From 8261f9d3095118e1a237e2379dcaa6a3f47bf626 Mon Sep 17 00:00:00 2001
From: yumoqing
Date: Wed, 13 May 2026 13:39:33 +0800
Subject: [PATCH] Add RBAC permission init script for harnessed_agent and harnessed_reasoning modules

- Three-tier permission model: public/read/admin
- Public: CSS files for any role
- Read: console UI, data view pages, read-only APIs for logined + admin roles
- Admin: config management, CRUD write ops, execution APIs for admin roles only
- Correct wss path handling (no /wss prefix in RBAC, nginx strips it)
- 420 total permission entries across 8 read roles and 7 admin roles
---
 setup_harnessed_perms.sh | 193 +++++++++++++++++++++++++++++++++++++++
 1 file changed, 193 insertions(+)
 create mode 100644 setup_harnessed_perms.sh

diff --git a/setup_harnessed_perms.sh b/setup_harnessed_perms.sh
new file mode 100644
index 0000000..7bdc204
--- /dev/null
+++ b/setup_harnessed_perms.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+# setup_harnessed_perms.sh
+# 为 harnessed_agent(执行层)和 harnessed_reasoning(推理层)模块配置 RBAC 角色权限
+#
+# 权限分级策略(基于业务功能分析):
+# 1. public — 静态资源(CSS),any 角色可用
+# 2. read — 控制台主页、数据查看页面、只读API,logined + 管理员可用
+# 3. admin — 配置管理、数据创建/更新/删除、执行操作,仅管理员可用
+#
+# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
+# 用法: bash setup_harnessed_perms.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+# 角色定义
+ADMIN_ROLES=(
+ # 通用登录角色 — read 级别使用
+ "logined"
+ # 各机构类型管理员 — admin 级别使用
+ "owner.admin"
+ "reseller.admin"
+ "provider.admin"
+ "customer.admin"
+ # Reseller 业务角色
+ "reseller.operator"
+ "reseller.accountant"
+ "reseller.maintainer"
+)
+
+COUNT=0
+set_perm() {
+ local role="$1"
+ local path="$2"
+ python set_role_perm.py "${role}" "${path}"
+ COUNT=$((COUNT + 1))
+}
+
+echo "============================================"
+echo " harnessed 模块权限初始化"
+echo "============================================"
+
+# =============================================
+# 层级 1: PUBLIC — 静态资源(CSS文件)
+# 任何用户(含未登录)均可访问
+# =============================================
+echo ""
+echo ">>> [1/3] Public: 静态资源 (any)"
+PUBLIC_FILES=(
+ "/harnessed_agent/ios_design.css"
+ "/harnessed_reasoning/ios_design.css"
+)
+for f in "${PUBLIC_FILES[@]}"; do
+ set_perm "any" "${f}"
+done
+
+# =============================================
+# 层级 2: READ — 控制台主页 + 数据查看
+# 所有登录用户 + 管理员可用
+# =============================================
+echo ""
+echo ">>> [2/3] Read: 控制台主页 + 数据查看 (logined + 管理员)"
+
+READ_PATHS=(
+ # ---------- harnessed_agent ----------
+ # 控制台/主页(用户使用入口)
+ "/harnessed_agent/hermes_agent.ui"
+ "/harnessed_agent/agent_console.ui"
+ "/harnessed_agent/menu.ui"
+ # 数据查看页面(只读浏览)
+ "/harnessed_agent/sessions.ui"
+ "/harnessed_agent/skills.ui"
+ "/harnessed_agent/tasks.ui"
+ "/harnessed_agent/workflows.ui"
+ "/harnessed_agent/memory.ui"
+ "/harnessed_agent/tools.ui"
+ "/harnessed_agent/remote_skills.ui"
+ # API 配置查看(只读)
+ "/harnessed_agent/api/agent_config_get.dspy"
+
+ # ---------- harnessed_reasoning ----------
+ # 控制台/主页(用户使用入口)
+ "/harnessed_reasoning/hermes_reasoning.ui"
+ "/harnessed_reasoning/reasoning_console.ui"
+ "/harnessed_reasoning/menu.ui"
+ # WSS WebSocket 端点(nginx会去掉/wss前缀,应用收到的path不含/wss)
+ "/harnessed_reasoning/reasoning_console.wss"
+ # 数据查看页面
+ "/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
+ "/harnessed_reasoning/harnessed_reasoning_config_view.ui"
+ # API 会话列表(只读)
+ "/harnessed_reasoning/api/sessions_list.dspy"
+ "/harnessed_reasoning/api/config_get.dspy"
+ # 推理提交(核心使用功能,所有登录用户可用)
+ "/harnessed_reasoning/api/reasoning_submit.dspy"
+)
+
+READ_ROLES=("logined" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
+
+for p in "${READ_PATHS[@]}"; do
+ for role in "${READ_ROLES[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+# =============================================
+# 层级 3: ADMIN — 配置管理 + 数据操作 + 执行
+# 仅管理员角色可用
+# =============================================
+echo ""
+echo ">>> [3/3] Admin: 配置管理 + 数据操作 + 执行 (仅管理员)"
+
+ADMIN_PATHS=(
+ # ---------- harnessed_agent ----------
+ # 配置管理页面(管理员专用)
+ "/harnessed_agent/agent_config.ui"
+ "/harnessed_agent/agent_config_form.ui"
+ # 技能部署(管理员操作)
+ "/harnessed_agent/deploy_skill.ui"
+ "/harnessed_agent/execute_remote_skill.ui"
+
+ # harnessed_agent CRUD 页面(完整CRUD = 含写操作)
+ "/harnessed_agent/api/harnessed_agent_config_create.dspy"
+ "/harnessed_agent/api/harnessed_agent_config_update.dspy"
+ "/harnessed_agent/api/harnessed_agent_config_delete.dspy"
+ "/harnessed_agent/api/hermes_sessions_create.dspy"
+ "/harnessed_agent/api/hermes_sessions_update.dspy"
+ "/harnessed_agent/api/hermes_sessions_delete.dspy"
+ "/harnessed_agent/api/hermes_skills_create.dspy"
+ "/harnessed_agent/api/hermes_skills_update.dspy"
+ "/harnessed_agent/api/hermes_skills_delete.dspy"
+ "/harnessed_agent/api/hermes_tasks_create.dspy"
+ "/harnessed_agent/api/hermes_tasks_update.dspy"
+ "/harnessed_agent/api/hermes_tasks_delete.dspy"
+ "/harnessed_agent/api/hermes_workflows_create.dspy"
+ "/harnessed_agent/api/hermes_workflows_update.dspy"
+ "/harnessed_agent/api/hermes_workflows_delete.dspy"
+ "/harnessed_agent/api/hermes_executions_create.dspy"
+ "/harnessed_agent/api/hermes_executions_update.dspy"
+ "/harnessed_agent/api/hermes_executions_delete.dspy"
+ "/harnessed_agent/api/hermes_executions_task_create.dspy"
+ "/harnessed_agent/api/hermes_executions_task_update.dspy"
+ "/harnessed_agent/api/hermes_executions_task_delete.dspy"
+ "/harnessed_agent/api/hermes_memory_create.dspy"
+ "/harnessed_agent/api/hermes_memory_update.dspy"
+ "/harnessed_agent/api/hermes_memory_delete.dspy"
+ "/harnessed_agent/api/hermes_tasks_workflow_create.dspy"
+ "/harnessed_agent/api/hermes_tasks_workflow_update.dspy"
+ "/harnessed_agent/api/hermes_tasks_workflow_delete.dspy"
+ "/harnessed_agent/api/harnessed_remote_skills_create.dspy"
+ "/harnessed_agent/api/harnessed_remote_skills_update.dspy"
+ "/harnessed_agent/api/harnessed_remote_skills_delete.dspy"
+ "/harnessed_agent/api/executions_by_workflow_create.dspy"
+ "/harnessed_agent/api/executions_by_workflow_update.dspy"
+ "/harnessed_agent/api/executions_by_workflow_delete.dspy"
+ "/harnessed_agent/api/task_dependencies_create.dspy"
+ "/harnessed_agent/api/task_dependencies_update.dspy"
+ "/harnessed_agent/api/task_dependencies_delete.dspy"
+
+ # Agent 执行操作
+ "/harnessed_agent/api/agent_execute.dspy"
+ "/harnessed_agent/api/agent_config_save.dspy"
+ "/harnessed_agent/hermes.dspy"
+
+ # ---------- harnessed_reasoning ----------
+ # 配置管理(管理员专用)
+ "/harnessed_reasoning/api/config_save.dspy"
+)
+
+ADMIN_ROLES_ONLY=("owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
+
+for p in "${ADMIN_PATHS[@]}"; do
+ for role in "${ADMIN_ROLES_ONLY[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+# =============================================
+# 完成
+# =============================================
+echo ""
+echo "============================================"
+echo " 权限配置完成,共设置 ${COUNT} 条权限"
+echo "============================================"
+echo ""
+echo "权限摘要:"
+echo " Public (any): ${#PUBLIC_FILES[@]} 个文件"
+echo " Read (logined+admin): ${#READ_PATHS[@]} 个路径 x ${#READ_ROLES[@]} 角色 = $((${#READ_PATHS[@]} * ${#READ_ROLES[@]})) 条"
+echo " Admin (admin-only): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES_ONLY[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES_ONLY[@]})) 条"
+echo ""
+echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"
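Review bot: The admin tier grants `agent_execute.dspy`, `hermes.dspy`, `deploy_skill.ui` and every `*_delete.dspy` to `reseller.operator`, `reseller.accountant` and `reseller.maintainer` through ADMIN_ROLES_ONLY, while the tier's header comment says 仅管理员角色可用 and the summary line labels it "admin-only"; if the reseller business roles are meant to hold full write and execute rights that should be stated in the comment and label, otherwise those three roles belong in READ_ROLES only, since each extra role with execute rights widens the blast radius of a compromised account. ADMIN_ROLES is declared at the top but never referenced, so the same role list is maintained three times and can silently drift; deriving the other two from it, `READ_ROLES=("${ADMIN_ROLES[@]}")` and `ADMIN_ROLES_ONLY=("${ADMIN_ROLES[@]:1}")`, keeps a single source of truth (this relies on `logined` staying the first element, which is worth a comment). Under `set -e` a single failing `python set_role_perm.py` call aborts the run with grants partially applied and no summary printed, leaving the RBAC table in an intermediate state the operator cannot see; consider counting failures in set_perm, e.g. `python set_role_perm.py "${role}" "${path}" || { FAILED=$((FAILED + 1)); return 0; }`, and exiting non-zero after the summary when FAILED is non-zero. By my count the arrays yield 2 + 20×8 + 44×7 = 470 entries rather than the 420 stated in the commit message, and the script's own summary prints the computed figure, so the message is worth reconciling before merge.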