- READ层级: 12个harnessed_agent CRUD目录的index.ui + get_*.dspy
3个harnessed_reasoning CRUD目录的index.ui + get_*.dspy
- ADMIN层级: 12个harnessed_agent CRUD目录的add/update/delete_*.dspy (36文件)
3个harnessed_reasoning CRUD目录的add/update/delete_*.dspy (9文件)
- 基于JSON CRUD alias确定目录结构和文件名
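#!/bin/bash
# setup_harnessed_perms.sh
# Configures RBAC role permissions for the harnessed_agent (execution layer)
# and harnessed_reasoning (reasoning layer) modules.
#
# Permission tiers (derived from an analysis of what each path does):
#   1. public - static assets (CSS), granted to the "any" role
#   2. read   - console home pages, data-viewing pages and read-only APIs,
#               granted to "logined" plus the administrator roles
#   3. admin  - configuration management, create/update/delete of data and
#               execution operations, intended for administrators only
#
# Location: the script changes into its own directory before doing anything,
#           so it has to live in the sage project root, next to
#           set_role_perm.py.
# Usage:    bash setup_harnessed_perms.sh

# Abort on the first failed command, on use of an unset variable and on a
# failed pipeline stage, so a misspelled variable name cannot silently become
# an empty role or path argument for set_role_perm.py.
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
cd "$SCRIPT_DIR"

# Pre-flight: every grant below shells out to `python set_role_perm.py`, so
# check for both up front. Failing here stops the run before any grant has
# been attempted, instead of part-way through the list.
if ! command -v python >/dev/null 2>&1; then
  echo "错误: 未找到 python 命令" >&2
  exit 1
fi
if [[ ! -f set_role_perm.py ]]; then
  echo "错误: ${SCRIPT_DIR} 下未找到 set_role_perm.py" >&2
  exit 1
fi

# Role definitions
#
# NOTE(review): nothing in this script reads ADMIN_ROLES - the read tier uses
# READ_ROLES and the admin tier uses ADMIN_ROLES_ONLY. Despite its name this
# list contains "logined", so it must not be used as the role set for
# admin-tier paths: that would grant them to every logged-in account.
ADMIN_ROLES=(
  # Generic logged-in role - used by the read tier
  "logined"
  # Administrators of each organisation type - used by the admin tier
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
  # Reseller business roles
  "reseller.operator"
  "reseller.accountant"
  "reseller.maintainer"
)

# Running total of grants applied; set_perm increments it.
COUNT=0
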
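#######################################
# Grant one role access to one path by calling set_role_perm.py.
# Globals:   COUNT (incremented after each successful grant)
# Arguments: $1 - role name
#            $2 - request path
# Returns:   0 on success; 2 if either argument is empty; otherwise the
#            exit status of set_role_perm.py
#######################################
set_perm() {
  local role="${1:-}"
  local path="${2:-}"
  local rc=0

  # Refuse empty arguments: how set_role_perm.py treats an empty role or
  # path is not visible from this script, so never hand it one.
  if [[ -z "${role}" || -z "${path}" ]]; then
    echo "set_perm: 角色和路径不能为空 (role='${role}' path='${path}')" >&2
    return 2
  fi

  python set_role_perm.py "${role}" "${path}" || rc=$?
  if (( rc != 0 )); then
    # Name the grant that failed. Grants applied before this point are not
    # rolled back, so the operator needs to know where the run stopped.
    echo "set_perm: 授权失败 (role='${role}' path='${path}' exit=${rc})" >&2
    return "${rc}"
  fi

  COUNT=$((COUNT + 1))
}
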
# Start-up banner.
printf '%s\n' \
  "============================================" \
  " harnessed 模块权限初始化" \
  "============================================"

# =============================================
# Tier 1: PUBLIC - static assets (CSS files)
# Reachable by any user, including visitors who are not logged in.
# =============================================
printf '\n'
printf '%s\n' ">>> [1/3] Public: 静态资源 (any)"

# Only stylesheets belong here: every entry is granted to the "any" role.
PUBLIC_FILES=(
  "/harnessed_agent/ios_design.css"
  "/harnessed_reasoning/ios_design.css"
)

for css_path in "${PUBLIC_FILES[@]}"; do
  set_perm "any" "${css_path}"
done

# =============================================
# Tier 2: READ - console home pages + data viewing
# Granted to every logged-in user plus the administrator roles.
# =============================================
printf '\n'
printf '%s\n' ">>> [2/3] Read: 控制台主页 + 数据查看 (logined + 管理员)"

# NOTE(review): these grants are per path only. Nothing in this script limits
# which records a caller may fetch, so the get_*.dspy and list handlers
# presumably need their own per-user / per-organisation scoping for memory
# and session data - verify against the handlers.
READ_PATHS=(
  # ---------- harnessed_agent ----------
  # Console / home pages (user entry points)
  "/harnessed_agent/hermes_agent.ui"
  "/harnessed_agent/agent_console.ui"
  "/harnessed_agent/menu.ui"
  # Data-viewing pages (read-only browsing)
  "/harnessed_agent/sessions.ui"
  "/harnessed_agent/skills.ui"
  "/harnessed_agent/tasks.ui"
  "/harnessed_agent/workflows.ui"
  "/harnessed_agent/memory.ui"
  "/harnessed_agent/tools.ui"
  "/harnessed_agent/remote_skills.ui"
  # API: view configuration (read-only)
  # NOTE(review): assumes the config response carries no credentials - confirm.
  "/harnessed_agent/api/agent_config_get.dspy"

  # ---------- CRUD index.ui (list pages, read-only browsing) ----------
  "/harnessed_agent/hermes_memory/index.ui"
  "/harnessed_agent/hermes_sessions/index.ui"
  "/harnessed_agent/hermes_skills/index.ui"
  "/harnessed_agent/hermes_tasks/index.ui"
  "/harnessed_agent/hermes_workflows/index.ui"
  "/harnessed_agent/hermes_executions/index.ui"
  "/harnessed_agent/hermes_executions_task/index.ui"
  "/harnessed_agent/hermes_tasks_workflow/index.ui"
  "/harnessed_agent/harnessed_remote_skills/index.ui"
  "/harnessed_agent/harnessed_agent_config_view/index.ui"
  "/harnessed_agent/executions_by_workflow/index.ui"
  "/harnessed_agent/task_dependencies/index.ui"

  # ---------- CRUD get_*.dspy (single-record reads) ----------
  "/harnessed_agent/hermes_memory/get_hermes_memory.dspy"
  "/harnessed_agent/hermes_sessions/get_hermes_sessions.dspy"
  "/harnessed_agent/hermes_skills/get_hermes_skills.dspy"
  "/harnessed_agent/hermes_tasks/get_hermes_tasks.dspy"
  "/harnessed_agent/hermes_workflows/get_hermes_workflows.dspy"
  "/harnessed_agent/hermes_executions/get_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions_task/get_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_tasks_workflow/get_hermes_tasks_workflow.dspy"
  "/harnessed_agent/harnessed_remote_skills/get_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_agent_config_view/get_harnessed_agent_config_view.dspy"
  "/harnessed_agent/executions_by_workflow/get_executions_by_workflow.dspy"
  "/harnessed_agent/task_dependencies/get_task_dependencies.dspy"

  # ---------- harnessed_reasoning ----------
  # Console / home pages (user entry points)
  "/harnessed_reasoning/hermes_reasoning.ui"
  "/harnessed_reasoning/reasoning_console.ui"
  "/harnessed_reasoning/menu.ui"
  # WSS WebSocket endpoint (nginx strips the /wss prefix, so the path the
  # application receives does not contain /wss)
  "/harnessed_reasoning/reasoning_console.wss"
  # Data-viewing pages
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
  "/harnessed_reasoning/harnessed_reasoning_config_view.ui"
  # API: session list and configuration (read-only)
  "/harnessed_reasoning/api/sessions_list.dspy"
  "/harnessed_reasoning/api/config_get.dspy"
  # Reasoning submission (core feature, available to all logged-in users).
  # NOTE(review): this is a submit endpoint rather than a read; it sits in
  # the read tier on purpose, per the line above.
  "/harnessed_reasoning/api/reasoning_submit.dspy"

  # ---------- CRUD index.ui (list pages, read-only browsing) ----------
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/index.ui"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/index.ui"
  "/harnessed_reasoning/harnessed_reasoning_config_view/index.ui"

  # ---------- CRUD get_*.dspy (single-record reads) ----------
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/get_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/get_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/get_harnessed_reasoning_config_view.dspy"
)

# Roles that receive every path in READ_PATHS.
READ_ROLES=(
  "logined"
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
  "reseller.operator"
  "reseller.accountant"
  "reseller.maintainer"
)

# Paths in the outer loop, roles in the inner loop: one grant per pair.
for read_path in "${READ_PATHS[@]}"; do
  for read_role in "${READ_ROLES[@]}"; do
    set_perm "${read_role}" "${read_path}"
  done
done

# =============================================
# Tier 3: ADMIN - configuration management + data operations + execution
# Documented as available to administrator roles only.
# =============================================
printf '\n'
printf '%s\n' ">>> [3/3] Admin: 配置管理 + 数据操作 + 执行 (仅管理员)"

ADMIN_PATHS=(
  # ---------- harnessed_agent ----------
  # Configuration management pages (administrators only)
  "/harnessed_agent/agent_config.ui"
  "/harnessed_agent/agent_config_form.ui"
  # Skill deployment (administrator operation)
  "/harnessed_agent/deploy_skill.ui"
  "/harnessed_agent/execute_remote_skill.ui"

  # harnessed_agent CRUD write operations (add/update/delete)
  "/harnessed_agent/hermes_memory/add_hermes_memory.dspy"
  "/harnessed_agent/hermes_memory/update_hermes_memory.dspy"
  "/harnessed_agent/hermes_memory/delete_hermes_memory.dspy"
  "/harnessed_agent/hermes_sessions/add_hermes_sessions.dspy"
  "/harnessed_agent/hermes_sessions/update_hermes_sessions.dspy"
  "/harnessed_agent/hermes_sessions/delete_hermes_sessions.dspy"
  "/harnessed_agent/hermes_skills/add_hermes_skills.dspy"
  "/harnessed_agent/hermes_skills/update_hermes_skills.dspy"
  "/harnessed_agent/hermes_skills/delete_hermes_skills.dspy"
  "/harnessed_agent/hermes_tasks/add_hermes_tasks.dspy"
  "/harnessed_agent/hermes_tasks/update_hermes_tasks.dspy"
  "/harnessed_agent/hermes_tasks/delete_hermes_tasks.dspy"
  "/harnessed_agent/hermes_workflows/add_hermes_workflows.dspy"
  "/harnessed_agent/hermes_workflows/update_hermes_workflows.dspy"
  "/harnessed_agent/hermes_workflows/delete_hermes_workflows.dspy"
  "/harnessed_agent/hermes_executions/add_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions/update_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions/delete_hermes_executions.dspy"
  "/harnessed_agent/hermes_executions_task/add_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_executions_task/update_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_executions_task/delete_hermes_executions_task.dspy"
  "/harnessed_agent/hermes_tasks_workflow/add_hermes_tasks_workflow.dspy"
  "/harnessed_agent/hermes_tasks_workflow/update_hermes_tasks_workflow.dspy"
  "/harnessed_agent/hermes_tasks_workflow/delete_hermes_tasks_workflow.dspy"
  "/harnessed_agent/harnessed_remote_skills/add_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_remote_skills/update_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_remote_skills/delete_harnessed_remote_skills.dspy"
  "/harnessed_agent/harnessed_agent_config_view/add_harnessed_agent_config_view.dspy"
  "/harnessed_agent/harnessed_agent_config_view/update_harnessed_agent_config_view.dspy"
  "/harnessed_agent/harnessed_agent_config_view/delete_harnessed_agent_config_view.dspy"
  "/harnessed_agent/executions_by_workflow/add_executions_by_workflow.dspy"
  "/harnessed_agent/executions_by_workflow/update_executions_by_workflow.dspy"
  "/harnessed_agent/executions_by_workflow/delete_executions_by_workflow.dspy"
  "/harnessed_agent/task_dependencies/add_task_dependencies.dspy"
  "/harnessed_agent/task_dependencies/update_task_dependencies.dspy"
  "/harnessed_agent/task_dependencies/delete_task_dependencies.dspy"

  # harnessed_agent api/ CRUD write operations (API layer)
  "/harnessed_agent/api/harnessed_agent_config_create.dspy"
  "/harnessed_agent/api/harnessed_agent_config_update.dspy"
  "/harnessed_agent/api/harnessed_agent_config_delete.dspy"
  "/harnessed_agent/api/hermes_sessions_create.dspy"
  "/harnessed_agent/api/hermes_sessions_update.dspy"
  "/harnessed_agent/api/hermes_sessions_delete.dspy"
  "/harnessed_agent/api/hermes_skills_create.dspy"
  "/harnessed_agent/api/hermes_skills_update.dspy"
  "/harnessed_agent/api/hermes_skills_delete.dspy"
  "/harnessed_agent/api/hermes_tasks_create.dspy"
  "/harnessed_agent/api/hermes_tasks_update.dspy"
  "/harnessed_agent/api/hermes_tasks_delete.dspy"
  "/harnessed_agent/api/hermes_workflows_create.dspy"
  "/harnessed_agent/api/hermes_workflows_update.dspy"
  "/harnessed_agent/api/hermes_workflows_delete.dspy"
  "/harnessed_agent/api/hermes_executions_create.dspy"
  "/harnessed_agent/api/hermes_executions_update.dspy"
  "/harnessed_agent/api/hermes_executions_delete.dspy"
  "/harnessed_agent/api/hermes_executions_task_create.dspy"
  "/harnessed_agent/api/hermes_executions_task_update.dspy"
  "/harnessed_agent/api/hermes_executions_task_delete.dspy"
  "/harnessed_agent/api/hermes_memory_create.dspy"
  "/harnessed_agent/api/hermes_memory_update.dspy"
  "/harnessed_agent/api/hermes_memory_delete.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_create.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_update.dspy"
  "/harnessed_agent/api/hermes_tasks_workflow_delete.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_create.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_update.dspy"
  "/harnessed_agent/api/harnessed_remote_skills_delete.dspy"
  "/harnessed_agent/api/executions_by_workflow_create.dspy"
  "/harnessed_agent/api/executions_by_workflow_update.dspy"
  "/harnessed_agent/api/executions_by_workflow_delete.dspy"
  "/harnessed_agent/api/task_dependencies_create.dspy"
  "/harnessed_agent/api/task_dependencies_update.dspy"
  "/harnessed_agent/api/task_dependencies_delete.dspy"

  # Agent execution operations
  "/harnessed_agent/api/agent_execute.dspy"
  "/harnessed_agent/api/agent_config_save.dspy"
  "/harnessed_agent/hermes.dspy"

  # ---------- harnessed_reasoning ----------
  # Configuration management (administrators only)
  "/harnessed_reasoning/api/config_save.dspy"

  # harnessed_reasoning CRUD write operations (add/update/delete)
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/add_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/update_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_sessions_crud/delete_harnessed_reasoning_sessions_crud.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/add_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/update_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_session_detail/delete_harnessed_reasoning_session_detail.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/add_harnessed_reasoning_config_view.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/update_harnessed_reasoning_config_view.dspy"
  "/harnessed_reasoning/harnessed_reasoning_config_view/delete_harnessed_reasoning_config_view.dspy"
)

# Roles that receive every path in ADMIN_PATHS ("logined" is left out).
#
# NOTE(review): the tier is documented as administrators only, but this list
# also carries reseller.operator, reseller.accountant and reseller.maintainer,
# which the role definitions near the top of this file label as reseller
# business roles rather than administrators. As written, those three roles
# receive every admin-tier path, including skill deployment, remote skill
# execution and agent_execute. Confirm that is intended; if it is not, drop
# them from this list.
ADMIN_ROLES_ONLY=(
  "owner.admin"
  "reseller.admin"
  "provider.admin"
  "customer.admin"
  "reseller.operator"
  "reseller.accountant"
  "reseller.maintainer"
)

# Paths in the outer loop, roles in the inner loop: one grant per pair.
for admin_path in "${ADMIN_PATHS[@]}"; do
  for admin_role in "${ADMIN_ROLES_ONLY[@]}"; do
    set_perm "${admin_role}" "${admin_path}"
  done
done

# =============================================
# Done
# =============================================
# Expected grant counts per tier: number of paths times number of roles.
read_total=$((${#READ_PATHS[@]} * ${#READ_ROLES[@]}))
admin_total=$((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES_ONLY[@]}))

printf '\n'
printf '%s\n' \
  "============================================" \
  " 权限配置完成,共设置 ${COUNT} 条权限" \
  "============================================"
printf '\n'
printf '%s\n' "权限摘要:"
printf '%s\n' " Public (any): ${#PUBLIC_FILES[@]} 个文件"
printf '%s\n' " Read (logined+admin): ${#READ_PATHS[@]} 个路径 x ${#READ_ROLES[@]} 角色 = ${read_total} 条"
printf '%s\n' " Admin (admin-only): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES_ONLY[@]} 角色 = ${admin_total} 条"
printf '\n'
# Operator reminder printed last: the application has to be restarted for
# the RBAC cache to pick up the new permissions.
printf '%s\n' "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"