5.5 Permission Control
💡 One-line summary: configure fine-grained permission control to keep the system and its data secure.
What you will be able to do after this lesson
- Understand why permission control matters
- Configure user permissions
- Set up roles and access control
- Audit permission usage
🎒 Before you start
Make sure you have completed the following:
- [ ] Understand OpenCode's basic configuration
- [ ] Have some system administration experience
Core idea
Permission model
User → Role → Permission → Resource
A user is assigned a role, the role carries a set of permissions, and each permission names the resource it covers (for files, a path pattern). The configuration sections below follow that chain.
Configuration structure
User configuration
```yaml
users:
  admin:
    name: "Administrator"
    email: "admin@example.com"
    role: "admin"
    permissions:
      - "*"  # all permissions
  developer:
    name: "Developer"
    email: "dev@example.com"
    role: "developer"
    permissions:
      - "read:*"
      - "write:src/**"
      - "write:tests/**"
  viewer:
    name: "Read-only user"
    role: "viewer"
    permissions:
      - "read:docs/**"
```
Role configuration
```yaml
roles:
  admin:
    description: "System administrator"
    permissions:
      - "system:*"
      - "users:*"
      - "projects:*"
    inherits: []
  developer:
    description: "Developer"
    permissions:
      - "projects:read"
      - "projects:write"
      - "files:read"
      - "files:write"
    inherits: []
  viewer:
    description: "Read-only user"
    permissions:
      - "projects:read"
      - "files:read"
```
Resource permissions
```yaml
resources:
  projects:
    - name: "Project access"
      permissions:
        - "read"    # view the project
        - "write"   # modify the project
        - "delete"  # delete the project
  files:
    - name: "File access"
      path_patterns:
        - "src/**"
        - "tests/**"
        - "docs/**"
      permissions:
        - "read"
        - "write"
    - name: "Sensitive files"
      path_patterns:
        - "**/.env"
        - "**/secrets/**"
        - "**/*.key"
      permissions:
        - "read"
        - "write"
      require_approval: true
```
Sensitive paths are declared as their own resource with `require_approval: true`, so a user who holds write access on files still goes through an approval step for those paths.
Permission policy
Access control list
```yaml
acl:
  enabled: true
  default_policy: "deny"
  rules:
    - resource: "system"
      action: "*"
      condition: "is_admin"
    - resource: "files"
      action: "read"
      condition: "always"
    - resource: "files"
      action: "write"
      condition: "in_team"
    - resource: "secrets"
      action: "*"
      condition: "is_admin"
```
With `default_policy: "deny"`, any request that no rule matches is refused, so a newly added resource stays closed until a rule is written for it.
Audit log
```yaml
audit:
  enabled: true
  log_events:
    - "login"
    - "logout"
    - "permission_change"
    - "file_access"
    - "sensitive_operation"
  retention:
    days: 90
    compress: true
```
Follow along
Hands-on: configure team permissions
```yaml
permissions:
  users:
    admin:
      role: "admin"
      permissions: ["*"]
    lead-dev:
      role: "lead"
      permissions:
        - "projects:*"
        - "files:read"
        - "files:write"
    dev:
      role: "developer"
      permissions:
        - "projects:read"
        - "files:read"
        - "files:write:src/**"
        - "files:write:tests/**"
    intern:
      role: "intern"
      permissions:
        - "projects:read"
        - "files:read:src/**"
        - "files:write:tests/**"
  roles:
    admin:
      inherits: []
      permissions: ["*"]
    lead:
      inherits: ["developer"]
      permissions: ["projects:manage"]
    developer:
      inherits: []
      permissions:
        - "files:read"
        - "files:write:src/**"
        - "files:write:tests/**"
    intern:
      inherits: ["developer"]
      permissions: []
  audit:
    enabled: true
    log_all: false
    sensitive_operations:
      - "file_delete"
      - "permission_change"
      - "system_config"
```
Checkpoint ✅
All items must pass before you continue
- [ ] Understand the permission model
- [ ] Can configure user permissions
- [ ] Can set up roles
- [ ] Can configure auditing
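To see how the pieces of the hands-on configuration combine, here is an added Python example (not OpenCode's own code) that evaluates a subset of that team configuration: it flattens role inheritance, matches `resource:action[:path-glob]` permission strings, applies default deny, and flags paths that hit the `require_approval` patterns. The permission-string grammar, the union of user-level and role-level permissions, and the use of `fnmatch` in place of `**` matching are assumptions made for this example, not documented OpenCode behaviour.

```python
from fnmatch import fnmatchcase

# Constructed subset of the hands-on team configuration above.
ROLES = {
    "admin": {"inherits": [], "permissions": ["*"]},
    "lead": {"inherits": ["developer"], "permissions": ["projects:manage"]},
    "developer": {"inherits": [],
                  "permissions": ["files:read", "files:write:src/**", "files:write:tests/**"]},
    "intern": {"inherits": ["developer"], "permissions": []},
}
USERS = {
    "admin": {"role": "admin", "permissions": ["*"]},
    "dev": {"role": "developer", "permissions": [
        "projects:read", "files:read", "files:write:src/**", "files:write:tests/**"]},
    "intern": {"role": "intern", "permissions": [
        "projects:read", "files:read:src/**", "files:write:tests/**"]},
}
# Path patterns the resource section marks require_approval: true.
SENSITIVE = ["**/.env", "**/secrets/**", "**/*.key"]


def effective_permissions(role, seen=None):
    """Flatten a role and everything it inherits; `seen` stops inheritance cycles."""
    seen = set() if seen is None else seen
    if role in seen or role not in ROLES:
        return set()
    seen.add(role)
    perms = set(ROLES[role]["permissions"])
    for parent in ROLES[role]["inherits"]:
        perms |= effective_permissions(parent, seen)
    return perms


def grants(perm, resource, action, path):
    """Assumed grammar: "resource:action[:path-glob]", "*" wildcards, bare "*" grants all.
    fnmatch's "*" already spans "/", so it stands in for the "**" used in the YAML."""
    if perm == "*":
        return True
    res, act, glob = (perm.split(":", 2) + ["**"])[:3]
    return (fnmatchcase(resource, res) and fnmatchcase(action, act)
            and fnmatchcase(path or "", glob))


def check(user, resource, action, path=None):
    """Default deny. Returns "allow", "approval" (sensitive path matched) or "deny"."""
    u = USERS[user]
    # Assumption: effective rights are the union of the user's own list and its role chain.
    perms = set(u["permissions"]) | effective_permissions(u["role"])
    if not any(grants(p, resource, action, path) for p in perms):
        return "deny"
    if path and any(fnmatchcase(path, g) for g in SENSITIVE):
        return "approval"  # granted, but require_approval applies
    return "allow"
```

Note what happens to the intern: the user entry only grants `files:read:src/**`, yet inheriting `developer` brings `files:write:src/**` along, so under union semantics a role-level grant cannot be narrowed at the user level and a more restrictive role has to be defined instead.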
Lesson summary
You have learned:
- Why permission control matters
- User and role configuration
- Resource permission settings
- Audit log configuration
Next lesson
In the next lesson we will look at the theme system and customize OpenCode's appearance.
📚 More complete templates: Prompt Template Library