diff --git a/api/controllers/console/app/app.py b/api/controllers/console/app/app.py
index 07d71d4225a..ff1eeeb8907 100644
--- a/api/controllers/console/app/app.py
+++ b/api/controllers/console/app/app.py
@@ -1094,7 +1094,7 @@ class AppTraceApi(Resource):
 @login_required
 @account_initialization_required
 @edit_permission_required
- @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
+ @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TRACING_CONFIG)
 @get_app_model
 def post(self, app_model: App):
 # add app trace
diff --git a/api/controllers/console/app/ops_trace.py b/api/controllers/console/app/ops_trace.py
index d350ff52770..5261c3cb047 100644
--- a/api/controllers/console/app/ops_trace.py
+++ b/api/controllers/console/app/ops_trace.py
@@ -70,7 +70,7 @@ class TraceAppConfigApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
+ @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_TRACING_CONFIG)
 @get_app_model
 def get(self, app_model: App):
 args = TraceProviderQuery.model_validate(request.args.to_dict(flat=True)) # type: ignore
diff --git a/api/controllers/console/app/workflow_app_log.py b/api/controllers/console/app/workflow_app_log.py
index cf94ceff853..b3426e8f6ea 100644
--- a/api/controllers/console/app/workflow_app_log.py
+++ b/api/controllers/console/app/workflow_app_log.py
@@ -181,7 +181,7 @@ class WorkflowAppLogApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
+ @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_LOG_AND_ANNOTATION)
 @get_app_model(mode=[AppMode.WORKFLOW])
 def get(self, app_model: App):
 """
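Review bot: Only `TraceAppConfigApi.get` in ops_trace.py and `AppTraceApi.post` in app.py are moved to `RBACPermission.APP_TRACING_CONFIG`; each file has a single hunk, so every other handler on those two classes keeps whatever check it had before. If the remaining handlers that create, update or delete tracing config still require `APP_MONITOR` (or carry no RBAC decorator), a monitor-only role could change tracing provider settings it is no longer allowed to read, and those settings presumably include provider credentials. Worth confirming each handler on both classes and leaving a one-line comment above the decorator, e.g. `# tracing provider config may hold credentials: gate with APP_TRACING_CONFIG, not APP_MONITOR`. Both method bodies continue outside the hunks.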
@@ -225,7 +225,7 @@ class WorkflowArchivedLogApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_MONITOR)
+ @rbac_permission_required(RBACResourceScope.APP, RBACPermission.APP_LOG_AND_ANNOTATION)
 @get_app_model(mode=[AppMode.WORKFLOW])
 def get(self, app_model: App):
 """
diff --git a/api/controllers/console/workspace/endpoint.py b/api/controllers/console/workspace/endpoint.py
index 821e30ee7e3..ddb0f7045d9 100644
--- a/api/controllers/console/workspace/endpoint.py
+++ b/api/controllers/console/workspace/endpoint.py
@@ -169,7 +169,7 @@ class EndpointCollectionApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -198,7 +198,7 @@ class DeprecatedEndpointCreateApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -290,7 +290,7 @@ class EndpointItemApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
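Review bot: `PLUGIN_MODEL_CONFIG` now gates all eight handlers touched in endpoint.py, including `DeprecatedEndpointDeleteApi`, `EndpointEnableApi` and `EndpointDisableApi` (the same replacement is also made on `PluginFetchDynamicSelectOptionsApi` in plugin.py), while plugin removal in `PluginUninstallApi` gets the separate `PLUGIN_DELETE`. A role granted "model config" can therefore also create, disable and delete plugin endpoints, which the permission name does not suggest to whoever assigns it. Consider gating the delete handlers with `RBACPermission.PLUGIN_DELETE`, or document the intended scope next to the enum member, e.g. `# covers plugin endpoint create/update/delete/enable/disable and dynamic option lookups`. `@is_admin_or_owner_required` stays in front, so presumably both checks must pass; the handler bodies are outside the hunks.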
@@ -310,7 +310,7 @@ class EndpointItemApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -340,7 +340,7 @@ class DeprecatedEndpointDeleteApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -371,7 +371,7 @@ class DeprecatedEndpointUpdateApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -394,7 +394,7 @@ class EndpointEnableApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
@@ -422,7 +422,7 @@ class EndpointDisableApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user_id
 @with_current_tenant_id
diff --git a/api/controllers/console/workspace/plugin.py b/api/controllers/console/workspace/plugin.py
index e768bb5acde..bcc1bb67459 100644
--- a/api/controllers/console/workspace/plugin.py
+++ b/api/controllers/console/workspace/plugin.py
@@ -793,7 +793,6 @@ class PluginFetchInstallTasksApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def get(self, tenant_id: str):
@@ -811,7 +810,6 @@ class PluginFetchInstallTaskApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def get(self, tenant_id: str, task_id: str):
@@ -827,7 +825,6 @@ class PluginDeleteInstallTaskApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str, task_id: str):
@@ -843,7 +840,6 @@ class PluginDeleteAllInstallTaskItemsApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str):
@@ -859,7 +855,6 @@ class PluginDeleteInstallTaskItemApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str, task_id: str, identifier: str):
@@ -876,7 +871,7 @@ class PluginUpgradeFromMarketplaceApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str):
@@ -899,7 +894,7 @@ class PluginUpgradeFromGithubApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str):
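Review bot: `PluginUpgradeFromMarketplaceApi.post` and `PluginUpgradeFromGithubApi.post` move from `PLUGIN_INSTALL` to `PLUGIN_MODEL_CONFIG`, yet judging by the class names an upgrade brings a new plugin package version into the workspace, which is closer to an install than to configuration. A role that was deliberately denied `PLUGIN_INSTALL` but holds `PLUGIN_MODEL_CONFIG` would now pass the RBAC check here, leaving `@plugin_permission_required(install_required=True)`, whose definition is not part of this diff, as the only install-level gate. The same concern applies to the five install-task handlers earlier in this file (`PluginFetchInstallTasksApi` through `PluginDeleteInstallTaskItemApi`), where the `rbac_permission_required` decorator is removed outright, including on the three `post` handlers. If that is intended, say so at the first of them, e.g. `# RBAC intentionally not applied: access is decided by plugin_permission_required(install_required=True)`; otherwise keep `RBACPermission.PLUGIN_INSTALL` on the upgrade and task handlers.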
@@ -927,7 +922,7 @@ class PluginUninstallApi(Resource):
 @setup_required
 @login_required
 @account_initialization_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_INSTALL, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_DELETE, resource_required=False)
 @plugin_permission_required(install_required=True)
 @with_current_tenant_id
 def post(self, tenant_id: str):
@@ -995,7 +990,7 @@ class PluginFetchDynamicSelectOptionsApi(Resource):
 @setup_required
 @login_required
 @is_admin_or_owner_required
- @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MANAGE, resource_required=False)
+ @rbac_permission_required(RBACResourceScope.WORKSPACE, RBACPermission.PLUGIN_MODEL_CONFIG, resource_required=False)
 @account_initialization_required
 @with_current_user
 @with_current_tenant_id
diff --git a/api/core/rbac/entities.py b/api/core/rbac/entities.py
index d65f11edf7b..16a05f13111 100644
--- a/api/core/rbac/entities.py
+++ b/api/core/rbac/entities.py
@@ -28,6 +28,8 @@ class RBACPermission(StrEnum):
 APP_IMPORT_EXPORT_DSL = "app_import_export_dsl"
 APP_EDIT = "app_edit"
 APP_MONITOR = "app_monitor"
+ APP_TRACING_CONFIG = "app_tracing_config"
+ APP_LOG_AND_ANNOTATION = "app_log_and_annotation"
 APP_DELETE = "app_delete"
 APP_ACCESS_CONFIG = "app_access_config"
@@ -57,7 +59,9 @@ class RBACPermission(StrEnum):
 PLUGIN_INSTALL = "plugin_install"
 PLUGIN_PREFERENCES = "plugin_preferences"
+ PLUGIN_MODEL_CONFIG = "plugin_model_config"
 PLUGIN_MANAGE = "plugin_manage"
+ PLUGIN_DELETE = "plugin_delete"
 PLUGIN_DEBUG = "plugin_debug"
 CREDENTIAL_USE = "credential_use"
diff --git a/api/services/enterprise/rbac_service.py b/api/services/enterprise/rbac_service.py
index ec5a539f73a..11d7fa82399 100644
--- a/api/services/enterprise/rbac_service.py
+++ b/api/services/enterprise/rbac_service.py
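Review bot: The four new `RBACPermission` members are added without a comment, and the enum spells them `app_tracing_config` / `plugin_model_config` while rbac_service.py grants the legacy roles `app.acl.tracing_config` / `plugin.model_config`. If a translation between the two spellings lives in a table outside this diff, it needs entries for all four members, otherwise the decorators would check a permission that no role can hold and the affected handlers would reject every caller. A short comment per member would make the split reviewable, e.g. `# read/write tracing provider configuration` above `APP_TRACING_CONFIG` and `# workflow run logs and annotations` above `APP_LOG_AND_ANNOTATION`. The enum body starts and ends outside both hunks.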
@@ -309,7 +309,8 @@ _LEGACY_WORKSPACE_OWNER_KEYS: list[str] = [
 "customization.manage",
 "plugin.install",
 "plugin.plugin_preferences",
- "plugin.manage",
+ "plugin.model_config",
+ "plugin.delete",
 "plugin.debug",
 "credential.use",
 "credential.create",
@@ -340,7 +341,8 @@ _LEGACY_WORKSPACE_ADMIN_KEYS: list[str] = [
 "customization.manage",
 "plugin.install",
 "plugin.plugin_preferences",
- "plugin.manage",
+ "plugin.model_config",
+ "plugin.delete",
 "plugin.debug",
 "credential.use",
 "credential.create",
@@ -405,6 +407,8 @@ _LEGACY_APP_OWNER_KEYS: list[str] = [
 "app.acl.release_and_version",
 "app.acl.monitor",
 "app.acl.access_config",
+ "app.acl.tracing_config",
+ "app.acl.log_and_annotation",
 ]
 _LEGACY_APP_ADMIN_KEYS: list[str] = [
@@ -417,6 +421,9 @@ _LEGACY_APP_ADMIN_KEYS: list[str] = [
 "app.acl.release_and_version",
 "app.acl.monitor",
 "app.acl.access_config",
+ "app.acl.access_config",
+ "app.acl.tracing_config",
+ "app.acl.log_and_annotation",
 ]
 _LEGACY_APP_EDITOR_KEYS: list[str] = [
@@ -432,9 +439,6 @@ _LEGACY_APP_EDITOR_KEYS: list[str] = [
 ]
 _LEGACY_APP_NORMAL_KEYS: list[str] = [
- "app.acl.preview",
- "app.acl.view_layout",
- "app.acl.test_and_run",
 "app.acl.monitor",
 ]
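Review bot: `"plugin.manage"` is dropped from `_LEGACY_WORKSPACE_OWNER_KEYS` here and from `_LEGACY_WORKSPACE_ADMIN_KEYS` in the next hunk, but `RBACPermission.PLUGIN_MANAGE` stays in entities.py. Any decorator outside this diff that still requires `PLUGIN_MANAGE` would now reject legacy owners and admins, so the remaining uses should be searched for before merging. If none remain, mark the member as deprecated in the same change, e.g. `# deprecated: superseded by PLUGIN_MODEL_CONFIG / PLUGIN_DELETE`, so nobody builds a new check on a permission no legacy role carries. Both list definitions start and end outside the hunks.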
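Review bot: The `_LEGACY_APP_ADMIN_KEYS` hunk adds `"app.acl.access_config",` directly below the existing identical context line, so the list now holds that key twice. This is harmless if the list is only used for membership tests, but it could produce duplicate rows or a uniqueness error if the keys are written out as role bindings. Drop the added line so the hunk adds only `"app.acl.tracing_config",` and `"app.acl.log_and_annotation",`, matching the `_LEGACY_APP_OWNER_KEYS` hunk above it.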
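Review bot: `_LEGACY_APP_NORMAL_KEYS` loses `"app.acl.preview"`, `"app.acl.view_layout"` and `"app.acl.test_and_run"` and is left with `"app.acl.monitor"` only, which is unrelated to the tracing/log split the rest of the diff makes. Legacy normal members would presumably lose preview and test-run access, and because workflow logs now require `APP_LOG_AND_ANNOTATION` their remaining monitor key no longer reaches `WorkflowAppLogApi` either. The body of `_LEGACY_APP_EDITOR_KEYS` sits between the last two hunks and is not touched, so editors do not receive `"app.acl.tracing_config"` although `AppTraceApi.post` is an `@edit_permission_required` handler. Please confirm both effects are intended and state the reason in a comment above the lists, or restore the three removed keys.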