Perf: 优化RBAC权限树 (#7782)

* fix: 优化权限树(1)

* fix: 优化权限树(2)

* fix: 优化权限树(3)

* fix: 优化权限树(4)

* fix: 优化权限树(5)

* fix: 优化权限树(添加迁移文件)

* fix: 优化权限树(6)

* fix: 优化权限树(7)

* fix: 优化权限树(8)

* fix: 优化权限树(9)
pull/7786/head
Jiangjie.Bai 2022-03-10 11:25:33 +08:00 committed by GitHub
parent 9ca0eaf7ce
commit b017e68a56
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
28 changed files with 1672 additions and 341 deletions


@ -0,0 +1,49 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('applications', '0018_auto_20220223_1539'),
]
operations = [
migrations.CreateModel(
name='DatabaseApp',
fields=[
],
options={
'verbose_name': 'Database application',
'proxy': True,
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel(
name='KubernetesApp',
fields=[
],
options={
'verbose_name': 'Kubernetes',
'proxy': True,
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel(
name='RemoteApp',
fields=[
],
options={
'verbose_name': 'Remote application',
'proxy': True,
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
]


@ -266,3 +266,21 @@ class ApplicationUser(SystemUser):
class Meta: class Meta:
proxy = True proxy = True
verbose_name = _('Application user') verbose_name = _('Application user')
class RemoteApp(Application):
class Meta:
proxy = True
verbose_name = _('Remote application')
class DatabaseApp(Application):
class Meta:
proxy = True
verbose_name = _('Database application')
class KubernetesApp(Application):
class Meta:
proxy = True
verbose_name = _('Kubernetes')
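Review bot: The three proxy classes added here (`RemoteApp`, `DatabaseApp`, `KubernetesApp`) have no docstring and define no manager, so a query through any of them would presumably return every `Application` row regardless of category. If they exist only to give each category its own `view_`/`add_`/`change_`/`delete_` codenames for the RBAC tree, say so in a class docstring, e.g. `"""Proxy of Application that only scopes RBAC permissions to remote apps; it does not filter by category."""`, so that nobody treats a query on the proxy as an access filter. The module continues outside the hunk, so a manager defined elsewhere cannot be ruled out.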


@ -0,0 +1,29 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('assets', '0088_auto_20220303_1612'),
]
operations = [
migrations.AlterModelOptions(
name='authbook',
options={'permissions': [('test_authbook', 'Can test asset account connectivity'), ('view_assetaccountsecret', 'Can view asset account secret'), ('change_assetaccountsecret', 'Can change asset account secret')], 'verbose_name': 'AuthBook'},
),
migrations.AlterModelOptions(
name='systemuser',
options={'ordering': ['name'], 'permissions': [('view_systemuserasset', 'Can view system user asset'), ('add_systemuserasset', 'Can add asset to system user'), ('remove_systemuserasset', 'Can remove system user asset'), ('match_systemuser', 'Can match system user')], 'verbose_name': 'System user'},
),
migrations.AlterModelOptions(
name='asset',
options={'ordering': ['hostname'], 'permissions': [('refresh_assethardwareinfo', 'Can refresh asset hardware info'), ('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset'), ('match_asset', 'Can match asset'), ('add_assettonode', 'Add asset to node'), ('move_assettonode', 'Move asset to node')], 'verbose_name': 'Asset'},
),
migrations.AlterModelOptions(
name='gateway',
options={'permissions': [('test_gateway', 'Test gateway')], 'verbose_name': 'Gateway'},
),
]


@ -359,4 +359,6 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
('test_assetconnectivity', _('Can test asset connectivity')), ('test_assetconnectivity', _('Can test asset connectivity')),
('push_assetsystemuser', _('Can push system user to asset')), ('push_assetsystemuser', _('Can push system user to asset')),
('match_asset', _('Can match asset')), ('match_asset', _('Can match asset')),
('add_assettonode', _('Add asset to node')),
('move_assettonode', _('Move asset to node')),
] ]
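Review bot: The two labels added here, `'Add asset to node'` and `'Move asset to node'`, drop the `Can …` prefix that every other entry in this list carries, and `'Test gateway'` in the Gateway section does the same. These strings are what an administrator reads when granting rights, so they should be uniform: `('add_assettonode', _('Can add asset to node'))` and `('move_assettonode', _('Can move asset to node'))`. The generated migration that repeats these labels would need regenerating to match. The `permissions` list begins outside the hunk.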


@ -27,6 +27,7 @@ class AuthBook(BaseUser, AbsConnectivity):
verbose_name = _('AuthBook') verbose_name = _('AuthBook')
unique_together = [('username', 'asset', 'systemuser')] unique_together = [('username', 'asset', 'systemuser')]
permissions = [ permissions = [
('test_authbook', _('Can test asset account connectivity')),
('view_assetaccountsecret', _('Can view asset account secret')), ('view_assetaccountsecret', _('Can view asset account secret')),
('change_assetaccountsecret', _('Can change asset account secret')) ('change_assetaccountsecret', _('Can change asset account secret'))
] ]


@ -70,6 +70,9 @@ class Gateway(BaseUser):
class Meta: class Meta:
unique_together = [('name', 'org_id')] unique_together = [('name', 'org_id')]
verbose_name = _("Gateway") verbose_name = _("Gateway")
permissions = [
('test_gateway', _('Test gateway'))
]
def set_unconnective(self): def set_unconnective(self):
unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id) unconnective_key = self.UNCONNECTIVE_KEY_TMPL.format(self.id)


@ -324,6 +324,9 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
unique_together = [('name', 'org_id')] unique_together = [('name', 'org_id')]
verbose_name = _("System user") verbose_name = _("System user")
permissions = [ permissions = [
('view_systemuserasset', _('Can view system user asset')),
('add_systemuserasset', _('Can add asset to system user')),
('remove_systemuserasset', _('Can remove system user asset')),
('match_systemuser', _('Can match system user')), ('match_systemuser', _('Can match system user')),
] ]


@ -0,0 +1,17 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('authentication', '0008_superconnectiontoken'),
]
operations = [
migrations.AlterModelOptions(
name='connectiontoken',
options={'permissions': [('view_connectiontokensecret', 'Can view connection token secret')], 'verbose_name': 'Connection token'},
),
]


@ -59,6 +59,9 @@ class ConnectionToken(models.JMSBaseModel):
class Meta: class Meta:
verbose_name = _('Connection token') verbose_name = _('Connection token')
permissions = [
('view_connectiontokensecret', _('Can view connection token secret'))
]
class SuperConnectionToken(ConnectionToken): class SuperConnectionToken(ConnectionToken):
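Review bot: `view_connectiontokensecret` is only declared in `Meta.permissions` here, and declaring a codename restricts nothing by itself; no view or serializer in this section ties the token secret to it. Before relying on it, confirm that the endpoint returning the secret checks `authentication.view_connectiontokensecret`, and that the codename is listed in the permission tree so it can actually be granted. A one-line comment above the tuple stating which endpoint enforces it, e.g. `# checked by the API that returns the token secret`, would make the intent reviewable. The `ConnectionToken` class body starts outside the hunk.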


@ -214,7 +214,7 @@ class DatesLoginMetricMixin:
class IndexApi(DatesLoginMetricMixin, APIView): class IndexApi(DatesLoginMetricMixin, APIView):
http_method_names = ['get'] http_method_names = ['get']
rbac_perms = { rbac_perms = {
'GET': 'rbac.view_resourcestatistics' 'GET': 'rbac.view_dashboard'
} }
def get(self, request, *args, **kwargs): def get(self, request, *args, **kwargs):
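Review bot: Switching the check to `'rbac.view_dashboard'` leaves any role that was granted `rbac.view_resourcestatistics` without access to this endpoint unless its grants are carried over, and no data migration doing that is visible in this commit. `AlterModelOptions` only changes migration state; Django creates the new `Permission` rows after migrate, but the old rows and whatever role bindings point at them stay as they are. A `RunPython` step mapping the old codenames (`view_resourcestatistics`, `view_adminview`, `view_auditview`, `view_userview`) to the new ones would keep existing roles working and clear the stale grants. The class body continues outside the hunk.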


@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1 version https://git-lfs.github.com/spec/v1
oid sha256:819f2eb404c90465d945987436e236488653e031c46e90fb23defae28ca57c19 oid sha256:a5f51e35576a9fd77db6f5267ccaffe74c453828ec36abc5dbea9734c8ac6a01
size 102615 size 107878



@ -12,19 +12,6 @@ class Migration(migrations.Migration):
] ]
operations = [ operations = [
migrations.CreateModel(
name='PermedApplication',
fields=[
],
options={
'verbose_name': 'Permed app',
'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
'proxy': True,
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel( migrations.CreateModel(
name='PermedAsset', name='PermedAsset',
fields=[ fields=[


@ -0,0 +1,78 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('applications', '0019_databaseapp_kubernetesapp_remoteapp'),
('perms', '0026_auto_20220307_1500'),
]
operations = [
migrations.CreateModel(
name='PermedApplication',
fields=[
],
options={
'verbose_name': 'Permed application',
'permissions': [('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
'proxy': True,
'default_permissions': [],
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel(
name='PermedDatabaseApp',
fields=[
],
options={
'verbose_name': 'Database application',
'permissions': [('view_mydatabaseapp', 'Can view my database application'), ('connect_mydatabaseapp', 'Can connect my database application')],
'proxy': True,
'default_permissions': [],
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel(
name='PermedKubernetesApp',
fields=[
],
options={
'verbose_name': 'Kubernetes',
'permissions': [('view_mykubernetesapp', 'Can view my kubernetes application'), ('connect_mykubernetesapp', 'Can connect my kubernetes application')],
'proxy': True,
'default_permissions': [],
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.CreateModel(
name='PermedRemoteApp',
fields=[
],
options={
'verbose_name': 'Permed remote application',
'permissions': [('view_myremoteapp', 'Can view my remoteapp'), ('connect_myremoteapp', 'Can connect my remoteapp')],
'proxy': True,
'default_permissions': [],
'indexes': [],
'constraints': [],
},
bases=('applications.application',),
),
migrations.AlterModelOptions(
name='applicationpermission',
options={'ordering': ('name',), 'permissions': [('view_permuserapplication', 'Can view application of permission to user')], 'verbose_name': 'Application permission'},
),
migrations.AlterModelOptions(
name='assetpermission',
options={'ordering': ('name',), 'permissions': [('view_permuserasset', 'Can view asset of permission to user'), ('view_permusergroupasset', 'Can view asset of permission to user group')], 'verbose_name': 'Asset permission'},
),
]


@ -36,9 +36,11 @@ class ApplicationPermission(BasePermission):
class Meta: class Meta:
unique_together = [('org_id', 'name')] unique_together = [('org_id', 'name')]
verbose_name = _('Application permission') verbose_name = _('Application permission')
permissions = [
('view_permuserapplication', _('Can view application of permission to user'))
]
ordering = ('name',) ordering = ('name',)
@property @property
def category_remote_app(self): def category_remote_app(self):
return self.category == AppCategory.remote_app.value return self.category == AppCategory.remote_app.value
@ -107,10 +109,42 @@ class ApplicationPermission(BasePermission):
class PermedApplication(Application): class PermedApplication(Application):
class Meta: class Meta:
proxy = True proxy = True
verbose_name = _("Permed app") verbose_name = _('Permed application')
default_permissions = []
permissions = [ permissions = [
('view_myapps', _('Can view my apps')),
('connect_myapps', _('Can connect my apps')),
('view_userapps', _('Can view user apps')), ('view_userapps', _('Can view user apps')),
('view_usergroupapps', _('Can view usergroup apps')), ('view_usergroupapps', _('Can view usergroup apps')),
] ]
class PermedRemoteApp(Application):
class Meta:
proxy = True
verbose_name = _('Permed remote application')
default_permissions = []
permissions = [
('view_myremoteapp', _('Can view my remoteapp')),
('connect_myremoteapp', _('Can connect my remoteapp')),
]
class PermedDatabaseApp(Application):
class Meta:
proxy = True
verbose_name = _('Database application')
default_permissions = []
permissions = [
('view_mydatabaseapp', _('Can view my database application')),
('connect_mydatabaseapp', _('Can connect my database application')),
]
class PermedKubernetesApp(Application):
class Meta:
proxy = True
verbose_name = _('Kubernetes')
default_permissions = []
permissions = [
('view_mykubernetesapp', _('Can view my kubernetes application')),
('connect_mykubernetesapp', _('Can connect my kubernetes application')),
]
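Review bot: `PermedDatabaseApp` and `PermedKubernetesApp` use the `verbose_name` values `'Database application'` and `'Kubernetes'`, the same strings as the `DatabaseApp` and `KubernetesApp` proxies in the applications models, while `PermedRemoteApp` uses `'Permed remote application'`. Wherever permissions are listed by model name, an administrator cannot tell the management model from the user-facing "my apps" model, which makes a wrong grant easy. Give them distinct names, e.g. `verbose_name = _('Permed database application')` and `verbose_name = _('Permed kubernetes application')`, and regenerate the migration.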


@ -28,6 +28,10 @@ class AssetPermission(BasePermission):
unique_together = [('org_id', 'name')] unique_together = [('org_id', 'name')]
verbose_name = _("Asset permission") verbose_name = _("Asset permission")
ordering = ('name',) ordering = ('name',)
permissions = [
('view_permuserasset', _('Can view asset of permission to user')),
('view_permusergroupasset', _('Can view asset of permission to user group'))
]
@lazyproperty @lazyproperty
def users_amount(self): def users_amount(self):


@ -27,7 +27,7 @@ class Migration(migrations.Migration):
], ],
options={ options={
'verbose_name': 'Menu permission', 'verbose_name': 'Menu permission',
'permissions': [('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view')], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view')],
'default_permissions': [], 'default_permissions': [],
}, },
), ),
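Review bot: The codenames are being edited inside an existing migration here, and the same is done in the next migration section; an earlier section also deletes the `PermedApplication` `CreateModel` from an existing migration. Any installation that has already applied these files will not run them again, so its recorded history no longer matches the files and the `Permission` rows for the old codenames stay in the database. Prefer leaving applied migrations untouched and expressing the rename in the new migration, or state in the commit description that these migrations were never released. The migration's operations list starts and ends outside the hunk.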


@ -12,6 +12,6 @@ class Migration(migrations.Migration):
operations = [ operations = [
migrations.AlterModelOptions( migrations.AlterModelOptions(
name='menupermission', name='menupermission',
options={'default_permissions': [], 'permissions': [('view_resourcestatistics', 'Can view resource statistics'), ('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'}, options={'default_permissions': [], 'permissions': [('view_dashboard', 'Can view resource statistics'), ('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
), ),
] ]


@ -0,0 +1,17 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('rbac', '0006_auto_20220307_1558'),
]
operations = [
migrations.AlterModelOptions(
name='menupermission',
options={'default_permissions': [], 'permissions': [('view_console', 'Can view console view'), ('view_audit', 'Can view audit view'), ('view_workspace', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager'), ('view_dashboard', 'Can view dashboard')], 'verbose_name': 'Menu permission'},
),
]


@ -12,10 +12,10 @@ class MenuPermission(models.Model):
default_permissions = [] default_permissions = []
verbose_name = _('Menu permission') verbose_name = _('Menu permission')
permissions = [ permissions = [
('view_resourcestatistics', _('Can view resource statistics')), ('view_console', _('Can view console view')),
('view_adminview', _('Can view console view')), ('view_audit', _('Can view audit view')),
('view_auditview', _('Can view audit view')), ('view_workspace', _('Can view workspace view')),
('view_userview', _('Can view workspace view')),
('view_webterminal', _('Can view web terminal')), ('view_webterminal', _('Can view web terminal')),
('view_filemanager', _('Can view file manager')), ('view_filemanager', _('Can view file manager')),
('view_dashboard', _('Can view dashboard')),
] ]


@ -64,22 +64,12 @@ class Permission(DjangoPermission):
q |= Q(**kwargs) q |= Q(**kwargs)
return q return q
@classmethod
def clean_permissions(cls, permissions, scope=Scope.system):
if scope == Scope.org:
excludes = const.org_exclude_permissions
else:
excludes = const.system_exclude_permissions
q = cls.get_define_permissions_q(excludes)
if q:
permissions = permissions.exclude(q)
return permissions
@staticmethod @staticmethod
def create_tree_nodes(permissions, scope, check_disabled=False): def create_tree_nodes(permissions, scope, check_disabled=False):
from ..tree import PermissionTreeUtil from ..ztree.tree import ZTree
util = PermissionTreeUtil(permissions, scope, check_disabled) ztree = ZTree(permissions, scope, check_disabled)
return util.create_tree_nodes() tree_nodes = ztree.get_tree_nodes()
return tree_nodes
@classmethod @classmethod
def get_permissions(cls, scope): def get_permissions(cls, scope):
@ -87,4 +77,13 @@ class Permission(DjangoPermission):
permissions = cls.clean_permissions(permissions, scope=scope) permissions = cls.clean_permissions(permissions, scope=scope)
return permissions return permissions
@classmethod
def clean_permissions(cls, permissions, scope=Scope.system):
from ..ztree.tree import ZTree
perms_app_label_codename = ZTree.get_permissions_app_label_codename(scope)
q = Q()
for app_label_codename in perms_app_label_codename:
app_label, codename = app_label_codename.split('.')
q |= Q(**{'content_type__app_label': app_label, 'codename': codename})
permissions = permissions.filter(q)
return permissions
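Review bot: `clean_permissions` now works as an allow-list, but if `ZTree.get_permissions_app_label_codename(scope)` returns nothing, the loop leaves `q = Q()` empty and `permissions.filter(q)` returns the whole queryset, so an empty allow-list exposes every permission instead of none. Guard it before the loop with `if not perms_app_label_codename: return permissions.none()`. `app_label_codename.split('.')` also raises `ValueError` on any entry holding more than one dot, so `split('.', 1)` is the safer form. `ZTree` is not shown on this page, so whether it can return an empty collection or flagged entries is not confirmed here.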



@ -0,0 +1,259 @@
# @ 分割符 $ 企业版 # ! 系统级别 # # 组织级别 # 控制台
flag_sep = '@'
flag_license_required = '$'
flag_scope_system = '!'
# flag_scop_org = '#'
permission_paths = [
# format: 权限树路径 / app.codename @ 企业版、系统级别
'/root/view/view_console/rbac.view_console',
'/root/view/view_console/rbac.view_dashboard',
'/root/view/view_console/user_management/user_list/users.view_user',
'/root/view/view_console/user_management/user_list/users.add_user',
'/root/view/view_console/user_management/user_list/users.change_user',
'/root/view/view_console/user_management/user_list/users.delete_user',
f'/root/view/view_console/user_management/user_list/users.invite_user{flag_sep}{flag_license_required}',
f'/root/view/view_console/user_management/user_list/users.remove_user{flag_sep}{flag_license_required}',
'/root/view/view_console/user_management/user_list/user_detail/perms.view_userassets',
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.view_assetpermission',
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.change_assetpermission',
'/root/view/view_console/user_management/user_list/user_detail/asset_perm/perms.delete_assetpermission',
'/root/view/view_console/user_management/user_list/user_detail/perms.view_userapps',
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.view_applicationpermission',
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.change_applicationpermission',
'/root/view/view_console/user_management/user_list/user_detail/app_perm/perms.delete_applicationpermission',
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.view_loginacl',
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.add_loginacl',
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.change_loginacl',
'/root/view/view_console/user_management/user_list/user_detail/user_login_acl/acls.delete_loginacl',
'/root/view/view_console/user_management/user_group_list/users.view_usergroup',
'/root/view/view_console/user_management/user_group_list/users.add_usergroup',
'/root/view/view_console/user_management/user_group_list/users.change_usergroup',
'/root/view/view_console/user_management/user_group_list/users.delete_usergroup',
'/root/view/view_console/user_management/user_group_list/user_group_detail/perms.view_permusergroupasset',
'/root/view/view_console/user_management/role_list/permission_list/rbac.view_permission',
'/root/view/view_console/user_management/role_list/org_role/rbac.view_orgrole',
'/root/view/view_console/user_management/role_list/org_role/rbac.add_orgrole',
'/root/view/view_console/user_management/role_list/org_role/rbac.change_orgrole',
'/root/view/view_console/user_management/role_list/org_role/rbac.delete_orgrole',
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.view_orgrolebinding',
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.add_orgrolebinding',
'/root/view/view_console/user_management/role_list/org_role/org_role_detail/rbac.delete_orgrolebinding',
'/root/view/view_console/user_management/role_list/system_role/rbac.view_systemrole',
'/root/view/view_console/user_management/role_list/system_role/rbac.add_systemrole',
'/root/view/view_console/user_management/role_list/system_role/rbac.change_systemrole',
'/root/view/view_console/user_management/role_list/system_role/rbac.delete_systemrole',
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.view_systemrolebinding',
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.add_systemrolebinding',
'/root/view/view_console/user_management/role_list/system_role/system_role_detail/rbac.delete_systemrolebinding',
'/root/view/view_console/asset_management/asset_list/assets.view_asset',
'/root/view/view_console/asset_management/asset_list/assets.add_asset',
'/root/view/view_console/asset_management/asset_list/assets.change_asset',
'/root/view/view_console/asset_management/asset_list/assets.delete_asset',
'/root/view/view_console/asset_management/asset_list/assets.test_assetconnectivity',
'/root/view/view_console/asset_management/asset_list/assets.refresh_assethardwareinfo',
'/root/view/view_console/asset_management/asset_list/assets.push_assetsystemuser',
'/root/view/view_console/asset_management/asset_list/assets.match_asset',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.view_node',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.add_node',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.change_node',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.delete_node',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.add_assettonode',
'/root/view/view_console/asset_management/asset_list/node_tree/assets.move_assettonode',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.view_syncinstancetask{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.add_syncinstancetask{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.change_syncinstancetask{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.delete_syncinstancetask{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/xpack.add_syncinstancetaskexecution{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/sync_instance_task_detail/xpack.view_syncinstancetaskexecution{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/sync_instance_task_list/sync_instance_task_detail/xpack.view_syncinstancedetail{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.view_account{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.add_account{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.change_account{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.delete_account{flag_sep}{flag_license_required}',
f'/root/view/view_console/asset_management/asset_list/cloud_sync/account_list/xpack.test_account{flag_sep}{flag_license_required}',
'/root/view/view_console/asset_management/domain_list/assets.view_domain',
'/root/view/view_console/asset_management/domain_list/assets.add_domain',
'/root/view/view_console/asset_management/domain_list/assets.change_domain',
'/root/view/view_console/asset_management/domain_list/assets.delete_domain',
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.view_gateway',
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.add_gateway',
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.change_gateway',
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.delete_gateway',
'/root/view/view_console/asset_management/domain_list/gateway_list/assets.test_gateway',
'/root/view/view_console/asset_management/system_user/assets.view_systemuser',
'/root/view/view_console/asset_management/system_user/assets.add_systemuser',
'/root/view/view_console/asset_management/system_user/assets.change_systemuser',
'/root/view/view_console/asset_management/system_user/assets.delete_systemuser',
'/root/view/view_console/asset_management/system_user/assets.test_assetconnectivity',
'/root/view/view_console/asset_management/system_user/assets.push_assetsystemuser',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.view_systemuserasset',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.add_systemuserasset',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_asset_list/assets.remove_systemuserasset',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.view_authbook',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.change_authbook',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.delete_authbook',
'/root/view/view_console/asset_management/system_user/system_user_detail/system_user_account_list/assets.test_authbook',
'/root/view/view_console/asset_management/command_filter/assets.view_commandfilter',
'/root/view/view_console/asset_management/command_filter/assets.add_commandfilter',
'/root/view/view_console/asset_management/command_filter/assets.change_commandfilter',
'/root/view/view_console/asset_management/command_filter/assets.delete_commandfilter',
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.view_commandfilterrule',
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.add_commandfilterrule',
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.change_commandfilterrule',
'/root/view/view_console/asset_management/command_filter/command_filter_rule/assets.delete_commandfilterrule',
'/root/view/view_console/asset_management/platform_list/assets.view_platform',
'/root/view/view_console/asset_management/platform_list/assets.add_platform',
'/root/view/view_console/asset_management/platform_list/assets.change_platform',
'/root/view/view_console/asset_management/platform_list/assets.delete_platform',
'/root/view/view_console/asset_management/label_management/assets.view_label',
'/root/view/view_console/asset_management/label_management/assets.add_label',
'/root/view/view_console/asset_management/label_management/assets.change_label',
'/root/view/view_console/asset_management/label_management/assets.delete_label',
'/root/view/view_console/app_management/remote_app/applications.view_remoteapp',
'/root/view/view_console/app_management/remote_app/applications.add_remoteapp',
'/root/view/view_console/app_management/remote_app/applications.change_remoteapp',
'/root/view/view_console/app_management/remote_app/applications.delete_remoteapp',
'/root/view/view_console/app_management/db_app/applications.view_databaseapp',
'/root/view/view_console/app_management/db_app/applications.add_databaseapp',
'/root/view/view_console/app_management/db_app/applications.change_databaseapp',
'/root/view/view_console/app_management/db_app/applications.delete_databaseapp',
'/root/view/view_console/app_management/k8s_app/applications.view_kubernetesapp',
'/root/view/view_console/app_management/k8s_app/applications.add_kubernetesapp',
'/root/view/view_console/app_management/k8s_app/applications.change_kubernetesapp',
'/root/view/view_console/app_management/k8s_app/applications.delete_kubernetesapp',
'/root/view/view_console/account_management/asset_account/assets.view_authbook',
'/root/view/view_console/account_management/asset_account/assets.add_authbook',
'/root/view/view_console/account_management/asset_account/assets.change_authbook',
'/root/view/view_console/account_management/asset_account/assets.delete_authbook',
'/root/view/view_console/account_management/asset_account/assets.test_authbook',
'/root/view/view_console/account_management/application_account/applications.view_account',
'/root/view/view_console/account_management/application_account/applications.add_account',
'/root/view/view_console/account_management/application_account/applications.change_account',
'/root/view/view_console/account_management/application_account/applications.delete_account',
'/root/view/view_console/account_management/gather_user/gather_user_list/assets.view_gathereduser',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.view_gatherusertask',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.add_gatherusertask',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.change_gatherusertask',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.delete_gatherusertask',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.add_gatherusertaskexecution',
'/root/view/view_console/account_management/gather_user/gather_user_task_list/xpack.view_gatherusertaskexecution',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.view_changeauthplan',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.add_changeauthplan',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.change_changeauthplan',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.delete_changeauthplan',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.add_changeauthplanexecution',
'/root/view/view_console/account_management/change_auth_plan/asset_change_auth_plan/xpack.view_changeauthplanexecution',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.view_applicationchangeauthplan',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.add_applicationchangeauthplan',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.change_applicationchangeauthplan',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.delete_applicationchangeauthplan',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.add_applicationchangeauthplanexecution',
'/root/view/view_console/account_management/change_auth_plan/app_change_auth_plan/xpack.view_applicationchangeauthplanexecution',
'/root/view/view_console/account_management/account_backup/assets.view_accountbackupplan',
'/root/view/view_console/account_management/account_backup/assets.add_accountbackupplan',
'/root/view/view_console/account_management/account_backup/assets.change_accountbackupplan',
'/root/view/view_console/account_management/account_backup/assets.delete_accountbackupplan',
'/root/view/view_console/account_management/account_backup/assets.add_accountbackupplanexecution',
'/root/view/view_console/account_management/account_backup/assets.view_accountbackupplanexecution',
'/root/view/view_console/perm_management/asset_permission/perms.view_assetpermission',
'/root/view/view_console/perm_management/asset_permission/perms.add_assetpermission',
'/root/view/view_console/perm_management/asset_permission/perms.change_assetpermission',
'/root/view/view_console/perm_management/asset_permission/perms.delete_assetpermission',
'/root/view/view_console/perm_management/app_permission/perms.view_applicationpermission',
'/root/view/view_console/perm_management/app_permission/perms.add_applicationpermission',
'/root/view/view_console/perm_management/app_permission/perms.change_applicationpermission',
'/root/view/view_console/perm_management/app_permission/perms.delete_applicationpermission',
'/root/view/view_console/access_control/asset_login/acls.view_loginassetacl',
'/root/view/view_console/access_control/asset_login/acls.add_loginassetacl',
'/root/view/view_console/access_control/asset_login/acls.change_loginassetacl',
'/root/view/view_console/access_control/asset_login/acls.delete_loginassetacl',
'/root/view/view_console/job_center/task_list/ops.view_task',
'/root/view/view_console/job_center/task_list/ops.delete_task',
'/root/view/view_console/job_center/task_list/ops.add_adhocexecution',
'/root/view/view_console/job_center/task_list/task_list_detail/ops.view_adhoc',
'/root/view/view_console/job_center/task_list/task_list_detail/ops.view_adhocexecution',
'/root/view/view_console/job_center/ops.view_taskmonitor',
'/root/view/view_audit/rbac.view_audit',
'/root/view/view_audit/rbac.view_dashboard',
'/root/view/view_audit/session_audit/session_record/terminal.view_session',
'/root/view/view_audit/session_audit/session_record/terminal.terminate_session',
'/root/view/view_audit/session_audit/session_record/terminal.monitor_session',
'/root/view/view_audit/session_audit/session_record/session_detail/terminal.view_command',
'/root/view/view_audit/session_audit/session_record/session_detail/terminal.view_sessionjoinrecord',
'/root/view/view_audit/session_audit/command_record/terminal.view_command',
'/root/view/view_audit/session_audit/command_record/terminal.view_commandstorage',
'/root/view/view_audit/session_audit/file_transfer/audits.view_ftplog',
'/root/view/view_audit/log_audit/audits.view_userloginlog',
'/root/view/view_audit/log_audit/audits.view_operatelog',
'/root/view/view_audit/log_audit/audits.view_passwordchangelog',
'/root/view/view_audit/log_audit/ops.view_commandexecution',
'/root/view/view_workspace/rbac.view_workspace',
'/root/view/view_workspace/rbac.view_overview',
'/root/view/view_workspace/my_asset/perms.view_myassets',
'/root/view/view_workspace/my_asset/perms.connect_myassets',
'/root/view/view_workspace/my_app/my_remote_app/perms.view_myremoteapp',
'/root/view/view_workspace/my_app/my_remote_app/perms.connect_myremoteapp',
'/root/view/view_workspace/my_app/my_db_app/perms.view_mydatabaseapp',
'/root/view/view_workspace/my_app/my_db_app/perms.connect_mydatabaseapp',
'/root/view/view_workspace/my_app/my_k8s_app/perms.view_mykubernetesapp',
'/root/view/view_workspace/my_app/my_k8s_app/perms.connect_mykubernetesapp',
'/root/view/view_workspace/ops.add_commandexecution',
'/root/view/view_workspace/rbac.view_webterminal',
'/root/view/view_workspace/rbac.view_filemanager',
'/root/notifications.view_sitemessage',
'/root/rbac.view_webterminal',
f'/root/system_setting/settings.change_basic{flag_sep}{flag_scope_system}',
f'/root/system_setting/settings.change_email{flag_sep}{flag_scope_system}',
f'/root/system_setting/settings.change_auth{flag_sep}{flag_scope_system}',
f'/root/system_setting/notifications.change_systemmsgsubscription{flag_sep}{flag_scope_system}',
f'/root/system_setting/settings.change_sms{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/terminal_setting/settings.change_terminal_basic_setting{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/terminal_management/terminal.view_terminal{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/terminal_management/terminal.change_terminal{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/terminal_management/terminal.delete_terminal{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/replay_storage/terminal.view_replaystorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/replay_storage/terminal.add_replaystorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/replay_storage/terminal.change_replaystorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/replay_storage/terminal.delete_replaystorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/command_storage/terminal.view_commandstorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/command_storage/terminal.add_commandstorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/command_storage/terminal.change_commandstorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/command_storage/terminal.delete_commandstorage{flag_sep}{flag_scope_system}',
f'/root/system_setting/terminal_setting/terminal.view_status{flag_sep}{flag_scope_system}',
f'/root/system_setting/settings.change_security{flag_sep}{flag_scope_system}',
f'/root/system_setting/settings.change_clean{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/org_management/orgs.view_rootorg{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/org_management/orgs.view_organization{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/org_management/orgs.add_organization{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/org_management/orgs.change_organization{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/org_management/orgs.delete_organization{flag_sep}{flag_scope_system}{flag_license_required}',
f'/root/system_setting/settings.change_other{flag_sep}{flag_scope_system}',
f'/root/system_setting/license/xpack.view_license{flag_sep}{flag_scope_system}',
f'/root/system_setting/license/xpack.add_license{flag_sep}{flag_scope_system}',
f'/root/ticket/tickets.view_ticket{flag_sep}{flag_license_required}',
f'/root/ticket/tickets.add_ticket{flag_sep}{flag_license_required}',
f'/root/ticket/ticket_detail/tickets.change_ticket{flag_sep}{flag_license_required}',
f'/root/ticket/ticket_detail/tickets.add_comment{flag_sep}{flag_license_required}',
f'/root/ticket/ticket_detail/tickets.view_comment{flag_sep}{flag_license_required}',
f'/root/ticket/ticket_detail/tickets.view_ticketsession{flag_sep}{flag_license_required}',
# '/root/rbac.view_help',
f'/root/api_permission/terminal.add_session',
'/root/api_permission/terminal.add_command',
f'/root/api_permission/tickets.add_superticket{flag_sep}{flag_license_required}',
'/root/api_permission/authentication.add_superconnectiontoken',
'/root/api_permission/authentication.view_connectiontokensecret',
# ...
]

207
apps/rbac/ztree/tree.py Normal file

@ -0,0 +1,207 @@
import random
from collections import defaultdict
from django.utils.translation import ugettext
from common.tree import TreeNode as RawTreeNode
from django.utils.translation import gettext_lazy as _, gettext
from rbac.models import Permission, ContentType
from django.db.models import F, Count
from .permissions import permission_paths, flag_license_required, flag_sep, flag_scope_system
from .tree_nodes import permission_tree_nodes
from ..const import Scope
from jumpserver.utils import has_valid_xpack_license
from django.conf import settings
class TreeNode(RawTreeNode):
total_count = 0
checked_count = 0
app_label_codename = ''
def mark_checked_if_need(self):
if self.isParent:
self.checked = self.total_count == self.checked_count
def refresh_name_if_need(self):
if self.isParent:
self.name = str(self.name) + f'({self.checked_count}/{self.total_count})'
elif settings.DEBUG:
self.name = str(self.name) + f'({self.app_label_codename})'
class TreeNodes:
def __init__(self):
self.tree_nodes = defaultdict(TreeNode)
def add_node(self, data):
tree_node = self.add(data)
tree_node.total_count += 1
def add_leaf(self, data):
tree_node = self.add(data)
if not data['checked']:
return
parent_node = self.tree_nodes.get(tree_node.pId)
while parent_node:
parent_node.checked_count += 1
parent_node = self.tree_nodes.get(parent_node.pId)
def add(self, data):
_id = data['id']
data['name'] = data.get('name') or data['id']
tree_node = self.tree_nodes.get(_id, TreeNode(**data))
self.tree_nodes[tree_node.id] = tree_node
return tree_node
def get(self):
tree_nodes = list(self.tree_nodes.values())
for tree_node in tree_nodes:
tree_node.mark_checked_if_need()
tree_node.refresh_name_if_need()
return tree_nodes
class ZTree(object):
has_valid_license = has_valid_xpack_license()
def __init__(self, checked_permission, scope, check_disabled=False):
self.scope = scope
self.checked_permission = self.prefetch_permissions(
checked_permission
)
self.checked_permissions_mapper = {p.id: p for p in self.checked_permission}
self.permissions = self.prefetch_permissions(
Permission.get_permissions(scope)
)
self.permissions_mapper = {p.app_label_codename: p for p in self.permissions}
self.content_types_name_mapper = {ct.model: ct.name for ct in ContentType.objects.all()}
self.check_disabled = check_disabled
self.tree_nodes = TreeNodes()
self.show_node_level = 3
@staticmethod
def prefetch_permissions(permissions):
return permissions.select_related('content_type') \
.annotate(app=F('content_type__app_label')) \
.annotate(model=F('content_type__model'))
def get_tree_nodes(self):
perm_paths = self.__class__.get_permission_paths(self.scope)
for perm_path in perm_paths:
self.generate_tree_nodes_by_path(perm_path)
return self.tree_nodes.get()
def generate_tree_nodes_by_path(self, perm_path):
path, perm_app_label_codename = perm_path.rsplit('/', 1)
# add path
path_list = path.lstrip('/').split('/')
pid = ''
for level, tree_node_id in enumerate(path_list, start=1):
name = _('Detail') if 'detail' in tree_node_id else tree_node_id
data = dict({
'id': tree_node_id,
'name': name,
'title': name,
'pId': pid,
'isParent': True,
'chkDisabled': self.check_disabled,
'open': level < self.show_node_level,
'meta': {
'type': 'perm',
}
})
_data = permission_tree_nodes.get(tree_node_id, {})
data.update(_data)
pid = data['id']
self.tree_nodes.add_node(data)
# add perm
if not perm_app_label_codename:
return
perm = self.permissions_mapper.get(perm_app_label_codename)
if perm:
# 解决同一个权限不能在多个节点的问题
_id = f'{pid}#{perm.id}'
name = self._get_permission_name(perm)
checked = perm.id in self.checked_permissions_mapper
else:
# 最终不应该走这里,所有权限都要在数据库里
_id = perm_app_label_codename
name = perm_app_label_codename
checked = False
data = {
'id': _id,
'pId': pid,
'name': name,
'title': perm_app_label_codename,
'chkDisabled': self.check_disabled,
'app_label_codename': perm_app_label_codename,
'isParent': False,
'iconSkin': 'file',
'open': False,
'checked': checked,
'meta': {
'type': 'perm',
}
}
_data = permission_tree_nodes.get(perm_app_label_codename, {})
data.update(_data)
self.tree_nodes.add_leaf(data)
def _get_permission_name(self, p):
code_name = p.codename
action_mapper = {
'add': ugettext('Create'),
'view': ugettext('View'),
'change': ugettext('Update'),
'delete': ugettext('Delete')
}
name = ''
ct = ''
if 'add_' in p.codename:
name = action_mapper['add']
ct = code_name.replace('add_', '')
elif 'view_' in p.codename:
name = action_mapper['view']
ct = code_name.replace('view_', '')
elif 'change_' in p.codename:
name = action_mapper['change']
ct = code_name.replace('change_', '')
elif 'delete' in code_name:
name = action_mapper['delete']
ct = code_name.replace('delete_', '')
if ct in self.content_types_name_mapper:
name += self.content_types_name_mapper[ct]
else:
name = gettext(p.name)
name = name.replace('Can ', '').replace('可以', '')
return name
@classmethod
def get_permissions_app_label_codename(cls, scope):
perm_paths = cls.get_permission_paths(scope)
perms = []
for path in perm_paths:
path, app_label_code_name = path.rsplit('/', 1)
if not app_label_code_name:
continue
perms.append(app_label_code_name)
return perms
@classmethod
def get_permission_paths(cls, scope):
perm_paths = []
for path in permission_paths:
if flag_sep in path:
path, flags = path.split(flag_sep)
if flag_scope_system in flags and scope == Scope.org:
continue
if flag_license_required in flags and not cls.has_valid_license:
continue
perm_paths.append(path)
return perm_paths
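Review bot: `has_valid_license = has_valid_xpack_license()` sits in the `ZTree` class body, so it runs once at import and `get_permission_paths` keeps filtering the `flag_license_required` paths by the licence state the process started with. If the licence is added or expires later, the tree and `get_permissions_app_label_codename` presumably stay out of step with it until a restart. Evaluating it per call avoids that: `has_license = has_valid_xpack_license()` before the loop, then `if flag_license_required in flags and not has_license:` inside it. Separately, `_get_permission_name` tests `'add_' in p.codename` (and `'delete' in code_name`, without the underscore) instead of `startswith`, so a codename that merely contains one of those strings would get the wrong action label. `import random` is unused.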


@ -0,0 +1,308 @@
from django.utils.translation import gettext_lazy as _
permission_tree_nodes = {
# 节点
'root': {
'name': _('All permissions'),
},
'view': {
'name': _("View menu")
},
'view_console': {
'name': _('Console view'),
},
'user_management': {
'name': _('User management')
},
'user_list': {
'name': _('User list')
},
'view_workspace': {
'name': _('Workspace view')
},
'view_audit': {
'name': _("Audit view")
},
'asset_perm': {
'name': _('Asset permission')
},
'session_audits': {
'name': _('Session audits')
},
'session_record': {
'name': _('Online/Offline Session record')
},
'asset_management': {
'name': _('Asset management')
},
'asset_list': {
'name': _('Asset list')
},
'my_asset': {
'name': _('My assets')
},
'my_app': {
'name': _('My application')
},
'bulk_command': {
'name': _('Bulk command')
},
'system_setting': {
'name': _('System setting')
},
'ticket': {
'name': _('Ticket system')
},
'help': {
'name': _('Help')
},
'api_permission': {
'name': _('API permission')
},
'app_management': {
'name': _('Application management')
},
'account_management': {
'name': _('Account management'),
},
'perm_management': {
'name': _('Permission management'),
},
'access_control': {
'name': _('Access control'),
},
'job_center': {
'name': _('Job center'),
},
'session_audit': {
'name': _('Session audit')
},
'log_audit': {
'name': _('Log audit')
},
'user_group_list': {
'name': _('User group')
},
'role_list': {
'name': _('Role list')
},
'app_perm': {
'name': _('Application permission')
},
'user_login_acl': {
'name': _('User login acl')
},
'user_group_detail': {
'name': _('Detail')
},
'permission_list': {
'name': _('Permission list')
},
'node_tree': {
'name': _('Node tree')
},
'cloud_sync': {
'name': _('Cloud sync')
},
'sync_instance_task_list': {
'name': _('Sync instance task list')
},
'account_list': {
'name': _('Account list')
},
'system_user': {
'name': _('Common/Admin User')
},
'system_user_asset_list': {
'name': _('Asset list'),
},
'system_user_account_list': {
'name': _('Account list')
},
'command_filter': {
'name': _('Command filter')
},
'command_filter_rule': {
'name': _('Command filter rule')
},
'platform_list': {
'name': _('Platform list')
},
'label_management': {
'name': _('Label management')
},
'remote_app': {
'name': _('Remote application')
},
'db_app': {
'name': _('Database application')
},
'k8s_app': {
'name': _('Kubernetes')
},
'asset_account': {
'name': _('Asset account')
},
'application_account': {
'name': _('Application account')
},
'gather_user': {
'name': _('Gathered user')
},
'gather_user_list': {
'name': _('Gathered user list')
},
'gather_user_task_list': {
'name': _('Gathered user task list')
},
'change_auth_plan': {
'name': _('Change auth plan')
},
'asset_change_auth_plan': {
'name': _('Asset change auth plan')
},
'app_change_auth_plan': {
'name': _('Application change auth plan')
},
'account_backup': {
'name': _('Account backup')
},
'asset_permission': {
'name': _('Asset permission')
},
'app_permission': {
'name': _('Application permission')
},
'asset_login': {
'name': _('Asset login')
},
'task_list': {
'name': _('Task list')
},
'command_record': {
'name': _('Command record')
},
'file_transfer': {
'name': _('File transfer')
},
'my_remote_app': {
'name': _('Remote App')
},
'my_db_app': {
'name': _('Database application')
},
'my_k8s_app': {
'name': _('Kubernetes')
},
'terminal_setting': {
'name': _('Terminal setting')
},
'terminal_management': {
'name': _('Terminal management')
},
'command_storage': {
'name': _('Command storage')
},
'replay_storage': {
'name': _('Replay storage')
},
'org_management': {
'name': _('Organization management')
},
'license': {
'name': _('License')
},
# 权限
'rbac.view_permission': {
'name': _('View all permission')
},
'domain_list': {
'name': _('Domain list')
},
'gateway_list': {
'name': _('Gateway list')
},
'org_role': {
'name': _('Organization role')
},
'system_role': {
'name': _('System role')
},
'xpack.add_gatherusertaskexecution': {
'name': _('Run gather user task')
},
'xpack.add_changeauthplanexecution': {
'name': _('Run asset change auth plan')
},
'xpack.add_applicationchangeauthplanexecution': {
'name': _('Run application change auth plan')
},
'assets.add_accountbackupplanexecution': {
'name': _('Run account backup plan')
},
'ops.add_adhocexecution': {
'name': _('Run task')
},
'ops.view_adhoc': {
'name': _('View task version')
},
'ops.view_adhocexecution': {
'name': _('View execution history')
},
'ops.add_commandexecution': {
'name': _('Bulk command')
},
'notifications.view_sitemessage': {
'name': _('Site message')
},
'notifications.change_systemmsgsubscription': {
'name': _('Message subscription')
},
'terminal.view_status': {
'name': _('Component monitor')
},
'tickets.view_ticket': {
'name': _('View my/assigned ticket')
},
'tickets.add_ticket': {
'name': _('Create asset/application ticket')
},
'tickets.change_ticket': {
'name': _('Change/close ticket')
},
'assets.match_asset': {
'name': _('View some of the assets searched')
},
'rbac.view_workspace': {
'checked': True,
'chkDisabled': True,
},
'rbac.view_overview': {
'name': _('Overview'),
'checked': True,
'chkDisabled': True,
},
'rbac.view_orgrolebinding': {
'name': _('View permission user')
},
'rbac.add_orgrolebinding': {
'name': _('Add user to role')
},
'rbac.delete_orgrolebinding': {
'name': _('Remove user from role')
},
'rbac.view_systemrolebinding': {
'name': _('View permission user')
},
'rbac.add_systemrolebinding': {
'name': _('Add user to role')
},
'rbac.delete_systemrolebinding': {
'name': _('Remove user from role')
},
'xpack.add_syncinstancetaskexecution': {
'name': _('Run sync instance task')
}
}
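Review bot: The `rbac.view_workspace` and `rbac.view_overview` entries set `'checked': True` and `'chkDisabled': True`, and `generate_tree_nodes_by_path` merges them over the computed leaf with `data.update(_data)`, so these two leaves are shown ticked and locked whatever the role actually holds. Nothing in this file says why, or whether the role's stored permission set is guaranteed to contain them. A comment above the two entries, such as `# always granted: shown checked and locked; the save path must persist these too`, would make the intent checkable. The `# 权限` marker is also followed by node entries (`domain_list`, `gateway_list`, `org_role`, `system_role`), which blurs the node/permission split.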


@ -0,0 +1,17 @@
# Generated by Django 3.1.14 on 2022-03-09 22:16
from django.db import migrations
class Migration(migrations.Migration):
dependencies = [
('settings', '0004_auto_20220211_1401'),
]
operations = [
migrations.AlterModelOptions(
name='setting',
options={'permissions': [('change_basic', 'Can change basic setting'), ('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_other', 'Can change other setting'), ('change_terminal_basic_setting', 'Can change terminal basic setting')], 'verbose_name': 'System setting'},
),
]


@ -138,3 +138,13 @@ class Setting(models.Model):
class Meta: class Meta:
db_table = "settings_setting" db_table = "settings_setting"
verbose_name = _("System setting") verbose_name = _("System setting")
permissions = [
('change_basic', _('Can change basic setting')),
('change_email', _('Can change email setting')),
('change_auth', _('Can change auth setting')),
('change_sms', _('Can change sms setting')),
('change_security', _('Can change security setting')),
('change_clean', _('Can change clean setting')),
('change_other', _('Can change other setting')),
('change_terminal_basic_setting', _('Can change terminal basic setting')),
]


@ -274,7 +274,7 @@ class RoleMixin:
def perms(self): def perms(self):
key = self.PERM_CACHE_KEY.format(self.id, current_org.id) key = self.PERM_CACHE_KEY.format(self.id, current_org.id)
perms = cache.get(key) perms = cache.get(key)
if not perms: if not perms or settings.DEBUG:
perms = self.get_all_permissions() perms = self.get_all_permissions()
cache.set(key, perms, 3600) cache.set(key, perms, 3600)
return perms return perms
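Review bot: `if not perms or settings.DEBUG:` treats an empty cached result the same as a cache miss, so a role whose `get_all_permissions()` result is empty is recomputed on every access; if `None` is the only miss value, `if perms is None or settings.DEBUG:` states that directly. The result is then cached for 3600 seconds under a key built from the role id and org id, and the hunk shows no invalidation. Unless that key is deleted elsewhere when a role's permissions are edited, a removed permission could stay in effect for up to an hour. The new condition also needs `settings` imported in this module, which is not visible here. The enclosing `RoleMixin` class starts outside the hunk.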