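#!/bin/bash
# setup_harnessed_perms.sh
# Configure RBAC role permissions for the harnessed_agent (execution layer)
# and harnessed_reasoning (reasoning layer) modules.
#
# Permission tiers (from the business-function analysis):
#   1. public — static assets (CSS); role "any" (unauthenticated included)
#   2. read   — console home pages, data-viewing pages, read-only APIs;
#               "logined" plus every role of the admin tier
#   3. admin  — configuration management, data create/update/delete,
#               execute actions; admin-tier roles only (never "logined")
#
# Run from: the sage project root (the directory containing set_role_perm.py).
#           The script cd's into its own directory, so it must live there.
# Usage:    bash setup_harnessed_perms.sh
#
# Notes for security review:
#   * This script only GRANTS. Nothing here revokes a permission, so deleting
#     a path or role from the lists below does not undo a grant that
#     set_role_perm.py has already stored — revoke it separately (how depends
#     on set_role_perm.py, which is not visible here).
#   * Every role and path passed to python is a literal defined in this file;
#     nothing user-supplied reaches the command line. Keep it that way if the
#     script is ever parameterized.
#   * The run is not transactional: under `set -e` a failing grant aborts the
#     script part-way and leaves the grants made so far in place. Re-running
#     is expected to be safe because each grant is independent.

set -euo pipefail

#######################################
# Print an error to stderr and exit 1.
# Arguments: $* - message
#######################################
die() {
  printf 'setup_harnessed_perms: %s\n' "$*" >&2
  exit 1
}

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
cd "$SCRIPT_DIR" || die "cannot cd to ${SCRIPT_DIR}"

# Fail fast before touching any permission. Without these checks a missing
# tool would surface only as the very first grant failing with a python error
# (or, worse, after part of the grants were already written).
[[ -f set_role_perm.py ]] || die "set_role_perm.py not found in ${SCRIPT_DIR}; run from the sage project root"
command -v python >/dev/null 2>&1 || die "python not found in PATH"

# ---------------------------------------------------------------------------
# Role definitions — single source of truth. The tier role lists are derived
# from these arrays so that the copies can no longer drift apart (the original
# kept three hand-maintained copies, one of which was never used).
# ---------------------------------------------------------------------------

# Administrators of each organization type.
ORG_ADMIN_ROLES=(
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
)

# Reseller business roles.
# NOTE(review): by this file's own taxonomy these are business roles, not
# administrators, yet they are placed in the admin tier below and therefore
# receive every add/update/delete endpoint plus agent_execute.dspy and
# hermes.dspy. reseller.accountant holding delete + execute rights is more
# than the role name suggests — confirm this is intended, or remove these
# roles from ADMIN_ROLES_ONLY (they keep read access via READ_ROLES).
RESELLER_BUSINESS_ROLES=(
  "reseller.operator"
  "reseller.accountant"
  "reseller.maintainer"
)

# Admin tier: every role except the generic "logined" role.
ADMIN_ROLES_ONLY=("${ORG_ADMIN_ROLES[@]}" "${RESELLER_BUSINESS_ROLES[@]}")

# Read tier: any logged-in user plus the whole admin tier.
READ_ROLES=("logined" "${ADMIN_ROLES_ONLY[@]}")

COUNT=0

#######################################
# Grant one (role, path) pair through set_role_perm.py.
# Globals:   COUNT (incremented after a successful grant)
# Arguments: $1 - role name
#            $2 - URL path as seen by the application (see WSS note below)
# Returns:   aborts the whole script (set -e) when set_role_perm.py fails
#######################################
set_perm() {
  local role="$1"
  local path="$2"
  python set_role_perm.py "${role}" "${path}"
  COUNT=$((COUNT + 1))
}

#######################################
# Grant one path to every role in a list.
# Arguments: $1 - path, $2.. - roles
#######################################
grant_path_to_roles() {
  local path="$1"
  shift
  local role
  for role in "$@"; do
    set_perm "${role}" "${path}"
  done
}

echo "============================================"
echo " harnessed 模块权限初始化"
echo "============================================"

# ---------------------------------------------------------------------------
# CRUD table names. Each table under /<module>/<table>/ exposes:
#   <table>            and <table>/index.ui   (list page, read tier)
#   get_<table>.dspy                          (single record, read tier)
#   add_/update_/delete_<table>.dspy          (writes, admin tier)
# Generating the paths from one list keeps the read side and the write side
# of every table in lockstep; a table forgotten in one list but not the other
# is the classic way an unguarded write endpoint slips through.
# ---------------------------------------------------------------------------
AGENT_CRUD_TABLES=(
  "hermes_memory"
  "hermes_sessions"
  "hermes_skills"
  "hermes_tasks"
  "hermes_workflows"
  "hermes_executions"
  "hermes_executions_task"
  "hermes_tasks_workflow"
  "harnessed_remote_skills"
  "harnessed_agent_config_view"
  "executions_by_workflow"
  "task_dependencies"
)

# harnessed_agent also has a flat API layer under /harnessed_agent/api/ with
# <name>_create/_update/_delete.dspy per table. Its naming differs from the
# CRUD directories above (harnessed_agent_config vs harnessed_agent_config_view),
# so it is listed separately rather than derived.
AGENT_API_TABLES=(
  "harnessed_agent_config"
  "hermes_sessions"
  "hermes_skills"
  "hermes_tasks"
  "hermes_workflows"
  "hermes_executions"
  "hermes_executions_task"
  "hermes_memory"
  "hermes_tasks_workflow"
  "harnessed_remote_skills"
  "executions_by_workflow"
  "task_dependencies"
)

REASONING_CRUD_TABLES=(
  "harnessed_reasoning_sessions_crud"
  "harnessed_reasoning_session_detail"
  "harnessed_reasoning_config_view"
)

# =============================================
# Tier 1: PUBLIC — static assets (CSS files)
# Reachable by anyone, including unauthenticated users.
# =============================================
echo ""
echo ">>> [1/3] Public: 静态资源 (any)"

PUBLIC_FILES=(
  "/harnessed_agent/ios_design.css"
  "/harnessed_reasoning/ios_design.css"
)

for f in "${PUBLIC_FILES[@]}"; do
  set_perm "any" "${f}"
done

# =============================================
# Tier 2: READ — console home pages + data viewing
# All logged-in users plus the admin tier.
# =============================================
echo ""
echo ">>> [2/3] Read: 控制台主页 + 数据查看 (logined + 管理员)"

READ_PATHS=(
  # ---------- harnessed_agent ----------
  # Console / home pages (user entry points)
  "/harnessed_agent/hermes_agent.ui"
  "/harnessed_agent/agent_console.ui"
  "/harnessed_agent/menu.ui"

  # Data-viewing pages (read-only browsing)
  "/harnessed_agent/sessions.ui"
  "/harnessed_agent/skills.ui"
  "/harnessed_agent/tasks.ui"
  "/harnessed_agent/workflows.ui"
  "/harnessed_agent/memory.ui"
  "/harnessed_agent/tools.ui"
  "/harnessed_agent/remote_skills.ui"

  # Config read API (read-only)
  # NOTE(review): agent_config_get.dspy and the *_config_view tables below
  # expose module configuration to every logged-in user. If that
  # configuration carries credentials (model API keys, remote-skill tokens),
  # this is a disclosure to non-admins — confirm the view redacts them.
  "/harnessed_agent/api/agent_config_get.dspy"
)

# CRUD list pages. ahserver's `indexes` setting maps /harnessed_agent/<table>
# to index.ui, but the RBAC check sees the path as requested (without
# /index.ui), so both spellings must be registered.
for t in "${AGENT_CRUD_TABLES[@]}"; do
  READ_PATHS+=("/harnessed_agent/${t}" "/harnessed_agent/${t}/index.ui")
done

# CRUD single-record reads.
for t in "${AGENT_CRUD_TABLES[@]}"; do
  READ_PATHS+=("/harnessed_agent/${t}/get_${t}.dspy")
done

READ_PATHS+=(
  # ---------- harnessed_reasoning ----------
  # Console / home pages (user entry points)
  "/harnessed_reasoning/hermes_reasoning.ui"
  "/harnessed_reasoning/reasoning_console.ui"
  "/harnessed_reasoning/menu.ui"

  # WSS WebSocket endpoint. nginx strips the /wss prefix, so the application
  # (and therefore RBAC) sees the path without it. If the nginx rewrite ever
  # changes, this grant silently stops matching.
  "/harnessed_reasoning/reasoning_console.wss"

  # Data-viewing pages
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
  "/harnessed_reasoning/harnessed_reasoning_config_view.ui"

  # Session list / config read APIs (read-only)
  "/harnessed_reasoning/api/sessions_list.dspy"
  "/harnessed_reasoning/api/config_get.dspy"

  # Reasoning submission — the core user feature, deliberately open to every
  # logged-in user. NOTE(review): this is a write/execute endpoint living in
  # the "read-only API" tier; that is by design here, but any rate limiting
  # or quota must come from the endpoint itself, not from RBAC.
  "/harnessed_reasoning/api/reasoning_submit.dspy"
)

for t in "${REASONING_CRUD_TABLES[@]}"; do
  READ_PATHS+=("/harnessed_reasoning/${t}" "/harnessed_reasoning/${t}/index.ui")
done

for t in "${REASONING_CRUD_TABLES[@]}"; do
  READ_PATHS+=("/harnessed_reasoning/${t}/get_${t}.dspy")
done

for p in "${READ_PATHS[@]}"; do
  grant_path_to_roles "${p}" "${READ_ROLES[@]}"
done

# =============================================
# Tier 3: ADMIN — config management + data writes + execute
# Admin-tier roles only; "logined" is intentionally absent.
# =============================================
echo ""
echo ">>> [3/3] Admin: 配置管理 + 数据操作 + 执行 (仅管理员)"

ADMIN_PATHS=(
  # ---------- harnessed_agent ----------
  # Config management pages
  "/harnessed_agent/agent_config.ui"
  "/harnessed_agent/agent_config_form.ui"

  # Skill deployment / remote execution pages
  "/harnessed_agent/deploy_skill.ui"
  "/harnessed_agent/execute_remote_skill.ui"
)

# harnessed_agent CRUD writes (add/update/delete)
for t in "${AGENT_CRUD_TABLES[@]}"; do
  ADMIN_PATHS+=(
    "/harnessed_agent/${t}/add_${t}.dspy"
    "/harnessed_agent/${t}/update_${t}.dspy"
    "/harnessed_agent/${t}/delete_${t}.dspy"
  )
done

# harnessed_agent api/ CRUD writes (API layer)
for t in "${AGENT_API_TABLES[@]}"; do
  ADMIN_PATHS+=(
    "/harnessed_agent/api/${t}_create.dspy"
    "/harnessed_agent/api/${t}_update.dspy"
    "/harnessed_agent/api/${t}_delete.dspy"
  )
done

ADMIN_PATHS+=(
  # Agent execution — runs the agent; the highest-impact endpoints here.
  "/harnessed_agent/api/agent_execute.dspy"
  "/harnessed_agent/api/agent_config_save.dspy"
  "/harnessed_agent/hermes.dspy"

  # ---------- harnessed_reasoning ----------
  # Config management
  "/harnessed_reasoning/api/config_save.dspy"
)

# harnessed_reasoning CRUD writes (add/update/delete)
for t in "${REASONING_CRUD_TABLES[@]}"; do
  ADMIN_PATHS+=(
    "/harnessed_reasoning/${t}/add_${t}.dspy"
    "/harnessed_reasoning/${t}/update_${t}.dspy"
    "/harnessed_reasoning/${t}/delete_${t}.dspy"
  )
done

for p in "${ADMIN_PATHS[@]}"; do
  grant_path_to_roles "${p}" "${ADMIN_ROLES_ONLY[@]}"
done

# =============================================
# Done
# =============================================
echo ""
echo "============================================"
echo " 权限配置完成,共设置 ${COUNT} 条权限"
echo "============================================"
echo ""
echo "权限摘要:"
echo "  Public (any):         ${#PUBLIC_FILES[@]} 个文件"
echo "  Read (logined+admin): ${#READ_PATHS[@]} 个路径 x ${#READ_ROLES[@]} 角色 = $((${#READ_PATHS[@]} * ${#READ_ROLES[@]})) 条"
echo "  Admin (admin-only):   ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES_ONLY[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES_ONLY[@]})) 条"
echo ""
echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"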