From 63f678ae5ebadc025ba3fa353f282ef3b902f25f Mon Sep 17 00:00:00 2001
From: eball
Date: Tue, 14 Oct 2025 19:12:14 +0800
Subject: [PATCH] system-server: add RBAC permissions for media server and hami services (#1922)
* feat: add RBAC permissions for media server and hami services; update proxy services
* chore: update app-service image version to 0.4.19
---
 .../templates/files-permission.yaml | 14 +++++
 .../system-apps/templates/files-provider.yaml | 13 ++++
 .../templates/hami-permission.yaml | 27 +++++++++
 .../system-apps/templates/hami-provider.yaml | 26 ++++++++
 .../templates/search-permission.yaml | 13 ++++
 .../templates/search-provider.yaml | 12 ++++
 .../cluster/deploy/appservice_deploy.yaml | 2 +-
 .../config/launcher/templates/bfl_deploy.yaml | 3 +
 .../systemserver/templates/proxy.yaml | 60 +++++++++++++++++++
 9 files changed, 169 insertions(+), 1 deletion(-)
 create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/hami-permission.yaml
 create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/hami-provider.yaml
 create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/search-permission.yaml
 create mode 100644 apps/.olares/config/user/helm-charts/system-apps/templates/search-provider.yaml
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
index 2f4ab62b2..f23956a5a 100644
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-permission.yaml
@@ -11,3 +11,17 @@ subjects:
 - kind: ServiceAccount
 name: system-frontend
 namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:system-frontend:media-server-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:media-server-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
index bd3947157..4d7300aff 100644
--- a/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/files-provider.yaml
@@ -50,8 +50,21 @@ rules:
 - "/provider/update_search_folder_paths"
 - "/provider/get_dataset_folder_status"
 - "/provider/update_dataset_folder_paths"
+ - "/seahub/api/*"
 verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:media-server-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/media-server-service
+ provider-service-ref: media-server-service.os-framework:9090
+rules:
+- nonResourceURLs:
+ - "/System/Configuration/encoding"
+ verbs: ["*"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/hami-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/hami-permission.yaml
new file mode 100644
index 000000000..5bf254008
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/hami-permission.yaml
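Review bot: The new `{{ .Values.bfl.username }}:media-server-svc` ClusterRole grants `verbs: ["*"]` on `/System/Configuration/encoding`, and the binding added in files-permission.yaml in this same commit hands that to the `system-frontend` ServiceAccount, so the frontend can change the media server's encoding configuration rather than only read it; if display is all it needs, `verbs: ["get"]` is the narrower rule, provided the systemserver proxy honours per-verb restrictions (every existing rule in this file uses `["*"]`, so that may be a project convention worth confirming). The `"/seahub/api/*"` prefix added to the existing rule widens what was an explicit allowlist of `/provider/...` endpoints into a whole API tree; listing the seahub endpoints the frontend actually calls keeps the allowlist meaningful. The `annotations` pair a `provider-registry-ref` that names the alias Service created in systemserver's proxy.yaml with a `provider-service-ref` upstream, which appears to be how requests are routed; a one-line comment above `annotations:` describing that contract would spare the next maintainer a search across charts. The rule being extended starts outside the hunk.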
@@ -0,0 +1,27 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:system-frontend:hami-scheduler-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:hami-scheduler-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:system-frontend:hami-webui-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:hami-webui-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/hami-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/hami-provider.yaml
new file mode 100644
index 000000000..c8d5eca84
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/hami-provider.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:hami-scheduler-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/hami-scheduler
+ provider-service-ref: hami-scheduler.kube-system:80
+rules:
+- nonResourceURLs:
+ - "/gpus"
+ verbs: ["*"]
+
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:hami-webui-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/hami-webui
+ provider-service-ref: hami-webui.kube-system:3000
+rules:
+- nonResourceURLs:
+ - "/api/vgpu/v1/*"
+ verbs: ["*"]
\ No newline at end of file
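Review bot: hami-provider.yaml points both `provider-service-ref` targets into `kube-system` (`hami-scheduler.kube-system:80`, `hami-webui.kube-system:3000`) while granting `verbs: ["*"]` on `/gpus` and on the whole `/api/vgpu/v1/*` tree, and hami-permission.yaml binds both roles to the per-user `system-frontend` account; if the frontend only reads GPU inventory, `verbs: ["get"]` plus an explicit list of the vgpu endpoints it calls would keep a user-scoped role from reaching any mutating endpoint that prefix may cover, assuming the proxy enforces verbs. The file also has two consecutive blank lines before the second `---` and ends without a newline (`\ No newline at end of file`); one blank line and a terminating newline match files-permission.yaml. A header comment naming which component consumes these ClusterRoles would help, since the `provider-*` annotations suggest systemserver's proxy rather than the kube-apiserver, and a plain Kubernetes reader will otherwise wonder why nonResourceURLs the apiserver never serves are listed.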
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/search-permission.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/search-permission.yaml
new file mode 100644
index 000000000..eae5ce852
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/search-permission.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: backend:{{ .Values.bfl.username }}:search-provider-svc
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ .Values.bfl.username }}:search-provider-svc
+subjects:
+- kind: ServiceAccount
+ name: system-frontend
+ namespace: {{ .Release.Namespace }}
\ No newline at end of file
diff --git a/apps/.olares/config/user/helm-charts/system-apps/templates/search-provider.yaml b/apps/.olares/config/user/helm-charts/system-apps/templates/search-provider.yaml
new file mode 100644
index 000000000..bf7f56d1f
--- /dev/null
+++ b/apps/.olares/config/user/helm-charts/system-apps/templates/search-provider.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ .Values.bfl.username }}:search-provider-svc
+ annotations:
+ provider-registry-ref: user-system-{{ .Values.bfl.username }}/search3
+ provider-service-ref: search3.os-framework:80
+rules:
+- nonResourceURLs:
+ - "/document/search"
+ verbs: ["*"]
\ No newline at end of file
diff --git a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
index 8b9a82a64..3b856e5fc 100644
--- a/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
+++ b/framework/app-service/.olares/config/cluster/deploy/appservice_deploy.yaml
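Review bot: The binding in search-permission.yaml is named `backend:{{ .Values.bfl.username }}:search-provider-svc`, which drops the `system-frontend` subject segment that every other binding in this commit carries (`backend:<user>:system-frontend:media-server-svc`, `...:hami-scheduler-svc`, `...:hami-webui-svc`); since the subject here is also `system-frontend`, `name: backend:{{ .Values.bfl.username }}:system-frontend:search-provider-svc` keeps the cluster-scoped names parallel and leaves room for a second subject later. Both search-permission.yaml and search-provider.yaml are created without a trailing newline (`\ No newline at end of file`). search-provider.yaml grants `verbs: ["*"]` on `/document/search`; if the proxy honours verbs, restricting to the method the frontend actually uses is the narrower grant.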
@@ -170,7 +170,7 @@ spec:
 priorityClassName: "system-cluster-critical"
 containers:
 - name: app-service
- image: beclab/app-service:0.4.18
+ image: beclab/app-service:0.4.19
 imagePullPolicy: IfNotPresent
 securityContext:
 runAsUser: 0
diff --git a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
index 030446f03..9768a7695 100644
--- a/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
+++ b/framework/bfl/.olares/config/launcher/templates/bfl_deploy.yaml
@@ -319,6 +319,9 @@ spec:
 - name: ingress
 image: beclab/bfl-ingress:v0.3.22
 imagePullPolicy: IfNotPresent
+ env:
+ - name: AUTHELIA_AUTH_URL
+ value: 'http://authelia-backend-provider.user-system-{{ .Values.bfl.username }}:28080/api/authz/auth-request'
 volumeMounts:
 - name: ngxlog
 mountPath: /var/log/nginx
diff --git a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml
index 8544b774a..10da916b0 100644
--- a/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml
+++ b/framework/system-server/.olares/config/user/helm-charts/systemserver/templates/proxy.yaml
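Review bot: `AUTHELIA_AUTH_URL` in bfl_deploy.yaml hard-codes the ingress sidecar's authorization subrequest target as a cleartext `http://` URL on port 28080, the same port the systemserver alias Services in proxy.yaml expose, so the port now lives in two charts with nothing tying them together; a comment on the `env:` entry, e.g. `# must match the systemserver provider-proxy port (see systemserver/templates/proxy.yaml)`, or a shared value would prevent silent drift. Because this URL decides whether ingress requests are authorized, the template should state that `authelia-backend-provider.user-system-<user>` is only reachable in-cluster; that Service is not defined in this commit, so whether its traffic is otherwise protected cannot be seen here. The single-quoting of the templated value is correct and keeps YAML from re-typing it. The `ingress` container definition starts outside the hunk.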
@@ -109,3 +109,63 @@ spec:
 port: 28080
 targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: hami-webui
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: hami-scheduler
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: media-server-service
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: search3
+ namespace: user-system-{{ .Values.bfl.username }}
+spec:
+ type: ClusterIP
+ selector:
+ app: systemserver
+ ports:
+ - protocol: TCP
+ port: 28080
+ targetPort: 28080
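Review bot: The four new Service stanzas are identical except for `metadata.name`, so the hunk is four copies of the same fourteen lines and any later change to the selector or port has to be repeated in four places; a `range` over the alias names renders the same manifests from one stanza. Each alias maps a well-known service name in the user namespace onto the systemserver proxy on 28080, and those names are what the `provider-registry-ref` annotations in the system-apps ClusterRoles point at (`user-system-<user>/hami-webui`, `/hami-scheduler`, `/media-server-service`, `/search3`), so a comment such as `# alias Services addressed by provider-registry-ref in the system-apps ClusterRoles; systemserver forwards them to provider-service-ref` would document the coupling across charts. Whether systemserver checks the ClusterRole before forwarding is not visible in this hunk. The Service preceding the additions starts outside the hunk.
```yaml
# alias Services addressed by provider-registry-ref in the system-apps
# ClusterRoles; systemserver forwards them to provider-service-ref
{{- range $alias := list "hami-webui" "hami-scheduler" "media-server-service" "search3" }}
---
apiVersion: v1
kind: Service
metadata:
  name: {{ $alias }}
  namespace: user-system-{{ $.Values.bfl.username }}
spec:
  type: ClusterIP
  selector:
    app: systemserver
  ports:
    - protocol: TCP
      port: 28080
      targetPort: 28080
{{- end }}
```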