Add permission control for service resource

2024-12-28 23:02:02 +00:00 · 2017-11-24 13:03:51 +08:00 · 2017-11-24 13:03:51 +08:00 · 1f652bb6f3
commit 1f652bb6f3
parent 8ce6adf478
23 changed files with 577 additions and 96 deletions
--- a/assets/swirl/js/swirl.js
+++ b/assets/swirl/js/swirl.js
@ -1350,6 +1350,63 @@ var Swirl;
    })(Node = Swirl.Node || (Swirl.Node = {}));
 })(Swirl || (Swirl = {}));
 var Swirl;
 (function (Swirl) {
    var Perm;
    (function (Perm) {
        var Dispatcher = Swirl.Core.Dispatcher;
        var Modal = Swirl.Core.Modal;
        class EditPage {
            constructor() {
                $("#txt-query").keydown(this.searchUser);
                $("#btn-add-user").click(this.addUser);
                Dispatcher.bind("#div-users").on("delete-user", this.deleteUser.bind(this));
            }
            deleteUser(e) {
                $(e.target).closest("div.control").remove();
            }
            searchUser(e) {
                if (e.keyCode == 13) {
                    let query = $.trim($(e.target).val());
                    if (query.length == 0) {
                        return;
                    }
                    $ajax.post("/system/user/search", { query: query }).encoder("form").json((users) => {
                        let $panel = $("#nav-users");
                        $panel.find("label.panel-block").remove();
                        for (let user of users) {
                            $panel.append(`<label class="panel-block">
          <input type="checkbox" value="${user.id}" data-name="${user.name}"> ${user.name}
        </label>`);
                        }
                    });
                }
            }
            addUser() {
                let users = {};
                $("#div-users").find("input").each((i, e) => {
                    users[$(e).val()] = true;
                });
                let $panel = $("#nav-users");
                $panel.find("input:checked").each((i, e) => {
                    let $el = $(e);
                    if (users[$el.val()]) {
                        return;
                    }
                    $("#div-users").append(`<div class="control">
            <div class="tags has-addons">
              <span class="tag is-info">${$el.data("name")}</span>
              <a class="tag is-delete" data-action="delete-user"></a>
              <input name="users[]" value="${$el.val()}" type="hidden">
            </div>`);
                });
                Modal.close();
                $panel.find("label.panel-block").remove();
            }
        }
        Perm.EditPage = EditPage;
    })(Perm = Swirl.Perm || (Swirl.Perm = {}));
 })(Swirl || (Swirl = {}));
 var Swirl;
 (function (Swirl) {
    var Registry;
    (function (Registry) {
@ -1762,49 +1819,35 @@ var Swirl;
                this.table.on("delete-service", this.deleteService.bind(this))
                    .on("scale-service", this.scaleService.bind(this))
                    .on("rollback-service", this.rollbackService.bind(this));
                $("#btn-delete").click(this.deleteServices.bind(this));
            }
            deleteService(e) {
                let $tr = $(e.target).closest("tr");
-                let name = $tr.find("td:eq(1)").text().trim();
+                let name = $tr.find("td:eq(0)").text().trim();
                Modal.confirm(`Are you sure to remove service: <strong>${name}</strong>?`, "Delete service", (dlg, e) => {
-                    $ajax.post("delete", { names: name }).trigger(e.target).encoder("form").json(() => {
+                    $ajax.post(`${name}/delete`, { names: name }).trigger(e.target).encoder("form").json(() => {
                        $tr.remove();
                        dlg.close();
                    });
                });
            }
            deleteServices() {
                let names = this.table.selectedKeys();
                if (names.length == 0) {
                    Modal.alert("Please select one or more items.");
                    return;
                }
                Modal.confirm(`Are you sure to remove ${names.length} services?`, "Delete services", (dlg, e) => {
                    $ajax.post("delete", { names: names.join(",") }).trigger(e.target).encoder("form").json(() => {
                        this.table.selectedRows().remove();
                        dlg.close();
                    });
                });
            }
            scaleService(e) {
                let $btn = $(e.target).closest("button");
                let $tr = $btn.closest("tr");
                let data = {
-                    name: $tr.find("td:eq(1)").text().trim(),
+                    name: $tr.find("td:eq(0)").text().trim(),
                    count: $btn.data("replicas"),
                };
                Modal.confirm(`<input name="count" value="${data.count}" class="input" placeholder="Replicas">`, "Scale service", (dlg, e) => {
                    data.count = dlg.find("input[name=count]").val();
-                    $ajax.post("scale", data).trigger(e.target).encoder("form").json(() => {
+                    $ajax.post(`${data.name}/scale`, data).trigger(e.target).encoder("form").json(() => {
                        location.reload();
                    });
                });
            }
            rollbackService(e) {
-                let $btn = $(e.target).closest("button"), $tr = $btn.closest("tr"), name = $tr.find("td:eq(1)").text().trim();
+                let $btn = $(e.target).closest("button"), $tr = $btn.closest("tr"), name = $tr.find("td:eq(0)").text().trim();
                Modal.confirm(`Are you sure to rollback service: <strong>${name}</strong>?`, "Rollback service", (dlg, e) => {
-                    $ajax.post("rollback", { name: name }).trigger(e.target).encoder("form").json(() => {
+                    $ajax.post(`${name}/rollback`, { name: name }).trigger(e.target).encoder("form").json(() => {
                        dlg.close();
                    });
                });
--- a/assets/swirl/js/swirl.js.map
+++ b/assets/swirl/js/swirl.js.map
--- a/assets/swirl/ts/perm/edit.ts
+++ b/assets/swirl/ts/perm/edit.ts
@ -0,0 +1,61 @@
 ///<reference path="../core/core.ts" />
 namespace Swirl.Perm {
    import Dispatcher = Swirl.Core.Dispatcher;
    import Modal = Swirl.Core.Modal;
    export class EditPage {
        constructor() {
            // bind events
            $("#txt-query").keydown(this.searchUser);
            $("#btn-add-user").click(this.addUser);
            Dispatcher.bind("#div-users").on("delete-user", this.deleteUser.bind(this));
        }
        private deleteUser(e: JQueryEventObject) {
            $(e.target).closest("div.control").remove();
        }
        private searchUser(e: JQueryEventObject) {
            if (e.keyCode == 13) {
                let query = $.trim($(e.target).val());
                if (query.length == 0) {
                    return;
                }
                $ajax.post("/system/user/search", {query: query}).encoder("form").json((users: any) => {
                    let $panel = $("#nav-users");
                    $panel.find("label.panel-block").remove();
                    for (let user of users) {
                        $panel.append(`<label class="panel-block">
          <input type="checkbox" value="${user.id}" data-name="${user.name}"> ${user.name}
        </label>`);
                    }
                });
            }
        }
        private addUser() {
            let users: { [index: string]: boolean } = {};
            $("#div-users").find("input").each((i, e) => {
                users[$(e).val()] = true;
            });
            let $panel = $("#nav-users");
            $panel.find("input:checked").each((i, e) => {
                let $el = $(e);
                if (users[$el.val()]) {
                    return;
                }
                $("#div-users").append(`<div class="control">
            <div class="tags has-addons">
              <span class="tag is-info">${$el.data("name")}</span>
              <a class="tag is-delete" data-action="delete-user"></a>
              <input name="users[]" value="${$el.val()}" type="hidden">
            </div>`);
            });
            Modal.close();
            $panel.find("label.panel-block").remove();
        }
    }
 }
--- a/assets/swirl/ts/service/list.ts
+++ b/assets/swirl/ts/service/list.ts
@ -14,45 +14,29 @@ namespace Swirl.Service {
            this.table.on("delete-service", this.deleteService.bind(this))
                .on("scale-service", this.scaleService.bind(this))
                .on("rollback-service", this.rollbackService.bind(this));
            $("#btn-delete").click(this.deleteServices.bind(this));
        }
        private deleteService(e: JQueryEventObject) {
            let $tr = $(e.target).closest("tr");
-            let name = $tr.find("td:eq(1)").text().trim();
+            let name = $tr.find("td:eq(0)").text().trim();
            Modal.confirm(`Are you sure to remove service: <strong>${name}</strong>?`, "Delete service", (dlg, e) => {
-                $ajax.post("delete", {names: name}).trigger(e.target).encoder("form").json<AjaxResult>(() => {
+                $ajax.post(`${name}/delete`, {names: name}).trigger(e.target).encoder("form").json<AjaxResult>(() => {
                    $tr.remove();
                    dlg.close();
                })
            });
        }
        private deleteServices() {
            let names = this.table.selectedKeys();
            if (names.length == 0) {
                Modal.alert("Please select one or more items.");
                return;
            }
            Modal.confirm(`Are you sure to remove ${names.length} services?`, "Delete services", (dlg, e) => {
                $ajax.post("delete", {names: names.join(",")}).trigger(e.target).encoder("form").json<AjaxResult>(() => {
                    this.table.selectedRows().remove();
                    dlg.close();
                })
            });
        }
        private scaleService(e: JQueryEventObject) {
            let $btn = $(e.target).closest("button");
            let $tr = $btn.closest("tr");
            let data = {
-                name: $tr.find("td:eq(1)").text().trim(),
+                name: $tr.find("td:eq(0)").text().trim(),
                count: $btn.data("replicas"),
            };
            Modal.confirm(`<input name="count" value="${data.count}" class="input" placeholder="Replicas">`, "Scale service", (dlg, e) => {
                data.count = dlg.find("input[name=count]").val();
-                $ajax.post("scale", data).trigger(e.target).encoder("form").json<AjaxResult>(() => {
+                $ajax.post(`${data.name}/scale`, data).trigger(e.target).encoder("form").json<AjaxResult>(() => {
                    location.reload();
                })
            });
@ -61,9 +45,9 @@ namespace Swirl.Service {
        private rollbackService(e: JQueryEventObject) {
            let $btn = $(e.target).closest("button"),
                $tr = $btn.closest("tr"),
-                name = $tr.find("td:eq(1)").text().trim();
+                name = $tr.find("td:eq(0)").text().trim();
            Modal.confirm(`Are you sure to rollback service: <strong>${name}</strong>?`, "Rollback service", (dlg, e) => {
-                $ajax.post("rollback", {name: name}).trigger(e.target).encoder("form").json<AjaxResult>(() => {
+                $ajax.post(`${name}/rollback`, {name: name}).trigger(e.target).encoder("form").json<AjaxResult>(() => {
                    dlg.close();
                })
            });
--- a/biz/perm.go
+++ b/biz/perm.go
@ -0,0 +1,87 @@
 package biz
 import (
 	"net/http"
 	"strings"
 	"github.com/cuigh/auxo/net/web"
 	"github.com/cuigh/swirl/dao"
 	"github.com/cuigh/swirl/model"
 )
 // Perm return a perm biz instance.
 var (
 	Perm         = &permBiz{}
 	ErrForbidden = web.NewError(http.StatusForbidden)
 )
 type permBiz struct {
 }
 func (b *permBiz) Delete(resType, resID string, user web.User) (err error) {
 	do(func(d dao.Interface) {
 		err = d.PermDelete(resType, resID)
 	})
 	return
 }
 func (b *permBiz) Get(resType, resID string) (perm *model.Perm, err error) {
 	do(func(d dao.Interface) {
 		perm, err = d.PermGet(resType, resID)
 	})
 	return
 }
 func (b *permBiz) Update(perm *model.Perm, user web.User) (err error) {
 	do(func(d dao.Interface) {
 		err = d.PermUpdate(perm)
 	})
 	return
 }
 func (b *permBiz) Check(user web.User, scope string, resType, resID string) (err error) {
 	au := user.(*model.AuthUser)
 	if au.Admin() {
 		return
 	}
 	do(func(d dao.Interface) {
 		var perm *model.Perm
 		perm, err = d.PermGet(resType, resID)
 		if err != nil {
 			return
 		}
 		if perm == nil || perm.Scope == model.PermNone || (scope == "read" && perm.Scope == model.PermWrite) {
 			return
 		}
 		for _, u := range perm.Users {
 			if user.ID() == u {
 				return
 			}
 		}
 		for _, r := range perm.Roles {
 			if au.IsInRole(r) {
 				return
 			}
 		}
 		err = ErrForbidden
 	})
 	return
 }
 func (b *permBiz) Apply(next web.HandlerFunc) web.HandlerFunc {
 	return func(ctx web.Context) error {
 		opt := ctx.Handler().Option("perm")
 		if opt != "" {
 			array := strings.Split(opt, ",")
 			err := b.Check(ctx.User(), array[0], array[1], ctx.P(array[2]))
 			if err != nil {
 				return err
 			}
 		}
 		return next(ctx)
 	}
 }
--- a/biz/template.go
+++ b/biz/template.go
@ -1,6 +1,7 @@
 package biz
 import (
 	"encoding/json"
 	"time"
 	"github.com/cuigh/auxo/data/guid"
@ -40,6 +41,34 @@ func (b *templateBiz) Get(id string) (tpl *model.Template, err error) {
 	return
 }
 func (b *templateBiz) FillInfo(id string, si *model.ServiceInfo) (err error) {
 	do(func(d dao.Interface) {
 		var (
 			tpl      *model.Template
 			registry *model.Registry
 		)
 		tpl, err = d.TemplateGet(id)
 		if err != nil || tpl == nil {
 			return
 		}
 		err = json.Unmarshal([]byte(tpl.Content), si)
 		if err != nil {
 			return
 		}
 		if si.Registry != "" {
 			registry, err = Registry.Get(si.Registry)
 			if err != nil {
 				return
 			}
 			si.RegistryURL = registry.URL
 		}
 	})
 	return
 }
 func (b *templateBiz) Delete(id string, user web.User) (err error) {
 	do(func(d dao.Interface) {
 		var tpl *model.Template
--- a/config/i18n/en.yml
+++ b/config/i18n/en.yml
@ -12,6 +12,7 @@ button.confirm: Confirm
 button.delete: Delete
 button.prune: Prune
 button.new: New
 button.add: Add
 button.edit: Edit
 button.save: Save
 button.update: Update
@ -42,6 +43,8 @@ field.image: Image
 field.address: Address
 field.driver: Driver
 field.scope: Scope
 field.role: Roles
 field.user: Users
 # menu
 menu.dashboard: Dashboard
@ -73,6 +76,7 @@ menu.detail: Detail
 menu.raw: Raw
 menu.edit: Edit
 menu.log: Logs
 menu.perm: Permission
 # login page
 login.title: Sign in to Swirl
--- a/config/i18n/zh.yml
+++ b/config/i18n/zh.yml
@ -12,6 +12,7 @@ button.confirm: 确定
 button.delete: 删除
 button.prune: 清理
 button.new: 新建
 button.add: 添加
 button.edit: 编辑
 button.save: 保存
 button.update: 更新
@ -42,6 +43,8 @@ field.image: 镜像
 field.address: 地址
 field.driver: 驱动
 field.scope: 范围
 field.role: 角色
 field.user: 用户
 # menu
 menu.dashboard: 仪表盘
@ -73,6 +76,7 @@ menu.detail: 详情
 menu.raw: 原始
 menu.edit: 编辑
 menu.log: 日志
 menu.perm: 权限
 # login page
 login.title: 登录到 Swirl
--- a/controller/perm.go
+++ b/controller/perm.go
@ -0,0 +1,57 @@
 package controller
 import (
 	"github.com/cuigh/auxo/data"
 	"github.com/cuigh/auxo/net/web"
 	"github.com/cuigh/swirl/biz"
 	"github.com/cuigh/swirl/model"
 )
 func permEdit(ctx web.Context, resType, resID, tpl string, m data.Map) error {
 	perm, err := biz.Perm.Get(resType, resID)
 	if err != nil {
 		return err
 	}
 	if perm == nil {
 		perm = &model.Perm{}
 	}
 	roles, err := biz.Role.List()
 	if err != nil {
 		return err
 	}
 	checkedRoles := data.Set{}
 	checkedRoles.AddSlice(perm.Roles, func(i int) interface{} {
 		return perm.Roles[i]
 	})
 	var users []*model.User
 	for _, id := range perm.Users {
 		var user *model.User
 		if user, err = biz.User.GetByID(id); err != nil {
 			return err
 		} else if user != nil {
 			users = append(users, user)
 		}
 	}
 	m.Set("Perm", perm).Set("Roles", roles).Set("CheckedRoles", checkedRoles).Set("Users", users)
 	return ctx.Render(tpl, m)
 }
 func permUpdate(resType, argName string) web.HandlerFunc {
 	return func(ctx web.Context) error {
 		perm := &model.Perm{
 			ResType: resType,
 			ResID:   ctx.P(argName),
 		}
 		err := ctx.Bind(perm)
 		if err != nil {
 			return err
 		}
 		err = biz.Perm.Update(perm, ctx.User())
 		return ajaxResult(ctx, err)
 	}
 }
--- a/controller/service.go
+++ b/controller/service.go
@ -1,7 +1,6 @@
 package controller
 import (
 	"encoding/json"
 	"strconv"
 	"strings"
@ -17,33 +16,37 @@ import (
 // ServiceController is a controller of docker service
 type ServiceController struct {
-	List     web.HandlerFunc `path:"/" name:"service.list" authorize:"!" desc:"service list page"`
+	List       web.HandlerFunc `path:"/" name:"service.list" authorize:"!" desc:"service list page"`
-	Detail   web.HandlerFunc `path:"/:name/detail" name:"service.detail" authorize:"!" desc:"service detail page"`
+	Detail     web.HandlerFunc `path:"/:name/detail" name:"service.detail" authorize:"!" perm:"read,service,name"`
-	Raw      web.HandlerFunc `path:"/:name/raw" name:"service.raw" authorize:"!" desc:"service raw page"`
+	Raw        web.HandlerFunc `path:"/:name/raw" name:"service.raw" authorize:"!" perm:"read,service,name"`
-	Logs     web.HandlerFunc `path:"/:name/logs" name:"service.logs" authorize:"!" desc:"service logs page"`
+	Logs       web.HandlerFunc `path:"/:name/logs" name:"service.logs" authorize:"!" perm:"read,service,name"`
-	Delete   web.HandlerFunc `path:"/delete" method:"post" name:"service.delete" authorize:"!" desc:"delete service"`
+	Delete     web.HandlerFunc `path:"/:name/delete" method:"post" name:"service.delete" authorize:"!" perm:"write,service,name"`
-	Scale    web.HandlerFunc `path:"/scale" method:"post" name:"service.scale" authorize:"!" desc:"scale service"`
+	Scale      web.HandlerFunc `path:"/:name/scale" method:"post" name:"service.scale" authorize:"!" perm:"write,service,name"`
-	Rollback web.HandlerFunc `path:"/rollback" method:"post" name:"service.rollback" authorize:"!" desc:"rollback service"`
+	Rollback   web.HandlerFunc `path:"/:name/rollback" method:"post" name:"service.rollback" authorize:"!" perm:"write,service,name"`
-	New      web.HandlerFunc `path:"/new" name:"service.new" authorize:"!" desc:"new service page"`
+	New        web.HandlerFunc `path:"/new" name:"service.new" authorize:"!" desc:"new service page"`
-	Create   web.HandlerFunc `path:"/new" method:"post" name:"service.create" authorize:"!" desc:"create service"`
+	Create     web.HandlerFunc `path:"/new" method:"post" name:"service.create" authorize:"!" desc:"create service"`
-	Edit     web.HandlerFunc `path:"/:name/edit" name:"service.edit" authorize:"!" desc:"service edit page"`
+	Edit       web.HandlerFunc `path:"/:name/edit" name:"service.edit" authorize:"!" perm:"write,service,name"`
-	Update   web.HandlerFunc `path:"/:name/edit" method:"post" name:"service.update" authorize:"!" desc:"update service"`
+	Update     web.HandlerFunc `path:"/:name/edit" method:"post" name:"service.update" authorize:"!" perm:"write,service,name"`
 	PermEdit   web.HandlerFunc `path:"/:name/perm" name:"service.perm.edit" authorize:"!" perm:"write,service,name"`
 	PermUpdate web.HandlerFunc `path:"/:name/perm" method:"post" name:"service.perm.update" authorize:"!" perm:"write,service,name"`
 }
 // Service creates an instance of ServiceController
 func Service() (c *ServiceController) {
 	return &ServiceController{
-		List:     serviceList,
+		List:       serviceList,
-		Detail:   serviceDetail,
+		Detail:     serviceDetail,
-		Raw:      serviceRaw,
+		Raw:        serviceRaw,
-		Logs:     serviceLogs,
+		Logs:       serviceLogs,
-		Delete:   serviceDelete,
+		Delete:     serviceDelete,
-		New:      serviceNew,
+		New:        serviceNew,
-		Create:   serviceCreate,
+		Create:     serviceCreate,
-		Edit:     serviceEdit,
+		Edit:       serviceEdit,
-		Update:   serviceUpdate,
+		Update:     serviceUpdate,
-		Scale:    serviceScale,
+		Scale:      serviceScale,
-		Rollback: serviceRollback,
+		Rollback:   serviceRollback,
 		PermEdit:   servicePermEdit,
 		PermUpdate: permUpdate("service", "name"),
 	}
 }
@ -126,37 +129,20 @@ func serviceDelete(ctx web.Context) error {
 	for _, name := range names {
 		if err := docker.ServiceRemove(name); err != nil {
 			return ajaxResult(ctx, err)
 		} else {
 			biz.Event.CreateService(model.EventActionDelete, name, ctx.User())
 		}
 		biz.Event.CreateService(model.EventActionDelete, name, ctx.User())
 	}
 	return ajaxSuccess(ctx, nil)
 }
 func serviceNew(ctx web.Context) error {
-	service := &model.ServiceInfo{}
+	info := &model.ServiceInfo{}
 	tid := ctx.Q("template")
 	if tid != "" {
-		tpl, err := biz.Template.Get(tid)
+		err := biz.Template.FillInfo(tid, info)
 		if err != nil {
 			return err
 		}
 		if tpl != nil {
 			err = json.Unmarshal([]byte(tpl.Content), service)
 			if err != nil {
 				return err
 			}
 			if service.Registry != "" {
 				var registry *model.Registry
 				registry, err = biz.Registry.Get(service.Registry)
 				if err != nil {
 					return err
 				}
 				service.RegistryURL = registry.URL
 			}
 		}
 	}
 	networks, err := docker.NetworkList()
@ -177,11 +163,11 @@ func serviceNew(ctx web.Context) error {
 	}
 	checkedNetworks := data.NewSet()
-	checkedNetworks.AddSlice(service.Networks, func(i int) interface{} {
+	checkedNetworks.AddSlice(info.Networks, func(i int) interface{} {
-		return service.Networks[i]
+		return info.Networks[i]
 	})
-	m := newModel(ctx).Set("Service", service).Set("Registries", registries).
+	m := newModel(ctx).Set("Service", info).Set("Registries", registries).
 		Set("Networks", networks).Set("CheckedNetworks", checkedNetworks).
 		Set("Secrets", secrets).Set("Configs", configs)
 	return ctx.Render("service/new", m)
@ -279,3 +265,9 @@ func serviceRollback(ctx web.Context) error {
 	}
 	return ajaxResult(ctx, err)
 }
 func servicePermEdit(ctx web.Context) error {
 	name := ctx.P("name")
 	m := newModel(ctx).Set("Name", name)
 	return permEdit(ctx, "service", name, "service/perm", m)
 }
--- a/controller/user.go
+++ b/controller/user.go
@ -18,6 +18,7 @@ type UserController struct {
 	Block   web.HandlerFunc `path:"/block" method:"post" name:"user.block" authorize:"!" desc:"block user"`
 	Unblock web.HandlerFunc `path:"/unblock" method:"post" name:"user.unblock" authorize:"!" desc:"unblock user"`
 	Delete  web.HandlerFunc `path:"/delete" method:"post" name:"user.delete" authorize:"!" desc:"delete user"`
 	Search  web.HandlerFunc `path:"/search" method:"post" name:"user.search" authorize:"?" desc:"search users"`
 }
 // User creates an instance of UserController
@ -32,6 +33,7 @@ func User() (c *UserController) {
 		Block:   userBlock,
 		Unblock: userUnblock,
 		Delete:  userDelete,
 		Search:  userSearch,
 	}
 }
@ -159,3 +161,29 @@ func userDelete(ctx web.Context) error {
 	err := biz.User.Delete(id)
 	return ajaxResult(ctx, err)
 }
 func userSearch(ctx web.Context) error {
 	query := ctx.F("query")
 	args := &model.UserListArgs{
 		Query:     query,
 		PageIndex: 1,
 		PageSize:  10,
 	}
 	users, _, err := biz.User.List(args)
 	if err != nil {
 		return err
 	}
 	type User struct {
 		ID   string `json:"id"`
 		Name string `json:"name"`
 	}
 	list := make([]User, len(users))
 	for i, user := range users {
 		list[i] = User{
 			ID:   user.ID,
 			Name: user.Name,
 		}
 	}
 	return ctx.JSON(list)
 }
--- a/dao/dao.go
+++ b/dao/dao.go
@ -56,6 +56,10 @@ type Interface interface {
 	EventCreate(event *model.Event) error
 	EventList(args *model.EventListArgs) (events []*model.Event, count int, err error)
 	PermGet(resType, resID string) (*model.Perm, error)
 	PermUpdate(perm *model.Perm) error
 	PermDelete(resType, resID string) error
 	SettingGet() (setting *model.Setting, err error)
 	SettingUpdate(setting *model.Setting) error
 }
--- a/dao/mongo/mongo.go
+++ b/dao/mongo/mongo.go
@ -35,6 +35,9 @@ var (
 		"template": {
 			mgo.Index{Key: []string{"name"}, Unique: true},
 		},
 		"perm": {
 			mgo.Index{Key: []string{"res_type", "res_id"}, Unique: true},
 		},
 	}
 )
--- a/dao/mongo/perm.go
+++ b/dao/mongo/perm.go
@ -0,0 +1,53 @@
 package mongo
 import (
 	"github.com/cuigh/swirl/model"
 	"gopkg.in/mgo.v2"
 	"gopkg.in/mgo.v2/bson"
 )
 func (d *Dao) PermGet(resType, resID string) (p *model.Perm, err error) {
 	d.do(func(db *database) {
 		p = &model.Perm{}
 		q := bson.M{
 			"res_type": resType,
 			"res_id":   resID,
 		}
 		err = db.C("perm").Find(q).One(p)
 		if err == mgo.ErrNotFound {
 			p, err = nil, nil
 		} else if err != nil {
 			p = nil
 		}
 	})
 	return
 }
 func (d *Dao) PermUpdate(perm *model.Perm) (err error) {
 	d.do(func(db *database) {
 		q := bson.M{
 			"res_type": perm.ResType,
 			"res_id":   perm.ResID,
 		}
 		update := bson.M{
 			"$set": bson.M{
 				"scope": perm.Scope,
 				"roles": perm.Roles,
 				"users": perm.Users,
 			},
 		}
 		_, err = db.C("perm").Upsert(q, update)
 	})
 	return
 }
 func (d *Dao) PermDelete(resType, resID string) (err error) {
 	d.do(func(db *database) {
 		q := bson.M{
 			"res_type": resType,
 			"res_id":   resID,
 		}
 		err = db.C("perm").Remove(q)
 	})
 	return
 }
--- a/main.go
+++ b/main.go
@ -24,7 +24,7 @@ func main() {
 	misc.BindOptions()
 	app.Name = "Swirl"
-	app.Version = "0.6.3"
+	app.Version = "0.6.4"
 	app.Desc = "A web management UI for Docker, focused on swarm cluster"
 	app.Action = func(ctx *app.Context) {
 		misc.LoadOptions()
@ -91,7 +91,7 @@ func server() *web.Server {
 	g.Handle("/profile", controller.Profile())
 	g.Handle("/registry", controller.Registry())
 	g.Handle("/node", controller.Node())
-	g.Handle("/service", controller.Service())
+	g.Handle("/service", controller.Service(), biz.Perm)
 	g.Handle("/service/template", controller.Template())
 	g.Handle("/stack", controller.Stack())
 	g.Handle("/network", controller.Network())
--- a/model/auth.go
+++ b/model/auth.go
@ -65,6 +65,7 @@ type Session struct {
 type AuthUser struct {
 	user  *User
 	roles []*Role
 	perms map[string]struct{}
 }
@ -74,6 +75,7 @@ func NewAuthUser(user *User, roles []*Role) *AuthUser {
 	}
 	u := &AuthUser{
 		user:  user,
 		roles: roles,
 		perms: make(map[string]struct{}),
 	}
 	for _, role := range roles {
@ -100,6 +102,15 @@ func (u *AuthUser) Admin() bool {
 	return u.user.Admin
 }
 func (u *AuthUser) IsInRole(roleID string) bool {
 	for _, role := range u.roles {
 		if role.ID == roleID {
 			return true
 		}
 	}
 	return false
 }
 func (u *AuthUser) IsAllowed(perm string) bool {
 	if u.user.Admin {
 		return true
--- a/model/setting.go
+++ b/model/setting.go
@ -2,17 +2,26 @@ package model
 import "time"
 // LDAP security policy
 const (
 	LDAPSecurityNone     = 0
 	LDAPSecurityTLS      = 1
 	LDAPSecurityStartTLS = 2
 )
 // LDAP auth type
 const (
 	LDAPAuthSimple = 0
 	LDAPAuthBind   = 1
 )
 // Perm control scope
 const (
 	PermNone      = 0
 	PermWrite     = 1
 	PermReadWrite = 2
 )
 // Setting represents the options of swirl.
 type Setting struct {
 	LDAP struct {
@ -38,3 +47,12 @@ type Setting struct {
 	UpdatedBy string    `bson:"updated_by" json:"updated_by,omitempty"`
 	UpdatedAt time.Time `bson:"updated_at" json:"updated_at,omitempty"`
 }
 // Perm holds permissions of Docker resource.
 type Perm struct {
 	ResType string   `json:"res_type"`
 	ResID   string   `json:"res_id"`
 	Scope   int32    `json:"scope"`
 	Roles   []string `json:"roles"`
 	Users   []string `json:"users"`
 }
--- a/views/service/detail.jet
+++ b/views/service/detail.jet
@ -29,6 +29,7 @@
      <a class="navbar-item is-tab" href="/service/{{.Service.Spec.Name}}/raw">{{ i18n("menu.raw") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service.Spec.Name}}/logs">{{ i18n("menu.log") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service.Spec.Name}}/edit">{{ i18n("menu.edit") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service.Spec.Name}}/perm">{{ i18n("menu.perm") }}</a>
    </div>
  </div>
 </nav>
--- a/views/service/edit.jet
+++ b/views/service/edit.jet
@ -29,6 +29,7 @@
      <a class="navbar-item is-tab" href="/service/{{.Service.Name}}/raw">{{ i18n("menu.raw") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service.Name}}/logs">{{ i18n("menu.log") }}</a>
      <a class="navbar-item is-tab is-active" href="/service/{{.Service.Name}}/edit">{{ i18n("menu.edit") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service.Name}}/perm">{{ i18n("menu.perm") }}</a>
    </div>
  </div>
 </nav>
--- a/views/service/list.jet
+++ b/views/service/list.jet
@ -31,9 +31,6 @@
    </div>
    <!-- Right side -->
    <div class="level-right">
      <p class="level-item">
        <button id="btn-delete" class="button is-danger"><span class="icon"><i class="fa fa-remove"></i></span><span>{{ i18n("button.delete") }}</span></button>
      </p>
      <p class="level-item">
        <a class="button is-success" href="new"><span class="icon"><i class="fa fa-plus"></i></span><span>{{ i18n("button.new") }}</span></a>
      </p>
@ -43,7 +40,6 @@
  <table id="table-items" class="table is-bordered is-striped is-narrow is-fullwidth">
    <thead>
      <tr>
        <th width="30"><input type="checkbox" data-action="check-all"></th>
        <th>{{ i18n("field.name") }}</th>
        <th>{{ i18n("field.image") }}</th>
        <th width="145">Mode</th>
@ -54,7 +50,6 @@
    <tbody>
      {{range .Services}}
      <tr>
        <td><input type="checkbox" value="{{.Name}}" data-action="check"></td>
        <td><a href="{{.Name}}/detail">{{.Name}}</a></td>
        <td>{{ limit(.Image, 60) }}</td>
        <td>
--- a/views/service/logs.jet
+++ b/views/service/logs.jet
@ -28,6 +28,7 @@
      <a class="navbar-item is-tab" href="/service/{{.Service}}/raw">{{ i18n("menu.raw") }}</a>
      <a class="navbar-item is-tab is-active" href="/service/{{.Service}}/logs">{{ i18n("menu.log") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service}}/edit">{{ i18n("menu.edit") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service}}/perm">{{ i18n("menu.perm") }}</a>
    </div>
  </div>
 </nav>
--- a/views/service/perm.jet
+++ b/views/service/perm.jet
@ -0,0 +1,104 @@
 {{ extends "_base" }}
 {{ import "../_modules/form" }}
 {{ block script() }}
 <script>$(() => new Swirl.Perm.EditPage())</script>
 {{ end }}
 {{ block body_content() }}
 <div class="container">
  <nav class="breadcrumb has-succeeds-separator is-small is-marginless" aria-label="breadcrumbs">
    <ul>
      <li><a href="/">{{ i18n("menu.dashboard") }}</a></li>
      <li><a href="/service/">{{ i18n("menu.service") }}</a></li>
      <li class="is-active"><a>{{ i18n("menu.perm") }}</a></li>
    </ul>
  </nav>
 </div>
 <section class="hero is-small is-light">
  <div class="hero-body">
    <div class="container">
      <h2 class="title is-2">{{ .Name }}</h2>
    </div>
  </div>
 </section>
 <nav class="navbar has-shadow">
  <div class="container">
    <div class="navbar-brand">
      <a class="navbar-item is-tab" href="/service/{{.Name}}/detail">{{ i18n("menu.detail") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Name}}/raw">{{ i18n("menu.raw") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Name}}/logs">{{ i18n("menu.log") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Name}}/edit">{{ i18n("menu.edit") }}</a>
      <a class="navbar-item is-tab is-active" href="/service/{{.Name}}/perm">{{ i18n("menu.perm") }}</a>
    </div>
  </div>
 </nav>
 <section class="section">
  <div class="container">
    <form method="post" data-form="ajax-json" data-url="/service/">
      <div class="field">
        <label class="label">{{ i18n("field.scope") }}</label>
        <div class="field is-grouped is-grouped-multiline">
          <div class="control">
          {{ yield radio(name="scope", value=0, label="None", checked=.Perm.Scope) content }} data-type="integer"{{ end }}
          {{ yield radio(name="scope", value=1, label="Write", checked=.Perm.Scope) content }} data-type="integer"{{ end }}
          {{ yield radio(name="scope", value=2, label="Read & Write", checked=.Perm.Scope) content }} data-type="integer"{{ end }}
          </div>
        </div>
      </div>
      <div class="field">
        <label class="label">{{ i18n("field.role") }}</label>
        <div class="control">
          {{ roles := .CheckedRoles }}
          {{range .Roles}}
          {{ yield checkbox(name="roles", value=.ID, label=.Name, checked=isset(roles[.ID])) }}
          {{end}}
        </div>
      </div>
      <div class="field">
        <label class="label" style="display: inline-block">{{ i18n("field.user") }}</label>
        <button type="button" class="button is-small is-success is-outlined tooltip is-tooltip-bottom modal-trigger" data-tooltip="{{ i18n("button.add") }}" data-action="add-user" data-target="dlg-add-user">
          <span class="icon"><i class="fa fa-plus"></i></span>
        </button>
        <div id="div-users" class="field is-grouped is-grouped-multiline">
          {{range .Users}}
          <div class="control">
            <div class="tags has-addons">
              <span class="tag is-info">{{ .Name }}</span>
              <a class="tag is-delete" data-action="delete-user"></a>
              <input name="users[]" value="{{ .ID }}" type="hidden">
            </div>
          </div>
          {{end}}
        </div>
      </div>
      {{ yield form_submit(url="/service/") }}
    </form>
  </div>
 </section>
 <div id="dlg-add-user" class="modal">
  <div class="modal-background"></div>
  <div class="modal-card">
    <header class="modal-card-head">
      <p class="modal-card-title">Add user</p>
      <button class="delete"></button>
    </header>
    <section class="modal-card-body" style="max-height: 400px; overflow-y: auto">
      <nav id="nav-users" class="panel">
        <div class="panel-block">
          <p class="control has-icons-left">
            <input id="txt-query" class="input is-small" type="text" placeholder="Searching user...">
            <span class="icon is-small is-left">
              <i class="fa fa-search"></i>
            </span>
          </p>
        </div>
      </nav>
    </section>
    <footer class="modal-card-foot">
      <button id="btn-add-user" type="button" class="button is-primary">{{ i18n("button.confirm") }}</button>
      <button type="button" class="button dismiss">{{ i18n("button.cancel") }}</button>
    </footer>
  </div>
 </div>
 {{ end }}
--- a/views/service/raw.jet
+++ b/views/service/raw.jet
@ -37,6 +37,7 @@
      <a class="navbar-item is-tab is-active" href="/service/{{.Service}}/raw">{{ i18n("menu.raw") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service}}/logs">{{ i18n("menu.log") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service}}/edit">{{ i18n("menu.edit") }}</a>
      <a class="navbar-item is-tab" href="/service/{{.Service}}/perm">{{ i18n("menu.perm") }}</a>
    </div>
  </div>
 </nav>