",
        "related_instance_selections": [
          {
            "system_id": "bk_ci_rbac",
            "id": "project_instance"
          }
        ]
      }
    ],
    "related_actions": ["project_visit"],
    "version": 1
  }
}

3.4 Action group (0006_group_*.json)

Put all actions into one group so that the IAM UI can display them together:

{
  "operation": "upsert_action_groups",
  "data": {
    "action_groups": [
      {
        "name": "创作流",
        "name_en": "Creative Stream",
        "actions": [
          {"id": "creative_stream_create"},
          {"id": "creative_stream_list"},
          {"id": "creative_stream_view"},
          {"id": "creative_stream_edit"},
          {"id": "creative_stream_delete"},
          {"id": "creative_stream_execute"},
          {"id": "creative_stream_download"},
          {"id": "creative_stream_share"},
          {"id": "creative_stream_manage"},
          {"id": "creative_stream_archive"}
        ]
      }
    ]
  }
}

3.5 Creator-related actions (0007_create-related_*.json)

Define the permissions automatically granted to the creator after a resource is created:

{
  "id": "creative_stream",
  "actions": [
    {"id": "creative_stream_list", "required": false},
    {"id": "creative_stream_view", "required": false},
    {"id": "creative_stream_edit", "required": false},
    {"id": "creative_stream_delete", "required": false},
    {"id": "creative_stream_execute", "required": false},
    {"id": "creative_stream_download", "required": false},
    {"id": "creative_stream_share", "required": false},
    {"id": "creative_stream_manage", "required": false},
    {"id": "creative_stream_archive", "required": false}
  ]
}
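The five files above describe one resource type, its instance selection, its actions, the action group and the creator grants, and the rules from 1.2, 1.3 and 3.3 (create is bound to project, every other action is bound to the resource type itself, related_actions must resolve and must not form a cycle, every action must sit in a group) are easy to break when editing by hand. The following script is an added example and is not part of BK-CI or of this guide: it loads a list of such operations plus the create-related block and reports inconsistencies. The sample operations are a constructed, trimmed creative_stream set; the project resource type, the project_instance selection and the project_visit action are assumed to already exist in the system, as they do in the guide.

```python
"""Consistency checks over bkiam-rbac JSON operations (added example, not BK-CI's own tooling)."""
import re

SNAKE = re.compile(r"^[a-z][a-z0-9]*(?:_[a-z0-9]+)*$")
SYSTEM = "bk_ci_rbac"
# Objects assumed to exist in the system before this change (all three appear in the guide).
KNOWN_RESOURCE_TYPES, KNOWN_SELECTIONS, KNOWN_ACTIONS = {"project"}, {"project_instance"}, {"project_visit"}


def action_op(aid, atype, rid, selection, deps):
    """An upsert_action operation in the 0005_action_*.json shape (names shortened for the sample)."""
    return {"operation": "upsert_action", "data": {
        "id": aid, "name_en": aid, "type": atype, "related_actions": deps, "version": 1,
        "related_resource_types": [{"system_id": SYSTEM, "id": rid, "selection_mode": "instance",
                                    "related_instance_selections": [{"system_id": SYSTEM, "id": selection}]}]}}


# Constructed sample: a trimmed creative_stream change (three actions instead of ten).
SAMPLE_OPS = [
    {"operation": "upsert_resource_type", "data": {
        "id": "creative_stream", "name_en": "Creative Stream", "version": 1,
        "parents": [{"system_id": SYSTEM, "id": "project"}]}},
    {"operation": "upsert_instance_selection", "data": {
        "id": "creative_stream_instance", "name_en": "Creative Stream",
        "resource_type_chain": [{"system_id": SYSTEM, "id": "project"},
                                {"system_id": SYSTEM, "id": "creative_stream"}]}},
    action_op("creative_stream_create", "create", "project", "project_instance", ["project_visit"]),
    action_op("creative_stream_list", "list", "creative_stream", "creative_stream_instance",
              ["project_visit"]),
    action_op("creative_stream_view", "view", "creative_stream", "creative_stream_instance",
              ["project_visit", "creative_stream_list"]),
    {"operation": "upsert_action_groups", "data": {"action_groups": [{
        "name_en": "Creative Stream",
        "actions": [{"id": a} for a in ("creative_stream_create", "creative_stream_list",
                                        "creative_stream_view")]}]}},
]
# 0007_create-related_*.json has no operation wrapper in the guide, so it is passed separately.
SAMPLE_CREATE_RELATED = {"id": "creative_stream", "actions": [
    {"id": "creative_stream_list", "required": False}, {"id": "creative_stream_view", "required": False}]}


def check_action(d, rtypes, selections, actions):
    """Rules from 1.2 / 3.3: {resource}_{type} naming, create binds to project, the rest bind to themselves."""
    aid, atype, errs = d["id"], d["type"], []
    if not SNAKE.match(aid):
        errs.append(f"action id {aid!r} is not snake_case")
    resource = aid.rpartition("_")[0]
    if resource not in rtypes:
        errs.append(f"{aid}: prefix {resource!r} is not a known resource type")
    expected = "project" if atype == "create" else resource
    for r in d["related_resource_types"]:
        if r["id"] not in rtypes:
            errs.append(f"{aid}: related resource type {r['id']!r} is undefined")
        elif r["id"] != expected:
            errs.append(f"{aid}: {atype} action must relate to {expected!r}, found {r['id']!r}")
        errs += [f"{aid}: instance selection {s['id']!r} is undefined"
                 for s in r.get("related_instance_selections", []) if s["id"] not in selections]
    errs += [f"{aid}: related action {dep!r} is undefined"
             for dep in d.get("related_actions", []) if dep not in actions and dep not in KNOWN_ACTIONS]
    return errs


def has_cycle(actions):
    """True if related_actions form a cycle among the actions defined in this batch (DFS colouring)."""
    state = {}  # 1 = on the current DFS path, 2 = finished

    def visit(a):
        if a not in actions or state.get(a) == 2:
            return False
        if state.get(a) == 1:
            return True
        state[a] = 1
        if any(visit(dep) for dep in actions[a].get("related_actions", [])):
            return True
        state[a] = 2
        return False

    return any(visit(a) for a in actions)


def validate(ops, create_related):
    """Return a list of problems; an empty list means the batch is internally consistent."""
    rtypes, selections = set(KNOWN_RESOURCE_TYPES), set(KNOWN_SELECTIONS)
    actions, grouped, errors = {}, set(), []
    for op in ops:  # pass 1: collect ids so that references inside the same batch resolve
        d, kind = op["data"], op["operation"]
        if kind == "upsert_resource_type":
            rtypes.add(d["id"])
        elif kind == "upsert_instance_selection":
            selections.add(d["id"])
        elif kind == "upsert_action":
            actions[d["id"]] = d
    for op in ops:  # pass 2: check every operation against what is now known
        d, kind = op["data"], op["operation"]
        if kind == "upsert_resource_type":
            if not SNAKE.match(d["id"]):
                errors.append(f"resource type id {d['id']!r} is not snake_case")
            errors += [f"{d['id']}: unknown parent {p['id']!r}" for p in d.get("parents", []) if p["id"] not in rtypes]
        elif kind == "upsert_instance_selection":
            errors += [f"{d['id']}: chain references unknown resource type {c['id']!r}"
                       for c in d["resource_type_chain"] if c["id"] not in rtypes]
        elif kind == "upsert_action":
            errors += check_action(d, rtypes, selections, actions)
        elif kind == "upsert_action_groups":
            for g in d["action_groups"]:
                errors += [f"group {g['name_en']!r}: undefined action {a['id']!r}" for a in g["actions"] if a["id"] not in actions]
                grouped.update(a["id"] for a in g["actions"])
    errors += [f"action {a!r} is not in any action group" for a in actions if a not in grouped]
    if has_cycle(actions):
        errors.append("related_actions form a cycle")
    for a in create_related["actions"]:  # 3.5: creator grants are this type's own non-create actions
        aid = a["id"]
        if aid not in actions or not aid.startswith(create_related["id"] + "_"):
            errors.append(f"create-related: {aid!r} is not an action of {create_related['id']!r}")
        elif actions[aid]["type"] == "create":
            errors.append(f"create-related: {aid!r} is the create action and cannot be granted on an instance")
    return errors
```

To use it against the real files, load each JSON file under support-files/bkiam-rbac/ with json.load, collect the operations into one list in file order, and pass the 0007 block separately; the two-pass layout means the order of the files does not matter, and an empty result is the signal to proceed to the database step.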

Step 4: Database DML scripts

4.1 Script types and their purposes

| Script type         | Location                                                           | Purpose                                                              | Required     |
|---------------------|--------------------------------------------------------------------|----------------------------------------------------------------------|--------------|
| Initialization script | support-files/sql/5001_init_dml/5001_ci_auth-init_dml_mysql.sql  | Seeds the data for open-source community deployments                 | Required     |
| Incremental script  | openspec/changes/{change-id}/specs/auth-resource-type/xxx_dml.sql  | Incremental change to data that already exists in internal production | Internal use |
| API                 | /api/op/auth/resourceTypeConfig/*                                  | Runtime change to data that already exists in internal production    | Internal use |

Important:

  • The initialization script is mandatory; it seeds the permission data for new open-source community deployments.
  • Choose either the incremental script or the API for data changes in the internal production environment.

4.2 Table overview

| Table                        | Description                                              |
|------------------------------|----------------------------------------------------------|
| T_AUTH_RESOURCE_TYPE         | Resource type definitions                                |
| T_AUTH_ACTION                | Action definitions                                       |
| T_AUTH_RESOURCE_GROUP_CONFIG | User group configuration (resource level + project level) |

4.3 Add the resource type

REPLACE INTO T_AUTH_RESOURCE_TYPE (
    `ID`, RESOURCE_TYPE, NAME, ENGLISH_NAME, `DESC`, ENGLISH_DESC,
    PARENT, `SYSTEM`, CREATE_USER, CREATE_TIME, UPDATE_USER, UPDATE_TIME, `DELETE`
) VALUES (
    22,  -- current MAX(ID) + 1, looked up beforehand
    'creative_stream',
    '创作流',
    'Creative Stream',
    '创作流',
    'Creative Stream',
    'project',
    'bk_ci_rbac',
    'system',
    NOW(),
    'system',
    NOW(),
    0
);

4.4 Add the action definitions

REPLACE INTO T_AUTH_ACTION(
    `ACTION`, RESOURCE_TYPE, RELATED_RESOURCE_TYPE, ACTION_NAME,
    ENGLISH_NAME, CREATE_USER, CREATE_TIME, UPDATE_TIME, `DELETE`, ACTION_TYPE
) VALUES
    ('creative_stream_view', 'creative_stream', 'creative_stream',
     '查看创作流', 'Creative Stream View', 'system', NOW(), NOW(), 0, 'view'),
    ('creative_stream_create', 'creative_stream', 'project',  -- note: bound to project
     '创建创作流', 'Creative Stream Create', 'system', NOW(), NOW(), 0, 'create');
    -- ... add one row per remaining action; only the last row ends with ";"

4.5 Add resource-level user groups

Resource-level user groups manage permissions on a single resource instance:

-- Owner group (all permissions)
REPLACE INTO T_AUTH_RESOURCE_GROUP_CONFIG(
    `ID`, `RESOURCE_TYPE`, `GROUP_CODE`, `GROUP_NAME`, `CREATE_MODE`, `GROUP_TYPE`,
    `DESCRIPTION`, `AUTHORIZATION_SCOPES`, `ACTIONS`
) VALUES (
    70,  -- current MAX(ID) + 1, looked up beforehand
    'creative_stream',
    'manager',
    '拥有者',
    0,
    0,
    '创作流拥有者,可以管理当前创作流的权限',
    '[authorization scope JSON]',
    '["creative_stream_view","creative_stream_edit",...]'
);

Standard resource-level user group configuration:

| Group code | Group name | Typical permissions                               |
|------------|------------|---------------------------------------------------|
| manager    | Owner      | All permissions (except create)                   |
| editor     | Editor     | view + edit + execute + list + download + share   |
| executor   | Executor   | view + execute + list + download + share          |
| viewer     | Viewer     | view + list + download + share                    |
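The statements in 4.4 and 4.5 repeat the same action list several times (once per T_AUTH_ACTION row, then once per group's ACTIONS column), so a typo in one copy yields a resource whose owner group lacks an action that exists in T_AUTH_ACTION, or a create action bound to the wrong resource type. The generator below is an added example and not BK-CI's own migration tooling: it derives the action rows and the four resource-level groups of the table above from a single action list, computing manager as everything except create and refusing to build a group whose matrix names an action the type does not define. The Chinese action names other than the two shown in 4.4, the English group names, the DESCRIPTION text and the AUTHORIZATION_SCOPES value are constructed placeholders; the ID passed in is the MAX(ID)+1 you looked up beforehand, and CREATE_MODE/GROUP_TYPE are copied from the manager example and assumed to hold for the other groups.

```python
"""Generate the section 4 DML for a new resource type from one action list (added example, not BK-CI's own script)."""
import json

# Resource-level groups from 4.5: code -> (display name, action suffixes).
# "manager" is absent on purpose: it receives every action except create and is computed below.
GROUP_MATRIX = {
    "editor": ("Editor", ("view", "edit", "execute", "list", "download", "share")),
    "executor": ("Executor", ("view", "execute", "list", "download", "share")),
    "viewer": ("Viewer", ("view", "list", "download", "share")),
}
# Constructed action list for creative_stream: (suffix, ACTION_TYPE, ACTION_NAME, ENGLISH_NAME).
# Only the create and view names come from the guide; the others are made up for the sample.
SAMPLE_ACTIONS = [
    ("create", "create", "创建创作流", "Creative Stream Create"),
    ("list", "list", "创作流列表", "Creative Stream List"),
    ("view", "view", "查看创作流", "Creative Stream View"),
    ("edit", "edit", "编辑创作流", "Creative Stream Edit"),
    ("delete", "delete", "删除创作流", "Creative Stream Delete"),
    ("execute", "execute", "执行创作流", "Creative Stream Execute"),
    ("download", "download", "下载创作流", "Creative Stream Download"),
    ("share", "share", "分享创作流", "Creative Stream Share"),
    ("manage", "manage", "管理创作流权限", "Creative Stream Manage"),
    ("archive", "archive", "归档创作流", "Creative Stream Archive"),
]


def sql_str(value):
    """Quote a value as a MySQL string literal: backslashes escaped, embedded quotes doubled."""
    return "'" + str(value).replace("\\", "\\\\").replace("'", "''") + "'"


def action_rows(rid, actions):
    """One T_AUTH_ACTION row per action (4.4); create is bound to project, as 1.2 requires."""
    return [(f"{rid}_{suffix}", rid, "project" if atype == "create" else rid, name, name_en, atype)
            for suffix, atype, name, name_en in actions]


def action_dml(rid, actions):
    """The multi-row REPLACE INTO T_AUTH_ACTION statement from 4.4."""
    values = ",\n".join(
        f"    ({sql_str(a)}, {sql_str(r)}, {sql_str(rel)}, {sql_str(n)}, {sql_str(ne)}, "
        f"'system', NOW(), NOW(), 0, {sql_str(t)})"
        for a, r, rel, n, ne, t in action_rows(rid, actions))
    return ("REPLACE INTO T_AUTH_ACTION(`ACTION`, RESOURCE_TYPE, RELATED_RESOURCE_TYPE, ACTION_NAME, "
            "ENGLISH_NAME, CREATE_USER, CREATE_TIME, UPDATE_TIME, `DELETE`, ACTION_TYPE) VALUES\n"
            f"{values};")


def group_actions(rid, actions):
    """Action ids per resource-level group; raises if the matrix names an action the type lacks."""
    ids = {suffix: f"{rid}_{suffix}" for suffix, atype, _, _ in actions if atype != "create"}
    groups = {"manager": list(ids.values())}  # owner: everything except create
    for code, (_, suffixes) in GROUP_MATRIX.items():
        missing = [s for s in suffixes if s not in ids]
        if missing:
            raise ValueError(f"{code}: {rid} defines no {missing} action")
        groups[code] = [ids[s] for s in suffixes]
    return groups


def group_dml(rid, actions, first_id, authorization_scopes):
    """REPLACE INTO T_AUTH_RESOURCE_GROUP_CONFIG rows (4.5) with ids first_id, first_id+1, ...

    first_id is the MAX(ID)+1 looked up beforehand. CREATE_MODE=0 and GROUP_TYPE=0 are copied from
    the manager example in the guide and assumed to apply to the other groups as well.
    """
    names = {"manager": "Owner", **{code: name for code, (name, _) in GROUP_MATRIX.items()}}
    scopes = sql_str(json.dumps(authorization_scopes, ensure_ascii=False))
    stmts = []
    for i, (code, ids) in enumerate(group_actions(rid, actions).items()):
        desc = f"{names[code]} of {rid}"  # placeholder description
        stmts.append(
            "REPLACE INTO T_AUTH_RESOURCE_GROUP_CONFIG(`ID`, `RESOURCE_TYPE`, `GROUP_CODE`, `GROUP_NAME`, "
            "`CREATE_MODE`, `GROUP_TYPE`, `DESCRIPTION`, `AUTHORIZATION_SCOPES`, `ACTIONS`) VALUES ("
            f"{first_id + i}, {sql_str(rid)}, {sql_str(code)}, {sql_str(names[code])}, 0, 0, "
            f"{sql_str(desc)}, {scopes}, {sql_str(json.dumps(ids))});")
    return "\n".join(stmts)


if __name__ == "__main__":
    print(action_dml("creative_stream", SAMPLE_ACTIONS))
    # {"system": "#system#"} is a placeholder; copy the real scope JSON from an existing group row.
    print(group_dml("creative_stream", SAMPLE_ACTIONS, 70, {"system": "#system#"}))
```

Because the IDs are fixed at generation time, re-running the produced script replaces the same rows instead of inserting duplicates, which is the property the hard-coded IDs in the guide's examples are there to preserve.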

4.6 Update project-level user groups

Add the new resource's permissions to the existing project-level user groups:

-- Append the permissions with JSON_ARRAY_APPEND
UPDATE T_AUTH_RESOURCE_GROUP_CONFIG
SET AUTHORIZATION_SCOPES = JSON_ARRAY_APPEND(
    AUTHORIZATION_SCOPES,
    '$',
    JSON_OBJECT(
        'system', '#system#',
        'actions', JSON_ARRAY(
            JSON_OBJECT('id', 'creative_stream_list'),
            JSON_OBJECT('id', 'creative_st

---

*Content truncated.*
