This service includes management functions of user, role, permission, organization, project, password policy, fast code, client, menu, icon, multi-language , and supports for importing third-party users through ldap.
- Role
There are three built-in roles in iam-service
:
-
Platform administrator (having all privileges of platform global layout).
-
Organization administrator (having all privileges of a single organization's organizational layout).
-
Project administrator (having all privileges of a single project's project layout).
When assigning a role to a user, the role-associated labels are sent to the devops for processing, and the corresponding roles are assigned to gitlab.
-
User
After the service is initialized, a user admin is built in. Which has all the platform-wide privileges, including all permissions for all organizations and all projects.
Creating, modifying, and deleting users lead to send events, gitlab synchronization to do the appropriate operation
-
Privilege
All interfaces of the service define permissions through the
@Permission
annotation. All interfaces of this service define permissions through the@Permission
annotation. With theregister server
andmanager service
, the privileges information of all services will be automatically entered into the database to make it effective through the service. The@Permission
annotation sets the interface as a public interface (accessible without login), login access, global layer interfaces, organization layer interfaces, and project level interfaces. -
Organization
After the service is initialized, an organization "operational organization" is built in. At the same time, the admin user has all the privileges of the organization.
-
Client
The addition, deletion, and modification of the built-in client is a interface of organizational layer, which corresponds to the "client" needed to log in via
oauth-server
. -
Directory
Corresponding to the front page display directory, including add, delete, change check, is the global layer interface.
-
Password policy
- Currently only Chinese and English are supported. Will support more languages later.
- Refactor the code and optimize the domain model in DDD.
- The project is an eureka client project, which local operation needs to cooperate with
register-server
, and the online operation needs to cooperate withgo-register-server
.
- Start up register-server
- In the local mysql, create the
iam_service
database.
CREATE USER 'choerodon'@'%' IDENTIFIED BY "123456";
CREATE DATABASE iam_service DEFAULT CHARACTER SET utf8;
GRANT ALL PRIVILEGES ON iam_service.* TO choerodon@'%';
FLUSH PRIVILEGES;
New file of "init-local-database.sh" in the root directory of the manager-service project:
mkdir -p target
if [ ! -f target/choerodon-tool-liquibase.jar ]
then
curl http://nexus.choerodon.com.cn/repository/choerodon-release/io/choerodon/choerodon-tool-liquibase/0.5.2.RELEASE/choerodon-tool-liquibase-0.5.2.RELEASE.jar -o target/choerodon-tool-liquibase.jar
fi
java -Dspring.datasource.url="jdbc:mysql://localhost/iam_service?useUnicode=true&characterEncoding=utf-8&useSSL=false&useInformationSchema=true&remarks=true" \
-Dspring.datasource.username=choerodon \
-Dspring.datasource.password=123456 \
-Ddata.drop=false -Ddata.init=true \
-Ddata.dir=src/main/resources \
-jar target/choerodon-tool-liquibase.jar
And executed in the root directory of the iam-service project:
sh init-local-database.sh
- Go to the project directory and run
mvn spring-boot:run
or runIAMServiceApplication
in idea.
go-register-server
config-server
Pull requests are welcome! Follow to know for more information on how to contribute.