[WIP][DSIP-104][ApiServer] Refactor the permission verification template code. #17923

@ruanwenjun

Search before asking

  • I had searched in the DSIP and found no similar DSIP.

Motivation

Currently, we have two permission tools, PermissionCheck and ResourcePermissionCheckService, but neither works well. ResourcePermissionCheckService contains many fields of type Object, which reduces clarity and safety.

Additionally, some permission checks are missing.

This DSIP aims to provide a simple and user-friendly tool for performing permission verification.

Design Detail

DolphinScheduler uses a Role-Based Access Control (RBAC) model to manage permissions.

All metadata in DolphinScheduler is treated as resources, such as user, project, and cluster.

For each resource type, the system defines a set of operation types (e.g., delete_user, update_user, select_user). Different resources support different operations.

Permissions are defined as (resource, operation) pairs.

A role is a collection of permissions.

A user obtains permissions by being assigned one or more roles.

During an API call, the system checks whether the user’s roles include the permission required to perform the requested operation on the target resource.

Compatibility, Deprecation, and Migration Plan

Compatibility with the previous version.

Test Plan

Test by UT test case.

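The RBAC model in the Design Detail section, written as an added Java sketch that is not part of the issue and not DolphinScheduler code. Every class, enum and method name here is hypothetical, and it assumes permissions are checked per resource type; the point is that typed (resource, operation) pairs reject mismatches at construction and that the check denies by default.

```java
import java.util.List;
import java.util.Set;

// Hypothetical names throughout; this is not DolphinScheduler's API.
public class RbacSketch {
    enum ResourceType { USER, PROJECT, CLUSTER }

    // Each operation is bound to the one resource type that supports it.
    enum Operation {
        DELETE_USER(ResourceType.USER), UPDATE_USER(ResourceType.USER),
        SELECT_USER(ResourceType.USER), SELECT_PROJECT(ResourceType.PROJECT);
        final ResourceType resourceType;
        Operation(ResourceType resourceType) { this.resourceType = resourceType; }
    }

    // A permission is a typed (resource, operation) pair; mismatched pairs are rejected.
    record Permission(ResourceType resource, Operation operation) {
        Permission {
            if (operation.resourceType != resource) {
                throw new IllegalArgumentException(operation + " is not valid for " + resource);
            }
        }
    }

    // A role is a named collection of permissions.
    record Role(String name, Set<Permission> permissions) { }

    // Deny by default: access is granted only if some assigned role holds the permission.
    static boolean isAllowed(List<Role> userRoles, Permission required) {
        return userRoles.stream().anyMatch(role -> role.permissions().contains(required));
    }

    public static void main(String[] args) {
        // Constructed sample roles.
        Role viewer = new Role("viewer", Set.of(
                new Permission(ResourceType.USER, Operation.SELECT_USER),
                new Permission(ResourceType.PROJECT, Operation.SELECT_PROJECT)));
        Role userAdmin = new Role("user-admin", Set.of(
                new Permission(ResourceType.USER, Operation.UPDATE_USER),
                new Permission(ResourceType.USER, Operation.DELETE_USER)));
        Permission deleteUser = new Permission(ResourceType.USER, Operation.DELETE_USER);

        System.out.println(isAllowed(List.of(viewer), deleteUser));            // viewer role only
        System.out.println(isAllowed(List.of(viewer, userAdmin), deleteUser)); // viewer plus user-admin
        System.out.println(isAllowed(List.of(), deleteUser));                  // user with no roles
    }
}
```

Because `Permission` is a record, equality is by value, so the `Set.contains` lookup matches without any `Object`-typed fields or casts.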