feat: RBAC

.github/workflows/build-push.yml

@@ -9,6 +9,7 @@ on:
       - "release/e-*"
       - "hotfix/**"
       - "feat/hitl-backend"
+      - "feat/rbac"
     tags:
       - "*"
 

.github/workflows/docker-build.yml

@@ -77,10 +77,10 @@ jobs:
             file: "web/Dockerfile"
     steps:
       - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
+        uses: docker/setup-buildx-action@98e3b2c9eab4f4f98a95c0c0a3ea5e5e672fd2a8 # v3.10.0
 
       - name: Build Docker Image
-        uses: docker/build-push-action@bcafcacb16a39f128d818304e6c9c0c18556b85f # v7.1.0
+        uses: docker/build-push-action@5cd29d66b4a8d8e6f4d5dfe2e9329f0b1d446289 # v6.18.0
         with:
           push: false
           context: ${{ matrix.context }}

api/commands/__init__.py

@@ -21,6 +21,7 @@
     setup_system_trigger_oauth_client,
     transform_datasource_credentials,
 )
+from .rbac import migrate_member_roles_to_rbac
 from .retention import (
     archive_workflow_runs,
     clean_expired_messages,
@@ -72,6 +73,7 @@
     "migrate_annotation_vector_database",
     "migrate_data_for_plugin",
     "migrate_knowledge_vector_database",
+    "migrate_member_roles_to_rbac",
     "migrate_oss",
     "migration_data_wizard",
     "old_metadata_migration",

api/commands/rbac.py

@@ -0,0 +1,109 @@
+from __future__ import annotations
+
+import click
+from sqlalchemy import select
+
+from core.db.session_factory import session_factory
+from models import TenantAccountJoin, TenantAccountRole
+from services.enterprise.rbac_service import ListOption, RBACService
+
+
+def _resolve_builtin_role_id(tenant_id: str, operator_account_id: str, legacy_role: str) -> str:
+    """Resolve a legacy workspace role to the current tenant's builtin RBAC role id.
+
+    The migration replays the old `TenantAccountJoin.role` values onto the
+    RBAC member-role binding API. Builtin RBAC roles are tenant-scoped and
+    identified by runtime ids, so the command must look them up per tenant.
+    """
+    expected_builtin_name = {
+        TenantAccountRole.OWNER.value: "所有者",
+        TenantAccountRole.ADMIN.value: "管理者",
+        TenantAccountRole.EDITOR.value: "编辑者",
+        TenantAccountRole.NORMAL.value: "普通用户",
+        TenantAccountRole.DATASET_OPERATOR.value: "知识库操作员",
+    }.get(legacy_role)
+    if not expected_builtin_name:
+        raise ValueError(f"Unsupported legacy workspace role: {legacy_role}")
+
+    roles = RBACService.Roles.list(
+        tenant_id=tenant_id,
+        account_id=operator_account_id,
+        options=ListOption(page_number=1, results_per_page=100),
+    ).data
+    for role in roles:
+        if role.is_builtin and role.category == "global_system_default" and role.name == expected_builtin_name:
+            return str(role.id)
+
+    raise ValueError(f"Builtin RBAC role not found for tenant={tenant_id}, legacy_role={legacy_role}")
+
+
+@click.command("rbac-migrate-member-roles", help="Migrate legacy workspace member roles into RBAC member-role bindings.")
+@click.option("--tenant-id", help="Only migrate a single workspace.")
+@click.option("--dry-run", is_flag=True, default=False, help="Preview the migration without writing RBAC bindings.")
+def migrate_member_roles_to_rbac(tenant_id: str | None, dry_run: bool) -> None:
+    """Backfill RBAC member-role bindings from legacy `TenantAccountJoin.role` data.
+
+    This is an offline migration command for workspaces that already have
+    members in the legacy role model but need matching records in the RBAC
+    member-role binding store.
+    """
+    click.echo(click.style("Starting RBAC member-role migration.", fg="green"))
+
+    with session_factory.create_session() as session:
+        stmt = select(TenantAccountJoin).order_by(TenantAccountJoin.tenant_id.asc(), TenantAccountJoin.id.asc())
+        if tenant_id:
+            stmt = stmt.where(TenantAccountJoin.tenant_id == tenant_id)
+
+        joins = list(session.scalars(stmt).all())
+
+    if not joins:
+        click.echo(click.style("No workspace members found for migration.", fg="yellow"))
+        return
+
+    owner_account_by_tenant: dict[str, str] = {}
+    resolved_role_ids: dict[tuple[str, str], str] = {}
+    migrated_count = 0
+
+    for join in joins:
+        workspace_id = str(join.tenant_id)
+        member_account_id = str(join.account_id)
+        legacy_role = str(join.role)
+
+        if workspace_id not in owner_account_by_tenant:
+            owner_join = next(
+                (
+                    item
+                    for item in joins
+                    if str(item.tenant_id) == workspace_id and str(item.role) == TenantAccountRole.OWNER.value
+                ),
+                None,
+            )
+            if not owner_join:
+                raise ValueError(f"Workspace owner not found for tenant={workspace_id}")
+            owner_account_by_tenant[workspace_id] = str(owner_join.account_id)
+
+        operator_account_id = owner_account_by_tenant[workspace_id]
+        cache_key = (workspace_id, legacy_role)
+        if cache_key not in resolved_role_ids:
+            resolved_role_ids[cache_key] = _resolve_builtin_role_id(workspace_id, operator_account_id, legacy_role)
+
+        resolved_role_id = resolved_role_ids[cache_key]
+        click.echo(
+            f"tenant={workspace_id} member={member_account_id} legacy_role={legacy_role} -> rbac_role_id={resolved_role_id}"
+        )
+
+        if dry_run:
+            continue
+
+        RBACService.MemberRoles.replace(
+            tenant_id=workspace_id,
+            account_id=operator_account_id,
+            member_account_id=member_account_id,
+            role_ids=[resolved_role_id],
+        )
+        migrated_count += 1
+
+    if dry_run:
+        click.echo(click.style("Dry run completed. No RBAC bindings were written.", fg="yellow"))
+    else:
+        click.echo(click.style(f"RBAC member-role migration completed. Migrated {migrated_count} members.", fg="green"))

api/configs/enterprise/__init__.py

@@ -29,6 +29,11 @@ class EnterpriseFeatureConfig(BaseSettings):
         "This helps gain runtime performance by trading off consistency.",
     )
 
+    RBAC_ENABLED: bool = Field(
+        description="Enable enterprise RBAC APIs. When disabled, compatibility responses fall back to legacy roles.",
+        default=False,
+    )
+
 
 class EnterpriseTelemetryConfig(BaseSettings):
     """

api/controllers/common/fields.py

@@ -125,6 +125,7 @@ class ApiBaseUrlResponse(ResponseModel):
 
 class NewAppResponse(ResponseModel):
     new_app_id: str
+    permission_keys: list[str] = Field(default_factory=list)
 
 
 class Parameters(BaseModel):

api/controllers/console/__init__.py

@@ -139,6 +139,7 @@
     models,
     plugin,
     snippets,
+    rbac,
     tool_providers,
     trigger_providers,
     workspace,
@@ -210,6 +211,7 @@
     "rag_pipeline_draft_variable",
     "rag_pipeline_import",
     "rag_pipeline_workflow",
+    "rbac",
     "recommended_app",
     "saved_message",
     "setup",

api/controllers/console/app/app.py

@@ -33,16 +33,18 @@
 from core.rag.entities import PreProcessingRule, Rule, Segmentation
 from core.rag.retrieval.retrieval_methods import RetrievalMethod
 from core.trigger.constants import TRIGGER_NODE_TYPES
+from configs import dify_config
 from extensions.ext_database import db
 from fields.base import ResponseModel
 from graphon.enums import WorkflowExecutionStatus
 from libs.helper import build_icon_url, to_timestamp
-from libs.login import login_required
+from libs.login import current_account_with_tenant as current_account_with_tenant, login_required
 from models import Account, App, DatasetPermissionEnum, Workflow
 from models.model import IconType
 from services.app_dsl_service import AppDslService
 from services.app_service import AppListParams, AppService, CreateAppParams
 from services.enterprise.enterprise_service import EnterpriseService
+from services.enterprise import rbac_service as enterprise_rbac_service
 from services.entities.dsl_entities import ImportMode, ImportStatus
 from services.entities.knowledge_entities.knowledge_entities import (
     DataSource,
@@ -377,6 +379,7 @@ class AppPartial(ResponseModel):
     create_user_name: str | None = None
     author_name: str | None = None
     has_draft_trigger: bool | None = None
+    permission_keys: list[str] = Field(default_factory=list)
 
     @computed_field(return_type=str | None)  # type: ignore
     @property
@@ -412,6 +415,7 @@ class AppDetail(ResponseModel):
     updated_at: int | None = None
     access_mode: str | None = None
     tags: list[Tag] = Field(default_factory=list)
+    permission_keys: list[str] = Field(default_factory=list)
 
     @field_validator("created_at", "updated_at", mode="before")
     @classmethod
@@ -446,6 +450,22 @@ class AppExportResponse(ResponseModel):
     data: str
 
 
+def _collect_app_access_permission_keys(access_matrix: enterprise_rbac_service.AppAccessMatrix) -> list[str]:
+    permission_keys: list[str] = []
+    seen_permission_keys: set[str] = set()
+
+    for item in access_matrix.items:
+        if not item.policy:
+            continue
+        for permission_key in item.policy.permission_keys:
+            if permission_key in seen_permission_keys:
+                continue
+            seen_permission_keys.add(permission_key)
+            permission_keys.append(permission_key)
+
+    return permission_keys
+
+
 register_enum_models(console_ns, RetrievalMethod, WorkflowExecutionStatus, DatasetPermissionEnum)
 register_response_schema_models(console_ns, RedirectUrlResponse, SimpleResultResponse)
 
@@ -534,6 +554,16 @@ def get(self, current_tenant_id: str, current_user_id: str, session: Session):
                 if str(app.id) in res:
                     app.access_mode = res[str(app.id)].access_mode
 
+        if app_pagination.items:
+            app_ids = [str(app.id) for app in app_pagination.items]
+            permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
+                str(current_tenant_id),
+                current_user_id,
+                app_ids,
+            )
+            for app in app_pagination.items:
+                app.permission_keys = permission_keys_map.get(str(app.id), [])
+
         workflow_capable_app_ids = [
             str(app.id) for app in app_pagination.items if app.mode in {"workflow", "advanced-chat"}
         ]
@@ -595,6 +625,12 @@ def post(self, current_tenant_id: str, current_user: Account):
 
         app_service = AppService()
         app = app_service.create_app(current_tenant_id, params, current_user)
+        permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
+            str(current_tenant_id),
+            current_user.id,
+            [str(app.id)],
+        )
+        setattr(app, "permission_keys", permission_keys_map.get(str(app.id), []))
         app_detail = AppDetail.model_validate(app, from_attributes=True)
         return app_detail.model_dump(mode="json"), 201
 
@@ -610,7 +646,9 @@ class AppApi(Resource):
     @account_initialization_required
     @enterprise_license_required
     @get_app_model(mode=None)
-    def get(self, app_model: App):
+    @with_current_user
+    @with_current_tenant_id
+    def get(self, current_tenant_id: str, current_user: Account, app_model: App):
         """Get app detail"""
         app_service = AppService()
 
@@ -620,6 +658,13 @@ def get(self, app_model: App):
             app_setting = EnterpriseService.WebAppAuth.get_app_access_mode_by_id(app_id=str(app_model.id))
             app_model.access_mode = app_setting.access_mode  # type: ignore[attr-defined]
 
+        permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
+            str(current_tenant_id),
+            current_user.id,
+            [str(app_model.id)],
+        )
+        setattr(app_model, "permission_keys", permission_keys_map.get(str(app_model.id), []))
+
         response_model = AppDetailWithSite.model_validate(app_model, from_attributes=True)
         return response_model.model_dump(mode="json")
 
@@ -686,12 +731,17 @@ class AppCopyApi(Resource):
     @get_app_model(mode=None)
     @edit_permission_required
     @with_current_user
-    def post(self, current_user: Account, app_model: App):
+    @with_current_tenant_id
+    def post(self, current_tenant_id: str, current_user: Account, app_model: App):
         """Copy app"""
         # The role of the current user in the ta table must be admin, owner, or editor
         args = CopyAppPayload.model_validate(console_ns.payload or {})
 
-        with Session(db.engine, expire_on_commit=False) as session:
+        session = Session(expire_on_commit=False)
+        if session.bind is None:
+            session.bind = db.engine
+
+        with session:
             import_service = AppDslService(session)
             yaml_content = import_service.export_dsl(app_model=app_model, include_secret=True)
             result = import_service.import_app(
@@ -728,6 +778,14 @@ def post(self, current_user: Account, app_model: App):
             stmt = select(App).where(App.id == result.app_id)
             app = session.scalar(stmt)
 
+        if app:
+            permission_keys_map = enterprise_rbac_service.RBACService.AppPermissions.batch_get(
+                str(current_tenant_id),
+                current_user.id,
+                [str(app.id)],
+            )
+            setattr(app, "permission_keys", permission_keys_map.get(str(app.id), []))
+
         response_model = AppDetailWithSite.model_validate(app, from_attributes=True)
         return response_model.model_dump(mode="json"), 201