perf: 修改 rbac tree (#7743)

* perf: 修改 rbac tree

* perf: 修改verbose name

* fix: 修复系统用户

* fix: 还原 xpack

Co-authored-by: ibuler <ibuler@qq.com>

apps/authentication/api/connection_token.py

@@ -401,7 +401,12 @@ class UserConnectionTokenViewSet(
 
         asset, application, system_user, user = self.get_request_resource(serializer)
         token, secret = self.create_token(user, asset, application, system_user)
-        return Response({"id": token, 'secret': secret}, status=201)
+        tp = 'app' if application else 'asset'
+        data = {
+            "id": token, 'secret': secret,
+            'type': tp, 'protocol': system_user.protocol
+        }
+        return Response(data, status=201)
 
     def valid_token(self, token):
         from users.models import User

apps/common/migrations/0007_permission.py

@@ -19,6 +19,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'permissions': [('view_resourcestatistics', 'Can view resource statistics')],
+                'verbose_name': 'Common permission'
             },
         ),
     ]

apps/common/models.py

@@ -4,6 +4,7 @@ from django.utils.translation import gettext_lazy as _
 
 class Permission(models.Model):
     class Meta:
+        verbose_name = _("Common permission")
         permissions = [
             ('view_resourcestatistics', _('Can view resource statistics'))
         ]

apps/locale/zh/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8bd2394fc5d9bb9254965db4273a09d4ddabd8051b4855b9642476ff9cab836b
+oid sha256:8f6c99abd272924bb5008bc55960af43af3b50ee1312c6aeaec48dbe5a31aa5c
-size 101898
+size 102226

apps/locale/zh/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-02 19:46+0800\n"
+"POT-Creation-Date: 2022-03-07 10:31+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -90,7 +90,7 @@ msgstr "登录复核"
 #: assets/models/cmd_filter.py:30 assets/models/label.py:15 audits/models.py:37
 #: audits/models.py:60 audits/models.py:85 audits/serializers.py:100
 #: authentication/models.py:50 orgs/models.py:196 perms/models/base.py:84
-#: rbac/builtin.py:89 rbac/models/rolebinding.py:33 templates/index.html:78
+#: rbac/builtin.py:99 rbac/models/rolebinding.py:35 templates/index.html:78
 #: terminal/backends/command/models.py:19
 #: terminal/backends/command/serializers.py:12 terminal/models/session.py:42
 #: terminal/notifications.py:88 terminal/notifications.py:136
@@ -481,15 +481,15 @@ msgstr "Vmware 密码"
 msgid "Number required"
 msgstr "需要为数字"
 
-#: assets/api/node.py:58
+#: assets/api/node.py:61
 msgid "You can't update the root node name"
 msgstr "不能修改根节点名称"
 
-#: assets/api/node.py:65
+#: assets/api/node.py:68
 msgid "You can't delete the root node ({})"
 msgstr "不能删除根节点 ({})"
 
-#: assets/api/node.py:68
+#: assets/api/node.py:71
 msgid "Deletion failed and the node contains assets"
 msgstr "删除失败，节点包含资产"
 
@@ -595,7 +595,7 @@ msgid "Is active"
 msgstr "激活"
 
 #: assets/models/asset.py:222 assets/models/cluster.py:19
-#: assets/models/user.py:222 assets/models/user.py:374
+#: assets/models/user.py:222 assets/models/user.py:377
 msgid "Admin user"
 msgstr "特权用户"
 
@@ -630,6 +630,10 @@ msgstr "可以测试资产连接性"
 msgid "Can push system user to asset"
 msgstr "可以推送系统用户到资产"
 
+#: assets/models/asset.py:360
+msgid "Can match asset"
+msgstr "可以匹配资产"
+
 #: assets/models/authbook.py:27
 msgid "AuthBook"
 msgstr "资产账号"
@@ -744,7 +748,7 @@ msgstr "校验日期"
 
 #: assets/models/base.py:177 audits/signal_handlers.py:68
 #: authentication/forms.py:22
-#: authentication/templates/authentication/login.html:151
+#: authentication/templates/authentication/login.html:178
 #: settings/serializers/auth/ldap.py:44 users/forms/profile.py:21
 #: users/templates/users/_msg_user_created.html:13
 #: users/templates/users/user_password_update.html:43
@@ -933,7 +937,7 @@ msgstr "空"
 msgid "Key"
 msgstr "键"
 
-#: assets/models/node.py:547 assets/serializers/node.py:21
+#: assets/models/node.py:547 assets/serializers/node.py:20
 msgid "Full value"
 msgstr "全称"
 
@@ -949,6 +953,10 @@ msgstr "ssh私钥"
 msgid "Node"
 msgstr "节点"
 
+#: assets/models/node.py:562
+msgid "Can match node"
+msgstr "可以匹配节点"
+
 #: assets/models/user.py:216
 msgid "Automatic managed"
 msgstr "托管密码"
@@ -1019,6 +1027,10 @@ msgstr "用户切换"
 msgid "Switch from"
 msgstr "切换自"
 
+#: assets/models/user.py:327
+msgid "Can match system user"
+msgstr "可以匹配系统用户"
+
 #: assets/models/utils.py:35
 #, python-format
 msgid "%(value)s is not an even number"
@@ -1120,15 +1132,15 @@ msgstr "应用数量"
 msgid "Gateways count"
 msgstr "网关数量"
 
-#: assets/serializers/node.py:18
+#: assets/serializers/node.py:17
 msgid "value"
 msgstr "值"
 
-#: assets/serializers/node.py:32
+#: assets/serializers/node.py:31
 msgid "Can't contains: /"
 msgstr "不能包含: /"
 
-#: assets/serializers/node.py:42
+#: assets/serializers/node.py:41
 msgid "The same level node name cannot be the same"
 msgstr "同级别节点名字不能重复"
 
@@ -1327,7 +1339,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:254 users/templates/users/user_asset_permission.html:128
+#: rbac/tree.py:301 users/templates/users/user_asset_permission.html:128
 #: users/templates/users/user_database_app_permission.html:111
 msgid "Delete"
 msgstr "删除"
@@ -1381,11 +1393,11 @@ msgstr "文件管理"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:251
+#: rbac/tree.py:298
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:56 rbac/tree.py:253 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:300 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 #: users/templates/users/user_asset_permission.html:127
 #: users/templates/users/user_database_app_permission.html:110
@@ -2013,15 +2025,11 @@ msgstr ""
 
 #: authentication/models.py:61
 msgid "Connection token"
-msgstr ""
+msgstr "连接Token"
 
-#: authentication/models.py:63
+#: authentication/models.py:67
-msgid "Can add super connection token"
+msgid "Super connection token"
-msgstr "可以添加 超级连接Token"
+msgstr "超级连接Token"
-
-#: authentication/models.py:64
-msgid "Can view connect token secret"
-msgstr "可以查看 连接Token 密文"
 
 #: authentication/notifications.py:19
 msgid "Different city login reminder"
@@ -2201,22 +2209,22 @@ msgid ""
 "security issues"
 msgstr "如果这次公钥更新不是由你发起的，那么你的账号可能存在安全问题"
 
-#: authentication/templates/authentication/login.html:143
+#: authentication/templates/authentication/login.html:170
 msgid "Welcome back, please enter username and password to login"
 msgstr "欢迎回来，请输入用户名和密码登录"
 
-#: authentication/templates/authentication/login.html:179
+#: authentication/templates/authentication/login.html:206
 #: users/templates/users/forgot_password.html:15
 #: users/templates/users/forgot_password.html:16
 msgid "Forgot password"
 msgstr "忘记密码"
 
-#: authentication/templates/authentication/login.html:186
+#: authentication/templates/authentication/login.html:213
 #: templates/_header_bar.html:83
 msgid "Login"
 msgstr "登录"
 
-#: authentication/templates/authentication/login.html:193
+#: authentication/templates/authentication/login.html:220
 msgid "More login options"
 msgstr "更多登录方式"
 
@@ -2507,7 +2515,11 @@ msgstr "忽略的"
 msgid "discard time"
 msgstr "忽略时间"
 
-#: common/models.py:8
+#: common/models.py:7
+msgid "Common permission"
+msgstr "通用权限"
+
+#: common/models.py:9
 msgid "Can view resource statistics"
 msgstr "可以查看资源统计"
 
@@ -2826,12 +2838,12 @@ msgstr "当前组织 ({}) 不能被删除"
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
 
-#: orgs/apps.py:7
+#: orgs/apps.py:7 rbac/tree.py:170
 msgid "App organizations"
 msgstr "组织管理"
 
 #: orgs/mixins/models.py:46 orgs/mixins/serializers.py:25 orgs/models.py:27
-#: orgs/models.py:193 rbac/const.py:7 rbac/models/rolebinding.py:40
+#: orgs/models.py:193 rbac/const.py:7 rbac/models/rolebinding.py:42
 #: rbac/serializers/rolebinding.py:40 tickets/serializers/ticket/ticket.py:77
 msgid "Organization"
 msgstr "组织"
@@ -2844,7 +2856,7 @@ msgstr "全局组织"
 msgid "Can view root org"
 msgstr "可以查看全局组织"
 
-#: orgs/models.py:198 rbac/models/role.py:46 rbac/models/rolebinding.py:36
+#: orgs/models.py:198 rbac/models/role.py:46 rbac/models/rolebinding.py:38
 #: users/models/user.py:560 users/templates/users/_select_user_modal.html:15
 msgid "Role"
 msgstr "角色"
@@ -3061,27 +3073,27 @@ msgstr "{} 至少有一个系统角色"
 msgid "RBAC"
 msgstr "RBAC"
 
-#: rbac/builtin.py:80
+#: rbac/builtin.py:90
 msgid "SystemAdmin"
 msgstr "系统管理员"
 
-#: rbac/builtin.py:83
+#: rbac/builtin.py:93
 msgid "SystemAuditor"
 msgstr "系统审计员"
 
-#: rbac/builtin.py:86
+#: rbac/builtin.py:96
 msgid "SystemComponent"
 msgstr "系统组件"
 
-#: rbac/builtin.py:92
+#: rbac/builtin.py:102
 msgid "OrgAdmin"
 msgstr "组织管理员"
 
-#: rbac/builtin.py:95
+#: rbac/builtin.py:105
 msgid "OrgAuditor"
 msgstr "组织审计员"
 
-#: rbac/builtin.py:98
+#: rbac/builtin.py:108
 msgid "OrgUser"
 msgstr "组织用户"
 
@@ -3105,7 +3117,7 @@ msgstr "查看工作台"
 msgid "Permission"
 msgstr "授权"
 
-#: rbac/models/role.py:31 rbac/models/rolebinding.py:30
+#: rbac/models/role.py:31 rbac/models/rolebinding.py:32
 msgid "Scope"
 msgstr "范围"
 
@@ -3125,21 +3137,21 @@ msgstr "系统角色"
 msgid "Organization role"
 msgstr "组织角色"
 
-#: rbac/models/rolebinding.py:45
+#: rbac/models/rolebinding.py:47
 msgid "Role binding"
 msgstr "角色绑定"
 
-#: rbac/models/rolebinding.py:111
+#: rbac/models/rolebinding.py:113
 msgid ""
 "User last role in org, can not be delete, you can remove user from org "
 "instead"
 msgstr "用户最后一个角色，不能删除，你可以将用户从组织移除"
 
-#: rbac/models/rolebinding.py:118
+#: rbac/models/rolebinding.py:120
 msgid "Organization role binding"
 msgstr "组织角色绑定"
 
-#: rbac/models/rolebinding.py:132
+#: rbac/models/rolebinding.py:134
 msgid "System role binding"
 msgstr "系统角色绑定"
 
@@ -3163,59 +3175,63 @@ msgstr "角色显示"
 msgid "Has bound this role"
 msgstr "已经绑定"
 
-#: rbac/tree.py:16 rbac/tree.py:17
+#: rbac/tree.py:17 rbac/tree.py:18
 msgid "All permissions"
 msgstr "所有权限"
 
-#: rbac/tree.py:24
+#: rbac/tree.py:26
 msgid "Console view"
 msgstr "控制台"
 
-#: rbac/tree.py:28
+#: rbac/tree.py:30
 msgid "Workspace view"
 msgstr "工作台"
 
-#: rbac/tree.py:32
+#: rbac/tree.py:34
 msgid "Audit view"
 msgstr "安全审计"
 
-#: rbac/tree.py:36 settings/models.py:140
+#: rbac/tree.py:38 settings/models.py:140
 msgid "System setting"
 msgstr "系统设置"
 
-#: rbac/tree.py:40
+#: rbac/tree.py:42
 msgid "Other"
-msgstr ""
+msgstr "其它"
 
-#: rbac/tree.py:59
+#: rbac/tree.py:62
 msgid "Accounts"
 msgstr "账号管理"
 
-#: rbac/tree.py:76
+#: rbac/tree.py:79
 msgid "Session audits"
 msgstr "会话审计"
 
-#: rbac/tree.py:104
+#: rbac/tree.py:108
 msgid "Cloud import"
 msgstr "云同步"
 
-#: rbac/tree.py:109
+#: rbac/tree.py:113
 msgid "Backup account"
 msgstr "备份账号"
 
-#: rbac/tree.py:114
+#: rbac/tree.py:118
 msgid "Gather account"
 msgstr "收集账号"
 
-#: rbac/tree.py:119
+#: rbac/tree.py:123
 msgid "App change auth"
 msgstr "应用改密"
 
-#: rbac/tree.py:124
+#: rbac/tree.py:128
 msgid "Asset change auth"
 msgstr "资产改密"
 
-#: rbac/tree.py:252
+#: rbac/tree.py:133
+msgid "Terminal setting"
+msgstr "终端设置"
+
+#: rbac/tree.py:299
 msgid "View"
 msgstr "查看"
 
@@ -6688,6 +6704,9 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "Can view connect token secret"
+#~ msgstr "可以查看 连接Token 密文"
+
 #~ msgid "AppAsset"
 #~ msgstr "资产管理"
 

apps/perms/api/application/user_permission/common.py

@@ -28,7 +28,7 @@ __all__ = [
 ]
 
 
-class GrantedApplicationSystemUsersMixin(ListAPIView):
+class BaseGrantedApplicationSystemUsersApi(ListAPIView):
     serializer_class = serializers.ApplicationSystemUserSerializer
     only_fields = serializers.ApplicationSystemUserSerializer.Meta.only_fields
     user: None
@@ -45,11 +45,11 @@ class GrantedApplicationSystemUsersMixin(ListAPIView):
         return system_users
 
 
-class UserGrantedApplicationSystemUsersApi(RoleAdminMixin, GrantedApplicationSystemUsersMixin):
+class UserGrantedApplicationSystemUsersApi(RoleAdminMixin, BaseGrantedApplicationSystemUsersApi):
     pass
 
 
-class MyGrantedApplicationSystemUsersApi(RoleUserMixin, GrantedApplicationSystemUsersMixin):
+class MyGrantedApplicationSystemUsersApi(RoleUserMixin, BaseGrantedApplicationSystemUsersApi):
     pass
 
 

apps/perms/api/application/user_permission/mixin.py

@@ -23,6 +23,6 @@ class RoleUserMixin(_RoleUserMixin):
         ('GET', 'perms.view_myapps'),
     )
 
-    def get(self, request, *args, **kwargs):
+    def dispatch(self, *args, **kwargs):
         with tmp_to_root_org():
-            return super().get(request, *args, **kwargs)
+            return super().dispatch(*args, **kwargs)

apps/perms/api/asset/user_permission/mixin.py

@@ -37,10 +37,6 @@ class RoleUserMixin(PermBaseMixin, _RoleUserMixin):
         ('GET', 'perms.view_myassets'),
     )
 
-    def get(self, request, *args, **kwargs):
+    def dispatch(self, *args, **kwargs):
         with tmp_to_root_org():
-            return super().get(request, *args, **kwargs)
+            return super().dispatch(*args, **kwargs)
-
-    def get_queryset(self):
-        with tmp_to_root_org():
-            return super().get_queryset()

apps/rbac/const.py

@@ -78,6 +78,10 @@ only_system_permissions = (
     ('xpack', 'license', '*', '*'),
     ('settings', 'setting', '*', '*'),
     ('terminal', 'terminal', '*', '*'),
+    ('terminal', 'commandstorage', '*', '*'),
+    ('terminal', 'replaystorage', '*', '*'),
+    ('terminal', 'status', '*', '*'),
+    ('terminal', 'task', '*', '*'),
 )
 
 only_org_permissions = (

apps/rbac/tree.py

@@ -11,6 +11,7 @@ from django.utils.translation import ugettext
 from .models import Permission, ContentType
 from common.tree import TreeNode
 
+# 根节点
 root_node_data = {
     'id': '$ROOT$',
     'name': _('All permissions'),
@@ -18,6 +19,7 @@ root_node_data = {
     'pId': '',
 }
 
+# 第二层 view 节点，手动创建的
 view_nodes_data = [
     {
         'id': 'view_console',
@@ -41,6 +43,7 @@ view_nodes_data = [
     }
 ]
 
+# 第三层 app 节点，定义了父子关系
 app_nodes_data = [
     {
         'id': 'users',
@@ -98,6 +101,7 @@ app_nodes_data = [
     }
 ]
 
+# 额外其他节点，可以在不同的层次，需要指定父节点，可以将一些 model 归类到这个节点下面
 extra_nodes_data = [
     {
         "id": "cloud_import",
@@ -131,6 +135,7 @@ extra_nodes_data = [
     }
 ]
 
+# 将 model 放到其它节点下，而不是本来的 app 中
 special_model_pid_mapper = {
     'common.permission': 'view_other',
     "assets.authbook": "accounts",
@@ -157,14 +162,19 @@ special_model_pid_mapper = {
     'terminal.replaystorage': 'terminal_node',
     'terminal.status': 'terminal_node',
     'terminal.task': 'terminal_node',
+    'audits.ftplog': 'terminal',
+    'rbac.menupermission': 'view_other',
 }
 
 model_verbose_name_mapper = {
     'orgs.organization': _("App organizations"),
 }
 
-xpack_required = [
+xpack_apps = [
-    'accounts', 'rbac.'
+    'xpack', 'tickets',
+]
+
+xpack_models = [
 ]
 
 
@@ -236,6 +246,17 @@ class PermissionTreeUtil:
         }
         return model_counts_mapper, model_check_counts_mapper
 
+    @staticmethod
+    def _check_model_xpack(model_id):
+        app, model = model_id.split('.', 2)
+        if settings.XPACK_ENABLED:
+            return True
+        if app in xpack_apps:
+            return False
+        if model_id in xpack_models:
+            return False
+        return True
+
     def _create_models_nodes(self):
         content_types = ContentType.objects.all()
         total_counts_mapper, checked_counts_mapper = self._get_model_counts_mapper()
@@ -248,6 +269,8 @@ class PermissionTreeUtil:
                 continue
 
             model_id = '{}.{}'.format(ct.app_label, ct.model)
+            if not self._check_model_xpack(model_id):
+                continue
             # 获取 pid
             app = ct.app_label
             if special_model_pid_mapper.get(model_id):
@@ -307,6 +330,8 @@ class PermissionTreeUtil:
 
         for p in self.all_permissions:
             model_id = f'{p.app}.{p.model}'
+            if not self._check_model_xpack(model_id):
+                continue
             name = self._get_permission_name(p, content_types_name_mapper)
             if settings.DEBUG:
                 name += '({})'.format(p.app_label_codename)