Fix rbac (#7737)

* perf: 修改 rbac role bingding

* fix: suggestion perm

* perf: 修改 requirements

* perf: 修改 rbac

* fix: auditor_perms

Co-authored-by: feng626 <1304903146@qq.com>

apps/assets/api/asset.py

@@ -54,6 +54,9 @@ class AssetViewSet(SuggestionMixin, FilterAssetByNodeMixin, OrgBulkModelViewSet)
         'default': serializers.AssetSerializer,
         'suggestion': serializers.MiniAssetSerializer
     }
+    rbac_perms = {
+        'match': 'assets.match_asset'
+    }
     extra_filter_backends = [FilterAssetByNodeFilterBackend, LabelFilterBackend, IpInFilterBackend]
 
     def set_assets_node(self, assets):

apps/assets/api/node.py

@@ -46,6 +46,9 @@ class NodeViewSet(SuggestionMixin, OrgBulkModelViewSet):
     filterset_fields = ('value', 'key', 'id')
     search_fields = ('value', )
     serializer_class = serializers.NodeSerializer
+    rbac_perms = {
+        'match': 'assets.match_node'
+    }
 
     @action(methods=[POST], detail=False, url_path='check_assets_amount_task')
     def check_assets_amount_task(self, request):

apps/assets/api/system_user.py

@@ -47,7 +47,8 @@ class SystemUserViewSet(SuggestionMixin, OrgBulkModelViewSet):
     ordering = ('name', )
     rbac_perms = {
         'su_from': 'assets.view_systemuser',
-        'su_to': 'assets.view_systemuser'
+        'su_to': 'assets.view_systemuser',
+        'match': 'assets.match_systemuser'
     }
 
     @action(methods=['get'], detail=False, url_path='su-from')

apps/assets/migrations/0088_auto_20220303_1612.py

@@ -0,0 +1,25 @@
+# Generated by Django 3.1.14 on 2022-03-03 08:12
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0087_auto_20220223_1539'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='asset',
+            options={'ordering': ['hostname'], 'permissions': [('test_assetconnectivity', 'Can test asset connectivity'), ('push_assetsystemuser', 'Can push system user to asset'), ('match_asset', 'Can match asset')], 'verbose_name': 'Asset'},
+        ),
+        migrations.AlterModelOptions(
+            name='node',
+            options={'ordering': ['parent_key', 'value'], 'permissions': [('match_node', 'Can match node')], 'verbose_name': 'Node'},
+        ),
+        migrations.AlterModelOptions(
+            name='systemuser',
+            options={'ordering': ['name'], 'permissions': [('match_systemuser', 'Can match system user')], 'verbose_name': 'System user'},
+        ),
+    ]

apps/assets/models/asset.py

@@ -357,4 +357,5 @@ class Asset(AbsConnectivity, AbsHardwareInfo, ProtocolsMixin, NodesRelationMixin
         permissions = [
             ('test_assetconnectivity', _('Can test asset connectivity')),
             ('push_assetsystemuser', _('Can push system user to asset')),
+            ('match_asset', _('Can match asset')),
         ]

apps/assets/models/node.py

@@ -558,6 +558,9 @@ class Node(OrgModelMixin, SomeNodesMixin, FamilyMixin, NodeAssetsMixin):
     class Meta:
         verbose_name = _("Node")
         ordering = ['parent_key', 'value']
+        permissions = [
+            ('match_node', _('Can match node')),
+        ]
 
     def __str__(self):
         return self.full_value

apps/assets/models/user.py

@@ -323,6 +323,9 @@ class SystemUser(ProtocolMixin, AuthMixin, BaseUser):
         ordering = ['name']
         unique_together = [('name', 'org_id')]
         verbose_name = _("System user")
+        permissions = [
+            ('match_systemuser', _('Can match system user')),
+        ]
 
 
 # Deprecated: 准备废弃

apps/rbac/builtin.py

@@ -4,18 +4,27 @@ from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
 
 auditor_perms = (
+    ('rbac', 'menupermission', 'view', 'auditview'),
+    ('perms', 'assetpermission', 'view,connect', 'myassets'),
+    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+    ('assets', 'asset', 'match', 'asset'),
+    ('assets', 'systemuser', 'match', 'systemuser'),
+    ('assets', 'node', 'match', 'node'),
     ('common', 'permission', 'view', 'resourcestatistics'),
     ('audits', '*', '*', '*'),
-    ('rbac', 'menupermission', 'view', 'auditview'),
     ('terminal', 'commandstorage', 'view', 'commandstorage'),
     ('terminal', 'session', '*', '*'),
     ('terminal', 'command', '*', '*'),
+    ('ops', 'commandexecution', 'view', 'commandexecution'),
 )
 
 user_perms = (
     ('rbac', 'menupermission', 'view', 'userview'),
     ('perms', 'assetpermission', 'view,connect', 'myassets'),
     ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+    ('assets', 'asset', 'match', 'asset'),
+    ('assets', 'systemuser', 'match', 'systemuser'),
+    ('assets', 'node', 'match', 'node'),
 )
 
 app_exclude_perms = [

apps/rbac/const.py

@@ -20,6 +20,7 @@ exclude_permissions = (
     ('admin', '*', '*', '*'),
     ('sessions', '*', '*', '*'),
     ('notifications', '*', '*', '*'),
+    ('common', 'setting', '*', '*'),
 
     ('applications', 'applicationuser', '*', '*'),
     ('applications', 'historicalaccount', '*', '*'),
@@ -42,6 +43,8 @@ exclude_permissions = (
     ('perms', 'rebuildusertreetask', '*', '*'),
     ('rbac', 'contenttype', '*', '*'),
     ('rbac', 'permission', 'add,delete,change', 'permission'),
+    ('rbac', 'rolebingding', '*', '*'),
+    ('rbac', 'role', '*', '*'),
     ('ops', 'adhoc', '*', '*'),
     ('ops', 'adhocexecution', '*', '*'),
     ('ops', 'celerytask', '*', '*'),
@@ -74,6 +77,7 @@ only_system_permissions = (
     ('orgs', 'organization', '*', '*'),
     ('xpack', 'license', '*', '*'),
     ('settings', 'setting', '*', '*'),
+    ('terminal', 'terminal', '*', '*'),
 )
 
 only_org_permissions = (

apps/rbac/models/rolebinding.py

@@ -15,9 +15,11 @@ __all__ = ['RoleBinding', 'SystemRoleBinding', 'OrgRoleBinding']
 class RoleBindingManager(models.Manager):
     def get_queryset(self):
         queryset = super(RoleBindingManager, self).get_queryset()
-        q = Q(scope=Scope.system)
+
         if not current_org.is_root():
-            q |= Q(org_id=current_org.id, scope=Scope.org)
+            q = Q(scope=Scope.system) | Q(org_id=current_org.id, scope=Scope.org)
+        else:
+            q = Q()
         queryset = queryset.filter(q)
         return queryset
 
@@ -88,9 +90,9 @@ class OrgRoleBindingManager(models.Manager):
     def get_queryset(self):
         queryset = super().get_queryset()
         if current_org.is_root():
-            return queryset.none()
+            queryset = queryset.filter(scope=Scope.org)
-
+        else:
-        queryset = queryset.filter(org=current_org.id, scope=Scope.org)
+            queryset = queryset.filter(org=current_org.id, scope=Scope.org)
         return queryset
 
 

apps/rbac/tree.py

@@ -126,12 +126,12 @@ extra_nodes_data = [
     },
     {
         "id": "terminal_node",
-        "name": _("Terminal"),
+        "name": _("Terminal setting"),
         "pId": "view_setting"
     }
 ]
 
-special_pid_mapper = {
+special_model_pid_mapper = {
     'common.permission': 'view_other',
     "assets.authbook": "accounts",
     "applications.account": "accounts",
@@ -159,6 +159,14 @@ special_pid_mapper = {
     'terminal.task': 'terminal_node',
 }
 
+model_verbose_name_mapper = {
+    'orgs.organization': _("App organizations"),
+}
+
+xpack_required = [
+    'accounts', 'rbac.'
+]
+
 
 class PermissionTreeUtil:
     get_permissions: Callable
@@ -198,6 +206,8 @@ class PermissionTreeUtil:
             }
             total_count = self.total_counts[app]
             checked_count = self.checked_counts[app]
+            if total_count == 0:
+                continue
             self.total_counts[view] += total_count
             self.checked_counts[view] += checked_count
             node = self._create_node(
@@ -238,14 +248,18 @@ class PermissionTreeUtil:
                 continue
 
             model_id = '{}.{}'.format(ct.app_label, ct.model)
+            # 获取 pid
             app = ct.app_label
-            if special_pid_mapper.get(model_id):
+            if special_model_pid_mapper.get(model_id):
-                app = special_pid_mapper[model_id]
+                app = special_model_pid_mapper[model_id]
-
             self.total_counts[app] += total_count
             self.checked_counts[app] += checked_count
 
+            # 获取 name
             name = f'{ct.name}'
+            if model_verbose_name_mapper.get(model_id):
+                name = model_verbose_name_mapper[model_id]
+
             node = self._create_node({
                 'id': model_id,
                 'name': name,
@@ -354,6 +368,8 @@ class PermissionTreeUtil:
             }
             total_count = self.total_counts[view]
             checked_count = self.checked_counts[view]
+            if total_count == 0:
+                continue
             node = self._create_node(data, total_count, checked_count, 'view')
             nodes.append(node)
         return nodes
@@ -365,6 +381,8 @@ class PermissionTreeUtil:
             pid = data['pId']
             checked_count = self.checked_counts[i]
             total_count = self.total_counts[i]
+            if total_count == 0:
+                continue
             self.total_counts[pid] += total_count
             self.checked_counts[pid] += checked_count
             node = self._create_node(

requirements/requirements.txt

@@ -24,7 +24,7 @@ django-ranged-response==0.2.0
 django-redis-cache==2.1.1
 django-rest-swagger==2.2.0
 django-simple-captcha==0.5.13
-django-timezone-field==4.0
+django-timezone-field==4.1.0
 djangorestframework==3.12.2
 djangorestframework-bulk==0.2.1
 docutils==0.14