Unify Predefined Roles in Store Package

docs/plans/2026-01-12-unify-predefined-roles-design.md

Goal

Move predefined role definitions from IAM manager to store package so that:

  1. store.ListRoles() returns all roles (custom + predefined)
  2. IAM manager focuses purely on permission checking

Dependency Graph (unchanged)

v1 service → store
v1 service → iam manager
iam manager → store
iam manager → common/permission
store → common/permission

File Changes

New Package: backend/common/permission/

| Action | From | To |
| --- | --- | --- |
| Move | backend/component/iam/permission.go | backend/common/permission/permission.go |
| Move | backend/component/iam/permission.yaml | backend/common/permission/permission.yaml |

Store Package

| Action | File | Notes |
| --- | --- | --- |
| Create | backend/store/predefined_roles.go | Define 9 roles using permission constants |
| Update | backend/store/role.go | ListRoles() appends predefined roles |

IAM Manager

| Action | File | Notes |
| --- | --- | --- |
| Update | backend/component/iam/manager.go | Remove PredefinedRoles field, loadPredefinedRoles(), YAML embedding |
| Delete | backend/component/iam/acl.yaml | Replaced by Go code |

API Service

| Action | File | Notes |
| --- | --- | --- |
| Update | backend/api/v1/role_service.go | Remove manual merge with predefined roles |

Frontend

| Action | File | Notes |
| --- | --- | --- |
| Update | frontend/scripts/copy_config_files.sh | New path: ../backend/common/permission/permission.yaml |

Implementation Details

store/predefined_roles.go

```go
package store

import "github.com/bytebase/bytebase/backend/common/permission"

// predefinedRoles holds the built-in roles, defined in Go code instead of acl.yaml.
var predefinedRoles = []*RoleMessage{
    {
        ResourceID: "workspaceAdmin",
        Name:       "Workspace admin",
        Permissions: permissionSet(
            permission.PermissionAuditLogsExport,
            permission.PermissionInstancesCreate,
            // ... all permissions
        ),
    },
    // ... 8 more roles
}

// permissionSet builds the permission lookup map stored on a role.
func permissionSet(perms ...permission.Permission) map[string]bool {
    m := make(map[string]bool, len(perms))
    for _, p := range perms {
        m[string(p)] = true
    }
    return m
}
```

store/role.go - ListRoles

```go
func (s *Store) ListRoles(ctx context.Context, find *FindRoleMessage) ([]*RoleMessage, error) {
    // Existing DB query for custom roles (unchanged, elided in this sketch).
    var roles []*RoleMessage // populated from the DB

    // Append predefined roles so callers get custom + predefined in one list.
    roles = append(roles, predefinedRoles...)
    return roles, nil
}
```
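An added example (not Bytebase code) of one property to check when ListRoles() appends the package-level predefinedRoles pointers: every caller receives the same Permissions maps that the permission checks are built from, so a write to a returned role changes the role definition for the whole process. RoleMessage here is a simplified stand-in, and listRolesShared, listRolesCopied, leaksToGlobal, the exampleViewer role and the example.* permission strings are hypothetical names constructed for the demonstration.

```go
package main

import "fmt"

// RoleMessage is a simplified stand-in for the store type (assumption).
type RoleMessage struct {
	ResourceID  string
	Permissions map[string]bool
}

// Constructed sample role and permission strings, not Bytebase's real ones.
var predefinedRoles = []*RoleMessage{
	{ResourceID: "exampleViewer", Permissions: map[string]bool{"example.read": true}},
}

// listRolesShared mirrors the sketch: it returns the package-level pointers.
func listRolesShared(custom []*RoleMessage) []*RoleMessage {
	return append(custom, predefinedRoles...)
}

// listRolesCopied (hypothetical variant) returns deep copies instead.
func listRolesCopied(custom []*RoleMessage) []*RoleMessage {
	out := append([]*RoleMessage{}, custom...)
	for _, r := range predefinedRoles {
		c := *r // copy the struct, then give it its own map
		c.Permissions = make(map[string]bool, len(r.Permissions))
		for k, v := range r.Permissions {
			c.Permissions[k] = v
		}
		out = append(out, &c)
	}
	return out
}

// leaksToGlobal edits a returned role, reports whether the package-level
// definition changed, then undoes the edit.
func leaksToGlobal(list func([]*RoleMessage) []*RoleMessage) bool {
	roles := list(nil)
	roles[len(roles)-1].Permissions["example.admin"] = true
	leaked := predefinedRoles[0].Permissions["example.admin"]
	delete(predefinedRoles[0].Permissions, "example.admin")
	return leaked
}

func main() {
	fmt.Println("shared pointers leak:", leaksToGlobal(listRolesShared))
	fmt.Println("deep copies leak:", leaksToGlobal(listRolesCopied))
}
```

Whether copying is needed depends on whether any caller writes to the roles it gets back; a check in the style of leaksToGlobal in the store tests pins that expectation either way.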

iam/manager.go - Changes

Remove:

  • PredefinedRoles field from Manager struct
  • loadPredefinedRoles() function
  • //go:embed acl.yaml directive

Update ReloadCache() to use ListRoles() directly, without appending the predefined roles itself, since ListRoles() now returns them.

Migration

  • No database migration needed
  • No breaking API changes
  • Update tests that reference loadPredefinedRoles() or PredefinedRoles field