mirror of https://github.com/jumpserver/jumpserver
Perf: 优化RBAC权限树 (#7782)
* fix: 优化权限树(1) * fix: 优化权限树(2) * fix: 优化权限树(3) * fix: 优化权限树(4) * fix: 优化权限树(5) * fix: 优化权限树(添加迁移文件) * fix: 优化权限树(6) * fix: 优化权限树(7) * fix: 优化权限树(8) * fix: 优化权限树(9)pull/7786/head
parent
9ca0eaf7ce
commit
b017e68a56
@ -0,0 +1,49 @@
|
|||
# Generated by Django 3.1.14 on 2022-03-09 22:16
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('applications', '0018_auto_20220223_1539'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='DatabaseApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Database application',
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='KubernetesApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Kubernetes',
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='RemoteApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Remote application',
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
]
|
|
@ -266,3 +266,21 @@ class ApplicationUser(SystemUser):
|
|||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Application user')
|
||||
|
||||
|
||||
class RemoteApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Remote application')
|
||||
|
||||
|
||||
class DatabaseApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Database application')
|
||||
|
||||
|
||||
class KubernetesApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Kubernetes')
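Review bot: None of the three new proxies defines a manager or queryset constraint, so as written `RemoteApp.objects`, `DatabaseApp.objects` and `KubernetesApp.objects` all return the same rows as `Application.objects` regardless of category; the per-category codenames they mint (`applications.view_remoteapp` and friends, referenced by the new permission tree) therefore only scope data if every view gated by them also filters on `category`, which this hunk cannot show. If the proxies exist purely to generate permissions, state it on each class, e.g. `"""Permission-only proxy of Application; does not filter by category — callers must scope the queryset themselves."""`, so nobody later uses them as a category-scoped queryset. Otherwise attach a manager whose `get_queryset()` filters on the matching category so the proxy and its permissions agree. The module continues outside the hunk.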
|
||||
|
|
|
@ -0,0 +1,29 @@
|
|||
# Generated by Django 3.1.14 on 2022-03-09 22:16
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('assets', '0088_auto_20220303_1612'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='authbook',
|
||||
options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret')], 'verbose_name': 'AuthBook'},
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='systemuser',
|
||||
options={'ordering': ['name'], 'permissions': [('view_systemuserasset', 'Can view system user asset'), ('add_systemuserasset', 'Can add asset to system user'), ('remove_systemuserasset', 'Can remove system user asset'), ('match_systemuser', 'Can match system user')], 'verbose_name': 'System user'},
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='asset',
|
||||
options={'ordering': ['hostname'], 'permissions': [('refresh_assethardwareinfo', 'Can refresh asset hardware info'), ('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset'), ('match_asset', 'Can match asset'), ('add_assettonode', 'Add asset to node'), ('move_assettonode', 'Move asset to node')], 'verbose_name': 'Asset'},
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='gateway',
|
||||
options={'permissions': [('test_gateway', 'Test gateway')], 'verbose_name': 'Gateway'},
|
||||
),
|
||||
]
|
|
@ -359,4 +359,6 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
|
|||
('test_assetconnectivity', _('Can test asset connectivity')),
|
||||
('push_assetsystemuser', _('Can push system user to asset')),
|
||||
('match_asset', _('Can match asset')),
|
||||
('add_assettonode', _('Add asset to node')),
|
||||
('move_assettonode', _('Move asset to node')),
|
||||
]
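Review bot: The two new labels `('add_assettonode', _('Add asset to node'))` and `('move_assettonode', _('Move asset to node'))` drop the "Can …" form every sibling in this list uses (`Can test asset connectivity`, `Can push system user to asset`, `Can match asset`), so they read differently in the role editor and in translation catalogs. Suggest `('add_assettonode', _('Can add asset to node'))` and `('move_assettonode', _('Can move asset to node'))`; the generated assets migration in this commit hard-codes the current strings in its `AlterModelOptions` for `asset` and would need regenerating. The `Meta` class and the start of the permissions list lie above the hunk.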
|
||||
|
|
|
@ -27,6 +27,7 @@ class AuthBook(BaseUser, AbsConnectivity):
|
|||
verbose_name = _('AuthBook')
|
||||
unique_together = [('username', 'asset', 'systemuser')]
|
||||
permissions = [
|
||||
('test_authbook', _('Can test asset account connectivity')),
|
||||
('view_assetaccountsecret', _('Can view asset account secret')),
|
||||
('change_assetaccountsecret', _('Can change asset account secret'))
|
||||
]
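Review bot: `view_assetaccountsecret` and `change_assetaccountsecret` do not appear in the part of `permission_paths` included in this commit: the asset-account entries under `/root/view/view_console/account_management/asset_account/` and under `system_user_account_list/` list only `view_`, `add_`, `change_`, `delete_` and `test_authbook`. Since the rewritten `Permission.clean_permissions` keeps only codenames returned by `ZTree.get_permissions_app_label_codename`, a codename missing from the tree can never be granted to a role, which would leave the secret-returning endpoints reachable by superusers only; please confirm both codenames are added further down the list, which is cut off in this view. A short why-comment on the pair would also help future readers, e.g. `# secret values are gated separately from view_authbook; check these in any view that returns them`. `AuthBook.Meta` starts above the hunk.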
|
||||
|
|
|
@ -70,6 +70,9 @@ class Gateway(BaseUser):
|
|||
class Meta:
|
||||
unique_together = [('name', 'org_id')]
|
||||
verbose_name = _("Gateway")
|
||||
permissions = [
|
||||
('test_gateway', _('Test gateway'))
|
||||
]
|
||||
|
||||
def set_unconnective(self):
|
||||
unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id)
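Review bot: `('test_gateway', _('Test gateway'))` lacks the "Can …" form used by the comparable labels in this commit (`Can test asset connectivity`, `Can test asset account connectivity`); make it `('test_gateway', _('Can test gateway'))` and regenerate the assets migration, whose `AlterModelOptions` for `gateway` hard-codes the label. The rest of `Gateway`, including `set_unconnective`, lies outside the hunk.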
|
||||
|
|
|
@ -324,6 +324,9 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
|
|||
unique_together = [('name', 'org_id')]
|
||||
verbose_name = _("System user")
|
||||
permissions = [
|
||||
('view_systemuserasset', _('Can view system user asset')),
|
||||
('add_systemuserasset', _('Can add asset to system user')),
|
||||
('remove_systemuserasset', _('Can remove system user asset')),
|
||||
('match_systemuser', _('Can match system user')),
|
||||
]
|
||||
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# Generated by Django 3.1.14 on 2022-03-09 22:16
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('authentication', '0008_superconnectiontoken'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='connectiontoken',
|
||||
options={'permissions': [('view_connectiontokensecret', 'Can view connection token secret')], 'verbose_name': 'Connection token'},
|
||||
),
|
||||
]
|
|
@ -59,6 +59,9 @@ class ConnectionToken(models.JMSBaseModel):
|
|||
|
||||
class Meta:
|
||||
verbose_name = _('Connection token')
|
||||
permissions = [
|
||||
('view_connectiontokensecret', _('Can view connection token secret'))
|
||||
]
|
||||
|
||||
|
||||
class SuperConnectionToken(ConnectionToken):
|
||||
|
|
|
@ -214,7 +214,7 @@ class DatesLoginMetricMixin:
|
|||
class IndexApi(DatesLoginMetricMixin, APIView):
|
||||
http_method_names = ['get']
|
||||
rbac_perms = {
|
||||
'GET': 'rbac.view_resourcestatistics'
|
||||
'GET': 'rbac.view_dashboard'
|
||||
}
|
||||
|
||||
def get(self, request, *args, **kwargs):
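Review bot: Switching the gate to `'GET': 'rbac.view_dashboard'` means roles that were granted the old `rbac.view_resourcestatistics` codename no longer pass this check after upgrade, and nothing in this commit carries those bindings over: the rbac migrations only alter model options, which lets Django's post-migrate hook add the new `Permission` row but neither removes the old one nor re-points role bindings at it. Unless the frontend can reach the dashboard through some other permission, every affected role has to be re-edited by hand; a data migration that renames the codename on existing `rbac` `Permission` rows would preserve access. `IndexApi.get` continues below the hunk.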
|
||||
|
|
|
@ -1,3 +1,3 @@
|
|||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:819f2eb404c90465d945987436e236488653e031c46e90fb23defae28ca57c19
|
||||
size 102615
|
||||
oid sha256:a5f51e35576a9fd77db6f5267ccaffe74c453828ec36abc5dbea9734c8ac6a01
|
||||
size 107878
|
||||
|
|
|
@ -12,19 +12,6 @@ class Migration(migrations.Migration):
|
|||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='PermedApplication',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Permed app',
|
||||
'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
|
||||
'proxy': True,
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='PermedAsset',
|
||||
fields=[
|
||||
|
|
|
@ -0,0 +1,78 @@
|
|||
# Generated by Django 3.1.14 on 2022-03-09 22:16
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('applications', '0019_databaseapp_kubernetesapp_remoteapp'),
|
||||
('perms', '0026_auto_20220307_1500'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.CreateModel(
|
||||
name='PermedApplication',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Permed application',
|
||||
'permissions': [('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
|
||||
'proxy': True,
|
||||
'default_permissions': [],
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='PermedDatabaseApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Database application',
|
||||
'permissions': [('view_mydatabaseapp', 'Can view my database application'), ('connect_mydatabaseapp', 'Can connect my database application')],
|
||||
'proxy': True,
|
||||
'default_permissions': [],
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='PermedKubernetesApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Kubernetes',
|
||||
'permissions': [('view_mykubernetesapp', 'Can view my kubernetes application'), ('connect_mykubernetesapp', 'Can connect my kubernetes application')],
|
||||
'proxy': True,
|
||||
'default_permissions': [],
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.CreateModel(
|
||||
name='PermedRemoteApp',
|
||||
fields=[
|
||||
],
|
||||
options={
|
||||
'verbose_name': 'Permed remote application',
|
||||
'permissions': [('view_myremoteapp', 'Can view my remoteapp'), ('connect_myremoteapp', 'Can connect my remoteapp')],
|
||||
'proxy': True,
|
||||
'default_permissions': [],
|
||||
'indexes': [],
|
||||
'constraints': [],
|
||||
},
|
||||
bases=('applications.application',),
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='applicationpermission',
|
||||
options={'ordering': ('name',), 'permissions': [('view_permuserapplication', 'Can view application of permission to user')], 'verbose_name': 'Application permission'},
|
||||
),
|
||||
migrations.AlterModelOptions(
|
||||
name='assetpermission',
|
||||
options={'ordering': ('name',), 'permissions': [('view_permuserasset', 'Can view asset of permission to user'), ('view_permusergroupasset', 'Can view asset of permission to user group')], 'verbose_name': 'Asset permission'},
|
||||
),
|
||||
]
|
|
@ -36,9 +36,11 @@ class ApplicationPermission(BasePermission):
|
|||
class Meta:
|
||||
unique_together = [('org_id', 'name')]
|
||||
verbose_name = _('Application permission')
|
||||
permissions = [
|
||||
('view_permuserapplication', _('Can view application of permission to user'))
|
||||
]
|
||||
ordering = ('name',)
|
||||
|
||||
|
||||
@property
|
||||
def category_remote_app(self):
|
||||
return self.category == AppCategory.remote_app.value
|
||||
|
@ -107,10 +109,42 @@ class ApplicationPermission(BasePermission):
|
|||
class PermedApplication(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _("Permed app")
|
||||
verbose_name = _('Permed application')
|
||||
default_permissions = []
|
||||
permissions = [
|
||||
('view_myapps', _('Can view my apps')),
|
||||
('connect_myapps', _('Can connect my apps')),
|
||||
('view_userapps', _('Can view user apps')),
|
||||
('view_usergroupapps', _('Can view usergroup apps')),
|
||||
]
|
||||
|
||||
|
||||
class PermedRemoteApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Permed remote application')
|
||||
default_permissions = []
|
||||
permissions = [
|
||||
('view_myremoteapp', _('Can view my remoteapp')),
|
||||
('connect_myremoteapp', _('Can connect my remoteapp')),
|
||||
]
|
||||
|
||||
|
||||
class PermedDatabaseApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Database application')
|
||||
default_permissions = []
|
||||
permissions = [
|
||||
('view_mydatabaseapp', _('Can view my database application')),
|
||||
('connect_mydatabaseapp', _('Can connect my database application')),
|
||||
]
|
||||
|
||||
|
||||
class PermedKubernetesApp(Application):
|
||||
class Meta:
|
||||
proxy = True
|
||||
verbose_name = _('Kubernetes')
|
||||
default_permissions = []
|
||||
permissions = [
|
||||
('view_mykubernetesapp', _('Can view my kubernetes application')),
|
||||
('connect_mykubernetesapp', _('Can connect my kubernetes application')),
|
||||
]
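Review bot: `PermedDatabaseApp.Meta` and `PermedKubernetesApp.Meta` reuse the labels of the management proxies (`_('Database application')`, `_('Kubernetes')`) while `PermedApplication` and `PermedRemoteApp` get a "Permed …" label, so the role editor and translations will show two identically named nodes per category with different permissions behind them. Use `verbose_name = _('Permed database application')` and `verbose_name = _('Permed kubernetes application')` for consistency, and regenerate the new perms migration, which hard-codes the current strings. Separately, `view_myapps` and `connect_myapps` are dropped from `PermedApplication` on the new side without any step that moves existing role bindings to the per-category `view_my*`/`connect_my*` codenames; the old `Permission` rows stay in the table, so any view that still checks `perms.view_myapps` keeps working only for roles holding an orphaned row while the new codenames start with no grants. `ApplicationPermission` starts above the first hunk.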
|
||||
|
|
|
@ -28,6 +28,10 @@ class AssetPermission(BasePermission):
|
|||
unique_together = [('org_id', 'name')]
|
||||
verbose_name = _("Asset permission")
|
||||
ordering = ('name',)
|
||||
permissions = [
|
||||
('view_permuserasset', _('Can view asset of permission to user')),
|
||||
('view_permusergroupasset', _('Can view asset of permission to user group'))
|
||||
]
|
||||
|
||||
@lazyproperty
|
||||
def users_amount(self):
|
||||
|
|
|
@ -27,7 +27,7 @@ class Migration(migrations.Migration):
|
|||
],
|
||||
options={
|
||||
'verbose_name': 'Menu permission',
|
||||
'permissions': [('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view')],
|
||||
'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view')],
|
||||
'default_permissions': [],
|
||||
},
|
||||
),
|
||||
|
|
|
@ -12,6 +12,6 @@ class Migration(migrations.Migration):
|
|||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='menupermission',
|
||||
options={'default_permissions': [], 'permissions': [('view_resourcestatistics', 'Can view resource statistics'), ('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
|
||||
options={'default_permissions': [], 'permissions': [('view_dashboard', 'Can view resource statistics'), ('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
|
||||
),
|
||||
]
|
||||
|
|
|
@ -0,0 +1,17 @@
|
|||
# Generated by Django 3.1.14 on 2022-03-09 22:16
|
||||
|
||||
from django.db import migrations
|
||||
|
||||
|
||||
class Migration(migrations.Migration):
|
||||
|
||||
dependencies = [
|
||||
('rbac', '0006_auto_20220307_1558'),
|
||||
]
|
||||
|
||||
operations = [
|
||||
migrations.AlterModelOptions(
|
||||
name='menupermission',
|
||||
options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager'), ('view_dashboard', 'Can view dashboard')], 'verbose_name': 'Menu permission'},
|
||||
),
|
||||
]
|
|
@ -12,10 +12,10 @@ class MenuPermission(models.Model):
|
|||
default_permissions = []
|
||||
verbose_name = _('Menu permission')
|
||||
permissions = [
|
||||
('view_resourcestatistics', _('Can view resource statistics')),
|
||||
('view_adminview', _('Can view console view')),
|
||||
('view_auditview', _('Can view audit view')),
|
||||
('view_userview', _('Can view workspace view')),
|
||||
('view_console', _('Can view console view')),
|
||||
('view_audit', _('Can view audit view')),
|
||||
('view_workspace', _('Can view workspace view')),
|
||||
('view_webterminal', _('Can view web terminal')),
|
||||
('view_filemanager', _('Can view file manager')),
|
||||
('view_dashboard', _('Can view dashboard')),
|
||||
]
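Review bot: The four menu codenames are renamed in place (`view_adminview`→`view_console`, `view_auditview`→`view_audit`, `view_userview`→`view_workspace`, `view_resourcestatistics`→`view_dashboard`), and the commit also rewrites the already-applied rbac migrations 0005/0006 to use the new names, which changes nothing on a database where they have run; the new 0007 migration is an `AlterModelOptions` only, so on upgrade the post-migrate hook creates the new `Permission` rows but leaves the old rows and every role binding pointing at them. No existing role therefore holds any of the new menu permissions until an admin re-edits it, and the orphaned rows linger in the table. Add a `RunPython` step to 0007 that renames on the existing rows, e.g. `Permission.objects.filter(content_type__app_label='rbac', codename=old).update(codename=new)` for each pair (a no-op on fresh installs, where 0005/0006 already use the new names), with the reverse mapping as the reverse function. `MenuPermission.Meta` starts above the hunk.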
|
||||
|
|
|
@ -64,22 +64,12 @@ class Permission(DjangoPermission):
|
|||
q |= Q(**kwargs)
|
||||
return q
|
||||
|
||||
@classmethod
|
||||
def clean_permissions(cls, permissions, scope=Scope.system):
|
||||
if scope == Scope.org:
|
||||
excludes = const.org_exclude_permissions
|
||||
else:
|
||||
excludes = const.system_exclude_permissions
|
||||
q = cls.get_define_permissions_q(excludes)
|
||||
if q:
|
||||
permissions = permissions.exclude(q)
|
||||
return permissions
|
||||
|
||||
@staticmethod
|
||||
def create_tree_nodes(permissions, scope, check_disabled=False):
|
||||
from ..tree import PermissionTreeUtil
|
||||
util = PermissionTreeUtil(permissions, scope, check_disabled)
|
||||
return util.create_tree_nodes()
|
||||
from ..ztree.tree import ZTree
|
||||
ztree = ZTree(permissions, scope, check_disabled)
|
||||
tree_nodes = ztree.get_tree_nodes()
|
||||
return tree_nodes
|
||||
|
||||
@classmethod
|
||||
def get_permissions(cls, scope):
|
||||
|
@ -87,4 +77,13 @@ class Permission(DjangoPermission):
|
|||
permissions = cls.clean_permissions(permissions, scope=scope)
|
||||
return permissions
|
||||
|
||||
|
||||
@classmethod
|
||||
def clean_permissions(cls, permissions, scope=Scope.system):
|
||||
from ..ztree.tree import ZTree
|
||||
perms_app_label_codename = ZTree.get_permissions_app_label_codename(scope)
|
||||
q = Q()
|
||||
for app_label_codename in perms_app_label_codename:
|
||||
app_label, codename = app_label_codename.split('.')
|
||||
q |= Q(**{'content_type__app_label': app_label, 'codename': codename})
|
||||
permissions = permissions.filter(q)
|
||||
return permissions
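Review bot: In the rewritten `clean_permissions`, `q` starts as an empty `Q()` and `permissions.filter(Q())` is a no-op, so when `ZTree.get_permissions_app_label_codename(scope)` yields nothing for a scope the method returns the entire queryset instead of none of it — the opposite of the allow-list the rewrite intends, and a regression from the old exclude-based version where an empty exclusion was harmless. Guard it before building `q`: `if not perms_app_label_codename: return permissions.none()`. `app_label_codename.split('.')` also raises `ValueError` on any tree entry that does not contain exactly one dot; `app_label, codename = app_label_codename.split('.', 1)` tolerates dots in the codename, or validate the path format where the tree is parsed. `Permission.get_permissions` sits between the two hunks and is only partly visible.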
|
||||
|
|
|
@ -0,0 +1,259 @@
|
|||
# @ 分割符 $ 企业版 # ! 系统级别 # # 组织级别 # 控制台
|
||||
flag_sep = '@'
|
||||
flag_license_required = '$'
|
||||
flag_scope_system = '!'
|
||||
# flag_scop_org = '#'
|
||||
|
||||
permission_paths = [
|
||||
# format: 权限树路径 / app.codename @ 企业版、系统级别
|
||||
'/root/view/view_console/rbac.view_console',
|
||||
'/root/view/view_console/rbac.view_dashboard',
|
||||
'/root/view/view_console/user_management/user_list/users.view_user',
|
||||
'/root/view/view_console/user_management/user_list/users.add_user',
|
||||
'/root/view/view_console/user_management/user_list/users.change_user',
|
||||
'/root/view/view_console/user_management/user_list/users.delete_user',
|
||||
f'/root/view/view_console/user_management/user_list/users.invite_user{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/user_management/user_list/users.remove_user{flag_sep}{flag_license_required}',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/perms.view_userassets',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.view_assetpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.change_assetpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.delete_assetpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/perms.view_userapps',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.view_applicationpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.change_applicationpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.delete_applicationpermission',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.view_loginacl',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.add_loginacl',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.change_loginacl',
|
||||
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.delete_loginacl',
|
||||
'/root/view/view_console/user_management/user_group_list/users.view_usergroup',
|
||||
'/root/view/view_console/user_management/user_group_list/users.add_usergroup',
|
||||
'/root/view/view_console/user_management/user_group_list/users.change_usergroup',
|
||||
'/root/view/view_console/user_management/user_group_list/users.delete_usergroup',
|
||||
'/root/view/view_console/user_management/user_group_list/user_group_detail/perms.view_permusergroupasset',
|
||||
'/root/view/view_console/user_management/role_list/permission_list/rbac.view_permission',
|
||||
'/root/view/view_console/user_management/role_list/org_role/rbac.view_orgrole',
|
||||
'/root/view/view_console/user_management/role_list/org_role/rbac.add_orgrole',
|
||||
'/root/view/view_console/user_management/role_list/org_role/rbac.change_orgrole',
|
||||
'/root/view/view_console/user_management/role_list/org_role/rbac.delete_orgrole',
|
||||
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.view_orgrolebinding',
|
||||
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.add_orgrolebinding',
|
||||
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.delete_orgrolebinding',
|
||||
'/root/view/view_console/user_management/role_list/system_role/rbac.view_systemrole',
|
||||
'/root/view/view_console/user_management/role_list/system_role/rbac.add_systemrole',
|
||||
'/root/view/view_console/user_management/role_list/system_role/rbac.change_systemrole',
|
||||
'/root/view/view_console/user_management/role_list/system_role/rbac.delete_systemrole',
|
||||
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.view_systemrolebinding',
|
||||
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.add_systemrolebinding',
|
||||
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.delete_systemrolebinding',
|
||||
|
||||
'/root/view/view_console/asset_management/asset_list/assets.view_asset',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.add_asset',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.change_asset',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.delete_asset',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.test_assetconnectivity',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.refresh_assethardwareinfo',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.push_assetsystemuser',
|
||||
'/root/view/view_console/asset_management/asset_list/assets.match_asset',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.view_node',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.add_node',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.change_node',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.delete_node',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.add_assettonode',
|
||||
'/root/view/view_console/asset_management/asset_list/node_tree/assets.move_assettonode',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.view_syncinstancetask{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.add_syncinstancetask{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.change_syncinstancetask{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.delete_syncinstancetask{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.add_syncinstancetaskexecution{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/sync_instance_task_detail/xpack.view_syncinstancetaskexecution{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/sync_instance_task_detail/xpack.view_syncinstancedetail{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.view_account{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.add_account{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.change_account{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.delete_account{flag_sep}{flag_license_required}',
|
||||
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.test_account{flag_sep}{flag_license_required}',
|
||||
'/root/view/view_console/asset_management/domain_list/assets.view_domain',
|
||||
'/root/view/view_console/asset_management/domain_list/assets.add_domain',
|
||||
'/root/view/view_console/asset_management/domain_list/assets.change_domain',
|
||||
'/root/view/view_console/asset_management/domain_list/assets.delete_domain',
|
||||
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.view_gateway',
|
||||
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.add_gateway',
|
||||
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.change_gateway',
|
||||
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.delete_gateway',
|
||||
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.test_gateway',
|
||||
'/root/view/view_console/asset_management/system_user/assets.view_systemuser',
|
||||
'/root/view/view_console/asset_management/system_user/assets.add_systemuser',
|
||||
'/root/view/view_console/asset_management/system_user/assets.change_systemuser',
|
||||
'/root/view/view_console/asset_management/system_user/assets.delete_systemuser',
|
||||
'/root/view/view_console/asset_management/system_user/assets.test_assetconnectivity',
|
||||
'/root/view/view_console/asset_management/system_user/assets.push_assetsystemuser',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.view_systemuserasset',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.add_systemuserasset',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.remove_systemuserasset',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.view_authbook',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.change_authbook',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.delete_authbook',
|
||||
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.test_authbook',
|
||||
'/root/view/view_console/asset_management/command_filter/assets.view_commandfilter',
|
||||
'/root/view/view_console/asset_management/command_filter/assets.add_commandfilter',
|
||||
'/root/view/view_console/asset_management/command_filter/assets.change_commandfilter',
|
||||
'/root/view/view_console/asset_management/command_filter/assets.delete_commandfilter',
|
||||
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.view_commandfilterrule',
|
||||
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.add_commandfilterrule',
|
||||
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.change_commandfilterrule',
|
||||
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.delete_commandfilterrule',
|
||||
'/root/view/view_console/asset_management/platform_list/assets.view_platform',
|
||||
'/root/view/view_console/asset_management/platform_list/assets.add_platform',
|
||||
'/root/view/view_console/asset_management/platform_list/assets.change_platform',
|
||||
'/root/view/view_console/asset_management/platform_list/assets.delete_platform',
|
||||
'/root/view/view_console/asset_management/label_management/assets.view_label',
|
||||
'/root/view/view_console/asset_management/label_management/assets.add_label',
|
||||
'/root/view/view_console/asset_management/label_management/assets.change_label',
|
||||
'/root/view/view_console/asset_management/label_management/assets.delete_label',
|
||||
|
||||
'/root/view/view_console/app_management/remote_app/applications.view_remoteapp',
|
||||
'/root/view/view_console/app_management/remote_app/applications.add_remoteapp',
|
||||
'/root/view/view_console/app_management/remote_app/applications.change_remoteapp',
|
||||
'/root/view/view_console/app_management/remote_app/applications.delete_remoteapp',
|
||||
'/root/view/view_console/app_management/db_app/applications.view_databaseapp',
|
||||
'/root/view/view_console/app_management/db_app/applications.add_databaseapp',
|
||||
'/root/view/view_console/app_management/db_app/applications.change_databaseapp',
|
||||
'/root/view/view_console/app_management/db_app/applications.delete_databaseapp',
|
||||
'/root/view/view_console/app_management/k8s_app/applications.view_kubernetesapp',
|
||||
'/root/view/view_console/app_management/k8s_app/applications.add_kubernetesapp',
|
||||
'/root/view/view_console/app_management/k8s_app/applications.change_kubernetesapp',
|
||||
'/root/view/view_console/app_management/k8s_app/applications.delete_kubernetesapp',
|
||||
|
||||
'/root/view/view_console/account_management/asset_account/assets.view_authbook',
|
||||
'/root/view/view_console/account_management/asset_account/assets.add_authbook',
|
||||
'/root/view/view_console/account_management/asset_account/assets.change_authbook',
|
||||
'/root/view/view_console/account_management/asset_account/assets.delete_authbook',
|
||||
'/root/view/view_console/account_management/asset_account/assets.test_authbook',
|
||||
'/root/view/view_console/account_management/application_account/applications.view_account',
|
||||
'/root/view/view_console/account_management/application_account/applications.add_account',
|
||||
'/root/view/view_console/account_management/application_account/applications.change_account',
|
||||
'/root/view/view_console/account_management/application_account/applications.delete_account',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_list/assets.view_gathereduser',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.view_gatherusertask',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.add_gatherusertask',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.change_gatherusertask',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.delete_gatherusertask',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.add_gatherusertaskexecution',
|
||||
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.view_gatherusertaskexecution',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.view_changeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.add_changeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.change_changeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.delete_changeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.add_changeauthplanexecution',
|
||||
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.view_changeauthplanexecution',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.view_applicationchangeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.add_applicationchangeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.change_applicationchangeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.delete_applicationchangeauthplan',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.add_applicationchangeauthplanexecution',
|
||||
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.view_applicationchangeauthplanexecution',
|
||||
'/root/view/view_console/account_management/account_backup/assets.view_accountbackupplan',
|
||||
'/root/view/view_console/account_management/account_backup/assets.add_accountbackupplan',
|
||||
'/root/view/view_console/account_management/account_backup/assets.change_accountbackupplan',
|
||||
'/root/view/view_console/account_management/account_backup/assets.delete_accountbackupplan',
|
||||
'/root/view/view_console/account_management/account_backup/assets.add_accountbackupplanexecution',
|
||||
'/root/view/view_console/account_management/account_backup/assets.view_accountbackupplanexecution',
|
||||
|
||||
'/root/view/view_console/perm_management/asset_permission/perms.view_assetpermission',
|
||||
'/root/view/view_console/perm_management/asset_permission/perms.add_assetpermission',
|
||||
'/root/view/view_console/perm_management/asset_permission/perms.change_assetpermission',
|
||||
'/root/view/view_console/perm_management/asset_permission/perms.delete_assetpermission',
|
||||
'/root/view/view_console/perm_management/app_permission/perms.view_applicationpermission',
|
||||
'/root/view/view_console/perm_management/app_permission/perms.add_applicationpermission',
|
||||
'/root/view/view_console/perm_management/app_permission/perms.change_applicationpermission',
|
||||
'/root/view/view_console/perm_management/app_permission/perms.delete_applicationpermission',
|
||||
|
||||
'/root/view/view_console/access_control/asset_login/acls.view_loginassetacl',
|
||||
'/root/view/view_console/access_control/asset_login/acls.add_loginassetacl',
|
||||
'/root/view/view_console/access_control/asset_login/acls.change_loginassetacl',
|
||||
'/root/view/view_console/access_control/asset_login/acls.delete_loginassetacl',
|
||||
|
||||
'/root/view/view_console/job_center/task_list/ops.view_task',
|
||||
'/root/view/view_console/job_center/task_list/ops.delete_task',
|
||||
'/root/view/view_console/job_center/task_list/ops.add_adhocexecution',
|
||||
'/root/view/view_console/job_center/task_list/task_list_detail/ops.view_adhoc',
|
||||
'/root/view/view_console/job_center/task_list/task_list_detail/ops.view_adhocexecution',
|
||||
'/root/view/view_console/job_center/ops.view_taskmonitor',
|
||||
|
||||
'/root/view/view_audit/rbac.view_audit',
|
||||
'/root/view/view_audit/rbac.view_dashboard',
|
||||
'/root/view/view_audit/session_audit/session_record/terminal.view_session',
|
||||
'/root/view/view_audit/session_audit/session_record/terminal.terminate_session',
|
||||
'/root/view/view_audit/session_audit/session_record/terminal.monitor_session',
|
||||
'/root/view/view_audit/session_audit/session_record/session_detail/terminal.view_command',
|
||||
'/root/view/view_audit/session_audit/session_record/session_detail/terminal.view_sessionjoinrecord',
|
||||
'/root/view/view_audit/session_audit/command_record/terminal.view_command',
|
||||
'/root/view/view_audit/session_audit/command_record/terminal.view_commandstorage',
|
||||
'/root/view/view_audit/session_audit/file_transfer/audits.view_ftplog',
|
||||
'/root/view/view_audit/log_audit/audits.view_userloginlog',
|
||||
'/root/view/view_audit/log_audit/audits.view_operatelog',
|
||||
'/root/view/view_audit/log_audit/audits.view_passwordchangelog',
|
||||
'/root/view/view_audit/log_audit/ops.view_commandexecution',
|
||||
|
||||
'/root/view/view_workspace/rbac.view_workspace',
|
||||
'/root/view/view_workspace/rbac.view_overview',
|
||||
'/root/view/view_workspace/my_asset/perms.view_myassets',
|
||||
'/root/view/view_workspace/my_asset/perms.connect_myassets',
|
||||
'/root/view/view_workspace/my_app/my_remote_app/perms.view_myremoteapp',
|
||||
'/root/view/view_workspace/my_app/my_remote_app/perms.connect_myremoteapp',
|
||||
'/root/view/view_workspace/my_app/my_db_app/perms.view_mydatabaseapp',
|
||||
'/root/view/view_workspace/my_app/my_db_app/perms.connect_mydatabaseapp',
|
||||
'/root/view/view_workspace/my_app/my_k8s_app/perms.view_mykubernetesapp',
|
||||
'/root/view/view_workspace/my_app/my_k8s_app/perms.connect_mykubernetesapp',
|
||||
'/root/view/view_workspace/ops.add_commandexecution',
|
||||
'/root/view/view_workspace/rbac.view_webterminal',
|
||||
'/root/view/view_workspace/rbac.view_filemanager',
|
||||
|
||||
'/root/notifications.view_sitemessage',
|
||||
'/root/rbac.view_webterminal',
|
||||
|
||||
f'/root/system_setting/settings.change_basic{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/settings.change_email{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/settings.change_auth{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/notifications.change_systemmsgsubscription{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/settings.change_sms{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/terminal_setting/settings.change_terminal_basic_setting{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/terminal_management/terminal.view_terminal{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/terminal_management/terminal.change_terminal{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/terminal_management/terminal.delete_terminal{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/replay_storage/terminal.view_replaystorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/replay_storage/terminal.add_replaystorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/replay_storage/terminal.change_replaystorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/replay_storage/terminal.delete_replaystorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/command_storage/terminal.view_commandstorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/command_storage/terminal.add_commandstorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/command_storage/terminal.change_commandstorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/command_storage/terminal.delete_commandstorage{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/terminal_setting/terminal.view_status{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/settings.change_security{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/settings.change_clean{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/org_management/orgs.view_rootorg{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/org_management/orgs.view_organization{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/org_management/orgs.add_organization{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/org_management/orgs.change_organization{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/org_management/orgs.delete_organization{flag_sep}{flag_scope_system}{flag_license_required}',
|
||||
f'/root/system_setting/settings.change_other{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/license/xpack.view_license{flag_sep}{flag_scope_system}',
|
||||
f'/root/system_setting/license/xpack.add_license{flag_sep}{flag_scope_system}',
|
||||
|
||||
f'/root/ticket/tickets.view_ticket{flag_sep}{flag_license_required}',
|
||||
f'/root/ticket/tickets.add_ticket{flag_sep}{flag_license_required}',
|
||||
f'/root/ticket/ticket_detail/tickets.change_ticket{flag_sep}{flag_license_required}',
|
||||
f'/root/ticket/ticket_detail/tickets.add_comment{flag_sep}{flag_license_required}',
|
||||
f'/root/ticket/ticket_detail/tickets.view_comment{flag_sep}{flag_license_required}',
|
||||
f'/root/ticket/ticket_detail/tickets.view_ticketsession{flag_sep}{flag_license_required}',
|
||||
|
||||
# '/root/rbac.view_help',
|
||||
f'/root/api_permission/terminal.add_session',
|
||||
'/root/api_permission/terminal.add_command',
|
||||
f'/root/api_permission/tickets.add_superticket{flag_sep}{flag_license_required}',
|
||||
'/root/api_permission/authentication.add_superconnectiontoken',
|
||||
'/root/api_permission/authentication.view_connectiontokensecret',
|
||||
# ...
|
||||
]
|
|
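--- /dev/null
+++ b/[path not on page: module defining ZTree]
@@ -0,0 +1,207 @@
+import random
+from collections import defaultdict
+from django.utils.translation import ugettext
+from common.tree import TreeNode as RawTreeNode
+from django.utils.translation import gettext_lazy as _, gettext
+from rbac.models import Permission, ContentType
+from django.db.models import F, Count
+from .permissions import permission_paths, flag_license_required, flag_sep, flag_scope_system
+from .tree_nodes import permission_tree_nodes
+from ..const import Scope
+from jumpserver.utils import has_valid_xpack_license
+from django.conf import settings
+
+
+class TreeNode(RawTreeNode):
+total_count = 0
+checked_count = 0
+app_label_codename = ''
+
+def mark_checked_if_need(self):
+if self.isParent:
+self.checked = self.total_count == self.checked_count
+
+def refresh_name_if_need(self):
+if self.isParent:
+self.name = str(self.name) + f'({self.checked_count}/{self.total_count})'
+elif settings.DEBUG:
+self.name = str(self.name) + f'({self.app_label_codename})'
+
+
+class TreeNodes:
+
+def __init__(self):
+self.tree_nodes = defaultdict(TreeNode)
+
+def add_node(self, data):
+tree_node = self.add(data)
+tree_node.total_count += 1
+
+def add_leaf(self, data):
+tree_node = self.add(data)
+if not data['checked']:
+return
+
+parent_node = self.tree_nodes.get(tree_node.pId)
+while parent_node:
+parent_node.checked_count += 1
+parent_node = self.tree_nodes.get(parent_node.pId)
+
+def add(self, data):
+_id = data['id']
+data['name'] = data.get('name') or data['id']
+tree_node = self.tree_nodes.get(_id, TreeNode(**data))
+self.tree_nodes[tree_node.id] = tree_node
+return tree_node
+
+def get(self):
+tree_nodes = list(self.tree_nodes.values())
+for tree_node in tree_nodes:
+tree_node.mark_checked_if_need()
+tree_node.refresh_name_if_need()
+return tree_nodes
+
+
+class ZTree(object):
+
+has_valid_license = has_valid_xpack_license()
+
+def __init__(self, checked_permission, scope, check_disabled=False):
+self.scope = scope
+self.checked_permission = self.prefetch_permissions(
+checked_permission
+)
+self.checked_permissions_mapper = {p.id: p for p in self.checked_permission}
+self.permissions = self.prefetch_permissions(
+Permission.get_permissions(scope)
+)
+self.permissions_mapper = {p.app_label_codename: p for p in self.permissions}
+self.content_types_name_mapper = {ct.model: ct.name for ct in ContentType.objects.all()}
+self.check_disabled = check_disabled
+self.tree_nodes = TreeNodes()
+self.show_node_level = 3
+
+@staticmethod
+def prefetch_permissions(permissions):
+return permissions.select_related('content_type') \
+.annotate(app=F('content_type__app_label')) \
+.annotate(model=F('content_type__model'))
+
+def get_tree_nodes(self):
+perm_paths = self.__class__.get_permission_paths(self.scope)
+for perm_path in perm_paths:
+self.generate_tree_nodes_by_path(perm_path)
+return self.tree_nodes.get()
+
+def generate_tree_nodes_by_path(self, perm_path):
+path, perm_app_label_codename = perm_path.rsplit('/', 1)
+
+# add path
+path_list = path.lstrip('/').split('/')
+pid = ''
+for level, tree_node_id in enumerate(path_list, start=1):
+name = _('Detail') if 'detail' in tree_node_id else tree_node_id
+data = dict({
+'id': tree_node_id,
+'name': name,
+'title': name,
+'pId': pid,
+'isParent': True,
+'chkDisabled': self.check_disabled,
+'open': level < self.show_node_level,
+'meta': {
+'type': 'perm',
+}
+})
+_data = permission_tree_nodes.get(tree_node_id, {})
+data.update(_data)
+pid = data['id']
+self.tree_nodes.add_node(data)
+
+# add perm
+if not perm_app_label_codename:
+return
+perm = self.permissions_mapper.get(perm_app_label_codename)
+if perm:
+# 解决同一个权限不能在多个节点的问题
+_id = f'{pid}#{perm.id}'
+name = self._get_permission_name(perm)
+checked = perm.id in self.checked_permissions_mapper
+else:
+# 最终不应该走这里,所有权限都要在数据库里
+_id = perm_app_label_codename
+name = perm_app_label_codename
+checked = False
+
+data = {
+'id': _id,
+'pId': pid,
+'name': name,
+'title': perm_app_label_codename,
+'chkDisabled': self.check_disabled,
+'app_label_codename': perm_app_label_codename,
+'isParent': False,
+'iconSkin': 'file',
+'open': False,
+'checked': checked,
+'meta': {
+'type': 'perm',
+}
+}
+_data = permission_tree_nodes.get(perm_app_label_codename, {})
+data.update(_data)
+self.tree_nodes.add_leaf(data)
+
+def _get_permission_name(self, p):
+code_name = p.codename
+action_mapper = {
+'add': ugettext('Create'),
+'view': ugettext('View'),
+'change': ugettext('Update'),
+'delete': ugettext('Delete')
+}
+name = ''
+ct = ''
+if 'add_' in p.codename:
+name = action_mapper['add']
+ct = code_name.replace('add_', '')
+elif 'view_' in p.codename:
+name = action_mapper['view']
+ct = code_name.replace('view_', '')
+elif 'change_' in p.codename:
+name = action_mapper['change']
+ct = code_name.replace('change_', '')
+elif 'delete' in code_name:
+name = action_mapper['delete']
+ct = code_name.replace('delete_', '')
+
+if ct in self.content_types_name_mapper:
+name += self.content_types_name_mapper[ct]
+else:
+name = gettext(p.name)
+name = name.replace('Can ', '').replace('可以', '')
+return name
+
+@classmethod
+def get_permissions_app_label_codename(cls, scope):
+perm_paths = cls.get_permission_paths(scope)
+perms = []
+for path in perm_paths:
+path, app_label_code_name = path.rsplit('/', 1)
+if not app_label_code_name:
+continue
+perms.append(app_label_code_name)
+return perms
+
+@classmethod
+def get_permission_paths(cls, scope):
+perm_paths = []
+for path in permission_paths:
+if flag_sep in path:
+path, flags = path.split(flag_sep)
+if flag_scope_system in flags and scope == Scope.org:
+continue
+if flag_license_required in flags and not cls.has_valid_license:
+continue
+perm_paths.append(path)
+return perm_paths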
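Review bot: `has_valid_license = has_valid_xpack_license()` in the `ZTree` class body is evaluated once at import time, so `get_permission_paths` keeps filtering the `flag_license_required` paths by the license state the process started with; a license activated or revoked afterwards does not change which permissions the tree exposes until the worker restarts. Evaluating it per call is a one-line change in `get_permission_paths`, `if flag_license_required in flags and not has_valid_xpack_license():`, with the class attribute dropped (assuming the helper is cheap enough to call per request, which is not visible here). Separately, `TreeNodes.__init__` builds a `defaultdict(TreeNode)` but every lookup goes through `.get()`, so the default factory never fires and a plain `dict` would state the intent, and `self.tree_nodes.get(_id, TreeNode(**data))` in `add` constructs a throwaway node on every hit. `import random` and `Count` are unused.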
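--- /dev/null
+++ b/[path not on page: tree_nodes module]
@@ -0,0 +1,308 @@
+from django.utils.translation import gettext_lazy as _
+
+permission_tree_nodes = {
+# 节点
+'root': {
+'name': _('All permissions'),
+},
+'view': {
+'name': _("View menu")
+},
+'view_console': {
+'name': _('Console view'),
+},
+'user_management': {
+'name': _('User management')
+},
+'user_list': {
+'name': _('User list')
+},
+'view_workspace': {
+'name': _('Workspace view')
+},
+'view_audit': {
+'name': _("Audit view")
+},
+'asset_perm': {
+'name': _('Asset permission')
+},
+'session_audits': {
+'name': _('Session audits')
+},
+'session_record': {
+'name': _('Online/Offline Session record')
+},
+'asset_management': {
+'name': _('Asset management')
+},
+'asset_list': {
+'name': _('Asset list')
+},
+'my_asset': {
+'name': _('My assets')
+},
+'my_app': {
+'name': _('My application')
+},
+'bulk_command': {
+'name': _('Bulk command')
+},
+'system_setting': {
+'name': _('System setting')
+},
+'ticket': {
+'name': _('Ticket system')
+},
+'help': {
+'name': _('Help')
+},
+'api_permission': {
+'name': _('API permission')
+},
+'app_management': {
+'name': _('Application management')
+},
+'account_management': {
+'name': _('Account management'),
+},
+'perm_management': {
+'name': _('Permission management'),
+},
+'access_control': {
+'name': _('Access control'),
+},
+'job_center': {
+'name': _('Job center'),
+},
+'session_audit': {
+'name': _('Session audit')
+},
+'log_audit': {
+'name': _('Log audit')
+},
+'user_group_list': {
+'name': _('User group')
+},
+'role_list': {
+'name': _('Role list')
+},
+'app_perm': {
+'name': _('Application permission')
+},
+'user_login_acl': {
+'name': _('User login acl')
+},
+'user_group_detail': {
+'name': _('Detail')
+},
+'permission_list': {
+'name': _('Permission list')
+},
+'node_tree': {
+'name': _('Node tree')
+},
+'cloud_sync': {
+'name': _('Cloud sync')
+},
+'sync_instance_task_list': {
+'name': _('Sync instance task list')
+},
+'account_list': {
+'name': _('Account list')
+},
+'system_user': {
+'name': _('Common/Admin User')
+},
+'system_user_asset_list': {
+'name': _('Asset list'),
+},
+'system_user_account_list': {
+'name': _('Account list')
+},
+'command_filter': {
+'name': _('Command filter')
+},
+'command_filter_rule': {
+'name': _('Command filter rule')
+},
+'platform_list': {
+'name': _('Platform list')
+},
+'label_management': {
+'name': _('Label management')
+},
+'remote_app': {
+'name': _('Remote application')
+},
+'db_app': {
+'name': _('Database application')
+},
+'k8s_app': {
+'name': _('Kubernetes')
+},
+'asset_account': {
+'name': _('Asset account')
+},
+'application_account': {
+'name': _('Application account')
+},
+'gather_user': {
+'name': _('Gathered user')
+},
+'gather_user_list': {
+'name': _('Gathered user list')
+},
+'gather_user_task_list': {
+'name': _('Gathered user task list')
+},
+'change_auth_plan': {
+'name': _('Change auth plan')
+},
+'asset_change_auth_plan': {
+'name': _('Asset change auth plan')
+},
+'app_change_auth_plan': {
+'name': _('Application change auth plan')
+},
+'account_backup': {
+'name': _('Account backup')
+},
+'asset_permission': {
+'name': _('Asset permission')
+},
+'app_permission': {
+'name': _('Application permission')
+},
+'asset_login': {
+'name': _('Asset login')
+},
+'task_list': {
+'name': _('Task list')
+},
+'command_record': {
+'name': _('Command record')
+},
+'file_transfer': {
+'name': _('File transfer')
+},
+'my_remote_app': {
+'name': _('Remote App')
+},
+'my_db_app': {
+'name': _('Database application')
+},
+'my_k8s_app': {
+'name': _('Kubernetes')
+},
+'terminal_setting': {
+'name': _('Terminal setting')
+},
+'terminal_management': {
+'name': _('Terminal management')
+},
+'command_storage': {
+'name': _('Command storage')
+},
+'replay_storage': {
+'name': _('Replay storage')
+},
+'org_management': {
+'name': _('Organization management')
+},
+'license': {
+'name': _('License')
+},
+
+# 权限
+'rbac.view_permission': {
+'name': _('View all permission')
+},
+'domain_list': {
+'name': _('Domain list')
+},
+'gateway_list': {
+'name': _('Gateway list')
+},
+'org_role': {
+'name': _('Organization role')
+},
+'system_role': {
+'name': _('System role')
+},
+'xpack.add_gatherusertaskexecution': {
+'name': _('Run gather user task')
+},
+'xpack.add_changeauthplanexecution': {
+'name': _('Run asset change auth plan')
+},
+'xpack.add_applicationchangeauthplanexecution': {
+'name': _('Run application change auth plan')
+},
+'assets.add_accountbackupplanexecution': {
+'name': _('Run account backup plan')
+},
+'ops.add_adhocexecution': {
+'name': _('Run task')
+},
+'ops.view_adhoc': {
+'name': _('View task version')
+},
+'ops.view_adhocexecution': {
+'name': _('View execution history')
+},
+'ops.add_commandexecution': {
+'name': _('Bulk command')
+},
+'notifications.view_sitemessage': {
+'name': _('Site message')
+},
+'notifications.change_systemmsgsubscription': {
+'name': _('Message subscription')
+},
+'terminal.view_status': {
+'name': _('Component monitor')
+},
+'tickets.view_ticket': {
+'name': _('View my/assigned ticket')
+},
+'tickets.add_ticket': {
+'name': _('Create asset/application ticket')
+},
+'tickets.change_ticket': {
+'name': _('Change/close ticket')
+},
+'assets.match_asset': {
+'name': _('View some of the assets searched')
+},
+'rbac.view_workspace': {
+'checked': True,
+'chkDisabled': True,
+},
+'rbac.view_overview': {
+'name': _('Overview'),
+'checked': True,
+'chkDisabled': True,
+},
+'rbac.view_orgrolebinding': {
+'name': _('View permission user')
+},
+'rbac.add_orgrolebinding': {
+'name': _('Add user to role')
+},
+'rbac.delete_orgrolebinding': {
+'name': _('Remove user from role')
+},
+'rbac.view_systemrolebinding': {
+'name': _('View permission user')
+},
+'rbac.add_systemrolebinding': {
+'name': _('Add user to role')
+},
+'rbac.delete_systemrolebinding': {
+'name': _('Remove user from role')
+},
+'xpack.add_syncinstancetaskexecution': {
+'name': _('Run sync instance task')
+}
+
+}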
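Review bot: The `rbac.view_workspace` and `rbac.view_overview` entries carry `'checked': True` and `'chkDisabled': True`, and `ZTree.generate_tree_nodes_by_path` merges this mapping with `data.update(_data)` after `checked` has been computed from the role's actual permissions, so these two leaves are rendered as granted, and counted toward their ancestors' `checked_count` in `TreeNodes.add_leaf`, whether or not the role holds them. If every role is meant to implicitly have these two permissions, say so on the entries, e.g. `# forced on: shown checked and locked for every role; these keys override the computed 'checked' in ZTree`; if not, the override should be limited to `chkDisabled`. Near-duplicate display names (`asset_perm`/`asset_permission`, `app_perm`/`app_permission`) would benefit from a comment on which keys are still referenced by `permission_paths`, and the final entry lacks the trailing comma the rest of the literal uses.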
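--- /dev/null
+++ b/[path not on page: settings app migration]
@@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-09 22:16
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+dependencies = [
+('settings', '0004_auto_20220211_1401'),
+]
+
+operations = [
+migrations.AlterModelOptions(
+name='setting',
+options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_other', 'Can change other setting'), ('change_terminal_basic_setting', 'Can change terminal basic setting')], 'verbose_name': 'System setting'},
+),
+]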
@ -138,3 +138,13 @@ class Setting(models.Model):
|
|||
class Meta:
|
||||
db_table = "settings_setting"
|
||||
verbose_name = _("System setting")
|
||||
permissions = [
|
||||
('change_basic', _('Can change basic setting')),
|
||||
('change_email', _('Can change email setting')),
|
||||
('change_auth', _('Can change auth setting')),
|
||||
('change_sms', _('Can change sms setting')),
|
||||
('change_security', _('Can change security setting')),
|
||||
('change_clean', _('Can change clean setting')),
|
||||
('change_other', _('Can change other setting')),
|
||||
('change_terminal_basic_setting', _('Can change terminal basic setting')),
|
||||
]
|
||||
|
|
|
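Review bot: The new `permissions` list adds eight per-section codenames, but the `Meta` sets no `default_permissions`, so Django still creates `add_setting`, `change_setting`, `delete_setting` and `view_setting` for this model; none of those appear under `/root/system_setting/...` in the tree paths, so a role holding them would not show it in the permission tree. If the per-section codenames are meant to be the only way to grant settings changes, add `default_permissions = ()` next to `permissions` (this also changes the generated migration and any check on `settings.change_setting` elsewhere, which this hunk does not show); otherwise a one-line comment that the model-level permissions are intentionally kept but not tree-visible would help the next reader. Note that `_get_permission_name` in the tree builder strips the `Can ` prefix from these labels, so the wording after it is what users see.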
@ -274,7 +274,7 @@ class RoleMixin:
|
|||
def perms(self):
|
||||
key = self.PERM_CACHE_KEY.format(self.id, current_org.id)
|
||||
perms = cache.get(key)
|
||||
if not perms:
|
||||
if not perms or settings.DEBUG:
|
||||
perms = self.get_all_permissions()
|
||||
cache.set(key, perms, 3600)
|
||||
return perms
|
||||
|
|
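Review bot: Gating the recompute on `settings.DEBUG` makes authorization caching behave differently in development and production: with DEBUG on, a role's permission changes take effect immediately, while in production `perms` is served from the cache for up to 3600 s unless the key is invalidated elsewhere (not visible in this hunk), so stale-permission problems will only surface in production. The new line deserves a comment naming the production invalidation path, e.g. `# DEBUG: always recompute; in production the key is evicted by <invalidation hook, fill in> on role/binding changes`. The `not perms` test also treats a role with an empty permission set as a cache miss, so such roles recompute and re-set the cache on every call; `if perms is None or settings.DEBUG:` would distinguish the two, assuming `get_all_permissions()` returns an empty container rather than None (its body is outside the hunk). Any decorator on `perms` is also outside the hunk.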