yumoqing
ae43ce2c6c
基于角色职责分析的四层权限模型: 1. Public (any): 18个路径 - 登录/注册/认证/静态资源 2. Logined (11角色): 29个路径 - 用户自助服务、API Key CRUD 3. Admin (5角色): 35个路径 - 用户管理、机构管理、供应商/分销商 4. Superuser (1角色): 27个路径 - 角色/权限/机构类型管理 总计: 18 + 29*11 + 35*5 + 27*1 = 592 条权限记录
275 lines
9.5 KiB
Bash
275 lines
9.5 KiB
Bash
#!/bin/bash
|
||
# setup_rbac_perms.sh
|
||
# 为 rbac 模块配置 RBAC 角色权限
|
||
#
|
||
# 角色职责定义:
|
||
# owner.superuser — 系统级:机构类型管理、角色管理、权限管理、添加业主管理员
|
||
# 系统初始化时由代码自动创建
|
||
# *.admin — 机构级:添加本机构人员、分配人员角色
|
||
# reseller.operator — 运营:产品管理、供应商合同、定价、统一折扣、营销
|
||
# reseller.sale — 销售:客户管理、客户特殊折扣
|
||
# reseller.accountant — 财务:线下充值、对账结算
|
||
# reseller.maintainer — 运维维护
|
||
# customer.customer — 终端客户用户
|
||
# logined — 所有已登录用户
|
||
#
|
||
# 权限分级策略(基于rbac业务功能分析):
|
||
# 1. public — 登录/注册/密码重置等认证相关,any 角色可用
|
||
# 2. logined — 用户自助服务(个人信息、API Key管理),所有登录用户可用
|
||
# 3. admin — 用户管理、角色分配、机构管理,仅 superuser 和机构管理员
|
||
# 4. superuser — 系统级管理(机构类型/角色/权限/缓存刷新),仅 owner.superuser
|
||
#
|
||
# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
|
||
# 用法: bash setup_rbac_perms.sh
|
||
|
||
set -e
|
||
|
||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||
cd "$SCRIPT_DIR"
|
||
|
||
COUNT=0
|
||
set_perm() {
|
||
local role="$1"
|
||
local path="$2"
|
||
python set_role_perm.py "${role}" "${path}"
|
||
COUNT=$((COUNT + 1))
|
||
}
|
||
|
||
# 角色分组
|
||
ALL_LOGINED=("logined" "owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.sale" "reseller.accountant" "reseller.maintainer" "customer.customer")
|
||
ADMIN_ROLES=("owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin")
|
||
SUPERUSER_ONLY=("owner.superuser")
|
||
|
||
echo "============================================"
|
||
echo " rbac 模块权限初始化"
|
||
echo "============================================"
|
||
|
||
# =============================================
|
||
# 层级 1: PUBLIC — 登录/注册/认证
|
||
# 任何用户(含未登录)均可访问
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [1/4] Public: 登录/注册/认证 (any)"
|
||
|
||
PUBLIC_PATHS=(
|
||
# 登录页面
|
||
"/rbac/user/login.ui"
|
||
"/rbac/userpassword_login.ui"
|
||
"/rbac/user/wechat_login.ui"
|
||
"/rbac/user/up_login.dspy"
|
||
"/rbac/userpassword_login.dspy"
|
||
"/rbac/phone_login.dspy"
|
||
# 注册
|
||
"/rbac/user/register.ui"
|
||
"/rbac/user/register.dspy"
|
||
# 短信验证码
|
||
"/rbac/gen_sms_code.dspy"
|
||
# 扫码
|
||
"/rbac/qr_scan.ui"
|
||
# 用户同步
|
||
"/rbac/usersync/index.dspy"
|
||
# 图片资源
|
||
"/rbac/imgs/organization.svg"
|
||
"/rbac/imgs/orgtype.svg"
|
||
"/rbac/imgs/permission.svg"
|
||
"/rbac/imgs/role.svg"
|
||
"/rbac/imgs/rolepermission.svg"
|
||
"/rbac/imgs/userrole.svg"
|
||
"/rbac/imgs/users.svg"
|
||
)
|
||
|
||
for p in "${PUBLIC_PATHS[@]}"; do
|
||
set_perm "any" "${p}"
|
||
done
|
||
|
||
# =============================================
|
||
# 层级 2: LOGINED — 用户自助服务
|
||
# 所有登录用户可用
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [2/4] Logined: 用户自助服务 (所有登录用户)"
|
||
|
||
LOGINED_PATHS=(
|
||
# 用户个人信息
|
||
"/rbac/user/userinfo.ui"
|
||
"/rbac/user/user.ui"
|
||
"/rbac/user/user_panel.ui"
|
||
"/rbac/user/myrole.ui"
|
||
"/rbac/usermenu.ui"
|
||
# 登出
|
||
"/rbac/user/logout.dspy"
|
||
# 密码重置
|
||
"/rbac/user/reset_password/index.ui"
|
||
"/rbac/user/reset_password/reset_password.dspy"
|
||
# 角色查询(只读,用户可查看自己的角色)
|
||
"/rbac/get_normal_roles.dspy"
|
||
|
||
# ========== User API Key CRUD(用户管理自己的API Key) ==========
|
||
"/rbac/user/userapikey/index.ui"
|
||
"/rbac/user/userapikey/get_userapikey.dspy"
|
||
"/rbac/user/userapikey/add_userapikey.dspy"
|
||
"/rbac/user/userapikey/update_userapikey.dspy"
|
||
"/rbac/user/userapikey/delete_userapikey.dspy"
|
||
"/rbac/userapp"
|
||
"/rbac/userapp/index.ui"
|
||
"/rbac/userapp/get_userapp.dspy"
|
||
"/rbac/userapp/add_userapp.dspy"
|
||
"/rbac/userapp/update_userapp.dspy"
|
||
"/rbac/userapp/delete_userapp.dspy"
|
||
|
||
# ========== User Department CRUD(用户管理自己的部门信息) ==========
|
||
"/rbac/userdepartment"
|
||
"/rbac/userdepartment/index.ui"
|
||
"/rbac/userdepartment/get_userdepartment.dspy"
|
||
"/rbac/userdepartment/add_userdepartment.dspy"
|
||
"/rbac/userdepartment/update_userdepartment.dspy"
|
||
"/rbac/userdepartment/delete_userdepartment.dspy"
|
||
|
||
# ========== User Role CRUD(用户角色关联,用户可查看自己的角色) ==========
|
||
"/rbac/userrole"
|
||
"/rbac/userrole/index.ui"
|
||
"/rbac/userrole/get_userrole.dspy"
|
||
)
|
||
|
||
for p in "${LOGINED_PATHS[@]}"; do
|
||
for role in "${ALL_LOGINED[@]}"; do
|
||
set_perm "${role}" "${p}"
|
||
done
|
||
done
|
||
|
||
# =============================================
|
||
# 层级 3: ADMIN — 机构管理(用户/角色/机构)
|
||
# superuser + 各机构管理员
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [3/4] Admin: 机构管理 (superuser + 机构管理员)"
|
||
|
||
ADMIN_PATHS=(
|
||
# ========== 添加管理员/供应商/分销商 ==========
|
||
"/rbac/add_adminuser.ui"
|
||
"/rbac/add_adminuser.dspy"
|
||
"/rbac/add_provider.ui"
|
||
"/rbac/add_provider.dspy"
|
||
"/rbac/get_provider.dspy"
|
||
"/rbac/add_reseller.dspy"
|
||
"/rbac/get_reseller.dspy"
|
||
|
||
# ========== Users CRUD(用户管理) ==========
|
||
"/rbac/users"
|
||
"/rbac/users/index.ui"
|
||
"/rbac/users/get_users.dspy"
|
||
"/rbac/users/add_users.dspy"
|
||
"/rbac/users/update_users.dspy"
|
||
"/rbac/users/delete_users.dspy"
|
||
|
||
# ========== Provider CRUD(供应商管理,alias=provider) ==========
|
||
"/rbac/provider"
|
||
"/rbac/provider/index.ui"
|
||
"/rbac/provider/get_provider.dspy"
|
||
"/rbac/provider/add_provider.dspy"
|
||
"/rbac/provider/update_provider.dspy"
|
||
"/rbac/provider/delete_provider.dspy"
|
||
|
||
# ========== Reseller CRUD(分销商管理,alias=reseller) ==========
|
||
"/rbac/reseller"
|
||
"/rbac/reseller/index.ui"
|
||
"/rbac/reseller/get_reseller.dspy"
|
||
"/rbac/reseller/add_reseller.dspy"
|
||
"/rbac/reseller/update_reseller.dspy"
|
||
"/rbac/reseller/delete_reseller.dspy"
|
||
|
||
# ========== Organization CRUD(机构管理) ==========
|
||
"/rbac/organization"
|
||
"/rbac/organization/index.ui"
|
||
"/rbac/organization/get_organization.dspy"
|
||
"/rbac/organization/add_organization.dspy"
|
||
"/rbac/organization/update_organization.dspy"
|
||
"/rbac/organization/delete_organization.dspy"
|
||
|
||
# ========== User Role CRUD(管理员可分配角色) ==========
|
||
"/rbac/userrole/add_userrole.dspy"
|
||
"/rbac/userrole/update_userrole.dspy"
|
||
"/rbac/userrole/delete_userrole.dspy"
|
||
|
||
# ========== 管理员菜单 ==========
|
||
"/rbac/admin_menu.ui"
|
||
)
|
||
|
||
for p in "${ADMIN_PATHS[@]}"; do
|
||
for role in "${ADMIN_ROLES[@]}"; do
|
||
set_perm "${role}" "${p}"
|
||
done
|
||
done
|
||
|
||
# =============================================
|
||
# 层级 4: SUPERUSER — 系统级管理
|
||
# 仅 owner.superuser
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [4/4] Superuser: 系统级管理 (仅 owner.superuser)"
|
||
|
||
SUPERUSER_PATHS=(
|
||
# 添加超级管理员(系统初始化)
|
||
"/rbac/add_superuser.dspy"
|
||
|
||
# ========== Role CRUD(角色管理 — 系统级) ==========
|
||
"/rbac/role"
|
||
"/rbac/role/index.ui"
|
||
"/rbac/role/get_role.dspy"
|
||
"/rbac/role/add_role.dspy"
|
||
"/rbac/role/update_role.dspy"
|
||
"/rbac/role/delete_role.dspy"
|
||
|
||
# ========== Role Permission CRUD(角色权限管理 — 系统级) ==========
|
||
"/rbac/rolepermission"
|
||
"/rbac/rolepermission/index.ui"
|
||
"/rbac/rolepermission/get_rolepermission.dspy"
|
||
"/rbac/rolepermission/add_rolepermission.dspy"
|
||
"/rbac/rolepermission/update_rolepermission.dspy"
|
||
"/rbac/rolepermission/delete_rolepermission.dspy"
|
||
|
||
# ========== Permission CRUD(权限管理 — 系统级) ==========
|
||
"/rbac/permission"
|
||
"/rbac/permission/index.ui"
|
||
"/rbac/permission/get_permission.dspy"
|
||
"/rbac/permission/add_permission.dspy"
|
||
"/rbac/permission/update_permission.dspy"
|
||
"/rbac/permission/delete_permission.dspy"
|
||
|
||
# ========== Org Types CRUD(机构类型管理 — 系统级) ==========
|
||
"/rbac/orgtypes"
|
||
"/rbac/orgtypes/index.ui"
|
||
"/rbac/orgtypes/get_orgtypes.dspy"
|
||
"/rbac/orgtypes/add_orgtypes.dspy"
|
||
"/rbac/orgtypes/update_orgtypes.dspy"
|
||
"/rbac/orgtypes/delete_orgtypes.dspy"
|
||
|
||
# 刷新权限缓存(系统级操作)
|
||
"/rbac/refresh_userperm.dspy"
|
||
|
||
# 获取所有角色(含系统级角色)
|
||
"/rbac/get_all_roles.dspy"
|
||
)
|
||
|
||
for p in "${SUPERUSER_PATHS[@]}"; do
|
||
for role in "${SUPERUSER_ONLY[@]}"; do
|
||
set_perm "${role}" "${p}"
|
||
done
|
||
done
|
||
|
||
# =============================================
|
||
# 完成
|
||
# =============================================
|
||
echo ""
|
||
echo "============================================"
|
||
echo " 权限配置完成,共设置 ${COUNT} 条权限"
|
||
echo "============================================"
|
||
echo ""
|
||
echo "权限摘要:"
|
||
echo " Public (any): ${#PUBLIC_PATHS[@]} 个路径 x 1 角色 = ${#PUBLIC_PATHS[@]} 条"
|
||
echo " Logined (所有登录用户): ${#LOGINED_PATHS[@]} 个路径 x ${#ALL_LOGINED[@]} 角色 = $((${#LOGINED_PATHS[@]} * ${#ALL_LOGINED[@]})) 条"
|
||
echo " Admin (superuser+机构管理员): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES[@]})) 条"
|
||
echo " Superuser (系统级): ${#SUPERUSER_PATHS[@]} 个路径 x ${#SUPERUSER_ONLY[@]} 角色 = $((${#SUPERUSER_PATHS[@]} * ${#SUPERUSER_ONLY[@]})) 条"
|
||
echo ""
|
||
echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"
|