yumoqing
8261f9d309
- Three-tier permission model: public/read/admin - Public: CSS files for any role - Read: console UI, data view pages, read-only APIs for logined + admin roles - Admin: config management, CRUD write ops, execution APIs for admin roles only - Correct wss path handling (no /wss prefix in RBAC, nginx strips it) - 420 total permission entries across 8 read roles and 7 admin roles
194 lines
7.4 KiB
Bash
194 lines
7.4 KiB
Bash
#!/bin/bash
|
||
# setup_harnessed_perms.sh
|
||
# 为 harnessed_agent(执行层)和 harnessed_reasoning(推理层)模块配置 RBAC 角色权限
|
||
#
|
||
# 权限分级策略(基于业务功能分析):
|
||
# 1. public — 静态资源(CSS),any 角色可用
|
||
# 2. read — 控制台主页、数据查看页面、只读API,logined + 管理员可用
|
||
# 3. admin — 配置管理、数据创建/更新/删除、执行操作,仅管理员可用
|
||
#
|
||
# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
|
||
# 用法: bash setup_harnessed_perms.sh
|
||
|
||
set -e
|
||
|
||
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
|
||
cd "$SCRIPT_DIR"
|
||
|
||
# 角色定义
|
||
ADMIN_ROLES=(
|
||
# 通用登录角色 — read 级别使用
|
||
"logined"
|
||
# 各机构类型管理员 — admin 级别使用
|
||
"owner.admin"
|
||
"reseller.admin"
|
||
"provider.admin"
|
||
"customer.admin"
|
||
# Reseller 业务角色
|
||
"reseller.operator"
|
||
"reseller.accountant"
|
||
"reseller.maintainer"
|
||
)
|
||
|
||
COUNT=0
|
||
set_perm() {
|
||
local role="$1"
|
||
local path="$2"
|
||
python set_role_perm.py "${role}" "${path}"
|
||
COUNT=$((COUNT + 1))
|
||
}
|
||
|
||
echo "============================================"
|
||
echo " harnessed 模块权限初始化"
|
||
echo "============================================"
|
||
|
||
# =============================================
|
||
# 层级 1: PUBLIC — 静态资源(CSS文件)
|
||
# 任何用户(含未登录)均可访问
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [1/3] Public: 静态资源 (any)"
|
||
PUBLIC_FILES=(
|
||
"/harnessed_agent/ios_design.css"
|
||
"/harnessed_reasoning/ios_design.css"
|
||
)
|
||
for f in "${PUBLIC_FILES[@]}"; do
|
||
set_perm "any" "${f}"
|
||
done
|
||
|
||
# =============================================
|
||
# 层级 2: READ — 控制台主页 + 数据查看
|
||
# 所有登录用户 + 管理员可用
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [2/3] Read: 控制台主页 + 数据查看 (logined + 管理员)"
|
||
|
||
READ_PATHS=(
|
||
# ---------- harnessed_agent ----------
|
||
# 控制台/主页(用户使用入口)
|
||
"/harnessed_agent/hermes_agent.ui"
|
||
"/harnessed_agent/agent_console.ui"
|
||
"/harnessed_agent/menu.ui"
|
||
# 数据查看页面(只读浏览)
|
||
"/harnessed_agent/sessions.ui"
|
||
"/harnessed_agent/skills.ui"
|
||
"/harnessed_agent/tasks.ui"
|
||
"/harnessed_agent/workflows.ui"
|
||
"/harnessed_agent/memory.ui"
|
||
"/harnessed_agent/tools.ui"
|
||
"/harnessed_agent/remote_skills.ui"
|
||
# API 配置查看(只读)
|
||
"/harnessed_agent/api/agent_config_get.dspy"
|
||
|
||
# ---------- harnessed_reasoning ----------
|
||
# 控制台/主页(用户使用入口)
|
||
"/harnessed_reasoning/hermes_reasoning.ui"
|
||
"/harnessed_reasoning/reasoning_console.ui"
|
||
"/harnessed_reasoning/menu.ui"
|
||
# WSS WebSocket 端点(nginx会去掉/wss前缀,应用收到的path不含/wss)
|
||
"/harnessed_reasoning/reasoning_console.wss"
|
||
# 数据查看页面
|
||
"/harnessed_reasoning/harnessed_reasoning_sessions_crud.ui"
|
||
"/harnessed_reasoning/harnessed_reasoning_config_view.ui"
|
||
# API 会话列表(只读)
|
||
"/harnessed_reasoning/api/sessions_list.dspy"
|
||
"/harnessed_reasoning/api/config_get.dspy"
|
||
# 推理提交(核心使用功能,所有登录用户可用)
|
||
"/harnessed_reasoning/api/reasoning_submit.dspy"
|
||
)
|
||
|
||
READ_ROLES=("logined" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
|
||
|
||
for p in "${READ_PATHS[@]}"; do
|
||
for role in "${READ_ROLES[@]}"; do
|
||
set_perm "${role}" "${p}"
|
||
done
|
||
done
|
||
|
||
# =============================================
|
||
# 层级 3: ADMIN — 配置管理 + 数据操作 + 执行
|
||
# 仅管理员角色可用
|
||
# =============================================
|
||
echo ""
|
||
echo ">>> [3/3] Admin: 配置管理 + 数据操作 + 执行 (仅管理员)"
|
||
|
||
ADMIN_PATHS=(
|
||
# ---------- harnessed_agent ----------
|
||
# 配置管理页面(管理员专用)
|
||
"/harnessed_agent/agent_config.ui"
|
||
"/harnessed_agent/agent_config_form.ui"
|
||
# 技能部署(管理员操作)
|
||
"/harnessed_agent/deploy_skill.ui"
|
||
"/harnessed_agent/execute_remote_skill.ui"
|
||
|
||
# harnessed_agent CRUD 页面(完整CRUD = 含写操作)
|
||
"/harnessed_agent/api/harnessed_agent_config_create.dspy"
|
||
"/harnessed_agent/api/harnessed_agent_config_update.dspy"
|
||
"/harnessed_agent/api/harnessed_agent_config_delete.dspy"
|
||
"/harnessed_agent/api/hermes_sessions_create.dspy"
|
||
"/harnessed_agent/api/hermes_sessions_update.dspy"
|
||
"/harnessed_agent/api/hermes_sessions_delete.dspy"
|
||
"/harnessed_agent/api/hermes_skills_create.dspy"
|
||
"/harnessed_agent/api/hermes_skills_update.dspy"
|
||
"/harnessed_agent/api/hermes_skills_delete.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_create.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_update.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_delete.dspy"
|
||
"/harnessed_agent/api/hermes_workflows_create.dspy"
|
||
"/harnessed_agent/api/hermes_workflows_update.dspy"
|
||
"/harnessed_agent/api/hermes_workflows_delete.dspy"
|
||
"/harnessed_agent/api/hermes_executions_create.dspy"
|
||
"/harnessed_agent/api/hermes_executions_update.dspy"
|
||
"/harnessed_agent/api/hermes_executions_delete.dspy"
|
||
"/harnessed_agent/api/hermes_executions_task_create.dspy"
|
||
"/harnessed_agent/api/hermes_executions_task_update.dspy"
|
||
"/harnessed_agent/api/hermes_executions_task_delete.dspy"
|
||
"/harnessed_agent/api/hermes_memory_create.dspy"
|
||
"/harnessed_agent/api/hermes_memory_update.dspy"
|
||
"/harnessed_agent/api/hermes_memory_delete.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_workflow_create.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_workflow_update.dspy"
|
||
"/harnessed_agent/api/hermes_tasks_workflow_delete.dspy"
|
||
"/harnessed_agent/api/harnessed_remote_skills_create.dspy"
|
||
"/harnessed_agent/api/harnessed_remote_skills_update.dspy"
|
||
"/harnessed_agent/api/harnessed_remote_skills_delete.dspy"
|
||
"/harnessed_agent/api/executions_by_workflow_create.dspy"
|
||
"/harnessed_agent/api/executions_by_workflow_update.dspy"
|
||
"/harnessed_agent/api/executions_by_workflow_delete.dspy"
|
||
"/harnessed_agent/api/task_dependencies_create.dspy"
|
||
"/harnessed_agent/api/task_dependencies_update.dspy"
|
||
"/harnessed_agent/api/task_dependencies_delete.dspy"
|
||
|
||
# Agent 执行操作
|
||
"/harnessed_agent/api/agent_execute.dspy"
|
||
"/harnessed_agent/api/agent_config_save.dspy"
|
||
"/harnessed_agent/hermes.dspy"
|
||
|
||
# ---------- harnessed_reasoning ----------
|
||
# 配置管理(管理员专用)
|
||
"/harnessed_reasoning/api/config_save.dspy"
|
||
)
|
||
|
||
ADMIN_ROLES_ONLY=("owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.accountant" "reseller.maintainer")
|
||
|
||
for p in "${ADMIN_PATHS[@]}"; do
|
||
for role in "${ADMIN_ROLES_ONLY[@]}"; do
|
||
set_perm "${role}" "${p}"
|
||
done
|
||
done
|
||
|
||
# =============================================
|
||
# 完成
|
||
# =============================================
|
||
echo ""
|
||
echo "============================================"
|
||
echo " 权限配置完成,共设置 ${COUNT} 条权限"
|
||
echo "============================================"
|
||
echo ""
|
||
echo "权限摘要:"
|
||
echo " Public (any): ${#PUBLIC_FILES[@]} 个文件"
|
||
echo " Read (logined+admin): ${#READ_PATHS[@]} 个路径 x ${#READ_ROLES[@]} 角色 = $((${#READ_PATHS[@]} * ${#READ_ROLES[@]})) 条"
|
||
echo " Admin (admin-only): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES_ONLY[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES_ONLY[@]})) 条"
|
||
echo ""
|
||
echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"
|