From a20884e2adca80acfaaa09afe21e2449e920dfcf Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Mon, 7 Mar 2022 11:19:03 +0800 Subject: [PATCH] =?UTF-8?q?perf:=20=E4=BF=AE=E6=94=B9=20rbac=20tree=20(#77?= =?UTF-8?q?43)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * perf: 修改 rbac tree * perf: 修改verbose name * fix: 修复系统用户 * fix: 还原 xpack Co-authored-by: ibuler --- apps/authentication/api/connection_token.py | 7 +- apps/common/migrations/0007_permission.py | 1 + apps/common/models.py | 1 + apps/locale/zh/LC_MESSAGES/django.mo | 4 +- apps/locale/zh/LC_MESSAGES/django.po | 131 ++++++++++-------- .../api/application/user_permission/common.py | 6 +- .../api/application/user_permission/mixin.py | 4 +- apps/perms/api/asset/user_permission/mixin.py | 8 +- apps/rbac/const.py | 4 + apps/rbac/tree.py | 29 +++- 10 files changed, 123 insertions(+), 72 deletions(-) diff --git a/apps/authentication/api/connection_token.py b/apps/authentication/api/connection_token.py index 47ce04ece..6062f64ce 100644 --- a/apps/authentication/api/connection_token.py +++ b/apps/authentication/api/connection_token.py @@ -401,7 +401,12 @@ class UserConnectionTokenViewSet( asset, application, system_user, user = self.get_request_resource(serializer) token, secret = self.create_token(user, asset, application, system_user) - return Response({"id": token, 'secret': secret}, status=201) + tp = 'app' if application else 'asset' + data = { + "id": token, 'secret': secret, + 'type': tp, 'protocol': system_user.protocol + } + return Response(data, status=201) def valid_token(self, token): from users.models import User diff --git a/apps/common/migrations/0007_permission.py b/apps/common/migrations/0007_permission.py index 8794b7c5b..964e9621e 100644 --- a/apps/common/migrations/0007_permission.py +++ b/apps/common/migrations/0007_permission.py 
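Review bot: The new `data` dict dereferences `system_user.protocol` with no guard; if `get_request_resource` can hand back `None` for `system_user` (not visible in this hunk), that line raises AttributeError and the endpoint answers 500 rather than a validation error, so either establish that it is always set or fall back with `'protocol': system_user.protocol if system_user else None`. The same dict mixes quote styles on one line, `"id": token, 'secret': secret,`; `'id': token, 'secret': secret,` matches the other keys. The enclosing method starts before this hunk.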
@@ -19,6 +19,7 @@ class Migration(migrations.Migration): ], options={ 'permissions': [('view_resourcestatistics', 'Can view resource statistics')], + 'verbose_name': 'Common permission' }, ), ] diff --git a/apps/common/models.py b/apps/common/models.py index e716113cd..100630c21 100644 --- a/apps/common/models.py +++ b/apps/common/models.py @@ -4,6 +4,7 @@ from django.utils.translation import gettext_lazy as _ class Permission(models.Model): class Meta: + verbose_name = _("Common permission") permissions = [ ('view_resourcestatistics', _('Can view resource statistics')) ] diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo index 7c0f80e7b..f70ef90ae 100644 --- a/apps/locale/zh/LC_MESSAGES/django.mo +++ b/apps/locale/zh/LC_MESSAGES/django.mo @@ -1,3 +1,3 @@ version https://git-lfs.github.com/spec/v1 -oid sha256:8bd2394fc5d9bb9254965db4273a09d4ddabd8051b4855b9642476ff9cab836b -size 101898 +oid sha256:8f6c99abd272924bb5008bc55960af43af3b50ee1312c6aeaec48dbe5a31aa5c +size 102226 diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po index 4924dda74..e928b0e1f 100644 --- a/apps/locale/zh/LC_MESSAGES/django.po +++ b/apps/locale/zh/LC_MESSAGES/django.po @@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: JumpServer 0.3.3\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2022-03-02 19:46+0800\n" +"POT-Creation-Date: 2022-03-07 10:31+0800\n" "PO-Revision-Date: 2021-05-20 10:54+0800\n" "Last-Translator: ibuler \n" "Language-Team: JumpServer team\n" 
@@ -90,7 +90,7 @@ msgstr "登录复核" #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100 #: authentication/models.py:50 orgs/models.py:196 perms/models/base.py:84 -#: rbac/builtin.py:89 rbac/models/rolebinding.py:33 templates/index.html:78 +#: rbac/builtin.py:99 rbac/models/rolebinding.py:35 templates/index.html:78 #: terminal/backends/command/models.py:19 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:42 #: terminal/notifications.py:88 terminal/notifications.py:136 @@ -481,15 +481,15 @@ msgstr "Vmware 密码" msgid "Number required" msgstr "需要为数字" -#: assets/api/node.py:58 +#: assets/api/node.py:61 msgid "You can't update the root node name" msgstr "不能修改根节点名称" -#: assets/api/node.py:65 +#: assets/api/node.py:68 msgid "You can't delete the root node ({})" msgstr "不能删除根节点 ({})" -#: assets/api/node.py:68 +#: assets/api/node.py:71 msgid "Deletion failed and the node contains assets" msgstr "删除失败,节点包含资产" @@ -595,7 +595,7 @@ msgid "Is active" msgstr "激活" #: assets/models/asset.py:222 assets/models/cluster.py:19 -#: assets/models/user.py:222 assets/models/user.py:374 +#: assets/models/user.py:222 assets/models/user.py:377 msgid "Admin user" msgstr "特权用户" @@ -630,6 +630,10 @@ msgstr "可以测试资产连接性" msgid "Can push system user to asset" msgstr "可以推送系统用户到资产" +#: assets/models/asset.py:360 +msgid "Can match asset" +msgstr "可以匹配资产" + #: assets/models/authbook.py:27 msgid "AuthBook" msgstr "资产账号" @@ -744,7 +748,7 @@ msgstr "校验日期" #: assets/models/base.py:177 audits/signal_handlers.py:68 #: authentication/forms.py:22 -#: authentication/templates/authentication/login.html:151 +#: authentication/templates/authentication/login.html:178 #: settings/serializers/auth/ldap.py:44 users/forms/profile.py:21 #: users/templates/users/_msg_user_created.html:13 #: users/templates/users/user_password_update.html:43 
@@ -933,7 +937,7 @@ msgstr "空" msgid "Key" msgstr "键" -#: assets/models/node.py:547 assets/serializers/node.py:21 +#: assets/models/node.py:547 assets/serializers/node.py:20 msgid "Full value" msgstr "全称" @@ -949,6 +953,10 @@ msgstr "ssh私钥" msgid "Node" msgstr "节点" +#: assets/models/node.py:562 +msgid "Can match node" +msgstr "可以匹配节点" + #: assets/models/user.py:216 msgid "Automatic managed" msgstr "托管密码" @@ -1019,6 +1027,10 @@ msgstr "用户切换" msgid "Switch from" msgstr "切换自" +#: assets/models/user.py:327 +msgid "Can match system user" +msgstr "可以匹配系统用户" + #: assets/models/utils.py:35 #, python-format msgid "%(value)s is not an even number" @@ -1120,15 +1132,15 @@ msgstr "应用数量" msgid "Gateways count" msgstr "网关数量" -#: assets/serializers/node.py:18 +#: assets/serializers/node.py:17 msgid "value" msgstr "值" -#: assets/serializers/node.py:32 +#: assets/serializers/node.py:31 msgid "Can't contains: /" msgstr "不能包含: /" -#: assets/serializers/node.py:42 +#: assets/serializers/node.py:41 msgid "The same level node name cannot be the same" msgstr "同级别节点名字不能重复" @@ -1327,7 +1339,7 @@ msgstr "日志审计" #: audits/models.py:27 audits/models.py:57 #: authentication/templates/authentication/_access_key_modal.html:65 -#: rbac/tree.py:254 users/templates/users/user_asset_permission.html:128 +#: rbac/tree.py:301 users/templates/users/user_asset_permission.html:128 #: users/templates/users/user_database_app_permission.html:111 msgid "Delete" msgstr "删除" @@ -1381,11 +1393,11 @@ msgstr "文件管理" #: audits/models.py:55 #: authentication/templates/authentication/_access_key_modal.html:22 -#: rbac/tree.py:251 +#: rbac/tree.py:298 msgid "Create" msgstr "创建" -#: audits/models.py:56 rbac/tree.py:253 templates/_csv_import_export.html:18 +#: audits/models.py:56 rbac/tree.py:300 templates/_csv_import_export.html:18 #: templates/_csv_update_modal.html:6 #: users/templates/users/user_asset_permission.html:127 #: users/templates/users/user_database_app_permission.html:110 
@@ -2013,15 +2025,11 @@ msgstr "" #: authentication/models.py:61 msgid "Connection token" -msgstr "" +msgstr "连接Token" -#: authentication/models.py:63 -msgid "Can add super connection token" -msgstr "可以添加 超级连接Token" - -#: authentication/models.py:64 -msgid "Can view connect token secret" -msgstr "可以查看 连接Token 密文" +#: authentication/models.py:67 +msgid "Super connection token" +msgstr "超级连接Token" #: authentication/notifications.py:19 msgid "Different city login reminder" @@ -2201,22 +2209,22 @@ msgid "" "security issues" msgstr "如果这次公钥更新不是由你发起的,那么你的账号可能存在安全问题" -#: authentication/templates/authentication/login.html:143 +#: authentication/templates/authentication/login.html:170 msgid "Welcome back, please enter username and password to login" msgstr "欢迎回来,请输入用户名和密码登录" -#: authentication/templates/authentication/login.html:179 +#: authentication/templates/authentication/login.html:206 #: users/templates/users/forgot_password.html:15 #: users/templates/users/forgot_password.html:16 msgid "Forgot password" msgstr "忘记密码" -#: authentication/templates/authentication/login.html:186 +#: authentication/templates/authentication/login.html:213 #: templates/_header_bar.html:83 msgid "Login" msgstr "登录" -#: authentication/templates/authentication/login.html:193 +#: authentication/templates/authentication/login.html:220 msgid "More login options" msgstr "更多登录方式" @@ -2507,7 +2515,11 @@ msgstr "忽略的" msgid "discard time" msgstr "忽略时间" -#: common/models.py:8 +#: common/models.py:7 +msgid "Common permission" +msgstr "通用权限" + +#: common/models.py:9 msgid "Can view resource statistics" msgstr "可以查看资源统计" 
@@ -2826,12 +2838,12 @@ msgstr "当前组织 ({}) 不能被删除" msgid "The organization have resource ({}) cannot be deleted" msgstr "组织存在资源 ({}) 不能被删除" -#: orgs/apps.py:7 +#: orgs/apps.py:7 rbac/tree.py:170 msgid "App organizations" msgstr "组织管理" #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:27 -#: orgs/models.py:193 rbac/const.py:7 rbac/models/rolebinding.py:40 +#: orgs/models.py:193 rbac/const.py:7 rbac/models/rolebinding.py:42 #: rbac/serializers/rolebinding.py:40 tickets/serializers/ticket/ticket.py:77 msgid "Organization" msgstr "组织" @@ -2844,7 +2856,7 @@ msgstr "全局组织" msgid "Can view root org" msgstr "可以查看全局组织" -#: orgs/models.py:198 rbac/models/role.py:46 rbac/models/rolebinding.py:36 +#: orgs/models.py:198 rbac/models/role.py:46 rbac/models/rolebinding.py:38 #: users/models/user.py:560 users/templates/users/_select_user_modal.html:15 msgid "Role" msgstr "角色" @@ -3061,27 +3073,27 @@ msgstr "{} 至少有一个系统角色" msgid "RBAC" msgstr "RBAC" -#: rbac/builtin.py:80 +#: rbac/builtin.py:90 msgid "SystemAdmin" msgstr "系统管理员" -#: rbac/builtin.py:83 +#: rbac/builtin.py:93 msgid "SystemAuditor" msgstr "系统审计员" -#: rbac/builtin.py:86 +#: rbac/builtin.py:96 msgid "SystemComponent" msgstr "系统组件" -#: rbac/builtin.py:92 +#: rbac/builtin.py:102 msgid "OrgAdmin" msgstr "组织管理员" -#: rbac/builtin.py:95 +#: rbac/builtin.py:105 msgid "OrgAuditor" msgstr "组织审计员" -#: rbac/builtin.py:98 +#: rbac/builtin.py:108 msgid "OrgUser" msgstr "组织用户" @@ -3105,7 +3117,7 @@ msgstr "查看工作台" msgid "Permission" msgstr "授权" -#: rbac/models/role.py:31 rbac/models/rolebinding.py:30 +#: rbac/models/role.py:31 rbac/models/rolebinding.py:32 msgid "Scope" msgstr "范围" 
@@ -3125,21 +3137,21 @@ msgstr "系统角色" msgid "Organization role" msgstr "组织角色" -#: rbac/models/rolebinding.py:45 +#: rbac/models/rolebinding.py:47 msgid "Role binding" msgstr "角色绑定" -#: rbac/models/rolebinding.py:111 +#: rbac/models/rolebinding.py:113 msgid "" "User last role in org, can not be delete, you can remove user from org " "instead" msgstr "用户最后一个角色,不能删除,你可以将用户从组织移除" -#: rbac/models/rolebinding.py:118 +#: rbac/models/rolebinding.py:120 msgid "Organization role binding" msgstr "组织角色绑定" -#: rbac/models/rolebinding.py:132 +#: rbac/models/rolebinding.py:134 msgid "System role binding" msgstr "系统角色绑定" @@ -3163,59 +3175,63 @@ msgstr "角色显示" msgid "Has bound this role" msgstr "已经绑定" -#: rbac/tree.py:16 rbac/tree.py:17 +#: rbac/tree.py:17 rbac/tree.py:18 msgid "All permissions" msgstr "所有权限" -#: rbac/tree.py:24 +#: rbac/tree.py:26 msgid "Console view" msgstr "控制台" -#: rbac/tree.py:28 +#: rbac/tree.py:30 msgid "Workspace view" msgstr "工作台" -#: rbac/tree.py:32 +#: rbac/tree.py:34 msgid "Audit view" msgstr "安全审计" -#: rbac/tree.py:36 settings/models.py:140 +#: rbac/tree.py:38 settings/models.py:140 msgid "System setting" msgstr "系统设置" -#: rbac/tree.py:40 +#: rbac/tree.py:42 msgid "Other" -msgstr "" +msgstr "其它" -#: rbac/tree.py:59 +#: rbac/tree.py:62 msgid "Accounts" msgstr "账号管理" -#: rbac/tree.py:76 +#: rbac/tree.py:79 msgid "Session audits" msgstr "会话审计" -#: rbac/tree.py:104 +#: rbac/tree.py:108 msgid "Cloud import" msgstr "云同步" -#: rbac/tree.py:109 +#: rbac/tree.py:113 msgid "Backup account" msgstr "备份账号" -#: rbac/tree.py:114 +#: rbac/tree.py:118 msgid "Gather account" msgstr "收集账号" -#: rbac/tree.py:119 +#: rbac/tree.py:123 msgid "App change auth" msgstr "应用改密" -#: rbac/tree.py:124 +#: rbac/tree.py:128 msgid "Asset change auth" msgstr "资产改密" -#: rbac/tree.py:252 +#: rbac/tree.py:133 +msgid "Terminal setting" +msgstr "终端设置" + +#: rbac/tree.py:299 msgid "View" msgstr "查看" 
@@ -6688,6 +6704,9 @@ msgstr "旗舰版" msgid "Community edition" msgstr "社区版" +#~ msgid "Can view connect token secret" +#~ msgstr "可以查看 连接Token 密文" + #~ msgid "AppAsset" #~ msgstr "资产管理" diff --git a/apps/perms/api/application/user_permission/common.py b/apps/perms/api/application/user_permission/common.py index 650a403cb..150581632 100644 --- a/apps/perms/api/application/user_permission/common.py +++ b/apps/perms/api/application/user_permission/common.py @@ -28,7 +28,7 @@ __all__ = [ ] -class GrantedApplicationSystemUsersMixin(ListAPIView): +class BaseGrantedApplicationSystemUsersApi(ListAPIView): serializer_class = serializers.ApplicationSystemUserSerializer only_fields = serializers.ApplicationSystemUserSerializer.Meta.only_fields user: None @@ -45,11 +45,11 @@ class GrantedApplicationSystemUsersMixin(ListAPIView): return system_users -class UserGrantedApplicationSystemUsersApi(RoleAdminMixin, GrantedApplicationSystemUsersMixin): +class UserGrantedApplicationSystemUsersApi(RoleAdminMixin, BaseGrantedApplicationSystemUsersApi): pass -class MyGrantedApplicationSystemUsersApi(RoleUserMixin, GrantedApplicationSystemUsersMixin): +class MyGrantedApplicationSystemUsersApi(RoleUserMixin, BaseGrantedApplicationSystemUsersApi): pass diff --git a/apps/perms/api/application/user_permission/mixin.py b/apps/perms/api/application/user_permission/mixin.py index c0bd07928..9f2becb34 100644 --- a/apps/perms/api/application/user_permission/mixin.py +++ b/apps/perms/api/application/user_permission/mixin.py @@ -23,6 +23,6 @@ class RoleUserMixin(_RoleUserMixin): ('GET', 'perms.view_myapps'), ) - def get(self, request, *args, **kwargs): + def dispatch(self, *args, **kwargs): with tmp_to_root_org(): - return super().get(request, *args, **kwargs) + return super().dispatch(*args, **kwargs) \ No newline at end of file diff --git a/apps/perms/api/asset/user_permission/mixin.py b/apps/perms/api/asset/user_permission/mixin.py index 10b46e098..9514d41b0 100644 
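Review bot: Moving the `tmp_to_root_org()` wrapper from `get` to `dispatch` widens it to the whole request, so the permission check for `('GET', 'perms.view_myapps')` now also runs with the current org switched to root; whether an org-scoped role binding still satisfies that check under the root org cannot be told from this hunk, so a test that a user holding the permission only via an org role still gets 200, and one without it still gets 403, would pin the behaviour. The asset twin in `apps/perms/api/asset/user_permission/mixin.py` makes the same change and also drops its `get_queryset` wrapper, which the `dispatch` wrapper now covers. A short comment above the override would explain the choice: `# Wrap dispatch rather than get() so the permission check, get_queryset and serialization all run under the root org.` The new file also ends without a trailing newline (`\ No newline at end of file`).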
--- a/apps/perms/api/asset/user_permission/mixin.py
+++ b/apps/perms/api/asset/user_permission/mixin.py
@@ -37,10 +37,6 @@ class RoleUserMixin(PermBaseMixin, _RoleUserMixin):
 ('GET', 'perms.view_myassets'),
 )
 
- def get(self, request, *args, **kwargs):
+ def dispatch(self, *args, **kwargs):
 with tmp_to_root_org():
- return super().get(request, *args, **kwargs)
-
- def get_queryset(self):
- with tmp_to_root_org():
- return super().get_queryset()
+ return super().dispatch(*args, **kwargs)
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index 7bccd958e..1aa232576 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -78,6 +78,10 @@ only_system_permissions = (
 ('xpack', 'license', '*', '*'),
 ('settings', 'setting', '*', '*'),
 ('terminal', 'terminal', '*', '*'),
+ ('terminal', 'commandstorage', '*', '*'),
+ ('terminal', 'replaystorage', '*', '*'),
+ ('terminal', 'status', '*', '*'),
+ ('terminal', 'task', '*', '*'),
 )
 
 only_org_permissions = (
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index ec827b989..e0b29a617 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -11,6 +11,7 @@ from django.utils.translation import ugettext
 from .models import Permission, ContentType
 from common.tree import TreeNode
 
+# 根节点
 root_node_data = {
 'id': '$ROOT$',
 'name': _('All permissions'),
@@ -18,6 +19,7 @@ root_node_data = {
 'pId': '',
 }
 
+# 第二层 view 节点,手动创建的
 view_nodes_data = [
 {
 'id': 'view_console',
@@ -41,6 +43,7 @@ view_nodes_data = [
 }
 ]
 
+# 第三层 app 节点,定义了父子关系
 app_nodes_data = [
 {
 'id': 'users',
@@ -98,6 +101,7 @@ app_nodes_data = [
 }
 ]
 
+# 额外其他节点,可以在不同的层次,需要指定父节点,可以将一些 model 归类到这个节点下面
 extra_nodes_data = [
 {
 "id": "cloud_import",
@@ -131,6 +135,7 @@ extra_nodes_data = [
 }
 ]
 
+# 将 model 放到其它节点下,而不是本来的 app 中
 special_model_pid_mapper = {
 'common.permission': 'view_other',
 "assets.authbook": "accounts",
@@ -157,14 +162,19 @@ special_model_pid_mapper = { 'terminal.replaystorage': 'terminal_node', 'terminal.status': 'terminal_node', 'terminal.task': 'terminal_node', + 'audits.ftplog': 'terminal', + 'rbac.menupermission': 'view_other', } model_verbose_name_mapper = { 'orgs.organization': _("App organizations"), } -xpack_required = [ - 'accounts', 'rbac.' +xpack_apps = [ + 'xpack', 'tickets', +] + +xpack_models = [ ] @@ -236,6 +246,17 @@ class PermissionTreeUtil: } return model_counts_mapper, model_check_counts_mapper + @staticmethod + def _check_model_xpack(model_id): + app, model = model_id.split('.', 2) + if settings.XPACK_ENABLED: + return True + if app in xpack_apps: + return False + if model_id in xpack_models: + return False + return True + def _create_models_nodes(self): content_types = ContentType.objects.all() total_counts_mapper, checked_counts_mapper = self._get_model_counts_mapper() @@ -248,6 +269,8 @@ class PermissionTreeUtil: continue model_id = '{}.{}'.format(ct.app_label, ct.model) + if not self._check_model_xpack(model_id): + continue # 获取 pid app = ct.app_label if special_model_pid_mapper.get(model_id): @@ -307,6 +330,8 @@ class PermissionTreeUtil: for p in self.all_permissions: model_id = f'{p.app}.{p.model}' + if not self._check_model_xpack(model_id): + continue name = self._get_permission_name(p, content_types_name_mapper) if settings.DEBUG: name += '({})'.format(p.app_label_codename)
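Review bot: `xpack_apps` and `xpack_models` replace `xpack_required` without a comment saying what membership means, and the removed list's `'accounts'` and `'rbac.'` entries are not carried over, so the `accounts` node and rbac models are presumably no longer hidden when XPACK is off — likely the intent of "还原 xpack", but worth stating in the code. Suggest `# apps whose models are dropped from the tree when XPACK is disabled` above `xpack_apps` and `# individual 'app.model' ids dropped from the tree when XPACK is disabled` above `xpack_models`. Since both are only used for membership tests in `_check_model_xpack`, tuples or frozensets would also signal that they are constants rather than lists to mutate.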
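Review bot: `app, model = model_id.split('.', 2)` in `_check_model_xpack` uses the wrong maxsplit and binds an unused name: with maxsplit 2 an id containing two dots yields three parts and the unpack raises ValueError, while `model` is never read; `app = model_id.split('.', 1)[0]` gives the two tests below what they need. The method's name reads as "is this an xpack model" but it returns True when the model should be shown, so a docstring such as `"""Return True if the model belongs in the tree; xpack-only apps/models are hidden when XPACK_ENABLED is False."""` would prevent inverted callers. The `settings.XPACK_ENABLED` short-circuit could also move above the split so the split only runs when its result is used.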
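Review bot: The new xpack filter in `_create_models_nodes` (and the identical check in the permissions loop at `@@ -307`) skips nodes, but `_get_model_counts_mapper`, whose return is visible just above, is computed before the filter; if it iterates the same permissions without this check, parent node counts may still include permissions of hidden models — this cannot be confirmed from the hunk, so it is worth checking against the counts code. Building `model_id` with `'{}.{}'.format(ct.app_label, ct.model)` here and `f'{p.app}.{p.model}'` below is also inconsistent; `model_id = f'{ct.app_label}.{ct.model}'` keeps the two in step. Both enclosing methods start outside their hunks.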