- add: add default sensitivity level query
- update: optimize SQL for expression queries
- add: subject template group api
- add: instance:paste select mode
- update: update requirements version
- update: feat: add subject cache batch get
- update: update policy list order
- update: user subject local cache replace subject cache
- bugfix: action update with hidden
- bugfix: delete unreferenced expression
- bugfix: rbac policy expression generate if action not found
- upgrade: /subjects-groups/belong api
- add: query rbac resource group api
- restore subject_relation table field policy_expired_at
- merge develop 1.11.10
- merge develop 1.11.9
- add: subject group quota check api
- add: task stats metrics
- add: transfer worker checker rbac command
- add: rbac action support
- bugfix: fix mysql session time zone
- bugfix: fix system_managers system config api
- add: system manager config api
- bugfix: common actions length gte 1
- add api for subject freeze/unfreeze
- action model change check use []ActionBaseInfo
- perf: action_service ListBySystem use cache to do check
- bugfix: temporary policy fill expression signature
- add: model change event delete api
- add: model share api support
- add: temporary policy
- upgrade: go 1.18
- bugfix: /api/v1/web/unreferenced-expressions timeout
- upgrade: component log request if latency is greater than 200ms
- upgrade: release environment attributes
- bugfix: API /api/v1/engine/credentials/verify use auth
- add: API /api/v1/web/unreferenced-expressions
- upgrade: go version 1.17
- upgrade: permission model supports environment attributes
- bugfix: healthz check fail if enable bkauth
- bugfix: ModelChangeEvent when action(no policy related) be deleted
- add: bkauth support
- update: replace some lib with https://github.com/TencentBlueKing/gopkg
- move: API /api/v1/systems/ to /api/v1/open/systems/
- add: API /api/v1/open/users/:user_id/groups
- hotfix: condition StringPrefix eval wrong when key is bk_iam_path
- bugfix: remove redundant policy index
- bugfix: partialEval out of index while the any condition key is empty
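- refactor: pdp module refactored, complete expressions, two-stage evaluation supported
- add: support unmarshal of both new- and old-version expressions
- add: support gt/gte/lt/lte operators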
- upgrade: metrics name add prefix bkiam
- upgrade: config template update cmdb resource limit
- bugfix: AlterCustomPolicies create batch policies with action without resource return 500
- upgrade: change local subject pk get from redis first, instead of db first
- bugfix: modify sqlxBulkInsertReturnIDWithTx return id in batches
- bugfix: role group member renew cache clean issue
- bugfix: model api asynchronous delete action empty issue
- add: local cache expire with a random duration
- upgrade: update the expression table structure, delete useless columns
- bugfix: ratelimit middleware use wrong first param Limit, should be float number, not 1 every second
- add: zap buffered logger
- add: rate limit for api
- bugfix: wrong config reference by web logger
- bugfix: policy cache database make slice with wrong cap size
- refactor: policy and expression cache layer, refactor to local cache with redis change list; data flow database->redis->local cache
- refactor: SubjectDetail use custom msgpack marshal/unmarshal
- refactor: rename subjectRelation to subjectGroup, use []ThinSubjectGroup
- refactor: use zap in api/web logger, for better performance
- add: extra random expired seconds for policy/expression redis cache
- add: unmarshaled expression local cache
- remove: environment unused field from all expression struct
- remove: department pks from effective subject pks
- remove: action scope scope_expression from all struct
- fix: typo from polices to policies
- bugfix: delete subject cache if update the expiredAt
- add: /version api include the ts/date
- upgrade: go.mod, the module to the newest
- add: support asynchronous delete action model and delete action policies
- add: policy query auth add expression debug info
- bugfix: engine api sql timestamp between
- add: web list instance selections api
- update: engine credentials verify api
- add: add api for iam engine
- bugfix: s2 compress in go-redis/cache, Fix memcopy writing out-of-bounds. (https://github.com/klauspost/compress/pull/315/commits/587204ab8e90e07ecb90864460f2ecacf5424de2)
- bugfix: reset the req.resources in auth_by_resources
- update: to go 1.16 and upgrade some dependency
- refactor: redis cache, move validClients/subjectRoles/subjectPK from redis cache to local cache
- refactor: policy cache/expression cache
- bugfix: subject groups got expired relations
- bugfix: the permission of deleted group still exists in redis cache
- bugfix: msgpack Marshal/Unmarshal error after upgrade go-redis/cache
- add: report system error to sentry
- bugfix: component request timeout
- add: get system clients api
- update: go-redis version v8
- bugfix: modify action without resource types
- add: filter group with expired member api
- add: delete expired expression api
- add: query group expired member api
- update: internal to abac
- add: web handler unittest
- bugfix: update judge super system permission
- bugfix: judge super system permission not raise error when subject not exists
- add: group expired member list api
- add: renewal function
- add: feature shield rule config
- update: action type support 'use'
- add: batch auth api
- update: optimize subject action cache
- update: optimize role verification logic
- add: default superuser configuration
- bugfix: pdp condition get type attribute
- bugfix: healthz api redis check without pool
- add: dynamic selection
- add: grading manager
- update: support-files/templates redis config support for render redis mode when deploy
- add: sentinel redis support multiple sentinel
- bugfix: cache for empty subject-groups
- add: debug for /api/policy/query_by_actions
- update: query subject groups support return created_at fields
- add: /version to get identify info
- add: switch support in config
- add: protect action from delete or update related_resource_types if the action has related-policies
- add: unittest via ginkgo
- update: component log support latency and response body if error
- update: remove sensitive in error message of iam/pkg/component remote_resource
- update: merge OR conditions of the same field with op=eq/in
- change: mysql expression.expression to type MEDIUMTEXT
- change: truncate the sql log if the args too long
- bugfix: healthz error log when mysql ConnMaxLifetimeSecond=60s
- add: list remote resource support local cache for 30 seconds
- add: quota for system action/resourceType/instanceSelection
- update: remove sensitive info from component log
- add: resource creator action support
- update: policy api return clear error message when valid error
- add: action_groups web api
- update: query_by_ext_resource ext resources can be empty
- add: saas_system_configs support
- add: action_groups support
- add: sentinel password for redis
- update: resources in policy query request to omitempty
- bugfix: web list policy api filter system
- update: change filterFields from structs.Map to json.Marshal
- bugfix: delete expression cache fail keys=[]
- breaking change: /api/v1/policy/query_by_actions response change from action_id to action.id
- add open api: policy get/list/subjects
- bugfix: errors.Is not working
- breaking change: path to_iam_path_ for policy
- add: query policy via ext-resources api
- add: api/model action register support ignore_iam_path in instance_selection view
- bugfix: set wrong expression pk when alter policies
- add: policy/query_by_actions support admin any
- bugfix: admin any expression wrong
- add: admin got all permissions
- add: unittest for internal
- add: action type support debug/manage/execute
- bugfix: unmarshal fail when expression is empty string
- bugfix: return instance_selections missing in saas api
- add: instance_selection
- modify: action add/update about resource types with related instance_selections
- remove: environment from expression
- change: action without resource types will not save and query expression
- bugfix: policy api invalid resource type 500
- remove codes of scope
- fix bugs(component init/prometheus metrics)
- refactor pdp
- disable redis cache guard
- add: policy cache support ?debug
- add: error wrap for policy translate
- update: go-mysql-driver interpolateparams to true
- bugfix: action related resource scope={} should not update into database
- bugfix: cache missing with guard can't be clean
- break change: change to expression+policy
- bugfix: instance_selection to instance_selections
- add: support policy cache
- update: delete policy api
- bugfix: id length validate
- add: action_resource_type add selection_mode
- add: support batch insert
- refactor: cache module
- add: support subject missing no error
- bugfix: subject departments empty query id fail
- bugfix: build template iam port
- add: api/policy/subjects
- refactor: internal + dao + service
- add: api/model/system support provider_config.healthz
- upgrade: go to 1.14.2
- support: batch delete redis cache
- update: all mod to newest
- refactor: pkg/internal
- add: cache support singleflight
- add: api/model support check valid id
- add: api/web del member return count
- bugfix: fix healthz db connection leak
- ready to release
- first version