feat: add permissions script for llm_api_map management (Admin + Operator level)

- scripts/setup_llmage_perms.sh: shell-based permission init following sage convention
- Replaces deleted Python/SQL permission scripts
- Authorizes: owner.superuser, *.admin roles, reseller.operator
- Covers: llm_api_map_manage.ui + all CRUD API endpoints + uapi_options
yumoqing 2026-05-20 18:01:53 +08:00
parent 715e759be9
commit 6f851895fe
3 changed files with 66 additions and 81 deletions


@ -1,53 +0,0 @@
#!/usr/bin/env python3
"""
Add permission records for new llm_api_map management files.
Run in Sage virtual environment:
cd ~/repos/llmage && python scripts/add_llm_api_map_perms.py
"""
import os
import sys
import asyncio
from appPublic.uniqueID import getID
from sqlor.dbpools import DBPools
# Paths that need permissions
PERM_PATHS = [
'/llm_api_map_manage.ui',
'/api/llm_api_map_list.dspy',
'/api/llm_api_map_create.dspy',
'/api/llm_api_map_delete.dspy',
'/api/llm_api_map_options.dspy',
'/api/uapi_options.dspy',
]
async def add_permissions():
"""Insert permission records for llm_api_map files."""
config_path = os.path.expanduser('~/repos/sage')
from appPublic.jsonConfig import getConfig
config = getConfig(config_path)
db = DBPools(config.databases)
dbname = list(config.databases.keys())[0]
async with db.sqlorContext(dbname) as sor:
for path in PERM_PATHS:
# Check if permission already exists
existing = await sor.sqlExe(
"select id from permission where path = ${path}$",
{'path': path}
)
if not existing:
perm_id = getID()
await sor.C('permission', {
'id': perm_id,
'path': path
})
print(f"Added permission: {path} (id={perm_id})")
else:
print(f"Permission already exists: {path}")
print("\nDone. Now assign these permissions to roles using:")
print(" python ~/repos/sage/script/set_role_perm.py <role_name> /llm_api_map_manage.ui")
if __name__ == '__main__':
asyncio.get_event_loop().run_until_complete(add_permissions())


@ -1,28 +0,0 @@
-- Add permissions for llm_api_map management files
-- Run this SQL in the Sage database to grant access to new llm_api_map endpoints
-- After inserting, assign these permissions to roles via:
-- python ~/repos/sage/script/set_role_perm.py <role_name> /llm_api_map_manage.ui
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/llm_api_map_manage.ui'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/llm_api_map_manage.ui');
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_list.dspy'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_list.dspy');
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_create.dspy'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_create.dspy');
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_delete.dspy'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_delete.dspy');
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/api/llm_api_map_options.dspy'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/llm_api_map_options.dspy');
INSERT INTO permission (id, path)
SELECT REPLACE(UUID(), '-', ''), '/api/uapi_options.dspy'
WHERE NOT EXISTS (SELECT 1 FROM permission WHERE path = '/api/uapi_options.dspy');


@ -0,0 +1,66 @@
#!/bin/bash
# setup_llmage_perms.sh
# 为 llmage 模块的 llm_api_map 管理功能配置 RBAC 角色权限
#
# 授权角色:
# owner.superuser — 系统超管:全局所有模型配置
# *.admin — 机构管理员管理本机构模型通过ownerid隔离数据
# reseller.operator — 运营:产品管理、模型配置
#
# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
# 用法: bash setup_llmage_perms.sh
set -e
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SAGE_DIR="$(cd "$SCRIPT_DIR/../.." && pwd 2>/dev/null || echo "")"
if [ ! -f "$SAGE_DIR/set_role_perm.py" ]; then
SAGE_DIR="$(cd "$SCRIPT_DIR/.." && pwd 2>/dev/null || echo "")"
fi
if [ ! -f "$SAGE_DIR/set_role_perm.py" ]; then
echo "Error: Cannot find set_role_perm.py"
exit 1
fi
cd "$SAGE_DIR"
COUNT=0
set_perm() {
local role="$1"
local path="$2"
python set_role_perm.py "${role}" "${path}"
COUNT=$((COUNT + 1))
}
# 授权角色(超管 + 各机构管理员 + 运营)
PERM_ROLES=(
"owner.superuser"
"owner.admin"
"reseller.admin"
"provider.admin"
"customer.admin"
"reseller.operator"
)
echo "============================================"
echo " llmage: llm_api_map 权限初始化"
echo "============================================"
LLM_API_MAP_PATHS=(
"/llmage/llm_api_map_manage.ui"
"/llmage/api/llm_api_map_list.dspy"
"/llmage/api/llm_api_map_create.dspy"
"/llmage/api/llm_api_map_delete.dspy"
"/llmage/api/llm_api_map_options.dspy"
"/llmage/api/uapi_options.dspy"
)
for p in "${LLM_API_MAP_PATHS[@]}"; do
for role in "${PERM_ROLES[@]}"; do
set_perm "${role}" "${p}"
done
done
echo ""
echo "============================================"
echo " 权限配置完成,共设置 ${COUNT} 条权限"
echo "============================================"
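Review bot: The nested loop over `LLM_API_MAP_PATHS` and `PERM_ROLES` grants every path, including `llm_api_map_create.dspy` and `llm_api_map_delete.dspy`, to every role, so `customer.admin` and `reseller.operator` end up with the same write access as `owner.superuser`. The ownerid isolation mentioned in the header cannot be enforced by this script and has to hold inside the .dspy handlers, so I would record that next to the role list, e.g. `# every role below receives create/delete; per-organisation isolation by ownerid must be enforced in the handlers`, and confirm the delete handler checks ownerid. Separately, the header says to run from the directory containing set_role_perm.py, but the script ignores the working directory and only probes `$SCRIPT_DIR/../..` and `$SCRIPT_DIR/..`. The removed scripts pointed at `~/repos/sage/script/set_role_perm.py`, which neither probe appears to reach if this file lives under llmage/scripts, so accepting the sage directory as an argument or environment variable may be needed. The paths also gained a `/llmage` prefix, and the removed scripts were what inserted the `permission` rows, so it is worth verifying that set_role_perm.py creates a missing row rather than failing or silently skipping it.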