BK-IAM is a centralized permission management service provided by Tencent BlueKing, based on ABAC


(English Documents Available)

Overview

BlueKing IAM (BK-IAM) is the centralized permission management service provided by Tencent BlueKing. It supports access-control integration for SaaS built on the BlueKing development framework and for third-party enterprise systems, and it supports fine-grained permission management.

Features

BlueKing IAM is a general-purpose access-control product built on the ABAC permission model and developed against the business scenarios found across the BlueKing ecosystem; it can cover the access-control needs of a wide range of business scenarios.

  • Powerful permission model engine: built on the ABAC permission model, it can support as rich a set of business permission scenarios as possible.
  • Fine-grained permission control: supports instance-level permission granularity.
  • Flexible ways to obtain permissions: users can obtain permissions through several routes: custom applications, applying to join a user group, no-permission redirects from the integrated system, and administrator grants.
  • Tiered permission administration: supports three administration levels: super administrator, system administrator, and tiered (delegated) administrator.
  • Organization-based permission management: supports managing permissions through the organizational structure, covering both individual and organizational permissions.

Getting started

Roadmap

SDK

Support

BlueKing Community

  • BK-CI: BlueKing Continuous Integration is an open-source continuous integration and continuous delivery system that can easily present your development workflow to you.
  • BK-BCS: BlueKing Container Service is a container-based platform that provides orchestration and management for microservice workloads.
  • BK-BCS-SaaS: the BlueKing Container Service SaaS, built on two in-house modes based on native Kubernetes and Mesos, gives users highly scalable, flexible and easy-to-use container services.
  • BK-PaaS: the BlueKing PaaS is an open development platform that lets developers quickly create, develop, deploy and manage SaaS applications.
  • BK-SOPS: Standard OPS (SOPS) is a system for orchestrating and executing task workflows through a visual graphical interface; it is a lightweight scheduling and orchestration SaaS product in the BlueKing ecosystem.
  • BK-CMDB: BlueKing Configuration Management DataBase is an enterprise-level configuration management platform oriented toward assets and applications.

Contributing

If you have good opinions or suggestions, feel free to open Issues or Pull Requests and contribute to the BlueKing open-source community.

License

Licensed under the MIT License; see LICENSE for details.

Comments
  • Ft policy api v2

    Ft policy api v2

    Changes

    • Backend API for policy API v2
    • Refactor debug entry/blacklist/superpermission and extract the shared handling logic

    Related issues (Which issues this PR fixes)

    • Fixes #

    Special notes

  • feat(pkg/prp): add group system auth type cache

    feat(pkg/prp): add group system auth type cache

    Changes

    • add group system auth type cache
    • add service AlterGroupSystemAuthType method

    Related issues (Which issues this PR fixes)

    • Fixes #

    Special notes

  • refactor(pkg/service): add pap layer

    refactor(pkg/service): add pap layer

    Changes

    • Split the subject handler
    • Split and refactor the subject service
    • Add a pap layer composing service and cache

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/1113

    Special notes

  • Ft subject system group

    Ft subject system group

    Changes

    • Add the subject_system_group database manager
    • Add the group_system_auth_type database manager

    Planned service-layer implementation:

    1. group_system_auth_type create-or-update
    • Try to create; if a duplicate key is returned, update instead
    • On update, the cache must be cleared when rows != 0
    • If it was a create, the related subject_system_group operations must follow
    2. subject_system_group change logic
    for i := 0; i < 3; i++ {
        // look up the record
        get(systemID, subjectPK)
        // if the record does not exist, create it
        if not exists {
            create()
            // key duplicated at create time: query again and go down the update path
            if duplicate {
                continue
            }
        } else {
            update()
            // a concurrent write changed the version during the update: query again and update again
            if rows == 0 {
                continue
            }
        }
        // created or updated successfully: stop retrying
        break
    }
    

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/1076

    Special notes
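The create-or-update retry loop planned in the PR above, as an added example that is not part of the original PR or the bk-iam code base: a constructed in-memory table stands in for the subject_system_group database manager, and the `interleave` hook is an assumption used to simulate a racing writer between the read and the write.

```go
package main

// Constructed in-memory stand-in for the subject_system_group table (not the project's
// database manager): a row per "systemID:subjectPK" key with a version for optimistic locking.
type row struct {
	Groups  []int64
	Version int64
}
var (
	table      = map[string]row{} // stored by value, so a read is a snapshot; single-threaded
	interleave = func() {}        // assumed test hook between read and write: a racing writer
)

// create reports a duplicate key (true) instead of inserting when the row already exists.
func create(k string, groups []int64) (duplicate bool) {
	if _, ok := table[k]; ok {
		return true
	}
	table[k] = row{Groups: groups, Version: 1}
	return false
}

// update returns affected rows: 0 when the version moved since it was read.
func update(k string, groups []int64, expect int64) int64 {
	if r, ok := table[k]; !ok || r.Version != expect {
		return 0
	}
	table[k] = row{Groups: groups, Version: expect + 1}
	return 1
}

// addGroup is the PR's planned retry loop: at most three attempts, re-reading after
// a duplicate key on create or a zero-row update (a racing writer won). Reports success.
func addGroup(k string, groupPK int64) bool {
	for i := 0; i < 3; i++ {
		r, ok := table[k] // get(systemID, subjectPK)
		interleave()
		if !ok {
			if create(k, []int64{groupPK}) {
				continue // key now exists: re-read and take the update path
			}
			return true
		}
		if update(k, append(append([]int64{}, r.Groups...), groupPK), r.Version) == 0 {
			continue // version changed underneath us: re-read and retry
		}
		return true
	}
	return false // gave up after three conflicting attempts
}
```

Without the bounded retry a persistent conflict would spin forever; with it, a caller that gets `false` back knows the write was lost and can surface that rather than silently dropping a group membership.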

  • Ft audit sys support

    Ft audit sys support

    Changes

    • [x] Actions/resource types support sensitivity levels
    • [x] Audit-only API: list systems
    • [x] Audit-only API: query all permission models of a given system

    Dropped

    • Configuring hierarchical relations between actions
    • Configuration: actions or resources for audit use only

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/921

    Special notes

  • Refactor subject groups

    Refactor subject groups

    DON'T MERGE NOW!

    • [x] abac/prp/common to abac/common
    • [x] Refactor subject groups into a two-level cache (memory-redis-database)
    • [x] Fill in unit tests
    • [x] Self-test of the functionality
    • [x] Joint debugging
    • [x] Load testing

    user - groups has also been changed to a two-level cache.

    But this has a problem: it adds one extra Redis access. If there are many user changes at that moment, will authorization performance drop for all users??? Is there any way to avoid this?

    Previously, only a user who had joined many groups would be slow, so the impact was limited.

    Load-test results: the improvement after switching to the two-level cache is not large.
    Current version: subjectDetail (large) + pipeline to get dept-groups
    Reworked version: subject departments + user_groups two-level cache + dept_groups two-level cache

    1. The latter costs one extra I/O, and the pipeline does not perform worse than two local-cache lookups;
    2. For Redis, the new version removes a large number of pipeline get operations; there is no difference in storage
    3. In the current load-test data, departments belong to few groups, so the dept_groups optimization shows no effect

    This PR is on hold for now, unless we run into performance problems caused by

    1. Users with very many departments
    2. Departments that have joined very many groups

    A user simply belonging to very many groups is not the main factor and has little impact (the inheritance relationship itself is not a big problem; the biggest problem is still the excessive number of policies that inheritance brings, i.e. there is no flag or feature to filter them out in advance).

  • feat: prp temporary policy cache

    feat: prp temporary policy cache

    Changes

    • Add cache logic for temporary-permission authorization

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/778

    Special notes

  • feat(support/bkauth): add bkauth support, check app_code/app_secret

    feat(support/bkauth): add bkauth support, check app_code/app_secret

    Changes

    • Add bkauth support
    # app_code/app_secret used to access bkauth; bkauth whitelists the IAM app_code so it can call the verification API
    bkAppCode: "bk_iam"
    bkAppSecret: "xxxxxxx"
    
    # whether bkauth is enabled
    enableBkAuth: true
    
    # if bkauth is enabled, its address must be configured; note that the id is fixed as bkauth and the address is http://xxxxxxx
    # also, when bkauth is enabled, database.id=open_paas no longer needs to be configured
    hosts:
      - id: "bkauth"
        addr: ""
    

    Related issues (Which issues this PR fixes)

    • Fixes #

    Special notes

  • feat(mode/action): add related_environments to model action

    feat(mode/action): add related_environments to model action

    Changes

    • Support related_environments when registering a permission-model action

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/392

    Special notes

  • feat(pdp eval): pdp eval context support environment

    feat(pdp eval): pdp eval context support environment

    Changes

    • The PDP evaluation context supports environment; the first phase has a built-in ts

    Related issues (Which issues this PR fixes)

    • Fixes https://github.com/TencentBlueKing/bk-iam-saas/issues/383

    Special notes
