根据角色职责重新设计权限分级: - owner.superuser: 系统级管理(机构/角色/权限) - *.admin: 机构级管理(人员/角色分配) - reseller.operator: 运营(产品/合同/定价) - reseller.sale: 销售(客户/折扣) - reseller.accountant: 财务(充值/对账) - reseller.maintainer: 运维 - customer.customer: 终端客户 权限模型: 1. Public (any): CSS静态资源 2. Logined (所有登录用户10角色): 控制台、数据查看、用户自己的CRUD、推理、执行 3. Admin (superuser+5种admin): 系统级LLM配置管理 4. Superuser (仅owner.superuser): 技能部署等高危操作
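#!/bin/bash
# setup_harnessed_perms.sh
#
# Configure RBAC role permissions for the harnessed_agent (execution layer)
# and harnessed_reasoning (reasoning layer) modules.
#
# Role responsibilities:
#   owner.superuser     — system-level administrator: organisation-type, role and
#                         permission management, adding owner-org administrators.
#                         Created automatically at system init; holds every permission.
#   *.admin             — organisation administrator (owner/reseller/provider/customer.admin):
#                         adds members of its own organisation, assigns their roles,
#                         manages system-level configuration.
#   reseller.operator   — operations: products, supplier contracts, pricing,
#                         org-wide customer discounts, marketing campaigns.
#   reseller.sale       — sales: customer management, per-customer discounts.
#   reseller.accountant — finance: offline top-ups, reseller/supplier reconciliation.
#   reseller.maintainer — maintenance: system operations.
#   logined             — every logged-in user (includes all roles above).
#
# Permission tiers (derived from the business-function analysis):
#   1. public    — static assets (CSS); role "any".
#   2. logined   — console home, data views, core usage; every logged-in user.
#   3. admin     — system configuration, Agent/reasoning config; superuser and org admins only.
#   4. superuser — high-risk operations such as skill deployment; system superuser only.
#
# Run from: the sage project root (the directory containing set_role_perm.py).
# Usage:    bash setup_harnessed_perms.sh
#
# Grants are applied one at a time through set_role_perm.py, so a failure
# part-way through leaves the RBAC table partially populated. Re-run after
# fixing the cause; whether set_role_perm.py treats an already-present grant
# as a no-op or as an error is not visible from this script — confirm first.

# -e: stop at the first failed grant rather than continuing with a partial set.
# -u: an unset variable (e.g. a mistyped role or array name) aborts the run
#     instead of silently expanding to "" and being handed to set_role_perm.py
#     as the role name.
# -o pipefail: there are no pipelines here today; kept so any added later fail loudly.
set -euo pipefail

# Always operate relative to the script's own directory so set_role_perm.py
# resolves regardless of the caller's working directory.
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
cd "$SCRIPT_DIR"

# Number of set_role_perm.py invocations performed; reported in the final summary.
COUNT=0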
#######################################
# Grant one role access to one request path via set_role_perm.py and count it.
# Globals:   COUNT (incremented after a successful grant)
# Arguments: $1 - role name (e.g. "any", "logined", "owner.superuser")
#            $2 - absolute request path (e.g. "/harnessed_agent/menu.ui")
# Outputs:   any output of set_role_perm.py is passed through untouched
# Returns:   exit status of set_role_perm.py; with set -e active a non-zero
#            status aborts the script before COUNT is incremented
#######################################
set_perm() {
  local -r perm_role=$1
  local -r perm_path=$2
  # Both values come from the constant arrays in this script, never from
  # user input; they are handed to set_role_perm.py verbatim.
  python set_role_perm.py "$perm_role" "$perm_path"
  COUNT=$(( COUNT + 1 ))
}
# ---- Role groups ----------------------------------------------------------
# Every grant below is made per (role, path), so each tier enumerates the
# roles it applies to. "logined" is listed next to the ten concrete roles;
# whether the RBAC layer already treats "logined" as covering the others is
# not visible here, so the script grants every one of them.
ALL_LOGINED=(
  "logined"
  "owner.superuser"
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
  "reseller.operator"
  "reseller.sale"
  "reseller.accountant"
  "reseller.maintainer"
  "customer.customer"
)

# Tier 3: the system superuser plus the four organisation-level admins.
ADMIN_ROLES=(
  "owner.superuser"
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
)

# Tier 4 is deliberately a single role.
SUPERUSER_ONLY=("owner.superuser")

printf '%s\n' \
  "============================================" \
  " harnessed 模块权限初始化" \
  "============================================"
# =============================================
# Tier 1: PUBLIC — static assets
# =============================================
printf '\n%s\n' ">>> [1/4] Public: 静态资源 (any)"

# Only stylesheets are reachable without login; no .ui or .dspy path is listed here.
PUBLIC_FILES=(
  "/harnessed_agent/ios_design.css"
  "/harnessed_reasoning/ios_design.css"
)

for css_path in "${PUBLIC_FILES[@]}"; do
  set_perm "any" "$css_path"
done
# =============================================
# Tier 2: LOGINED — available to every logged-in user
# =============================================
printf '\n%s\n' ">>> [2/4] Logined: 控制台 + 数据查看 + 核心使用 (所有登录用户)"

# NOTE(review): grants here are per (role, path) only. Wherever a comment
# below says users manage "their own" data, that ownership scoping has to be
# enforced inside the .dspy handler itself — this script cannot express it.
# Presumably the handlers filter by the caller's identity; verify that for
# every add/update/delete path in this list.
LOGINED_PATHS=(
  # ========== harnessed_agent ==========
  # Console / home pages (user entry points)
  "/harnessed_agent/hermes_agent.ui"
  "/harnessed_agent/agent_console.ui"
  "/harnessed_agent/menu.ui"

  # Data views (every logged-in user may view their own data)
  "/harnessed_agent/sessions.ui"
  "/harnessed_agent/skills.ui"
  "/harnessed_agent/tasks.ui"
  "/harnessed_agent/workflows.ui"
  "/harnessed_agent/memory.ui"
  "/harnessed_agent/tools.ui"
  "/harnessed_agent/remote_skills.ui"

  # CRUD list pages — directory path (matched by ahserver indexes) plus /index.ui
  "/harnessed_agent/hermes_memory"
  "/harnessed_agent/hermes_memory/index.ui"
  "/harnessed_agent/hermes_sessions"
  "/harnessed_agent/hermes_sessions/index.ui"
  "/harnessed_agent/hermes_skills"
  "/harnessed_agent/hermes_skills/index.ui"
  "/harnessed_agent/hermes_tasks"
  "/harnessed_agent/hermes_tasks/index.ui"
  "/harnessed_agent/hermes_workflows"
  "/harnessed_agent/hermes_workflows/index.ui"
  "/harnessed_agent/hermes_executions"
  "/harnessed_agent/hermes_executions/index.ui"
  "/harnessed_agent/hermes_executions_task"
  "/harnessed_agent/hermes_executions_task/index.ui"
  "/harnessed_agent/hermes_tasks_workflow"
  "/harnessed_agent/hermes_tasks_workflow/index.ui"
  "/harnessed_agent/harnessed_remote_skills"
  "/harnessed_agent/harnessed_remote_skills/index.ui"
  "/harnessed_agent/harnessed_agent_config_view"
  "/harnessed_agent/harnessed_agent_config_view/index.ui"
  "/harnessed_agent/executions_by_workflow"
  "/harnessed_agent/executions_by_workflow/index.ui"
  "/harnessed_agent/task_dependencies"
  "/harnessed_agent/task_dependencies/index.ui"

  # CRUD reads (get_*.dspy)
  # NOTE(review): get_harnessed_agent_config_view.dspy is readable by every
  # logged-in role while its add/update/delete counterparts are admin-only
  # (tier 3). Confirm the read side does not expose secrets such as model
  # provider credentials.
  "/harnessed_agent/hermes_memory/get_hermes_memory.dspy"
  "/harnessed_agent/hermes_sessions/get_hermes_sessions.dspy"
  "/harnessed_agent/hermes_skills/get_hermes_skills.dspy"
  "/harnessed_agent/hermes_tasks/get_hermes_tasks.dspy"
  "/harnessed_agent/hermes_workflows/get_hermes_workflows.dspy"
  "/harnessed_agent/hermes_executions/get_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions_task/get_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_tasks_workflow/get_hermes_tasks_workflow.dspy"
  "/harnessed_agent/harnessed_remote_skills/get_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_agent_config_view/get_harnessed_agent_config_view.dspy"
  "/harnessed_agent/executions_by_workflow/get_executions_by_workflow.dspy"
  "/harnessed_agent/task_dependencies/get_task_dependencies.dspy"

  # CRUD writes (users manage their own data)
  # Memory (users may add/update/delete their own memories)
  "/harnessed_agent/hermes_memory/add_hermes_memory.dspy"
  "/harnessed_agent/hermes_memory/update_hermes_memory.dspy"
  "/harnessed_agent/hermes_memory/delete_hermes_memory.dspy"
  "/harnessed_agent/api/hermes_memory_create.dspy"
  "/harnessed_agent/api/hermes_memory_update.dspy"
  "/harnessed_agent/api/hermes_memory_delete.dspy"
  # Tasks (users may create/manage their own tasks)
  "/harnessed_agent/hermes_tasks/add_hermes_tasks.dspy"
  "/harnessed_agent/hermes_tasks/update_hermes_tasks.dspy"
  "/harnessed_agent/hermes_tasks/delete_hermes_tasks.dspy"
  "/harnessed_agent/api/hermes_tasks_create.dspy"
  "/harnessed_agent/api/hermes_tasks_update.dspy"
  "/harnessed_agent/api/hermes_tasks_delete.dspy"
  # Skills (users may manage their own skills)
  "/harnessed_agent/hermes_skills/add_hermes_skills.dspy"
  "/harnessed_agent/hermes_skills/update_hermes_skills.dspy"
  "/harnessed_agent/hermes_skills/delete_hermes_skills.dspy"
  "/harnessed_agent/api/hermes_skills_create.dspy"
  "/harnessed_agent/api/hermes_skills_update.dspy"
  "/harnessed_agent/api/hermes_skills_delete.dspy"
  # Sessions (users may manage their own sessions)
  "/harnessed_agent/hermes_sessions/add_hermes_sessions.dspy"
  "/harnessed_agent/hermes_sessions/update_hermes_sessions.dspy"
  "/harnessed_agent/hermes_sessions/delete_hermes_sessions.dspy"
  "/harnessed_agent/api/hermes_sessions_create.dspy"
  "/harnessed_agent/api/hermes_sessions_update.dspy"
  "/harnessed_agent/api/hermes_sessions_delete.dspy"
  # Workflows (users may manage their own workflows)
  "/harnessed_agent/hermes_workflows/add_hermes_workflows.dspy"
  "/harnessed_agent/hermes_workflows/update_hermes_workflows.dspy"
  "/harnessed_agent/hermes_workflows/delete_hermes_workflows.dspy"
  "/harnessed_agent/api/hermes_workflows_create.dspy"
  "/harnessed_agent/api/hermes_workflows_update.dspy"
  "/harnessed_agent/api/hermes_workflows_delete.dspy"
  # Execution records (users may create/update execution records)
  "/harnessed_agent/hermes_executions/add_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions/update_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions/delete_hermes_executions.dspy"
  "/harnessed_agent/api/hermes_executions_create.dspy"
  "/harnessed_agent/api/hermes_executions_update.dspy"
  "/harnessed_agent/api/hermes_executions_delete.dspy"
  # Execution tasks
  "/harnessed_agent/hermes_executions_task/add_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_executions_task/update_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_executions_task/delete_hermes_executions_task.dspy"
  "/harnessed_agent/api/hermes_executions_task_create.dspy"
  "/harnessed_agent/api/hermes_executions_task_update.dspy"
  "/harnessed_agent/api/hermes_executions_task_delete.dspy"
  # Task-to-workflow links
  "/harnessed_agent/hermes_tasks_workflow/add_hermes_tasks_workflow.dspy"
  "/harnessed_agent/hermes_tasks_workflow/update_hermes_tasks_workflow.dspy"
  "/harnessed_agent/hermes_tasks_workflow/delete_hermes_tasks_workflow.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_create.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_update.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_delete.dspy"
  # Remote skills (note: executing a remote skill is a tier-4 page)
  "/harnessed_agent/harnessed_remote_skills/add_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_remote_skills/update_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_remote_skills/delete_harnessed_remote_skills.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_create.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_update.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_delete.dspy"
  # Execution-to-workflow links
  "/harnessed_agent/executions_by_workflow/add_executions_by_workflow.dspy"
  "/harnessed_agent/executions_by_workflow/update_executions_by_workflow.dspy"
  "/harnessed_agent/executions_by_workflow/delete_executions_by_workflow.dspy"
  "/harnessed_agent/api/executions_by_workflow_create.dspy"
  "/harnessed_agent/api/executions_by_workflow_update.dspy"
  "/harnessed_agent/api/executions_by_workflow_delete.dspy"
  # Task dependencies
  "/harnessed_agent/task_dependencies/add_task_dependencies.dspy"
  "/harnessed_agent/task_dependencies/update_task_dependencies.dspy"
  "/harnessed_agent/task_dependencies/delete_task_dependencies.dspy"
  "/harnessed_agent/api/task_dependencies_create.dspy"
  "/harnessed_agent/api/task_dependencies_update.dspy"
  "/harnessed_agent/api/task_dependencies_delete.dspy"

  # Agent core execution (user-facing functionality)
  # NOTE(review): agent_config_get.dspy is granted to every logged-in role
  # while agent_config_save.dspy is tier 3; confirm the getter returns only
  # what a non-admin user should see.
  "/harnessed_agent/api/agent_execute.dspy"
  "/harnessed_agent/api/agent_config_get.dspy"
  "/harnessed_agent/hermes.dspy"

  # ========== harnessed_reasoning ==========
  # Console / home pages
  "/harnessed_reasoning/hermes_reasoning.ui"
  "/harnessed_reasoning/reasoning_console.ui"
  "/harnessed_reasoning/menu.ui"

  # WSS WebSocket endpoint (the path the app sees after nginx strips the /wss prefix)
  "/harnessed_reasoning/reasoning_console.wss"

  # Data views
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
  "/harnessed_reasoning/harnessed_reasoning_config_view.ui"

  # CRUD list pages — directory path plus /index.ui
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud"
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/index.ui"
  "/harnessed_reasoning/harnessed_reasoning_session_detail"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/index.ui"
  "/harnessed_reasoning/harnessed_reasoning_config_view"
  "/harnessed_reasoning/harnessed_reasoning_config_view/index.ui"

  # CRUD reads
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/get_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/get_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/get_harnessed_reasoning_config_view.dspy"

  # CRUD writes (users manage their own reasoning session data)
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/add_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/update_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/delete_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/add_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/update_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/delete_harnessed_reasoning_session_detail.dspy"

  # Core reasoning functionality (every logged-in user)
  # NOTE(review): config_get.dspy is readable by all roles while config_save.dspy
  # is tier 3 — same secret-exposure check as for the agent config getter.
  "/harnessed_reasoning/api/reasoning_submit.dspy"
  "/harnessed_reasoning/api/sessions_list.dspy"
  "/harnessed_reasoning/api/config_get.dspy"
)

# Outer loop over paths, inner over roles: grants are issued path by path so
# a failure is easy to attribute to one path in set_role_perm.py's output.
for logined_path in "${LOGINED_PATHS[@]}"; do
  for logined_role in "${ALL_LOGINED[@]}"; do
    set_perm "$logined_role" "$logined_path"
  done
done
# =============================================
# Tier 3: ADMIN — system configuration management
# =============================================
printf '\n%s\n' ">>> [3/4] Admin: 系统配置管理 (superuser + 机构管理员)"

# NOTE(review): ADMIN_ROLES includes provider.admin and customer.admin, so the
# administrator of an external (provider/customer) organisation can change the
# system-wide Agent and reasoning LLM configuration listed here. That matches
# the "*.admin" description in the file header, but it is a cross-tenant
# write and deserves an explicit decision.
ADMIN_PATHS=(
  # harnessed_agent — Agent system configuration (LLM settings that affect the whole system)
  "/harnessed_agent/agent_config.ui"
  "/harnessed_agent/agent_config_form.ui"
  "/harnessed_agent/api/agent_config_save.dspy"
  "/harnessed_agent/api/harnessed_agent_config_create.dspy"
  "/harnessed_agent/api/harnessed_agent_config_update.dspy"
  "/harnessed_agent/api/harnessed_agent_config_delete.dspy"
  "/harnessed_agent/harnessed_agent_config_view/add_harnessed_agent_config_view.dspy"
  "/harnessed_agent/harnessed_agent_config_view/update_harnessed_agent_config_view.dspy"
  "/harnessed_agent/harnessed_agent_config_view/delete_harnessed_agent_config_view.dspy"

  # harnessed_reasoning — reasoning system configuration
  "/harnessed_reasoning/api/config_save.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/add_harnessed_reasoning_config_view.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/update_harnessed_reasoning_config_view.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/delete_harnessed_reasoning_config_view.dspy"
)

for admin_path in "${ADMIN_PATHS[@]}"; do
  for admin_role in "${ADMIN_ROLES[@]}"; do
    set_perm "$admin_role" "$admin_path"
  done
done
# =============================================
# Tier 4: SUPERUSER — system-level high-risk operations
# =============================================
printf '\n%s\n' ">>> [4/4] Superuser: 技能部署等高危操作 (仅 owner.superuser)"

# NOTE(review): only two .ui pages are restricted here. Every other tier pairs
# its pages with the .dspy/api endpoints they call, but no deploy/execute
# backend path appears anywhere in this script. If these pages submit to such
# an endpoint, it receives no grant at all from this script; what the RBAC
# layer does with an ungranted path (deny or allow by default) is not visible
# here — confirm, and add a superuser-only grant for it if one exists.
SUPERUSER_PATHS=(
  # Skill deployment (may affect the whole system)
  "/harnessed_agent/deploy_skill.ui"
  "/harnessed_agent/execute_remote_skill.ui"
)

for su_path in "${SUPERUSER_PATHS[@]}"; do
  for su_role in "${SUPERUSER_ONLY[@]}"; do
    set_perm "$su_role" "$su_path"
  done
done
# =============================================
# Done — summary
# =============================================
# Per-tier totals are path-count x role-count; COUNT is the authoritative
# number of set_role_perm.py calls actually made (the two agree only when
# the whole script ran to completion).
logined_total=$(( ${#LOGINED_PATHS[@]} * ${#ALL_LOGINED[@]} ))
admin_total=$(( ${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES[@]} ))
superuser_total=$(( ${#SUPERUSER_PATHS[@]} * ${#SUPERUSER_ONLY[@]} ))

printf '\n%s\n' "============================================"
printf ' 权限配置完成,共设置 %s 条权限\n' "$COUNT"
printf '%s\n\n' "============================================"
printf '%s\n' "权限摘要:"
printf ' Public (any): %s 个路径\n' "${#PUBLIC_FILES[@]}"
printf ' Logined (所有登录用户): %s 个路径 x %s 角色 = %s 条\n' \
  "${#LOGINED_PATHS[@]}" "${#ALL_LOGINED[@]}" "$logined_total"
printf ' Admin (superuser+机构管理员): %s 个路径 x %s 角色 = %s 条\n' \
  "${#ADMIN_PATHS[@]}" "${#ADMIN_ROLES[@]}" "$admin_total"
printf ' Superuser (系统级): %s 个路径 x %s 角色 = %s 条\n' \
  "${#SUPERUSER_PATHS[@]}" "${#SUPERUSER_ONLY[@]}" "$superuser_total"
printf '\n%s\n' "角色说明:"
printf '%s\n' \
  " owner.superuser — 系统级: 机构类型/角色/权限管理" \
  " *.admin — 机构级: 添加本机构人员、分配角色" \
  " reseller.operator — 运营: 产品/合同/定价/折扣/营销" \
  " reseller.sale — 销售: 客户管理/特殊折扣" \
  " reseller.accountant — 财务: 充值/对账/结算"
# The RBAC cache is only rebuilt on application restart, so grants made here
# are not live until then.
printf '\n%s\n' "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"