genies_auth_admin 1.7.0

统一认证管理服务 - 用户、角色、权限、组织架构管理
Documentation

genies_auth_admin

Unified Authentication Administration Center for the Genies (神灯) framework — a full-featured management backend for users, roles, permissions, departments, and multi-application authorization.

Overview

genies_auth_admin is the management interface of the Genies permission system. While genies_auth serves as the core RBAC permission engine library (Casbin Enforcer, middleware, field-level filtering), genies_auth_admin provides a complete admin backend with:

  • A full set of RESTful APIs for managing users, roles, permissions, departments, and applications
  • Built-in JWT-based authentication (login / logout / token refresh)
  • A Vue 3 + Element Plus web UI embedded directly into the binary via rust-embed
  • Multi-application API proxy — manage Casbin policies of remote microservices from a single dashboard
  • Domain-Driven Design (DDD) layered architecture

Features

  • User Management: CRUD, status toggle, password reset, role assignment, permission query, batch delete
  • Role Management: CRUD, user listing, permission assignment / revocation
  • Permission Management: CRUD for fine-grained permission items
  • Department Management: CRUD, tree-based move, user listing by department
  • Application Registry: Register microservices with their base URLs and manage their authorization remotely
  • API Proxy: Forward policy / role / group / schema / reload requests to target microservices' /auth/* endpoints
  • Local JWT Auth: Self-contained login flow with bcrypt password hashing and JWT token issuance
  • Casbin Integration: JWT authentication + Casbin RBAC permission check on all protected routes
  • Field-Level Permission Filtering: Inherits genies_auth's #[casbin] macro for response field filtering
  • Embedded Web UI: SPA frontend served from /auth-admin/ui/ with intelligent cache control
  • OpenAPI Auto-Sync: Extracts schemas from OpenAPI docs and syncs to the permission system
  • Flyway Migrations: Auto-creates all required database tables on startup
  • Dapr Event Bus: Publishes CloudEvents after CRUD operations; downstream genies_auth syncs Casbin rules

Architecture

DDD Layered Structure

src/
├── main.rs                    # Entry point — init, migration, routing, server start
├── lib.rs                     # Library root
├── interfaces/                # Interface Layer
│   ├── router.rs              #   Route definitions (public + protected)
│   ├── admin_ui.rs            #   Embedded SPA static asset serving
│   ├── handler/               #   HTTP handlers
│   │   ├── auth_handler.rs    #     Login / Logout / Refresh / Me / Change password
│   │   ├── user_handler.rs    #     User CRUD + role assignment
│   │   ├── role_handler.rs    #     Role CRUD + permission assignment
│   │   ├── permission_handler.rs  # Permission CRUD
│   │   ├── department_handler.rs  # Department CRUD + move
│   │   ├── application_handler.rs # Application registry CRUD
│   │   └── app_proxy_handler.rs   # Multi-app API proxy
│   └── dto/                   #   Request / Response DTOs
├── application/               # Application Layer
│   ├── service.rs             #   AuthService, UserService, RoleService, etc.
│   ├── app_service.rs         #   ApplicationAppService
│   └── dto.rs                 #   Shared DTOs (LoginResponse, PageQuery, etc.)
├── domain/                    # Domain Layer
│   ├── entity/                #   AdminUser, AdminRole, AdminPermission, AdminDepartment, ApplicationEntity
│   ├── aggregate/             #   Aggregate roots (User, Role, Permission, Department)
│   ├── service/               #   UserDomainService, RoleDomainService, ApplicationDomainService
│   ├── repository/            #   RBatis repository implementations
│   └── event/                 #   Domain events (UserEvent, RoleEvent)
└── infrastructure/            # Infrastructure Layer
    └── migration.rs           #   Flyway migration runner

Middleware Flow

Request → JWT Auth (local_auth) → Casbin RBAC (casbin_auth) → Handler → Writer (field filter) → Response

Public routes (login, logout, refresh, admin UI) bypass authentication.

Tech Stack

Category Technology
Web Framework Salvo
ORM RBatis
Authorization Casbin 2.10
Password Hashing bcrypt
Token jsonwebtoken (JWT)
Database Migration Flyway (flyway + flyway-rbatis)
Database MySQL
Event Bus Dapr pub/sub (CloudEvents)
Caching Redis
Static Embedding rust-embed
Frontend Vue 3 + Element Plus + Vue Router + Axios
Build Tool Vite 5 + TypeScript

API Reference

Public Routes (No Auth)

Endpoint Method Description
/auth-admin/login POST Login with username & password
/auth-admin/logout POST Logout
/auth-admin/refresh POST Refresh JWT token
/auth-admin/ui/ GET Admin Web UI

Protected Routes (JWT + Casbin)

Auth

Endpoint Method Description
/auth-admin/me GET Get current user info
/auth-admin/me/password PUT Change own password

Users

Endpoint Method Description
/auth-admin/users GET List users (paginated)
/auth-admin/users POST Create user
/auth-admin/users/{id} GET Get user detail
/auth-admin/users/{id} PUT Update user
/auth-admin/users/{id} DELETE Delete user
/auth-admin/users/{id}/status PUT Toggle user status
/auth-admin/users/{id}/reset-password PUT Reset user password
/auth-admin/users/{id}/roles GET Get user's roles
/auth-admin/users/{id}/roles POST Assign role to user
/auth-admin/users/{id}/roles/{role_id} DELETE Revoke role from user
/auth-admin/users/{id}/permissions GET Get user's permissions
/auth-admin/users/batch-delete POST Batch delete users

Roles

Endpoint Method Description
/auth-admin/roles GET List roles
/auth-admin/roles POST Create role
/auth-admin/roles/{id} GET Get role detail
/auth-admin/roles/{id} PUT Update role
/auth-admin/roles/{id} DELETE Delete role
/auth-admin/roles/{id}/users GET List users under role
/auth-admin/roles/{id}/permissions GET Get role's permissions
/auth-admin/roles/{id}/permissions POST Assign permission to role
/auth-admin/roles/{id}/permissions/{perm_id} DELETE Revoke permission from role

Permissions

Endpoint Method Description
/auth-admin/permissions GET List permissions
/auth-admin/permissions POST Create permission
/auth-admin/permissions/{id} GET Get permission detail
/auth-admin/permissions/{id} PUT Update permission
/auth-admin/permissions/{id} DELETE Delete permission

Departments

Endpoint Method Description
/auth-admin/departments GET List departments
/auth-admin/departments POST Create department
/auth-admin/departments/{id} GET Get department detail
/auth-admin/departments/{id} PUT Update department
/auth-admin/departments/{id} DELETE Delete department
/auth-admin/departments/{id}/move/{parent_id} PUT Move department
/auth-admin/departments/{id}/users GET List users in department

Applications

Endpoint Method Description
/auth-admin/apps GET List registered applications
/auth-admin/apps POST Register application
/auth-admin/apps/{id} GET Get application detail
/auth-admin/apps/{id} PUT Update application
/auth-admin/apps/{id} DELETE Delete application

App Proxy (Forward to Target Microservice)

Endpoint Method Description
/auth-admin/apps/{id}/schemas GET Proxy: list target app's API schemas
/auth-admin/apps/{id}/policies GET Proxy: list target app's Casbin policies
/auth-admin/apps/{id}/policies POST Proxy: add policy to target app
/auth-admin/apps/{id}/policies/{policy_id} DELETE Proxy: remove policy from target app
/auth-admin/apps/{id}/roles GET Proxy: list target app's role mappings
/auth-admin/apps/{id}/roles POST Proxy: add role mapping to target app
/auth-admin/apps/{id}/roles/{role_id} DELETE Proxy: remove role mapping from target app
/auth-admin/apps/{id}/groups GET Proxy: list target app's groups
/auth-admin/apps/{id}/groups POST Proxy: add group to target app
/auth-admin/apps/{id}/groups/{group_id} DELETE Proxy: remove group from target app
/auth-admin/apps/{id}/reload POST Proxy: reload target app's Enforcer

Database Tables

Auto-created via Flyway migrations:

Table Description
auth_admin_users Admin user accounts
auth_admin_roles Role definitions
auth_admin_permissions Permission items
auth_admin_departments Department / organization tree
auth_admin_user_roles User-role associations
auth_admin_role_permissions Role-permission associations
auth_admin_applications Registered microservice applications
message Dapr message outbox

Tables from genies_auth migrations (created first):

Table Description
casbin_rules Casbin policy rules
casbin_model Casbin model definition
auth_api_schemas API schema metadata

Configuration

Key fields in application.yml:

server_name: "auth-admin"
servlet_path: "/auth-admin"
server_url: "0.0.0.0:9099"

database_url: "mysql://root:password@127.0.0.1:3306/auth_admin_service"

# JWT
jwt_secret: "auth_admin_jwt_secret_change_in_production"
auth_mode: "local"

# Redis
cache_type: "redis"
redis_url: "redis://127.0.0.1:6379"

# Dapr
dapr_pubsub_name: messagebus

Getting Started

Prerequisites

  • Rust 1.75+
  • MySQL 5.7+ / 8.0
  • Redis
  • (Optional) Dapr runtime for event-driven sync

Run the Service

cargo run -p genies_auth_admin

The service starts at http://127.0.0.1:9099.

Access the Web UI

Open your browser and navigate to:

http://127.0.0.1:9099/auth-admin/ui/

Note: The trailing slash / is required for the SPA to load correctly.

Build the Frontend (Development)

cd crates/auth-admin/web

npm install

npm run dev      # Dev server with hot reload

npm run build    # Production build → ../static/

Relationship with genies_auth

Crate Role
genies_auth Permission Engine Library — Casbin Enforcer, middleware (casbin_auth), field-level filtering (#[casbin] macro), Admin API for policy CRUD, OpenAPI schema sync
genies_auth_admin Management Backend — User / role / permission / department / app CRUD, local JWT login, Web UI, multi-app proxy; depends on genies_auth for authentication and authorization

genies_auth_admin uses genies_auth as its authentication and authorization backbone: all protected routes pass through genies_auth's local_auth (JWT verification) and casbin_auth (RBAC check) middleware.

License

See the project root for license information.