Merge branch 'rbac' into lsf

2026-02-06 15:44:43 +08:00
parent cd5f5ef6da 6a4c4ae3d7
commit 38e58ba864
61 changed files with 2525 additions and 247 deletions
--- a/scripts/db/zz-auth-init.sql
+++ b/scripts/db/zz-auth-init.sql
@@ -0,0 +1,149 @@
+USE datamate;
+
+-- =============================================
+-- 认证与授权（RBAC）基础表
+-- 注意：该脚本命名为 zz- 前缀，确保在 users 表初始化后执行
+-- =============================================
+
+CREATE TABLE IF NOT EXISTS t_auth_roles
+(
+    id          VARCHAR(36) PRIMARY KEY COMMENT '角色ID',
+    role_code   VARCHAR(100) NOT NULL COMMENT '角色编码',
+    role_name   VARCHAR(100) NOT NULL COMMENT '角色名称',
+    description VARCHAR(255) DEFAULT '' COMMENT '角色描述',
+    enabled     TINYINT      DEFAULT 1 COMMENT '是否启用：1-启用，0-禁用',
+    is_built_in TINYINT      DEFAULT 1 COMMENT '是否内置：1-是，0-否',
+    created_at  TIMESTAMP    DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
+    updated_at  TIMESTAMP    DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新时间',
+    UNIQUE KEY uk_auth_role_code (role_code)
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4 COMMENT ='角色表';
+
+CREATE TABLE IF NOT EXISTS t_auth_permissions
+(
+    id              VARCHAR(36) PRIMARY KEY COMMENT '权限ID',
+    permission_code VARCHAR(120) NOT NULL COMMENT '权限编码',
+    permission_name VARCHAR(120) NOT NULL COMMENT '权限名称',
+    module          VARCHAR(100) NOT NULL COMMENT '模块',
+    action          VARCHAR(50)  NOT NULL COMMENT '动作',
+    path_pattern    VARCHAR(255) DEFAULT '' COMMENT '路径模式',
+    method          VARCHAR(20)  DEFAULT '' COMMENT 'HTTP方法',
+    enabled         TINYINT      DEFAULT 1 COMMENT '是否启用：1-启用，0-禁用',
+    is_built_in     TINYINT      DEFAULT 1 COMMENT '是否内置：1-是，0-否',
+    created_at      TIMESTAMP    DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
+    updated_at      TIMESTAMP    DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '更新时间',
+    UNIQUE KEY uk_auth_permission_code (permission_code),
+    INDEX idx_auth_permission_module_action (module, action)
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4 COMMENT ='权限表';
+
+CREATE TABLE IF NOT EXISTS t_auth_role_permissions
+(
+    id            BIGINT PRIMARY KEY AUTO_INCREMENT COMMENT '主键',
+    role_id       VARCHAR(36) NOT NULL COMMENT '角色ID',
+    permission_id VARCHAR(36) NOT NULL COMMENT '权限ID',
+    created_at    TIMESTAMP DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
+    UNIQUE KEY uk_auth_role_permission (role_id, permission_id),
+    INDEX idx_auth_role_permission_role (role_id),
+    INDEX idx_auth_role_permission_permission (permission_id),
+    CONSTRAINT fk_auth_rp_role FOREIGN KEY (role_id) REFERENCES t_auth_roles (id) ON DELETE CASCADE,
+    CONSTRAINT fk_auth_rp_permission FOREIGN KEY (permission_id) REFERENCES t_auth_permissions (id) ON DELETE CASCADE
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4 COMMENT ='角色权限关系表';
+
+CREATE TABLE IF NOT EXISTS t_auth_user_roles
+(
+    id         BIGINT PRIMARY KEY AUTO_INCREMENT COMMENT '主键',
+    user_id    BIGINT      NOT NULL COMMENT '用户ID（users.id）',
+    role_id    VARCHAR(36) NOT NULL COMMENT '角色ID',
+    created_at TIMESTAMP DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
+    UNIQUE KEY uk_auth_user_role (user_id, role_id),
+    INDEX idx_auth_user_role_user (user_id),
+    INDEX idx_auth_user_role_role (role_id),
+    CONSTRAINT fk_auth_ur_user FOREIGN KEY (user_id) REFERENCES users (id) ON DELETE CASCADE,
+    CONSTRAINT fk_auth_ur_role FOREIGN KEY (role_id) REFERENCES t_auth_roles (id) ON DELETE CASCADE
+) ENGINE = InnoDB
+  DEFAULT CHARSET = utf8mb4 COMMENT ='用户角色关系表';
+
+-- =============================================
+-- 角色初始化
+-- =============================================
+INSERT IGNORE INTO t_auth_roles (id, role_code, role_name, description, enabled, is_built_in)
+VALUES ('role-admin', 'ROLE_ADMIN', '系统管理员', '拥有平台全部权限', 1, 1),
+       ('role-data-editor', 'ROLE_DATA_EDITOR', '数据运营', '拥有业务模块读写权限', 1, 1),
+       ('role-knowledge-user', 'ROLE_KNOWLEDGE_USER', '知识用户', '以知识管理为主的业务权限', 1, 1);
+
+-- =============================================
+-- 权限初始化（接口级）
+-- =============================================
+INSERT IGNORE INTO t_auth_permissions (id, permission_code, permission_name, module, action, path_pattern, method, enabled, is_built_in)
+VALUES ('perm-dm-read', 'module:data-management:read', '数据管理读取', 'data-management', 'read', '/api/data-management/**', 'GET', 1, 1),
+       ('perm-dm-write', 'module:data-management:write', '数据管理写入', 'data-management', 'write', '/api/data-management/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-da-read', 'module:data-annotation:read', '数据标注读取', 'data-annotation', 'read', '/api/annotation/**', 'GET', 1, 1),
+       ('perm-da-write', 'module:data-annotation:write', '数据标注写入', 'data-annotation', 'write', '/api/annotation/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-dc-read', 'module:data-collection:read', '数据归集读取', 'data-collection', 'read', '/api/data-collection/**', 'GET', 1, 1),
+       ('perm-dc-write', 'module:data-collection:write', '数据归集写入', 'data-collection', 'write', '/api/data-collection/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-de-read', 'module:data-evaluation:read', '数据评估读取', 'data-evaluation', 'read', '/api/evaluation/**', 'GET', 1, 1),
+       ('perm-de-write', 'module:data-evaluation:write', '数据评估写入', 'data-evaluation', 'write', '/api/evaluation/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-ds-read', 'module:data-synthesis:read', '数据合成读取', 'data-synthesis', 'read', '/api/synthesis/**', 'GET', 1, 1),
+       ('perm-ds-write', 'module:data-synthesis:write', '数据合成写入', 'data-synthesis', 'write', '/api/synthesis/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-km-read', 'module:knowledge-management:read', '知识管理读取', 'knowledge-management', 'read', '/api/data-management/knowledge/**', 'GET', 1, 1),
+       ('perm-km-write', 'module:knowledge-management:write', '知识管理写入', 'knowledge-management', 'write', '/api/data-management/knowledge/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-kb-read', 'module:knowledge-base:read', '知识库读取', 'knowledge-base', 'read', '/api/knowledge-base/**', 'GET', 1, 1),
+       ('perm-kb-write', 'module:knowledge-base:write', '知识库写入', 'knowledge-base', 'write', '/api/knowledge-base/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-om-read', 'module:operator-market:read', '算子市场读取', 'operator-market', 'read', '/api/operator-market/**', 'GET', 1, 1),
+       ('perm-om-write', 'module:operator-market:write', '算子市场写入', 'operator-market', 'write', '/api/operator-market/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-orch-read', 'module:orchestration:read', '流程编排读取', 'orchestration', 'read', '/api/orchestration/**', 'GET', 1, 1),
+       ('perm-orch-write', 'module:orchestration:write', '流程编排写入', 'orchestration', 'write', '/api/orchestration/**', 'POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-agent-use', 'module:agent:use', '对话助手使用', 'agent', 'use', '/chat/**', 'GET', 1, 1),
+       ('perm-content-use', 'module:content-generation:use', '内容生成功能使用', 'content-generation', 'use', '/api/content-generation/**', 'POST,PUT,PATCH', 1, 1),
+       ('perm-user-manage', 'system:user:manage', '用户管理', 'system', 'manage-user', '/api/auth/users/**', 'GET,POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-role-manage', 'system:role:manage', '角色管理', 'system', 'manage-role', '/api/auth/roles/**', 'GET,POST,PUT,PATCH,DELETE', 1, 1),
+       ('perm-perm-manage', 'system:permission:manage', '权限管理', 'system', 'manage-permission', '/api/auth/permissions/**', 'GET,POST,PUT,PATCH,DELETE', 1, 1);
+
+-- 管理员拥有所有权限
+INSERT IGNORE INTO t_auth_role_permissions (role_id, permission_id)
+SELECT 'role-admin', p.id
+FROM t_auth_permissions p;
+
+-- 数据运营拥有业务模块读写权限（不含系统管理）
+INSERT IGNORE INTO t_auth_role_permissions (role_id, permission_id)
+SELECT 'role-data-editor', p.id
+FROM t_auth_permissions p
+WHERE p.permission_code IN (
+    'module:data-management:read', 'module:data-management:write',
+    'module:data-annotation:read', 'module:data-annotation:write',
+    'module:data-collection:read', 'module:data-collection:write',
+    'module:data-evaluation:read', 'module:data-evaluation:write',
+    'module:data-synthesis:read', 'module:data-synthesis:write',
+    'module:knowledge-management:read', 'module:knowledge-management:write',
+    'module:knowledge-base:read', 'module:knowledge-base:write',
+    'module:operator-market:read', 'module:operator-market:write',
+    'module:orchestration:read', 'module:orchestration:write',
+    'module:agent:use', 'module:content-generation:use'
+);
+
+-- 知识用户拥有知识相关权限及必要数据读取权限
+INSERT IGNORE INTO t_auth_role_permissions (role_id, permission_id)
+SELECT 'role-knowledge-user', p.id
+FROM t_auth_permissions p
+WHERE p.permission_code IN (
+    'module:data-management:read',
+    'module:knowledge-management:read', 'module:knowledge-management:write',
+    'module:knowledge-base:read', 'module:knowledge-base:write',
+    'module:agent:use'
+);
+
+-- =============================================
+-- 用户角色初始化（绑定到已有 users）
+-- =============================================
+INSERT IGNORE INTO t_auth_user_roles (user_id, role_id)
+SELECT u.id, 'role-admin'
+FROM users u
+WHERE u.username = 'admin';
+
+INSERT IGNORE INTO t_auth_user_roles (user_id, role_id)
+SELECT u.id, 'role-knowledge-user'
+FROM users u
+WHERE u.username = 'knowledge_user';
+