#!/usr/bin/env python3
"""
初始化RBAC数据
创建系统角色和权限
"""
import os
import sys
import traceback
import uuid

# Make the project root importable when the script is run directly from scripts/.
sys.path.insert(0, os.path.dirname(os.path.dirname(os.path.abspath(__file__))))

from app.core.database import SessionLocal
from app.models.permission import Role, Permission

# 系统角色定义
|
||
SYSTEM_ROLES = [
|
||
{
|
||
"name": "admin",
|
||
"description": "系统管理员,拥有所有权限",
|
||
"is_system": True
|
||
},
|
||
{
|
||
"name": "developer",
|
||
"description": "开发者,可以创建和管理工作流、Agent",
|
||
"is_system": True
|
||
},
|
||
{
|
||
"name": "viewer",
|
||
"description": "查看者,只能查看工作流和执行记录",
|
||
"is_system": True
|
||
},
|
||
{
|
||
"name": "operator",
|
||
"description": "操作员,可以执行工作流,但不能修改",
|
||
"is_system": True
|
||
}
|
||
]
# 权限定义
|
||
PERMISSIONS = [
|
||
# 工作流权限
|
||
{"name": "工作流-创建", "code": "workflow:create", "resource": "workflow", "action": "create", "description": "创建工作流"},
|
||
{"name": "工作流-查看", "code": "workflow:read", "resource": "workflow", "action": "read", "description": "查看工作流"},
|
||
{"name": "工作流-更新", "code": "workflow:update", "resource": "workflow", "action": "update", "description": "更新工作流"},
|
||
{"name": "工作流-删除", "code": "workflow:delete", "resource": "workflow", "action": "delete", "description": "删除工作流"},
|
||
{"name": "工作流-执行", "code": "workflow:execute", "resource": "workflow", "action": "execute", "description": "执行工作流"},
|
||
{"name": "工作流-分享", "code": "workflow:share", "resource": "workflow", "action": "share", "description": "分享工作流"},
|
||
|
||
# Agent权限
|
||
{"name": "Agent-创建", "code": "agent:create", "resource": "agent", "action": "create", "description": "创建Agent"},
|
||
{"name": "Agent-查看", "code": "agent:read", "resource": "agent", "action": "read", "description": "查看Agent"},
|
||
{"name": "Agent-更新", "code": "agent:update", "resource": "agent", "action": "update", "description": "更新Agent"},
|
||
{"name": "Agent-删除", "code": "agent:delete", "resource": "agent", "action": "delete", "description": "删除Agent"},
|
||
{"name": "Agent-执行", "code": "agent:execute", "resource": "agent", "action": "execute", "description": "执行Agent"},
|
||
{"name": "Agent-部署", "code": "agent:deploy", "resource": "agent", "action": "deploy", "description": "部署Agent"},
|
||
|
||
# 执行权限
|
||
{"name": "执行-查看", "code": "execution:read", "resource": "execution", "action": "read", "description": "查看执行记录"},
|
||
{"name": "执行-取消", "code": "execution:cancel", "resource": "execution", "action": "cancel", "description": "取消执行"},
|
||
|
||
# 数据源权限
|
||
{"name": "数据源-创建", "code": "data_source:create", "resource": "data_source", "action": "create", "description": "创建数据源"},
|
||
{"name": "数据源-查看", "code": "data_source:read", "resource": "data_source", "action": "read", "description": "查看数据源"},
|
||
{"name": "数据源-更新", "code": "data_source:update", "resource": "data_source", "action": "update", "description": "更新数据源"},
|
||
{"name": "数据源-删除", "code": "data_source:delete", "resource": "data_source", "action": "delete", "description": "删除数据源"},
|
||
|
||
# 模型配置权限
|
||
{"name": "模型配置-创建", "code": "model_config:create", "resource": "model_config", "action": "create", "description": "创建模型配置"},
|
||
{"name": "模型配置-查看", "code": "model_config:read", "resource": "model_config", "action": "read", "description": "查看模型配置"},
|
||
{"name": "模型配置-更新", "code": "model_config:update", "resource": "model_config", "action": "update", "description": "更新模型配置"},
|
||
{"name": "模型配置-删除", "code": "model_config:delete", "resource": "model_config", "action": "delete", "description": "删除模型配置"},
|
||
|
||
# 权限管理权限
|
||
{"name": "权限-管理", "code": "permission:manage", "resource": "permission", "action": "manage", "description": "管理权限和角色"},
|
||
]
# 角色权限映射
|
||
ROLE_PERMISSIONS = {
|
||
"admin": ["*"], # 所有权限
|
||
"developer": [
|
||
"workflow:create", "workflow:read", "workflow:update", "workflow:delete", "workflow:execute", "workflow:share",
|
||
"agent:create", "agent:read", "agent:update", "agent:delete", "agent:execute", "agent:deploy",
|
||
"execution:read", "execution:cancel",
|
||
"data_source:create", "data_source:read", "data_source:update", "data_source:delete",
|
||
"model_config:create", "model_config:read", "model_config:update", "model_config:delete"
|
||
],
|
||
"viewer": [
|
||
"workflow:read",
|
||
"agent:read",
|
||
"execution:read",
|
||
"data_source:read",
|
||
"model_config:read"
|
||
],
|
||
"operator": [
|
||
"workflow:read", "workflow:execute",
|
||
"agent:read", "agent:execute",
|
||
"execution:read", "execution:cancel"
|
||
]
|
||
}
def init_rbac_data():
|
||
"""初始化RBAC数据"""
|
||
db = SessionLocal()
|
||
try:
|
||
print("=" * 60)
|
||
print("初始化RBAC数据")
|
||
print("=" * 60)
|
||
print()
|
||
|
||
# 创建权限
|
||
print("创建权限...")
|
||
permission_map = {}
|
||
for perm_data in PERMISSIONS:
|
||
existing = db.query(Permission).filter(Permission.code == perm_data["code"]).first()
|
||
if existing:
|
||
print(f" 权限已存在: {perm_data['code']}")
|
||
permission_map[perm_data["code"]] = existing
|
||
else:
|
||
permission = Permission(
|
||
id=str(uuid.uuid4()),
|
||
name=perm_data["name"],
|
||
code=perm_data["code"],
|
||
resource=perm_data["resource"],
|
||
action=perm_data["action"],
|
||
description=perm_data["description"]
|
||
)
|
||
db.add(permission)
|
||
permission_map[perm_data["code"]] = permission
|
||
print(f" ✅ 创建权限: {perm_data['code']}")
|
||
|
||
db.commit()
|
||
print()
|
||
|
||
# 创建角色
|
||
print("创建角色...")
|
||
role_map = {}
|
||
for role_data in SYSTEM_ROLES:
|
||
existing = db.query(Role).filter(Role.name == role_data["name"]).first()
|
||
if existing:
|
||
print(f" 角色已存在: {role_data['name']}")
|
||
role_map[role_data["name"]] = existing
|
||
else:
|
||
role = Role(
|
||
id=str(uuid.uuid4()),
|
||
name=role_data["name"],
|
||
description=role_data["description"],
|
||
is_system=role_data["is_system"]
|
||
)
|
||
db.add(role)
|
||
role_map[role_data["name"]] = role
|
||
print(f" ✅ 创建角色: {role_data['name']}")
|
||
|
||
db.commit()
|
||
print()
|
||
|
||
# 分配权限给角色
|
||
print("分配权限给角色...")
|
||
for role_name, permission_codes in ROLE_PERMISSIONS.items():
|
||
role = role_map.get(role_name)
|
||
if not role:
|
||
continue
|
||
|
||
if permission_codes == ["*"]:
|
||
# 管理员拥有所有权限
|
||
role.permissions = list(permission_map.values())
|
||
print(f" ✅ {role_name}: 分配所有权限")
|
||
else:
|
||
# 分配指定权限
|
||
permissions = [permission_map[code] for code in permission_codes if code in permission_map]
|
||
role.permissions = permissions
|
||
print(f" ✅ {role_name}: 分配 {len(permissions)} 个权限")
|
||
|
||
db.commit()
|
||
print()
|
||
|
||
print("=" * 60)
|
||
print("✅ RBAC数据初始化完成!")
|
||
print("=" * 60)
|
||
|
||
except Exception as e:
|
||
db.rollback()
|
||
print(f"❌ 初始化失败: {e}")
|
||
import traceback
|
||
traceback.print_exc()
|
||
finally:
|
||
db.close()
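if __name__ == "__main__":
    # Surface a failed seed as a non-zero exit status so a deploy/CI step
    # cannot treat a half-seeded RBAC table as success. Only an explicit
    # False counts as failure; a None result (older init_rbac_data that
    # reports nothing) still exits 0 as before.
    if init_rbac_data() is False:
        sys.exit(1)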