From 6f851895feedcb1edb0f02ec853d0692aa80a2f8 Mon Sep 17 00:00:00 2001
From: yumoqing
Date: Wed, 20 May 2026 18:01:53 +0800
Subject: [PATCH] feat: add permissions script for llm_api_map management (Admin + Operator level)

- scripts/setup_llmage_perms.sh: shell-based permission init following sage convention
- Replaces deleted Python/SQL permission scripts
- Authorizes: owner.superuser, *.admin roles, reseller.operator
- Covers: llm_api_map_manage.ui + all CRUD API endpoints + uapi_options
---
 scripts/add_llm_api_map_perms.py | 53 -------------------------
 scripts/add_llm_api_map_perms.sql | 28 -------------
 scripts/setup_llmage_perms.sh | 66 +++++++++++++++++++++++++++++++
 3 files changed, 66 insertions(+), 81 deletions(-)
 delete mode 100644 scripts/add_llm_api_map_perms.py
 delete mode 100644 scripts/add_llm_api_map_perms.sql
 create mode 100644 scripts/setup_llmage_perms.sh

diff --git a/scripts/add_llm_api_map_perms.py b/scripts/add_llm_api_map_perms.py
deleted file mode 100644
index 579cd9c..0000000
--- a/scripts/add_llm_api_map_perms.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/env python3
-"""
-Add permission records for new llm_api_map management files.
-Run in Sage virtual environment:
- cd ~/repos/llmage && python scripts/add_llm_api_map_perms.py
-"""
-import os
-import sys
-import asyncio
-from appPublic.uniqueID import getID
-from sqlor.dbpools import DBPools
-
-# Paths that need permissions
-PERM_PATHS = [
- '/llm_api_map_manage.ui',
- '/api/llm_api_map_list.dspy',
- '/api/llm_api_map_create.dspy',
- '/api/llm_api_map_delete.dspy',
- '/api/llm_api_map_options.dspy',
- '/api/uapi_options.dspy',
-]
-
-async def add_permissions():
- """Insert permission records for llm_api_map files."""
- config_path = os.path.expanduser('~/repos/sage')
- from appPublic.jsonConfig import getConfig
- config = getConfig(config_path)
-
- db = DBPools(config.databases)
- dbname = list(config.databases.keys())[0]
-
- async with db.sqlorContext(dbname) as sor:
- for path in PERM_PATHS:
- # Check if permission already exists
- existing = await sor.sqlExe(
- "select id from permission where path = ${path}$",
- {'path': path}
- )
- if not existing:
- perm_id = getID()
- await sor.C('permission', {
- 'id': perm_id,
- 'path': path
- })
- print(f"Added permission: {path} (id={perm_id})")
- else:
- print(f"Permission already exists: {path}")
-
- print("\nDone. Now assign these permissions to roles using:")
- print(" python ~/repos/sage/script/set_role_perm.py /llm_api_map_manage.ui")
-
-if __name__ == '__main__':
- asyncio.get_event_loop().run_until_complete(add_permissions())
diff --git a/scripts/add_llm_api_map_perms.sql b/scripts/add_llm_api_map_perms.sql
deleted file mode 100644
index 5cf027d..0000000
--- a/scripts/add_llm_api_map_perms.sql
+++ /dev/null
@@ -1,28 +0,0 @@
--- Add permissions for llm_api_map management files
--- Run this SQL in the Sage database to grant access to new llm_api_map endpoints
--- After inserting, assign these permissions to roles via:
--- python ~/repos/sage/script/set_role_perm.py /llm_api_map_manage.ui
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/llm_api_map_manage.ui'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/llm_api_map_manage.ui');
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_list.dspy'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_list.dspy');
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_create.dspy'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_create.dspy');
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_delete.dspy'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_delete.dspy');
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_options.dspy'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_options.dspy');
-
-INSERT INTO permission (id, path)
-SELECT REPLACE(UUID(), '-', ''), '/api/uapi_options.dspy'
-WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/uapi_options.dspy');
diff --git a/scripts/setup_llmage_perms.sh b/scripts/setup_llmage_perms.sh
new file mode 100644
index 0000000..aaf4e63
--- /dev/null
+++ b/scripts/setup_llmage_perms.sh
@@ -0,0 +1,66 @@
+#!/bin/bash
+# setup_llmage_perms.sh
+# 为 llmage 模块的 llm_api_map 管理功能配置 RBAC 角色权限
+#
+# 授权角色:
+# owner.superuser — 系统超管:全局所有模型配置
+# *.admin — 机构管理员:管理本机构模型(通过ownerid隔离数据)
+# reseller.operator — 运营:产品管理、模型配置
+#
+# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
+# 用法: bash setup_llmage_perms.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+SAGE_DIR="$(cd "$SCRIPT_DIR/../.." && pwd 2>/dev/null || echo "")"
+if [ ! -f "$SAGE_DIR/set_role_perm.py" ]; then
+ SAGE_DIR="$(cd "$SCRIPT_DIR/.." && pwd 2>/dev/null || echo "")"
+fi
+if [ ! -f "$SAGE_DIR/set_role_perm.py" ]; then
+ echo "Error: Cannot find set_role_perm.py"
+ exit 1
+fi
+cd "$SAGE_DIR"
+
+COUNT=0
+set_perm() {
+ local role="$1"
+ local path="$2"
+ python set_role_perm.py "${role}" "${path}"
+ COUNT=$((COUNT + 1))
+}
+
+# 授权角色(超管 + 各机构管理员 + 运营)
+PERM_ROLES=(
+ "owner.superuser"
+ "owner.admin"
+ "reseller.admin"
+ "provider.admin"
+ "customer.admin"
+ "reseller.operator"
+)
+
+echo "============================================"
+echo " llmage: llm_api_map 权限初始化"
+echo "============================================"
+
+LLM_API_MAP_PATHS=(
+ "/llmage/llm_api_map_manage.ui"
+ "/llmage/api/llm_api_map_list.dspy"
+ "/llmage/api/llm_api_map_create.dspy"
+ "/llmage/api/llm_api_map_delete.dspy"
+ "/llmage/api/llm_api_map_options.dspy"
+ "/llmage/api/uapi_options.dspy"
+)
+
+for p in "${LLM_API_MAP_PATHS[@]}"; do
+ for role in "${PERM_ROLES[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+echo ""
+echo "============================================"
+echo " 权限配置完成,共设置 ${COUNT} 条权限"
+echo "============================================"
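Review bot: The nested loop at the end grants all six paths, including `llm_api_map_create.dspy` and `llm_api_map_delete.dspy`, to every role in `PERM_ROLES`, so `customer.admin` and `reseller.operator` receive the same write access as `owner.superuser`. The header comment says per-organisation isolation relies on `ownerid`, but nothing in this script enforces that; it presumably has to be checked inside each `.dspy` handler, which is not visible in this patch. Consider splitting the list into read paths and write paths and granting the write paths only to the roles that need them, or at least add a comment above `PERM_ROLES` such as `# create/delete handlers must filter by ownerid; a path grant alone does not scope data`. Separately, the lookup only tries `$SCRIPT_DIR/../..` and `$SCRIPT_DIR/..`, while the removed script pointed at `~/repos/sage/script/set_role_perm.py`, so confirm the helper is actually found from where this file is installed.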