Merge pull request #7844 from jumpserver/dev

v2.20.0-rc3
2022-03-15 11:37:30 +08:00 · 2022-03-15 11:37:30 +08:00 · c77f02b295
parent cfed849175 3924ff0114
commit c77f02b295
28 changed files with 436 additions and 471 deletions
--- a/apps/applications/api/account.py
+++ b/apps/applications/api/account.py
@ -7,6 +7,7 @@ from django.db.models import F, Q
 from common.drf.filters import BaseFilterSet
 from common.drf.api import JMSBulkModelViewSet
 from rbac.permissions import RBACPermission
+from assets.models import SystemUser
 from ..models import Account
 from ..hands import NeedMFAVerify
 from .. import serializers
@ -49,6 +50,10 @@ class ApplicationAccountViewSet(JMSBulkModelViewSet):
        return queryset


+class SystemUserAppRelationViewSet(ApplicationAccountViewSet):
+    perm_model = SystemUser
+
+
 class ApplicationAccountSecretViewSet(ApplicationAccountViewSet):
    serializer_class = serializers.AppAccountSecretSerializer
    permission_classes = [RBACPermission, NeedMFAVerify]
--- a/apps/applications/migrations/0017_auto_20220217_2135.py
+++ b/apps/applications/migrations/0017_auto_20220217_2135.py
@ -12,7 +12,7 @@ class Migration(migrations.Migration):
    operations = [
        migrations.AlterModelOptions(
            name='account',
-            options={'permissions': [('view_applicationaccountsecret', 'Can view application account secret'), ('change_appplicationaccountsecret', 'Can view application account secret')], 'verbose_name': 'Application account'},
+            options={'permissions': [('view_applicationaccountsecret', 'Can view application account secret'), ('change_appplicationaccountsecret', 'Can change application account secret')], 'verbose_name': 'Application account'},
        ),
        migrations.AlterModelOptions(
            name='applicationuser',
--- a/apps/applications/models/account.py
+++ b/apps/applications/models/account.py
@ -24,7 +24,7 @@ class Account(BaseUser):
        unique_together = [('username', 'app', 'systemuser')]
        permissions = [
            ('view_applicationaccountsecret', _('Can view application account secret')),
-            ('change_appplicationaccountsecret', _('Can view application account secret')),
+            ('change_appplicationaccountsecret', _('Can change application account secret')),
        ]

    def __init__(self, *args, **kwargs):
--- a/apps/applications/urls/api_urls.py
+++ b/apps/applications/urls/api_urls.py
@ -11,6 +11,7 @@ app_name = 'applications'
 router = BulkRouter()
 router.register(r'applications', api.ApplicationViewSet, 'application')
 router.register(r'accounts', api.ApplicationAccountViewSet, 'application-account')
+router.register(r'system-users-apps-relations', api.SystemUserAppRelationViewSet, 'system-users-apps-relation')
 router.register(r'account-secrets', api.ApplicationAccountSecretViewSet, 'application-account-secret')


--- a/apps/assets/api/accounts.py
+++ b/apps/assets/api/accounts.py
@ -64,7 +64,8 @@ class AccountViewSet(OrgBulkModelViewSet):
        'verify_account': serializers.AssetTaskSerializer
    }
    rbac_perms = {
-        'verify_account': 'assets.add_authbook'
+        'verify_account': 'assets.test_authbook',
+        'PATCH': 'assets.change_assetaccountsecret'
    }

    def get_queryset(self):
--- a/apps/common/mixins/api/action.py
+++ b/apps/common/mixins/api/action.py
@ -38,7 +38,7 @@ class SuggestionMixin:

 class RenderToJsonMixin:
    @action(methods=[POST], detail=False, url_path='render-to-json')
-    def render_to_json(self, request: Request):
+    def render_to_json(self, request: Request, *args, **kwargs):
        data = {
            'title': (),
            'data': request.data,
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:a885732955761c2942989a3e93751709e2be4ec75504bd009406671b93e0bfda
-size 107544
+oid sha256:675f93d2cc6b2049fdafc7f6b70edb8f73bbe132de9b91e98f2ec7acb2e89620
+size 104134
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
--- a/apps/ops/api/command.py
+++ b/apps/ops/api/command.py
@ -10,6 +10,7 @@ from django.conf import settings
 from assets.models import Asset, Node
 from orgs.mixins.api import RootOrgViewMixin
 from common.permissions import IsValidUser
+from rbac.permissions import RBACPermission
 from ..models import CommandExecution
 from ..serializers import CommandExecutionSerializer
 from ..tasks import run_command_execution
@ -17,12 +18,10 @@ from ..tasks import run_command_execution

 class CommandExecutionViewSet(RootOrgViewMixin, viewsets.ModelViewSet):
    serializer_class = CommandExecutionSerializer
-    permission_classes = (IsValidUser,)
+    permission_classes = (RBACPermission,)

    def get_queryset(self):
-        return CommandExecution.objects.filter(
-            user_id=str(self.request.user.id)
-        )
+        return CommandExecution.objects.filter(user_id=str(self.request.user.id))

    def check_hosts(self, serializer):
        data = serializer.validated_data
@ -36,11 +35,7 @@ class CommandExecutionViewSet(RootOrgViewMixin, viewsets.ModelViewSet):
        )

        permed_assets = set()
-        permed_assets.update(
-            Asset.objects.filter(
-                id__in=[a.id for a in assets]
-            ).filter(q).distinct()
-        )
+        permed_assets.update(Asset.objects.filter(id__in=[a.id for a in assets]).filter(q).distinct())
        node_keys = Node.objects.filter(q).distinct().values_list('key', flat=True)

        nodes_assets_q = Q()
--- a/apps/perms/api/application/user_permission/common.py
+++ b/apps/perms/api/application/user_permission/common.py
@ -16,7 +16,7 @@ from perms.utils.application.permission import (
    get_application_system_user_ids,
    validate_permission,
 )
-from .mixin import RoleAdminMixin, RoleUserMixin
+from .mixin import AppRoleAdminMixin, AppRoleUserMixin
 from perms.hands import User, SystemUser
 from perms import serializers

@ -45,11 +45,11 @@ class BaseGrantedApplicationSystemUsersApi(ListAPIView):
        return system_users


-class UserGrantedApplicationSystemUsersApi(RoleAdminMixin, BaseGrantedApplicationSystemUsersApi):
+class UserGrantedApplicationSystemUsersApi(AppRoleAdminMixin, BaseGrantedApplicationSystemUsersApi):
    pass


-class MyGrantedApplicationSystemUsersApi(RoleUserMixin, BaseGrantedApplicationSystemUsersApi):
+class MyGrantedApplicationSystemUsersApi(AppRoleUserMixin, BaseGrantedApplicationSystemUsersApi):
    pass


--- a/apps/perms/api/application/user_permission/mixin.py
+++ b/apps/perms/api/application/user_permission/mixin.py
@ -6,7 +6,7 @@ from common.mixins.api import RoleUserMixin as _RoleUserMixin
 from orgs.utils import tmp_to_root_org


-class RoleAdminMixin(_RoleAdminMixin):
+class AppRoleAdminMixin(_RoleAdminMixin):
    rbac_perms = (
        ('list', 'perms.view_userapp'),
        ('retrieve', 'perms.view_userapps'),
@ -15,7 +15,7 @@ class RoleAdminMixin(_RoleAdminMixin):
    )


-class RoleUserMixin(_RoleUserMixin):
+class AppRoleUserMixin(_RoleUserMixin):
    rbac_perms = (
        ('list', 'perms.view_myapps'),
        ('retrieve', 'perms.view_myapps'),
--- a/apps/perms/api/application/user_permission/user_permission_applications.py
+++ b/apps/perms/api/application/user_permission/user_permission_applications.py
@ -9,7 +9,7 @@ from applications.api.mixin import (
    SerializeApplicationToTreeNodeMixin
 )
 from perms import serializers
-from perms.api.asset.user_permission.mixin import RoleAdminMixin, RoleUserMixin
+from .mixin import AppRoleAdminMixin, AppRoleUserMixin
 from perms.utils.application.user_permission import (
    get_user_granted_all_applications
 )
@ -41,11 +41,11 @@ class AllGrantedApplicationsMixin(CommonApiMixin, ListAPIView):
        return queryset.only(*self.only_fields)


-class UserAllGrantedApplicationsApi(RoleAdminMixin, AllGrantedApplicationsMixin):
+class UserAllGrantedApplicationsApi(AppRoleAdminMixin, AllGrantedApplicationsMixin):
    pass


-class MyAllGrantedApplicationsApi(RoleUserMixin, AllGrantedApplicationsMixin):
+class MyAllGrantedApplicationsApi(AppRoleUserMixin, AllGrantedApplicationsMixin):
    pass


--- a/apps/perms/api/asset/user_permission/mixin.py
+++ b/apps/perms/api/asset/user_permission/mixin.py
@ -20,7 +20,7 @@ class PermBaseMixin:
        return super().get(request, *args, **kwargs)


-class RoleAdminMixin(PermBaseMixin, _RoleAdminMixin):
+class AssetRoleAdminMixin(PermBaseMixin, _RoleAdminMixin):
    rbac_perms = (
        ('list', 'perms.view_userassets'),
        ('retrieve', 'perms.view_userassets'),
@ -29,7 +29,7 @@ class RoleAdminMixin(PermBaseMixin, _RoleAdminMixin):
    )


-class RoleUserMixin(PermBaseMixin, _RoleUserMixin):
+class AssetRoleUserMixin(PermBaseMixin, _RoleUserMixin):
    rbac_perms = (
        ('list', 'perms.view_myassets'),
        ('retrieve', 'perms.view_myassets'),
--- a/apps/perms/api/asset/user_permission/user_permission_assets/views.py
+++ b/apps/perms/api/asset/user_permission/user_permission_assets/views.py
@ -2,7 +2,7 @@ from rest_framework.generics import ListAPIView
 from django.conf import settings

 from common.utils import get_logger
-from ..mixin import RoleAdminMixin, RoleUserMixin
+from ..mixin import AssetRoleAdminMixin, AssetRoleUserMixin
 from .mixin import (
    UserAllGrantedAssetsQuerysetMixin, UserDirectGrantedAssetsQuerysetMixin, UserFavoriteGrantedAssetsMixin,
    UserGrantedNodeAssetsMixin, AssetsSerializerFormatMixin, AssetsTreeFormatMixin,
@ -19,42 +19,42 @@ logger = get_logger(__name__)


 class UserDirectGrantedAssetsForAdminApi(UserDirectGrantedAssetsQuerysetMixin,
-                                         RoleAdminMixin,
+                                         AssetRoleAdminMixin,
                                         AssetsSerializerFormatMixin,
                                         ListAPIView):
    pass


 class MyDirectGrantedAssetsApi(UserDirectGrantedAssetsQuerysetMixin,
-                               RoleUserMixin,
+                               AssetRoleUserMixin,
                               AssetsSerializerFormatMixin,
                               ListAPIView):
    pass


 class UserFavoriteGrantedAssetsForAdminApi(UserFavoriteGrantedAssetsMixin,
-                                           RoleAdminMixin,
+                                           AssetRoleAdminMixin,
                                           AssetsSerializerFormatMixin,
                                           ListAPIView):
    pass


 class MyFavoriteGrantedAssetsApi(UserFavoriteGrantedAssetsMixin,
-                                 RoleUserMixin,
+                                 AssetRoleUserMixin,
                                 AssetsSerializerFormatMixin,
                                 ListAPIView):
    pass


 class UserDirectGrantedAssetsAsTreeForAdminApi(UserDirectGrantedAssetsQuerysetMixin,
-                                               RoleAdminMixin,
+                                               AssetRoleAdminMixin,
                                               AssetsTreeFormatMixin,
                                               ListAPIView):
    pass


 class MyUngroupAssetsAsTreeApi(UserDirectGrantedAssetsQuerysetMixin,
-                               RoleUserMixin,
+                               AssetRoleUserMixin,
                               AssetsTreeFormatMixin,
                               ListAPIView):
    def get_queryset(self):
@ -65,34 +65,34 @@ class MyUngroupAssetsAsTreeApi(UserDirectGrantedAssetsQuerysetMixin,


 class UserAllGrantedAssetsApi(UserAllGrantedAssetsQuerysetMixin,
-                              RoleAdminMixin,
+                              AssetRoleAdminMixin,
                              AssetsSerializerFormatMixin,
                              ListAPIView):
    pass


 class MyAllGrantedAssetsApi(UserAllGrantedAssetsQuerysetMixin,
-                            RoleUserMixin,
+                            AssetRoleUserMixin,
                            AssetsSerializerFormatMixin,
                            ListAPIView):
    pass


 class MyAllAssetsAsTreeApi(UserAllGrantedAssetsQuerysetMixin,
-                           RoleUserMixin,
+                           AssetRoleUserMixin,
                           AssetsTreeFormatMixin,
                           ListAPIView):
    pass


-class UserGrantedNodeAssetsForAdminApi(RoleAdminMixin,
+class UserGrantedNodeAssetsForAdminApi(AssetRoleAdminMixin,
                                       UserGrantedNodeAssetsMixin,
                                       AssetsSerializerFormatMixin,
                                       ListAPIView):
    pass


-class MyGrantedNodeAssetsApi(RoleUserMixin,
+class MyGrantedNodeAssetsApi(AssetRoleUserMixin,
                             UserGrantedNodeAssetsMixin,
                             AssetsSerializerFormatMixin,
                             ListAPIView):
--- a/apps/perms/api/asset/user_permission/user_permission_nodes.py
+++ b/apps/perms/api/asset/user_permission/user_permission_nodes.py
@ -9,7 +9,7 @@ from rest_framework.request import Request

 from assets.api.mixin import SerializeToTreeNodeMixin
 from common.utils import get_logger
-from .mixin import RoleAdminMixin, RoleUserMixin
+from .mixin import AssetRoleAdminMixin, AssetRoleUserMixin
 from perms.hands import User
 from perms import serializers

@ -100,33 +100,33 @@ class UserGrantedNodesMixin:

 # ------------------------------------------
 # 最终的 api
-class UserGrantedNodeChildrenForAdminApi(RoleAdminMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenApi):
+class UserGrantedNodeChildrenForAdminApi(AssetRoleAdminMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenApi):
    pass


-class MyGrantedNodeChildrenApi(RoleUserMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenApi):
+class MyGrantedNodeChildrenApi(AssetRoleUserMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenApi):
    pass


-class UserGrantedNodeChildrenAsTreeForAdminApi(RoleAdminMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenAsTreeApi):
+class UserGrantedNodeChildrenAsTreeForAdminApi(AssetRoleAdminMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenAsTreeApi):
    pass


-class MyGrantedNodeChildrenAsTreeApi(RoleUserMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenAsTreeApi):
+class MyGrantedNodeChildrenAsTreeApi(AssetRoleUserMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenAsTreeApi):
    def get_permissions(self):
        permissions = super().get_permissions()
        return permissions


-class UserGrantedNodesForAdminApi(RoleAdminMixin, UserGrantedNodesMixin, BaseGrantedNodeApi):
+class UserGrantedNodesForAdminApi(AssetRoleAdminMixin, UserGrantedNodesMixin, BaseGrantedNodeApi):
    pass


-class MyGrantedNodesApi(RoleUserMixin, UserGrantedNodesMixin, BaseGrantedNodeApi):
+class MyGrantedNodesApi(AssetRoleUserMixin, UserGrantedNodesMixin, BaseGrantedNodeApi):
    pass


-class MyGrantedNodesAsTreeApi(RoleUserMixin, UserGrantedNodesMixin, BaseGrantedNodeAsTreeApi):
+class MyGrantedNodesAsTreeApi(AssetRoleUserMixin, UserGrantedNodesMixin, BaseGrantedNodeAsTreeApi):
    pass

 # ------------------------------------------
--- a/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
+++ b/apps/perms/api/asset/user_permission/user_permission_nodes_with_assets.py
@ -10,7 +10,7 @@ from common.utils.common import timeit
 from orgs.utils import tmp_to_root_org
 from common.permissions import IsValidUser
 from common.utils import get_logger, get_object_or_none
-from .mixin import RoleUserMixin, RoleAdminMixin
+from .mixin import AssetRoleUserMixin, AssetRoleAdminMixin
 from perms.utils.asset.user_permission import (
    UserGrantedTreeBuildUtils, get_user_all_asset_perm_ids,
    UserGrantedNodesQueryUtils, UserGrantedAssetsQueryUtils,
@ -146,9 +146,9 @@ class GrantedNodeChildrenWithAssetsAsTreeApiMixin(SerializeToTreeNodeMixin,
        return Response(data=[*tree_nodes, *tree_assets])


-class UserGrantedNodeChildrenWithAssetsAsTreeApi(RoleAdminMixin, GrantedNodeChildrenWithAssetsAsTreeApiMixin):
+class UserGrantedNodeChildrenWithAssetsAsTreeApi(AssetRoleAdminMixin, GrantedNodeChildrenWithAssetsAsTreeApiMixin):
    pass


-class MyGrantedNodeChildrenWithAssetsAsTreeApi(RoleUserMixin, GrantedNodeChildrenWithAssetsAsTreeApiMixin):
+class MyGrantedNodeChildrenWithAssetsAsTreeApi(AssetRoleUserMixin, GrantedNodeChildrenWithAssetsAsTreeApiMixin):
    pass
--- a/apps/perms/migrations/0026_auto_20220307_1500.py
+++ b/apps/perms/migrations/0026_auto_20220307_1500.py
@ -18,7 +18,7 @@ class Migration(migrations.Migration):
            ],
            options={
                'verbose_name': 'Permed asset',
-                'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')],
+                'permissions': [('view_myassets', 'Can view my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')],
                'proxy': True,
                'indexes': [],
                'constraints': [],
--- a/apps/perms/migrations/0027_auto_20220310_1802.py
+++ b/apps/perms/migrations/0027_auto_20220310_1802.py
@ -17,7 +17,7 @@ class Migration(migrations.Migration):
            ],
            options={
                'verbose_name': 'Permed application',
-                'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
+                'permissions': [('view_myapps', 'Can view my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
                'proxy': True,
                'default_permissions': [],
                'indexes': [],
--- a/apps/perms/models/application_permission.py
+++ b/apps/perms/models/application_permission.py
@ -113,7 +113,6 @@ class PermedApplication(Application):
        default_permissions = []
        permissions = [
            ('view_myapps', 'Can view my apps'),
-            ('connect_myapps', 'Can connect my apps'),
            ('view_userapps', _('Can view user apps')),
            ('view_usergroupapps', _('Can view usergroup apps')),
        ]
--- a/apps/perms/models/asset_permission.py
+++ b/apps/perms/models/asset_permission.py
@ -185,7 +185,6 @@ class PermedAsset(Asset):
        verbose_name = _('Permed asset')
        permissions = [
            ('view_myassets', _('Can view my assets')),
-            ('connect_myassets', _('Can connect my assets')),
            ('view_userassets', _('Can view user assets')),
            ('view_usergroupassets', _('Can view usergroup assets')),
        ]
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@ -11,7 +11,6 @@ exclude_permissions = (
    # ('App', 'Model', 'Action', 'Resource') Model 和 Resource 可能不同
    # users.add_user
    ('auth', '*', '*', '*'),
-    ('authentication', 'loginconfirmsetting', '*', '*'),
    ('captcha', '*', '*', '*'),
    ('contenttypes', '*', '*', '*'),
    ('django_cas_ng', '*', '*', '*'),
@ -30,6 +29,7 @@ exclude_permissions = (
    ('users', 'userpasswordhistory', '*', '*'),
    ('applications', 'applicationuser', '*', '*'),
    ('applications', 'historicalaccount', '*', '*'),
+    ('applications', 'account', 'add,change', 'account'),
    ('assets', 'adminuser', '*', '*'),
    ('assets', 'assetgroup', '*', '*'),
    ('assets', 'cluster', '*', '*'),
@ -38,9 +38,7 @@ exclude_permissions = (
    ('assets', 'assetuser', '*', '*'),
    ('assets', 'gathereduser', 'add,delete,change', 'gathereduser'),
    ('assets', 'accountbackupplanexecution', 'delete,change', 'accountbackupplanexecution'),
-    ('perms', 'databaseapppermission', '*', '*'),
-    ('perms', 'k8sapppermission', '*', '*'),
-    ('perms', 'remoteapppermission', '*', '*'),
+    ('assets', 'authbook', 'add,change', 'authbook'),
    ('perms', 'userassetgrantedtreenoderelation', '*', '*'),
    ('perms', 'usergrantedmappingnode', '*', '*'),
    ('perms', 'permnode', '*', '*'),
@ -51,7 +49,7 @@ exclude_permissions = (
    ('rbac', 'permission', 'add,delete,change', 'permission'),
    ('rbac', 'rolebinding', '*', '*'),
    ('rbac', 'role', '*', '*'),
-    ('ops', 'adhoc', '*', '*'),
+    ('ops', 'adhoc', 'delete,change', '*'),
    ('ops', 'adhocexecution', 'delete,change', '*'),
    ('ops', 'celerytask', '*', '*'),
    ('ops', 'task', 'add,change', 'task'),
@ -74,11 +72,13 @@ exclude_permissions = (
    ('xpack', 'license', '*', '*'),
    ('xpack', 'syncinstancedetail', 'add,delete,change', 'syncinstancedetail'),
    ('xpack', 'syncinstancetaskexecution', 'add,delete,change', 'syncinstancetaskexecution'),
+    ('xpack', 'changeauthplanexecution', 'add,delete,change', 'changeauthplanexecution'),
+    ('xpack', 'changeauthplantask', 'add,delete', 'changeauthplantask'),
    ('common', 'permission', 'add,delete,view,change', 'permission'),
    ('terminal', 'command', 'delete,change', 'command'),
    ('terminal', 'status', 'delete,change', 'status'),
    ('terminal', 'sessionjoinrecord', 'delete', 'sessionjoinrecord'),
-    ('terminal', 'sessionreplay', 'delete', 'sessionreplay'),
+    ('terminal', 'sessionreplay', 'add,change,delete', 'sessionreplay'),
    ('terminal', 'session', 'delete', 'session'),
    ('terminal', 'session', 'delete,change', 'command'),
 )
--- a/apps/rbac/migrations/0007_auto_20220314_1525.py
+++ b/apps/rbac/migrations/0007_auto_20220314_1525.py
@ -0,0 +1,30 @@
+# Generated by Django 3.1.14 on 2022-03-14 07:25
+
+from django.db import migrations
+
+
+def migrate_old_permissions(apps, *args):
+    ContentType = apps.get_model('rbac', 'ContentType')
+    content_type_delete_required = [
+        ('common', 'permission'),
+        ('applications', 'databaseapp'),
+        ('applications', 'k8sapp'),
+        ('applications', 'remoteapp'),
+        ('perms', 'databaseapppermission'),
+        ('perms', 'k8sapppermission'),
+        ('perms', 'remoteapppermission'),
+        ('authentication', 'loginconfirmsetting'),
+    ]
+    for app, model in content_type_delete_required:
+        ContentType.objects.filter(app_label=app, model=model).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0006_auto_20220310_0616'),
+    ]
+
+    operations = [
+        migrations.RunPython(migrate_old_permissions)
+    ]
--- a/apps/rbac/models/permission.py
+++ b/apps/rbac/models/permission.py
@ -14,6 +14,10 @@ class ContentType(DjangoContentType):
    class Meta:
        proxy = True

+    @property
+    def app_model(self):
+        return '%s.%s' % (self.app_label, self.model)
+

 class Permission(DjangoPermission):
    """ 权限类 """
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@ -72,7 +72,7 @@ special_pid_mapper = {
    'xpack.applicationchangeauthplanexecution': 'app_change_plan_node',
    'xpack.applicationchangeauthplantask': 'app_change_plan_node',
    'xpack.changeauthplan': 'asset_change_plan_node',
-    'xpack.changeauthplanexecution': 'gather_account_node',
+    'xpack.changeauthplanexecution': 'asset_change_plan_node',
    'xpack.changeauthplantask': 'asset_change_plan_node',
    "assets.gathereduser": "gather_account_node",
    'xpack.gatherusertask': 'gather_account_node',
@ -87,10 +87,9 @@ special_pid_mapper = {
    'audits.ftplog': 'terminal',
    'rbac.menupermission': 'view_other',
    'perms.view_myassets': 'my_assets',
-    'perms.connect_myassets': 'my_assets',
    'perms.view_myapps': 'my_apps',
-    'perms.connect_myapps': 'my_apps',
-    'ops.commandexecution': 'view_workspace',
+    'ops.add_commandexecution': 'view_workspace',
+    'ops.view_commandexecution': 'audits',
    "perms.view_mykubernetsapp": "my_apps",
    "perms.connect_mykubernetsapp": "my_apps",
    "perms.view_myremoteapp": "my_apps",
@ -123,28 +122,30 @@ xpack_nodes = [


 def _sort_action(node):
-    value = 0
+    if node.isParent:
+        return ['zz', 0]

-    if 'view' in node.title:
-        value += 2
-    elif 'add' in node.title:
-        value += 4
-    elif 'change' in node.title:
-        value += 6
-    elif 'delete' in node.title:
-        value += 8
-    else:
-        value += 10
-    return value
+    action_resource = node.title.split('.')[-1]
+    action, resource = action_resource.split('_', 2)
+    action_value_mapper = {
+        'view': 2,
+        'add': 4,
+        'change': 6,
+        'delete': 8
+    }
+    v = action_value_mapper.get(action, 10)
+    return [resource, v]


 def sort_nodes(node):
-    value = 0
+    value = []

    if node.isParent:
-        value += 50
+        value.append(50)
    else:
-        value += _sort_action(node)
+        value.append(0)
+
+    value.extend(_sort_action(node))
    return value


@ -263,6 +264,7 @@ class PermissionTreeUtil:

    @staticmethod
    def _get_permission_name(p, content_types_name_mapper):
+        p: Permission
        code_name = p.codename
        action_mapper = {
            'add': ugettext('Create'),
@ -285,8 +287,9 @@ class PermissionTreeUtil:
            name = action_mapper['delete']
            ct = code_name.replace('delete_', '')

-        if ct in content_types_name_mapper:
-            name += content_types_name_mapper[ct]
+        app_model = '%s.%s' % (p.content_type.app_label, ct)
+        if app_model in content_types_name_mapper:
+            name += content_types_name_mapper[app_model]
        else:
            name = gettext(p.name)
            name = name.replace('Can ', '').replace('可以', '')
@ -296,7 +299,7 @@ class PermissionTreeUtil:
        permissions_id = self.permissions.values_list('id', flat=True)
        nodes = []
        content_types = ContentType.objects.all()
-        content_types_name_mapper = {ct.model: ct.name for ct in content_types}
+        content_types_name_mapper = {ct.app_model: ct.name for ct in content_types}

        for p in self.all_permissions:
            model_id = f'{p.app}.{p.model}'
--- a/apps/settings/migrations/0005_auto_20220310_0616.py
+++ b/apps/settings/migrations/0005_auto_20220310_0616.py
@ -12,6 +12,6 @@ class Migration(migrations.Migration):
    operations = [
        migrations.AlterModelOptions(
            name='setting',
-            options={'permissions': [('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_systemmsgsubscription', 'Can sys msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'},
+            options={'permissions': [('change_email', 'Can change email setting'), ('change_auth', 'Can change auth setting'), ('change_systemmsgsubscription', 'Can change system msg sub setting'), ('change_sms', 'Can change sms setting'), ('change_security', 'Can change security setting'), ('change_clean', 'Can change clean setting'), ('change_interface', 'Can change interface setting'), ('change_license', 'Can change license setting'), ('change_terminal', 'Can change terminal setting'), ('change_other', 'Can change other setting')], 'verbose_name': 'System setting'},
        ),
    ]
--- a/apps/settings/models.py
+++ b/apps/settings/models.py
@ -141,7 +141,7 @@ class Setting(models.Model):
        permissions = [
            ('change_email', _('Can change email setting')),
            ('change_auth', _('Can change auth setting')),
-            ('change_systemmsgsubscription', _('Can sys msg sub setting')),
+            ('change_systemmsgsubscription', _('Can change system msg sub setting')),
            ('change_sms', _('Can change sms setting')),
            ('change_security', _('Can change security setting')),
            ('change_clean', _('Can change clean setting')),
--- a/apps/terminal/api/session.py
+++ b/apps/terminal/api/session.py
@ -126,7 +126,7 @@ class SessionReplayViewSet(AsyncApiMixin, viewsets.ViewSet):
    session = None
    rbac_perms = {
        'create': 'terminal.upload_sessionreplay',
-        'retrieve': 'terminal.download_sessionreplay',
+        'retrieve': 'terminal.view_sessionreplay',
    }

    def create(self, request, *args, **kwargs):
--- a/utils/clean_db_content_types.py
+++ b/utils/clean_db_content_types.py
@ -22,6 +22,9 @@ def clean_db_content_types():
        ContentType.objects.filter(app_label=app, model=model).delete()

    permissions_delete_required = [
+        ('perms', 'permedasset', 'connect_myassets'),
+        ('perms', 'permedapplication', 'connect_myapps'),
+
        ('perms', 'assetpermission', 'connect_myassets'),
        ('perms', 'assetpermission', 'view_myassets'),
        ('perms', 'assetpermission', 'view_userassets'),