feat(iam): 完整实现 iam 身份认证与权限服务
包含 jwt/jwks/audit/grpc、rbac、cache、redis/kafka 配置等完整实现
This commit is contained in:
@@ -2,15 +2,18 @@ syntax = "proto3";
|
||||
|
||||
package next_edu_cloud.events.v1;
|
||||
|
||||
// Cross-service event contracts published by CoreEdu via the transactional
|
||||
// outbox pattern and consumed by downstream services (notifications, analytics,
|
||||
// audit, etc.). Topics follow the convention edu.{domain}.events.
|
||||
// Cross-service event contracts published via the transactional outbox pattern
|
||||
// and consumed by downstream services (notifications, analytics, audit, etc.).
|
||||
// Topics follow the convention edu.<domain>.<aggregate>.<action>.
|
||||
//
|
||||
// Event routing (TOPIC_MAP in outbox.publisher.ts):
|
||||
// Event routing (TOPIC_MAP in outbox publisher):
|
||||
// edu.exam.events <- exam.created / exam.updated / exam.deleted
|
||||
// edu.homework.events <- homework.assigned / homework.submitted / homework.graded
|
||||
// edu.grade.events <- grade.recorded / grade.updated
|
||||
// edu.class.events <- class.transferred
|
||||
// edu.iam.user.events <- user.created / user.updated / user.disabled / user.role_changed
|
||||
// edu.iam.role.events <- role.created / role.updated
|
||||
// edu.iam.audit.created <- audit (unified audit topic, action field distinguishes)
|
||||
|
||||
message ClassEvent {
|
||||
string event_id = 1;
|
||||
@@ -58,3 +61,51 @@ message GradeEvent {
|
||||
string action = 8;
|
||||
map<string, string> metadata = 9;
|
||||
}
|
||||
|
||||
// IAM 用户事件(edu.iam.user.events topic)
|
||||
// action: created / updated / disabled / role_changed
|
||||
message UserEvent {
|
||||
string event_id = 1;
|
||||
string aggregate_id = 2;
|
||||
string event_type = 3;
|
||||
int64 occurred_at = 4;
|
||||
string user_id = 5;
|
||||
string email = 6;
|
||||
string name = 7;
|
||||
repeated string roles = 8;
|
||||
string data_scope = 9;
|
||||
string action = 10;
|
||||
map<string, string> metadata = 11;
|
||||
}
|
||||
|
||||
// IAM 角色事件(edu.iam.role.events topic)
|
||||
// action: created / updated / deleted
|
||||
message RoleEvent {
|
||||
string event_id = 1;
|
||||
string aggregate_id = 2;
|
||||
string event_type = 3;
|
||||
int64 occurred_at = 4;
|
||||
string role_id = 5;
|
||||
string role_name = 6;
|
||||
string action = 7;
|
||||
map<string, string> metadata = 8;
|
||||
}
|
||||
|
||||
// IAM 审计事件(edu.iam.audit.created topic,统一审计 topic)
|
||||
// action: create / update / delete / login / logout / permission_change
|
||||
message AuditEvent {
|
||||
string event_id = 1;
|
||||
string aggregate_id = 2;
|
||||
string event_type = 3;
|
||||
int64 occurred_at = 4;
|
||||
string actor_user_id = 5;
|
||||
string action = 6;
|
||||
string resource_type = 7;
|
||||
string resource_id = 8;
|
||||
string before_state = 9;
|
||||
string after_state = 10;
|
||||
string ip = 11;
|
||||
string user_agent = 12;
|
||||
string trace_id = 13;
|
||||
map<string, string> metadata = 14;
|
||||
}
|
||||
|
||||
@@ -3,14 +3,33 @@ syntax = "proto3";
|
||||
package next_edu_cloud.iam.v1;
|
||||
|
||||
// IamService 定义身份与访问管理契约
|
||||
// P2: REST 实现,P3 起转 gRPC
|
||||
// 双入口策略(president §2.16):REST 供 gateway 透传 + admin-portal 直连,
|
||||
// gRPC 供 BFF 聚合调用。同一 Application Service 同时被两种 Controller 调用。
|
||||
// gRPC 端口 50052,P2 即启用(I1 裁决)。
|
||||
service IamService {
|
||||
// 认证类
|
||||
rpc Register(RegisterRequest) returns (AuthResponse);
|
||||
rpc Login(LoginRequest) returns (AuthResponse);
|
||||
rpc RefreshToken(RefreshTokenRequest) returns (TokenPair);
|
||||
rpc Logout(LogoutRequest) returns (LogoutResponse);
|
||||
|
||||
// 用户信息类
|
||||
rpc GetUserInfo(GetUserInfoRequest) returns (UserInfo);
|
||||
rpc BatchGetUsers(BatchGetUsersRequest) returns (BatchGetUsersResponse);
|
||||
|
||||
// 权限与视口类
|
||||
rpc GetEffectivePermissions(GetEffectivePermissionsRequest) returns (EffectivePermissionsResponse);
|
||||
rpc GetEffectiveAccess(GetEffectiveAccessRequest) returns (EffectiveAccessResponse);
|
||||
rpc GetEffectiveDataScope(GetEffectiveDataScopeRequest) returns (DataScopeResponse);
|
||||
rpc GetViewports(GetViewportsRequest) returns (ViewportsResponse);
|
||||
|
||||
// 密钥与关系类
|
||||
rpc GetPublicKey(GetPublicKeyRequest) returns (PublicKeyResponse);
|
||||
rpc GetChildrenByParent(GetChildrenByParentRequest) returns (ChildrenResponse);
|
||||
}
|
||||
|
||||
// ========== 认证类 ==========
|
||||
|
||||
message RegisterRequest {
|
||||
string email = 1;
|
||||
string password = 2;
|
||||
@@ -26,8 +45,13 @@ message RefreshTokenRequest {
|
||||
string refresh_token = 1;
|
||||
}
|
||||
|
||||
message GetUserInfoRequest {
|
||||
string user_id = 1;
|
||||
message LogoutRequest {
|
||||
string refresh_token = 1;
|
||||
string user_id = 2;
|
||||
}
|
||||
|
||||
message LogoutResponse {
|
||||
bool success = 1;
|
||||
}
|
||||
|
||||
message AuthResponse {
|
||||
@@ -41,10 +65,95 @@ message TokenPair {
|
||||
int32 expires_in = 3;
|
||||
}
|
||||
|
||||
// ========== 用户信息类 ==========
|
||||
|
||||
message GetUserInfoRequest {
|
||||
string user_id = 1;
|
||||
}
|
||||
|
||||
message BatchGetUsersRequest {
|
||||
repeated string user_ids = 1;
|
||||
}
|
||||
|
||||
message BatchGetUsersResponse {
|
||||
repeated UserInfo users = 1;
|
||||
}
|
||||
|
||||
message UserInfo {
|
||||
string id = 1;
|
||||
string email = 2;
|
||||
string name = 3;
|
||||
repeated string roles = 4;
|
||||
repeated string permissions = 5;
|
||||
string data_scope = 6;
|
||||
string status = 7;
|
||||
}
|
||||
|
||||
// ========== 权限与视口类 ==========
|
||||
|
||||
message GetEffectivePermissionsRequest {
|
||||
string user_id = 1;
|
||||
}
|
||||
|
||||
message EffectivePermissionsResponse {
|
||||
repeated string permissions = 1;
|
||||
}
|
||||
|
||||
message GetEffectiveAccessRequest {
|
||||
string user_id = 1;
|
||||
string permission = 2;
|
||||
}
|
||||
|
||||
message EffectiveAccessResponse {
|
||||
bool allowed = 1;
|
||||
string data_scope = 2;
|
||||
}
|
||||
|
||||
message GetEffectiveDataScopeRequest {
|
||||
string user_id = 1;
|
||||
}
|
||||
|
||||
message DataScopeResponse {
|
||||
string data_scope = 1;
|
||||
}
|
||||
|
||||
message GetViewportsRequest {
|
||||
string user_id = 1;
|
||||
}
|
||||
|
||||
message ViewportsResponse {
|
||||
repeated ViewportItem viewports = 1;
|
||||
}
|
||||
|
||||
message ViewportItem {
|
||||
string key = 1;
|
||||
string label = 2;
|
||||
string route = 3;
|
||||
string icon = 4;
|
||||
string sort_order = 5;
|
||||
string required_permission = 6;
|
||||
}
|
||||
|
||||
// ========== 密钥与关系类 ==========
|
||||
|
||||
message GetPublicKeyRequest {}
|
||||
|
||||
message PublicKeyResponse {
|
||||
string kid = 1;
|
||||
string alg = 2;
|
||||
string public_key_pem = 3;
|
||||
}
|
||||
|
||||
message GetChildrenByParentRequest {
|
||||
string parent_id = 1;
|
||||
}
|
||||
|
||||
message ChildrenResponse {
|
||||
repeated ChildInfo children = 1;
|
||||
}
|
||||
|
||||
message ChildInfo {
|
||||
string student_id = 1;
|
||||
string name = 2;
|
||||
string relation = 3;
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user