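Resource Permission Policy (Resource Policy)

Gateway prefix: ${API_BASE}/metadata/resource-policies/...

A Resource Policy configures access control for a resource (entity / view / metric). It supports:

  • Object-level: who can perform which actions on the resource
  • Column-level: field visibility / masking rules
  • Row-level: row filter predicates (RLS)

Backend entry point: ResourcePolicyController (/api/v1/resource-policies).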

ResourceType

resourceType values (from the backend enum ResourcePolicy.ResourceType):

  • entity: data entity
  • view: view
  • metric: metric

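DTO (ResourcePolicyDto)

Main fields of the request/response body:

  • id: policy ID (present in responses)
  • resourceType: entity | view | metric, required
  • resourceId: resource ID, required
  • resourceName: resource name (redundant field, for display convenience)
  • description: description
  • objectLevelPolicy: JSON string
  • columnLevelPolicy: JSON string
  • rowLevelPolicy: JSON string
  • isActive: whether the policy is enabled (default true)
  • priority: priority (a smaller number means a higher priority)
  • tenantId: tenant ID (written/returned by the server)

Create a resource policy

  • POST /resource-policies
  • Permission: tenant:admin / admin
  • Request header: Authorization: Bearer <token>

Example (object-level + column-level + row-level):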

curl -X POST \
"${API_BASE}/metadata/resource-policies" \
-H "Authorization: Bearer <token>" \
-H "Content-Type: application/json" \
-d '{
"resourceType": "entity",
"resourceId": "en_xxx",
"resourceName": "orders",
"description": "Orders access policy",
"priority": 100,
"isActive": true,
"objectLevelPolicy": "{\"admin\":[\"read\",\"write\"],\"user\":[\"read\"]}",
"columnLevelPolicy": "{\"user\":{\"allowedColumns\":[\"id\",\"order_date\",\"total_amount\"],\"maskingRules\":{\"customer_email\":{\"type\":\"PARTIAL_MASK\"}}}}",
"rowLevelPolicy": "{\"user\":{\"predicates\":[{\"field\":\"tenant_id\",\"op\":\"eq\",\"value\":\"${user.tenant_id}\"}]}}"
}'
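
The three policy fields are JSON strings nested inside the JSON body, so hand-escaping them as in the curl call above is easy to get wrong. The following is an added example, not part of this API's own code, that builds and decodes the same body in Python; the helper names build_policy_body and decode_policy are hypothetical, and rejecting a client-supplied tenantId is a choice of this example based on the note that the server writes that field.

```python
import json

# Values of the backend enum ResourcePolicy.ResourceType listed on this page.
RESOURCE_TYPES = {"entity", "view", "metric"}
POLICY_FIELDS = ("objectLevelPolicy", "columnLevelPolicy", "rowLevelPolicy")


def build_policy_body(resource_type, resource_id, *, object_level=None,
                      column_level=None, row_level=None, **extra):
    """Return the request body for POST /resource-policies as a JSON string."""
    if resource_type not in RESOURCE_TYPES:
        raise ValueError(f"resourceType must be one of {sorted(RESOURCE_TYPES)}")
    if not resource_id:
        raise ValueError("resourceId is required")
    if "tenantId" in extra:
        # Assumption of this example: tenantId is server-written, so a value
        # supplied by the caller is treated as a mistake and rejected early.
        raise ValueError("tenantId is written by the server")
    body = {"resourceType": resource_type, "resourceId": resource_id, **extra}
    for field, policy in zip(POLICY_FIELDS, (object_level, column_level, row_level)):
        if policy is not None:
            # Each policy travels as a JSON *string*: it is encoded once here
            # and once more when the whole body is serialized below.
            body[field] = json.dumps(policy, separators=(",", ":"))
    return json.dumps(body)


def decode_policy(dto):
    """Parse the three JSON-string fields of a ResourcePolicyDto into objects."""
    decoded = dict(dto)
    for field in POLICY_FIELDS:
        if decoded.get(field):
            decoded[field] = json.loads(decoded[field])
    return decoded


# Constructed sample input mirroring the curl example on this page.
# "${user.tenant_id}" is a literal placeholder string, not a shell variable.
SAMPLE_BODY = build_policy_body(
    "entity", "en_xxx", resourceName="orders", priority=100, isActive=True,
    object_level={"admin": ["read", "write"], "user": ["read"]},
    row_level={"user": {"predicates": [
        {"field": "tenant_id", "op": "eq", "value": "${user.tenant_id}"}]}},
)
```
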

Update / delete / get

  • PUT /resource-policies/{id}: update a policy (tenant:admin / admin)
  • DELETE /resource-policies/{id}: delete a policy (tenant:admin / admin)
  • GET /resource-policies/{id}: get by ID (tenant:admin / admin)

Query by resource

  • GET /resource-policies/resource/{resourceType}/{resourceId} (tenant:admin / admin)

Example:

curl -X GET \
"${API_BASE}/metadata/resource-policies/resource/entity/en_xxx" \
-H "Authorization: Bearer <token>"

Paged query / paged by type / search

  • GET /resource-policies?page=1&size=20&sortBy=priority&sortDirection=asc
  • GET /resource-policies/by-type/{resourceType}?page=0&size=20&sortBy=priority&sortDirection=asc
  • GET /resource-policies/search?keyword=order&page=1&size=20&sortBy=priority&sortDirection=asc

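Principal permission matrix (administrators)

  • GET /resource-policies/principal-permissions?resourceType=<type>&action=<action>&userName=<userName>&page=1&size=20
  • Permission: admin
  • Note: shows a user's permission matrix for a specific resource type (for troubleshooting permissions)

Internal endpoint: get all active policies for a resource

  • GET /resource-policies/internal/active/{resourceType}/{resourceId}
  • Permission: tenant:admin / admin
  • Request header: X-Tenant-Id: <tenantId>
  • Note: internal API used by other services to read active policies (returns a single ResourcePolicyDto or null)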