From c5edb9981e575b1f95f4c80176ece76471ee1d27 Mon Sep 17 00:00:00 2001 From: fit2bot <68588906+fit2bot@users.noreply.github.com> Date: Thu, 22 Dec 2022 20:09:20 +0800 Subject: [PATCH] perf: rbac tree (#9237) Co-authored-by: feng <1304903146@qq.com> --- apps/assets/api/automations/base.py | 19 +++++++- .../migrations/0107_auto_20221019_1115.py | 12 ----- .../0116_alter_automationexecution_options.py | 17 +++++++ apps/assets/models/automations/__init__.py | 1 - apps/assets/models/automations/base.py | 6 +++ .../models/automations/discovery_account.py | 15 ------- apps/assets/urls/api_urls.py | 3 +- apps/rbac/const.py | 33 +++++++++++--- apps/rbac/tree.py | 44 +++++++++++-------- 9 files changed, 94 insertions(+), 56 deletions(-) create mode 100644 apps/assets/migrations/0116_alter_automationexecution_options.py delete mode 100644 apps/assets/models/automations/discovery_account.py diff --git a/apps/assets/api/automations/base.py b/apps/assets/api/automations/base.py index 1b480cbdc..83f1a3a8c 100644 --- a/apps/assets/api/automations/base.py +++ b/apps/assets/api/automations/base.py @@ -11,7 +11,8 @@ from common.const.choices import Trigger __all__ = [ 'AutomationAssetsListApi', 'AutomationRemoveAssetApi', - 'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi', 'AutomationExecutionViewSet' + 'AutomationAddAssetApi', 'AutomationNodeAddRemoveApi', + 'ChangSecretExecutionViewSet', 'GatherAccountsExecutionViewSet', ] 
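Review bot: `ChangSecretExecutionViewSet` drops the "e" of "Change", unlike the neighbouring `ChangeSecretAutomationViewSet` and `ChangeSecretRecordViewSet` that api_urls.py registers beside it, and once exported through `__all__` and wired into the router the misspelling becomes an import path other code depends on. Rename it to `ChangeSecretExecutionViewSet` here, in the class definition in the next hunk, and in the `router.register(r'change-secret-executions', ...)` line of apps/assets/urls/api_urls.py before it ships.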
@@ -114,3 +115,19 @@ class AutomationExecutionViewSet( pid=automation.pk, trigger=Trigger.manual, tp=tp ) return Response({'task': task.id}, status=status.HTTP_201_CREATED) + + +class ChangSecretExecutionViewSet(AutomationExecutionViewSet): + rbac_perms = ( + ("list", "assets.view_changesecretexecution"), + ("retrieve", "assets.view_changesecretexecution"), + ("create", "assets.add_changesecretexecution"), + ) + + +class GatherAccountsExecutionViewSet(AutomationExecutionViewSet): + rbac_perms = ( + ("list", "assets.view_gatheraccountsexecution"), + ("retrieve", "assets.view_gatheraccountsexecution"), + ("create", "assets.add_gatheraccountsexecution"), + ) diff --git a/apps/assets/migrations/0107_auto_20221019_1115.py b/apps/assets/migrations/0107_auto_20221019_1115.py index 2dea81e71..377b3981d 100644 --- a/apps/assets/migrations/0107_auto_20221019_1115.py +++ b/apps/assets/migrations/0107_auto_20221019_1115.py @@ -90,18 +90,6 @@ class Migration(migrations.Migration): name='default', field=models.BooleanField(default=False, verbose_name='Default'), ), - migrations.CreateModel( - name='DiscoveryAccountAutomation', - fields=[ - ('baseautomation_ptr', - models.OneToOneField(auto_created=True, on_delete=django.db.models.deletion.CASCADE, parent_link=True, - primary_key=True, serialize=False, to='assets.baseautomation')), - ], - options={ - 'verbose_name': 'Discovery account automation', - }, - bases=('assets.baseautomation',), - ), migrations.CreateModel( name='GatherFactsAutomation', fields=[ diff --git a/apps/assets/migrations/0116_alter_automationexecution_options.py b/apps/assets/migrations/0116_alter_automationexecution_options.py new file mode 100644 index 000000000..75ae53efd --- /dev/null +++ b/apps/assets/migrations/0116_alter_automationexecution_options.py 
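Review bot: `ChangSecretExecutionViewSet.rbac_perms` maps `create` to `assets.add_changesecretexecution`, but the codename the commit actually declares in `AutomationExecution.Meta.permissions`, in migration 0116 and as the `special_pid_mapper` key in tree.py is `add_changesecretexection` ("exection", missing the "u"). A permission that is never created cannot be granted through any role, so the create action is either unreachable for non-superusers or, depending on how the rbac layer treats an unknown codename, not checked at all; either outcome needs verifying. The intended spelling is clearly the one the viewset uses, so fix the Meta entry, the generated migration and the tree.py key to `add_changesecretexecution`, matching the `view_changesecretexecution` sibling, rather than changing the viewset.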
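Review bot: Deleting `migrations.CreateModel(name='DiscoveryAccountAutomation', ...)` from 0107 rewrites a migration dated 2022-10-19; on any database where 0107 has already run, the table it created stays behind with nothing in the history to drop it, while fresh installs never create it, so the two diverge silently. If 0107 may have shipped anywhere, leave it untouched and add `migrations.DeleteModel(name='DiscoveryAccountAutomation'),` to the new 0116 operations instead, so upgraded and fresh databases converge on the same schema. The removed model file in the later hunk is fine either way.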
@@ -0,0 +1,17 @@ +# Generated by Django 3.2.16 on 2022-12-22 11:50 + +from django.db import migrations + + +class Migration(migrations.Migration): + + dependencies = [ + ('assets', '0115_auto_20221220_1956'), + ] + + operations = [ + migrations.AlterModelOptions( + name='automationexecution', + options={'permissions': [('view_changesecretexecution', 'Can view change secret execution'), ('add_changesecretexection', 'Can add change secret execution'), ('view_gatheraccountsexecution', 'Can view gather accounts execution'), ('add_gatheraccountsexecution', 'Can add gather accounts execution')], 'verbose_name': 'Automation task execution'}, + ), + ] diff --git a/apps/assets/models/automations/__init__.py b/apps/assets/models/automations/__init__.py index 82fa19620..abf23ed7e 100644 --- a/apps/assets/models/automations/__init__.py +++ b/apps/assets/models/automations/__init__.py @@ -5,4 +5,3 @@ from .gather_facts import * from .change_secret import * from .verify_account import * from .gather_accounts import * -from .discovery_account import * diff --git a/apps/assets/models/automations/base.py b/apps/assets/models/automations/base.py index a09084fe5..6504e5898 100644 --- a/apps/assets/models/automations/base.py +++ b/apps/assets/models/automations/base.py @@ -101,6 +101,12 @@ class AutomationExecution(OrgModelMixin): class Meta: verbose_name = _('Automation task execution') + permissions = [ + ('view_changesecretexecution', _('Can view change secret execution')), + ('add_changesecretexection', _('Can add change secret execution')), + ('view_gatheraccountsexecution', _('Can view gather accounts execution')), + ('add_gatheraccountsexecution', _('Can add gather accounts execution')), + ] @property def manager_type(self): diff --git a/apps/assets/models/automations/discovery_account.py b/apps/assets/models/automations/discovery_account.py deleted file mode 100644 index 9e2adf610..000000000 --- a/apps/assets/models/automations/discovery_account.py +++ /dev/null 
@@ -1,15 +0,0 @@ -from django.utils.translation import ugettext_lazy as _ - -from .base import BaseAutomation - - -class DiscoveryAccountAutomation(BaseAutomation): - class Meta: - verbose_name = _("Discovery account automation") - - def to_attr_json(self): - attr_json = super().to_attr_json() - attr_json.update({ - 'type': 'discover_account' - }) - return attr_json diff --git a/apps/assets/urls/api_urls.py b/apps/assets/urls/api_urls.py index 2f8033d30..0279aa785 100644 --- a/apps/assets/urls/api_urls.py +++ b/apps/assets/urls/api_urls.py @@ -29,7 +29,8 @@ router.register(r'account-backup-plans', api.AccountBackupPlanViewSet, 'account- router.register(r'account-backup-plan-executions', api.AccountBackupPlanExecutionViewSet, 'account-backup-execution') router.register(r'change-secret-automations', api.ChangeSecretAutomationViewSet, 'change-secret-automation') -router.register(r'automation-executions', api.AutomationExecutionViewSet, 'automation-execution') +router.register(r'change-secret-executions', api.ChangSecretExecutionViewSet, 'change-secret-execution') +router.register(r'gather-account-executions', api.GatherAccountsExecutionViewSet, 'gather-account-execution') router.register(r'change-secret-records', api.ChangeSecretRecordViewSet, 'change-secret-record') router.register(r'gather-account-automations', api.GatherAccountsAutomationViewSet, 'gather-account-automation') diff --git a/apps/rbac/const.py b/apps/rbac/const.py index dc9d2592b..d63c2f610 100644 --- a/apps/rbac/const.py +++ b/apps/rbac/const.py 
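Review bot: The two new routes point at subclasses that, in the earlier hunk, override only `rbac_perms`, so unless `AutomationExecutionViewSet` (its body is outside this diff) narrows its queryset by automation type, `change-secret-executions` and `gather-account-executions` serve exactly the same rows and a role holding only `view_changesecretexecution` can read gather-accounts executions through the change-secret endpoint. Confirm the base `get_queryset` filters by type, or give each subclass a queryset restricted to its own automation type so the split permissions actually bound what is visible. The same applies to `create`, where the `add_*` permission for one type should not start a task of the other.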
@@ -27,10 +27,6 @@ exclude_permissions = ( ('authentication', 'superconnectiontoken', 'change,delete', 'superconnectiontoken'), ('authentication', 'temptoken', 'delete', 'temptoken'), ('users', 'userpasswordhistory', '*', '*'), - ('applications', 'applicationuser', '*', '*'), - ('applications', 'historicalaccount', '*', '*'), - ('applications', 'account', 'add,change,delete', 'account'), - ('applications', 'account', 'change', 'appplicationaccountsecret'), ('assets', 'adminuser', '*', '*'), ('assets', 'assetgroup', '*', '*'), ('assets', 'cluster', '*', '*'), @@ -39,6 +35,23 @@ exclude_permissions = ( ('assets', 'assetuser', '*', '*'), ('assets', 'gathereduser', 'add,delete,change', 'gathereduser'), ('assets', 'accountbackupplanexecution', 'delete,change', 'accountbackupplanexecution'), + ('assets', 'gathereduser', 'add,delete,change', 'gathereduser'), + ('assets', 'web', '*', '*'), + ('assets', 'host', '*', '*'), + ('assets', 'cloud', '*', '*'), + ('assets', 'device', '*', '*'), + ('assets', 'database', '*', '*'), + ('assets', 'protocol', '*', '*'), + ('assets', 'systemuser', '*', '*'), + ('assets', 'baseautomation', '*', '*'), + ('assets', 'pingautomation', '*', '*'), + ('assets', 'platformprotocol', '*', '*'), + ('assets', 'platformautomation', '*', '*'), + ('assets', 'gatherfactsautomation', '*', '*'), + ('assets', 'pushaccountautomation', '*', '*'), + ('assets', 'verifyaccountautomation', '*', '*'), + ('assets', 'changesecretrecord', 'add,delete,change', 'changesecretrecord'), + ('assets', 'automationexecution', '*', 'automationexecution'), # TODO 暂时去掉历史账号的权限 ('assets', 'account', '*', 'assethistoryaccount'), ('assets', 'account', '*', 'assethistoryaccountsecret'), 
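Review bot: The first added line, `('assets', 'gathereduser', 'add,delete,change', 'gathereduser'),`, is byte-identical to the context line two lines above it, so the tuple now appears twice in `exclude_permissions`; drop the new copy. The hunk also excludes every default action on `automationexecution` via `('assets', 'automationexecution', '*', 'automationexecution')`, leaving only the custom `view_/add_changesecretexecution` and `view_/add_gatheraccountsexecution` codenames from the models hunk assignable — which presumably relies on the fourth column matching the codename suffix, worth a short comment above the line since the tuple reads as "exclude everything" otherwise.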
@@ -58,6 +71,10 @@ exclude_permissions = ( ('ops', 'adhoc', 'delete,change', '*'), ('ops', 'adhocexecution', 'add,delete,change', '*'), ('ops', 'task', 'add,change', 'task'), + ('ops', 'jobexecution', 'change,delete', 'jobexecution'), + ('ops', 'historicaljob', '*', '*'), + ('ops', 'celerytask', 'add,change,delete', 'celerytask'), + ('ops', 'celerytaskexecution', 'add,change,delete', 'celerytaskexecution'), ('ops', 'commandexecution', 'delete,change', 'commandexecution'), ('orgs', 'organizationmember', '*', '*'), ('settings', 'setting', 'add,change,delete', 'setting'), @@ -82,9 +99,9 @@ exclude_permissions = ( ('xpack', 'license', '*', '*'), ('xpack', 'syncinstancedetail', 'add,delete,change', 'syncinstancedetail'), ('xpack', 'syncinstancetaskexecution', 'delete,change', 'syncinstancetaskexecution'), - ('xpack', 'changeauthplanexecution', 'delete,change', 'changeauthplanexecution'), - ('xpack', 'changeauthplantask', 'add,delete', 'changeauthplantask'), - ('xpack', 'gatherusertaskexecution', 'change,delete', 'gatherusertaskexecution'), + ('xpack', 'changeauthplanexecution', '*', '*'), + ('xpack', 'changeauthplantask', '*', '*'), + ('xpack', 'gatherusertaskexecution', '*', '*'), ('common', 'permission', 'add,delete,view,change', 'permission'), ('terminal', 'command', 'delete,change', 'command'), ('terminal', 'status', 'delete,change', 'status'), @@ -94,6 +111,8 @@ exclude_permissions = ( ('terminal', 'sessionsharing', 'view,add,change,delete', 'sessionsharing'), ('terminal', 'session', 'delete,share', 'session'), ('terminal', 'session', 'delete,change', 'command'), + ('terminal', 'appletpublication', '*', '*'), + ('terminal', 'applethostdeployment', '*', '*'), ('applications', '*', '*', '*'), ) diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py index abce5759a..67ecfb90e 100644 --- a/apps/rbac/tree.py +++ b/apps/rbac/tree.py 
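Review bot: Widening the three xpack entries to `'*', '*'` removes every permission on changeauthplanexecution, changeauthplantask and gatherusertaskexecution, yet tree.py still carries `'xpack.changeauthplanexecution': 'asset_change_plan_node'` and `'xpack.changeauthplantask': 'asset_change_plan_node'` as untouched context in the `special_pid_mapper` hunk. If fully excluded models never reach the tree builder (not visible in this diff), those mapper entries are now dead and should be removed with this change, the way the `xpack.gatherusertask*` entries were.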
@@ -33,11 +33,8 @@ view_nodes_data = [
 app_nodes_data = [
 {'id': 'users', 'view': 'view_console'},
 {'id': 'assets', 'view': 'view_console'},
- {'id': 'applications', 'view': 'view_console'},
 {'id': 'accounts', 'name': _('Accounts'), 'view': 'view_console'},
 {'id': 'perms', 'view': 'view_console'},
- {'id': 'acls', 'view': 'view_console'},
- {'id': 'ops', 'view': 'view_console'},
 {'id': 'terminal', 'name': _('Session audits'), 'view': 'view_audit'},
 {'id': 'audits', 'view': 'view_audit'},
 {'id': 'rbac', 'view': 'view_console'},
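Review bot: Removing the `ops` and `acls` app nodes only works if every permission that survives `exclude_permissions` under those apps is re-parented in `special_pid_mapper`. The later hunk maps the four acls models and ops job/adhoc/playbook/jobexecution/jobauditlog/celerytask/commandexecution, but `ops.task` (const.py excludes only `add,change`, so `view` and `delete` remain) and `ops.adhocexecution` (`view` remains) are not mapped anywhere in this diff. Unless the tree builder tolerates a permission whose parent node no longer exists, those entries dangle; add mapper entries for them or extend the const.py exclusions to cover them.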
@@ -51,33 +48,42 @@ extra_nodes_data = [ {"id": "cloud_import", "name": _("Cloud import"), "pId": "assets"}, {"id": "backup_account_node", "name": _("Backup account"), "pId": "accounts"}, {"id": "gather_account_node", "name": _("Gather account"), "pId": "accounts"}, - {"id": "app_change_plan_node", "name": _("App change auth"), "pId": "accounts"}, {"id": "asset_change_plan_node", "name": _("Asset change auth"), "pId": "accounts"}, {"id": "terminal_node", "name": _("Terminal setting"), "pId": "view_setting"}, + {'id': "task_center", "name": _("Task Center"), "pId": "view_console"}, {'id': "my_assets", "name": _("My assets"), "pId": "view_workbench"}, - {'id': "my_apps", "name": _("My apps"), "pId": "view_workbench"}, + {'id': "operation_center", "name": _('Operation Center'), "pId": "view_workbench"}, + {'id': "remote_application", "name": _("Remote application"), "pId": "view_setting"}, ] # 将 model 放到其它节点下,而不是本来的 app 中 special_pid_mapper = { 'common.permission': 'view_other', - "assets.account": "accounts", - "applications.account": "accounts", + 'assets.account': 'accounts', + 'assets.accounttemplate': 'accounts', + 'acls.commandfilteracl': 'perms', + 'acls.commandgroup': 'perms', + 'acls.loginacl': 'perms', + 'acls.loginassetacl': 'perms', 'xpack.account': 'cloud_import', 'xpack.syncinstancedetail': 'cloud_import', 'xpack.syncinstancetask': 'cloud_import', 'xpack.syncinstancetaskexecution': 'cloud_import', + 'terminal.applet': 'remote_application', + 'terminal.applethost': 'remote_application', 'assets.accountbackupplan': "backup_account_node", 'assets.accountbackupplanexecution': "backup_account_node", - 'xpack.applicationchangeauthplan': 'app_change_plan_node', - 'xpack.applicationchangeauthplanexecution': 'app_change_plan_node', - 'xpack.applicationchangeauthplantask': 'app_change_plan_node', 'xpack.changeauthplan': 'asset_change_plan_node', 'xpack.changeauthplanexecution': 'asset_change_plan_node', 'xpack.changeauthplantask': 'asset_change_plan_node', 
"assets.gathereduser": "gather_account_node", - 'xpack.gatherusertask': 'gather_account_node', - 'xpack.gatherusertaskexecution': 'gather_account_node', + "assets.gatheraccountsautomation": "gather_account_node", + "assets.view_gatheraccountsexecution": "gather_account_node", + "assets.add_gatheraccountsexecution": "gather_account_node", + "assets.changesecretautomation": "asset_change_plan_node", + "assets.view_changesecretexecution": "asset_change_plan_node", + "assets.add_changesecretexection": "asset_change_plan_node", + "assets.view_changesecretrecord": "asset_change_plan_node", 'orgs.organization': 'view_setting', 'settings.setting': 'view_setting', 'terminal.terminal': 'terminal_node', @@ -89,15 +95,15 @@ special_pid_mapper = { 'terminal.endpointrule': 'terminal_node', 'audits.ftplog': 'terminal', 'perms.view_myassets': 'my_assets', - 'perms.view_myapps': 'my_apps', 'ops.add_commandexecution': 'view_workbench', 'ops.view_commandexecution': 'audits', - "perms.view_mykubernetsapp": "my_apps", - "perms.connect_mykubernetsapp": "my_apps", - "perms.view_myremoteapp": "my_apps", - "perms.connect_myremoteapp": "my_apps", - "perms.view_mydatabaseapp": "my_apps", - "perms.connect_mydatabaseapp": "my_apps", + 'ops.jobauditlog': 'audits', + 'ops.view_celerytask': 'task_center', + 'ops.view_celerytaskexecution': 'task_center', + 'ops.job': 'operation_center', + 'ops.adhoc': 'operation_center', + 'ops.playbook': 'operation_center', + 'ops.jobexecution': 'operation_center', "xpack.interface": "view_setting", "settings.change_terminal": "terminal_node", "settings.view_setting": "view_setting",