实现了权限精确到环境

cefdda6d · anthonywanted · nobodyiam · a6563b81 · cefdda6d · cefdda6d
Commit cefdda6d authored Jul 09, 2018 by anthonywanted Committed by nobodyiam Jul 24, 2018
25 changed files
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java
@@ -27,7 +27,7 @@ public class ConsumerPermissionValidator {
    }
    return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request),
        PermissionType.MODIFY_NAMESPACE,
-        RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, null));

  }

@@ -38,7 +38,7 @@ public class ConsumerPermissionValidator {
    }
    return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request),
        PermissionType.RELEASE_NAMESPACE,
-        RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, null));

  }


--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/service/ConsumerService.java
@@ -113,16 +113,16 @@ public class ConsumerService {
  }

  @Transactional
-  public List<ConsumerRole> assignNamespaceRoleToConsumer(String token, String appId, String namespaceName) {
+  public List<ConsumerRole> assignNamespaceRoleToConsumer(String token, String appId, String namespaceName, String env) {
    Long consumerId = getConsumerIdByToken(token);
    if (consumerId == null) {
      throw new BadRequestException("Token is Illegal");
    }

    Role namespaceModifyRole =
-        rolePermissionService.findRoleByRoleName(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName));
+        rolePermissionService.findRoleByRoleName(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, env));
    Role namespaceReleaseRole =
-        rolePermissionService.findRoleByRoleName(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName));
+        rolePermissionService.findRoleByRoleName(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, env));

    if (namespaceModifyRole == null || namespaceReleaseRole == null) {
      throw new BadRequestException("Namespace's role does not exist. Please check whether namespace has created.");

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
@@ -20,24 +20,24 @@ public class PermissionValidator {
  @Autowired
  private PortalConfig portalConfig;

-  public boolean hasModifyNamespacePermission(String appId, String namespaceName) {
+  public boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) {
    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
        PermissionType.MODIFY_NAMESPACE,
-                                                   RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
  }

-  public boolean hasReleaseNamespacePermission(String appId, String namespaceName) {
+  public boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) {
    return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
        PermissionType.RELEASE_NAMESPACE,
-                                                   RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+        RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
  }

  public boolean hasDeleteNamespacePermission(String appId) {
    return hasAssignRolePermission(appId) || isSuperAdmin();
  }

-  public boolean hasOperateNamespacePermission(String appId, String namespaceName) {
-    return hasModifyNamespacePermission(appId, namespaceName) || hasReleaseNamespacePermission(appId, namespaceName);
+  public boolean hasOperateNamespacePermission(String appId, String namespaceName, String env) {
+    return hasModifyNamespacePermission(appId, namespaceName, env) || hasReleaseNamespacePermission(appId, namespaceName, env);
  }

  public boolean hasAssignRolePermission(String appId) {
@@ -77,4 +77,8 @@ public class PermissionValidator {
  public boolean isSuperAdmin() {
    return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId());
  }
+
+  public boolean alwaysTrue() {
+    return true;
+  }
 }
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/emailbuilder/ConfigPublishEmailBuilder.java
@@ -104,7 +104,7 @@ public abstract class ConfigPublishEmailBuilder {

    email.setSubject(subject());
    email.setSenderEmailAddress(portalConfig.emailSender());
-    email.setRecipients(recipients(releaseHistory.getAppId(), releaseHistory.getNamespaceName()));
+    email.setRecipients(recipients(releaseHistory.getAppId(), releaseHistory.getNamespaceName(), env.toString()));

    String emailBody = emailContent(env, releaseHistory);
    //clear not used module
@@ -208,13 +208,19 @@ public abstract class ConfigPublishEmailBuilder {
    return releaseService.compare(env, releaseHistory.getPreviousReleaseId(), releaseHistory.getReleaseId());
  }

-  private List<String> recipients(String appId, String namespaceName) {
+  private List<String> recipients(String appId, String namespaceName, String env) {
    Set<UserInfo> modifyRoleUsers =
            rolePermissionService
-                    .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE));
+                    .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, null));
+    Set<UserInfo> envModifyRoleUsers =
+        rolePermissionService
+            .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, env));
    Set<UserInfo> releaseRoleUsers =
            rolePermissionService
-                    .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE));
+                    .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, null));
+    Set<UserInfo> envReleaseRoleUsers =
+        rolePermissionService
+            .queryUsersWithRole(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, env));
    Set<UserInfo> owners = rolePermissionService.queryUsersWithRole(RoleUtils.buildAppMasterRoleName(appId));

    Set<String> userIds = new HashSet<>(modifyRoleUsers.size() + releaseRoleUsers.size() + owners.size());
@@ -223,10 +229,18 @@ public abstract class ConfigPublishEmailBuilder {
      userIds.add(userInfo.getUserId());
    }

+    for (UserInfo userInfo : envModifyRoleUsers) {
+      userIds.add(userInfo.getUserId());
+    }
+
    for (UserInfo userInfo : releaseRoleUsers) {
      userIds.add(userInfo.getUserId());
    }

+    for (UserInfo userInfo : envReleaseRoleUsers) {
+      userIds.add(userInfo.getUserId());
+    }
+
    for (UserInfo userInfo : owners) {
      userIds.add(userInfo.getUserId());
    }

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java
 package com.ctrip.framework.apollo.portal.controller;


+import com.ctrip.framework.apollo.core.ConfigConsts;
+import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
+
 import com.ctrip.framework.apollo.common.entity.App;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.common.http.MultiResponseEntity;
@@ -53,6 +56,8 @@ public class AppController {
  private ApplicationEventPublisher publisher;
  @Autowired
  private RolePermissionService rolePermissionService;
+  @Autowired
+  private RoleInitializationService roleInitializationService;

  @RequestMapping(value = "", method = RequestMethod.GET)
  public List<App> findApps(@RequestParam(value = "appIds", required = false) String appIds) {
@@ -132,6 +137,8 @@ public class AppController {

    appService.createAppInRemote(Env.valueOf(env), app);

+    roleInitializationService.initNamespaceSpecificEnvRoles(app.getAppId(), ConfigConsts.NAMESPACE_APPLICATION, env, userInfoHolder.getUser().getUserId());
+
    return ResponseEntity.ok().build();
  }


--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java
@@ -2,6 +2,7 @@ package com.ctrip.framework.apollo.portal.controller;

 import com.ctrip.framework.apollo.common.dto.NamespaceDTO;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
+import com.ctrip.framework.apollo.core.enums.EnvUtils;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
 import com.ctrip.framework.apollo.openapi.entity.Consumer;
 import com.ctrip.framework.apollo.openapi.entity.ConsumerRole;
@@ -19,12 +20,7 @@ import org.springframework.web.bind.annotation.RequestMethod;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;

-import java.util.Calendar;
-import java.util.Collections;
-import java.util.Date;
-import java.util.GregorianCalendar;
-import java.util.List;
-import java.util.Objects;
+import java.util.*;

 /**
 * @author Jason Song(song_s@ctrip.com)
@@ -69,6 +65,7 @@ public class ConsumerController {
  @RequestMapping(value = "/consumers/{token}/assign-role", method = RequestMethod.POST)
  public List<ConsumerRole> assignNamespaceRoleToConsumer(@PathVariable String token,
                                                          @RequestParam String type,
+                                                          @RequestParam(required = false) String envs,
                                                          @RequestBody NamespaceDTO namespace) {

    String appId = namespace.getAppId();
@@ -77,14 +74,29 @@ public class ConsumerController {
    if (StringUtils.isEmpty(appId)) {
      throw new BadRequestException("Params(AppId) can not be empty.");
    }
-
    if (Objects.equals("AppRole", type)) {
      return Collections.singletonList(consumerService.assignAppRoleToConsumer(token, appId));
    } else {
      if (StringUtils.isEmpty(namespaceName)) {
        throw new BadRequestException("Params(NamespaceName) can not be empty.");
      }
-      return consumerService.assignNamespaceRoleToConsumer(token, appId, namespaceName);
+      if (null != envs){
+        String[] envList = envs.split(",");
+        // validate env parameter
+        for (String env : envList) {
+          if (null != env && !"".equals(env) && null == EnvUtils.transformEnv(env)) {
+            throw new BadRequestException(String.format("env: %s is illegal", env));
+          }
+        }
+
+        List<ConsumerRole> consumeRoles = new ArrayList<>();
+        for (String env : envList) {
+          consumeRoles.addAll(consumerService.assignNamespaceRoleToConsumer(token, appId, namespaceName, env));
+        }
+        return consumeRoles;
+      }
+
+      return consumerService.assignNamespaceRoleToConsumer(token, appId, namespaceName, null);
    }
  }


--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
@@ -4,15 +4,18 @@ import com.ctrip.framework.apollo.common.dto.ItemDTO;
 import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.core.enums.Env;
 import com.ctrip.framework.apollo.core.utils.StringUtils;
+import com.ctrip.framework.apollo.portal.component.PermissionValidator;
 import com.ctrip.framework.apollo.portal.entity.model.NamespaceSyncModel;
 import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel;
 import com.ctrip.framework.apollo.portal.entity.vo.ItemDiffs;
+import com.ctrip.framework.apollo.portal.entity.vo.NamespaceIdentifier;
 import com.ctrip.framework.apollo.portal.service.ItemService;
 import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;

 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -34,8 +37,10 @@ public class ItemController {
  private ItemService configService;
  @Autowired
  private UserInfoHolder userInfoHolder;
+  @Autowired
+  private PermissionValidator permissionValidator;

-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items", method = RequestMethod.PUT, consumes = {
      "application/json"})
  public void modifyItemsByText(@PathVariable String appId, @PathVariable String env,
@@ -52,7 +57,7 @@ public class ItemController {
    configService.updateConfigItemByText(model);
  }

-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item", method = RequestMethod.POST)
  public ItemDTO createItem(@PathVariable String appId, @PathVariable String env,
                            @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -71,7 +76,7 @@ public class ItemController {
    return configService.createItem(appId, Env.valueOf(env), clusterName, namespaceName, item);
  }

-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item", method = RequestMethod.PUT)
  public void updateItem(@PathVariable String appId, @PathVariable String env,
                         @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -85,7 +90,7 @@ public class ItemController {
  }


-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env) ")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/{itemId}", method = RequestMethod.DELETE)
  public void deleteItem(@PathVariable String appId, @PathVariable String env,
                         @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -134,16 +139,35 @@ public class ItemController {
    return configService.compare(model.getSyncToNamespaces(), model.getSyncItems());
  }

-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  //@PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value="@permissionValidator.alwaysTrue()")
  @RequestMapping(value = "/apps/{appId}/namespaces/{namespaceName}/items", method = RequestMethod.PUT, consumes = {
      "application/json"})
-  public ResponseEntity<Void> update(@PathVariable String appId, @PathVariable String namespaceName,
+  public ResponseEntity update(@PathVariable String appId, @PathVariable String namespaceName,
                                     @RequestBody NamespaceSyncModel model) {
    checkModel(Objects.nonNull(model) && !model.isInvalid());
-
+    boolean hasPermission = permissionValidator.hasModifyNamespacePermission(appId, namespaceName, null);
+    Env envNoPermission = null;
+    // if uses has ModifyNamespace permission then he has permission
+    if (!hasPermission) {
+      // else check if user has every env's ModifyNamespace permission
+      hasPermission = true;
+      for (NamespaceIdentifier namespaceIdentifier : model.getSyncToNamespaces()) {
+        // once user has not one of the env's ModifyNamespace permission, then break the loop
+        hasPermission &= permissionValidator.hasModifyNamespacePermission(namespaceIdentifier.getAppId(), namespaceIdentifier.getNamespaceName(), namespaceIdentifier.getEnv().toString());
+        if (!hasPermission) {
+          envNoPermission = namespaceIdentifier.getEnv();
+          break;
+        }
+      }
+    }
+    if (hasPermission) {
      configService.syncItems(model.getSyncToNamespaces(), model.getSyncItems());
      return ResponseEntity.status(HttpStatus.OK).build();
    }
+    else
+      throw new AccessDeniedException(String.format("您没有修改环境%s的权限", envNoPermission));
+  }

  private boolean isValidItem(ItemDTO item) {
    return Objects.nonNull(item) && !StringUtils.isContainEmpty(item.getKey());

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
@@ -46,7 +46,7 @@ public class NamespaceBranchController {
    return namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName);
  }

-  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches", method = RequestMethod.POST)
  public NamespaceDTO createBranch(@PathVariable String appId,
                                   @PathVariable String env,
@@ -63,8 +63,9 @@ public class NamespaceBranchController {
                           @PathVariable String namespaceName,
                           @PathVariable String branchName) {

-    boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName) ||
-                        (permissionValidator.hasModifyNamespacePermission(appId, namespaceName) &&
+    boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, null) ||
+            permissionValidator.hasReleaseNamespacePermission(appId, namespaceName, env) ||
+            ((permissionValidator.hasModifyNamespacePermission(appId, namespaceName, null) || permissionValidator.hasModifyNamespacePermission(appId, namespaceName, env)) &&
                      releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null);


@@ -81,7 +82,7 @@ public class NamespaceBranchController {



-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge", method = RequestMethod.POST)
  public ReleaseDTO merge(@PathVariable String appId, @PathVariable String env,
                          @PathVariable String clusterName, @PathVariable String namespaceName,
@@ -120,7 +121,7 @@ public class NamespaceBranchController {
  }


-  @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules", method = RequestMethod.PUT)
  public void updateBranchRules(@PathVariable String appId, @PathVariable String env,
                                @PathVariable String clusterName, @PathVariable String namespaceName,

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java
@@ -104,6 +104,7 @@ public class NamespaceController {
    String operator = userInfoHolder.getUser().getUserId();

    roleInitializationService.initNamespaceRoles(appId, namespaceName, operator);
+    roleInitializationService.initNamespaceEnvRoles(appId, namespaceName, operator);

    for (NamespaceCreationModel model : models) {
      NamespaceDTO namespace = model.getNamespace();
@@ -207,10 +208,10 @@ public class NamespaceController {
    String operator = userInfoHolder.getUser().getUserId();

    rolePermissionService
-        .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE),
+        .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.MODIFY_NAMESPACE, null),
                           Sets.newHashSet(operator), operator);
    rolePermissionService
-        .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE),
+        .assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, RoleType.RELEASE_NAMESPACE, null),
                           Sets.newHashSet(operator), operator);
  }
 }
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java
 package com.ctrip.framework.apollo.portal.controller;

+import com.ctrip.framework.apollo.core.enums.Env;
+import com.ctrip.framework.apollo.core.enums.EnvUtils;
+import com.ctrip.framework.apollo.portal.entity.vo.NamespaceEnvRolesAssignedUsers;
+import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
 import com.google.common.collect.Sets;

 import com.ctrip.framework.apollo.common.exception.BadRequestException;
@@ -37,6 +41,14 @@ public class PermissionController {
  private RolePermissionService rolePermissionService;
  @Autowired
  private UserService userService;
+  @Autowired
+  private RoleInitializationService roleInitializationService;
+
+  @RequestMapping(value = "/apps/{appId}/initPermission", method = RequestMethod.POST)
+  public ResponseEntity<Void> initAppPermission(@PathVariable String appId, @RequestBody String namespaceName) {
+    roleInitializationService.initNamespaceEnvRoles(appId, namespaceName, userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }

  @RequestMapping(value = "/apps/{appId}/permissions/{permissionType}", method = RequestMethod.GET)
  public ResponseEntity<PermissionCondition> hasPermission(@PathVariable String appId, @PathVariable String permissionType) {
@@ -55,7 +67,19 @@ public class PermissionController {

    permissionCondition.setHasPermission(
        rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), permissionType,
-            RoleUtils.buildNamespaceTargetId(appId, namespaceName)));
+            RoleUtils.buildNamespaceTargetId(appId, namespaceName, null)));
+
+    return ResponseEntity.ok().body(permissionCondition);
+  }
+
+  @RequestMapping(value = "/apps/{appId}/envs/{env}/namespaces/{namespaceName}/permissions/{permissionType}", method = RequestMethod.GET)
+  public ResponseEntity<PermissionCondition> hasPermission(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName,
+                                                           @PathVariable String permissionType) {
+    PermissionCondition permissionCondition = new PermissionCondition();
+
+    permissionCondition.setHasPermission(
+        rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), permissionType,
+            RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)));

    return ResponseEntity.ok().body(permissionCondition);
  }
@@ -70,6 +94,72 @@ public class PermissionController {
  }


+  @RequestMapping(value = "/apps/{appId}/envs/{env}/namespaces/{namespaceName}/role_users", method = RequestMethod.GET)
+  public NamespaceEnvRolesAssignedUsers getNamespaceEnvRoles(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName) {
+
+    // validate env parameter
+    if (null == EnvUtils.transformEnv(env)) {
+      throw new BadRequestException("env is illegal");
+    }
+
+    NamespaceEnvRolesAssignedUsers assignedUsers = new NamespaceEnvRolesAssignedUsers();
+    assignedUsers.setNamespaceName(namespaceName);
+    assignedUsers.setAppId(appId);
+    assignedUsers.setEnv(Env.fromString(env));
+
+    Set<UserInfo> releaseNamespaceUsers =
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, env));
+    assignedUsers.setReleaseRoleUsers(releaseNamespaceUsers);
+
+    Set<UserInfo> modifyNamespaceUsers =
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, env));
+    assignedUsers.setModifyRoleUsers(modifyNamespaceUsers);
+
+    return assignedUsers;
+  }
+
+  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @RequestMapping(value = "/apps/{appId}/envs/{env}/namespaces/{namespaceName}/roles/{roleType}", method = RequestMethod.POST)
+  public ResponseEntity<Void> assignNamespaceEnvRoleToUser(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName,
+                                                           @PathVariable String roleType, @RequestBody String user) {
+    checkUserExists(user);
+    RequestPrecondition.checkArgumentsNotEmpty(user);
+
+    if (!RoleType.isValidRoleType(roleType)) {
+      throw new BadRequestException("role type is illegal");
+    }
+
+    // validate env parameter
+    if (null == EnvUtils.transformEnv(env)) {
+      throw new BadRequestException("env is illegal");
+    }
+    Set<String> assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, env),
+        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
+    if (CollectionUtils.isEmpty(assignedUser)) {
+      throw new BadRequestException(user + "已授权");
+    }
+
+    return ResponseEntity.ok().build();
+  }
+
+  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @RequestMapping(value = "/apps/{appId}/envs/{env}/namespaces/{namespaceName}/roles/{roleType}", method = RequestMethod.DELETE)
+  public ResponseEntity<Void> removeNamespaceEnvRoleFromUser(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName,
+                                                             @PathVariable String roleType, @RequestParam String user) {
+    RequestPrecondition.checkArgumentsNotEmpty(user);
+
+    if (!RoleType.isValidRoleType(roleType)) {
+      throw new BadRequestException("role type is illegal");
+    }
+    // validate env parameter
+    if (null == EnvUtils.transformEnv(env)) {
+      throw new BadRequestException("env is illegal");
+    }
+    rolePermissionService.removeRoleFromUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, env),
+        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
  @RequestMapping(value = "/apps/{appId}/namespaces/{namespaceName}/role_users", method = RequestMethod.GET)
  public NamespaceRolesAssignedUsers getNamespaceRoles(@PathVariable String appId, @PathVariable String namespaceName) {

@@ -78,11 +168,11 @@ public class PermissionController {
    assignedUsers.setAppId(appId);

    Set<UserInfo> releaseNamespaceUsers =
-        rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName));
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, null));
    assignedUsers.setReleaseRoleUsers(releaseNamespaceUsers);

    Set<UserInfo> modifyNamespaceUsers =
-        rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName));
+        rolePermissionService.queryUsersWithRole(RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, null));
    assignedUsers.setModifyRoleUsers(modifyNamespaceUsers);

    return assignedUsers;
@@ -98,7 +188,7 @@ public class PermissionController {
    if (!RoleType.isValidRoleType(roleType)) {
      throw new BadRequestException("role type is illegal");
    }
-    Set<String> assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType),
+    Set<String> assignedUser = rolePermissionService.assignRoleToUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, null),
        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
    if (CollectionUtils.isEmpty(assignedUser)) {
      throw new BadRequestException(user + "已授权");
@@ -116,7 +206,7 @@ public class PermissionController {
    if (!RoleType.isValidRoleType(roleType)) {
      throw new BadRequestException("role type is illegal");
    }
-    rolePermissionService.removeRoleFromUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType),
+    rolePermissionService.removeRoleFromUsers(RoleUtils.buildNamespaceRoleName(appId, namespaceName, roleType, null),
        Sets.newHashSet(user), userInfoHolder.getUser().getUserId());
    return ResponseEntity.ok().build();
  }

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java
@@ -36,7 +36,7 @@ public class ReleaseController {
  @Autowired
  private PortalConfig portalConfig;

-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases", method = RequestMethod.POST)
  public ReleaseDTO createRelease(@PathVariable String appId,
                                  @PathVariable String env, @PathVariable String clusterName,
@@ -67,7 +67,7 @@ public class ReleaseController {
    return createdRelease;
  }

-  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName)")
+  @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, null) || @permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName, #env)")
  @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/releases",
      method = RequestMethod.POST)
  public ReleaseDTO createGrayRelease(@PathVariable String appId,

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/vo/NamespaceEnvRolesAssignedUsers.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/entity/vo/NamespaceEnvRolesAssignedUsers.java
+package com.ctrip.framework.apollo.portal.entity.vo;
+
+import com.ctrip.framework.apollo.core.enums.Env;
+
+public class NamespaceEnvRolesAssignedUsers extends NamespaceRolesAssignedUsers {
+    private Env env;
+
+    public Env getEnv() {
+        return env;
+    }
+
+    public void setEnv(Env env) {
+        this.env = env;
+    }
+}
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppNamespaceService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/AppNamespaceService.java
@@ -116,6 +116,7 @@ public class AppNamespaceService {
    AppNamespace createdAppNamespace = appNamespaceRepository.save(appNamespace);

    roleInitializationService.initNamespaceRoles(appNamespace.getAppId(), appNamespace.getName(), operator);
+    roleInitializationService.initNamespaceEnvRoles(appNamespace.getAppId(), appNamespace.getName(), operator);

    return createdAppNamespace;
  }

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java
@@ -8,4 +8,8 @@ public interface RoleInitializationService {

  public void initNamespaceRoles(String appId, String namespaceName, String operator);

+  public void initNamespaceEnvRoles(String appId, String namespaceName, String operator);
+
+  public void initNamespaceSpecificEnvRoles(String appId, String namespaceName, String env, String operator);
+
 }
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java
 package com.ctrip.framework.apollo.portal.spi.defaultimpl;

+import com.ctrip.framework.apollo.core.enums.Env;
+import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
 import com.google.common.collect.FluentIterable;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
@@ -18,7 +20,7 @@ import com.ctrip.framework.apollo.portal.util.RoleUtils;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;

-import java.util.Set;
+import java.util.*;

 /**
 * Created by timothy on 2017/4/26.
@@ -29,6 +31,8 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
  private UserInfoHolder userInfoHolder;
  @Autowired
  private RolePermissionService rolePermissionService;
+  @Autowired
+  private PortalConfig portalConfig;

  @Transactional
  public void initAppRoles(App app) {
@@ -50,13 +54,14 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
            operator);

    initNamespaceRoles(appId, ConfigConsts.NAMESPACE_APPLICATION, operator);
+    initNamespaceEnvRoles(appId, ConfigConsts.NAMESPACE_APPLICATION, operator);

    //assign modify、release namespace role to user
    rolePermissionService.assignRoleToUsers(
-        RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.MODIFY_NAMESPACE),
+        RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.MODIFY_NAMESPACE, null),
        Sets.newHashSet(operator), operator);
    rolePermissionService.assignRoleToUsers(
-        RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.RELEASE_NAMESPACE),
+        RoleUtils.buildNamespaceRoleName(appId, ConfigConsts.NAMESPACE_APPLICATION, RoleType.RELEASE_NAMESPACE, null),
        Sets.newHashSet(operator), operator);

  }
@@ -64,16 +69,40 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
  @Transactional
  public void initNamespaceRoles(String appId, String namespaceName, String operator) {

-    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName);
+    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, null);
    if (rolePermissionService.findRoleByRoleName(modifyNamespaceRoleName) == null) {
      createNamespaceRole(appId, namespaceName, PermissionType.MODIFY_NAMESPACE,
-                          RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName), operator);
+          modifyNamespaceRoleName, operator);
    }

-    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName);
+    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, null);
    if (rolePermissionService.findRoleByRoleName(releaseNamespaceRoleName) == null) {
      createNamespaceRole(appId, namespaceName, PermissionType.RELEASE_NAMESPACE,
-                          RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName), operator);
+          releaseNamespaceRoleName, operator);
+    }
+  }
+
+  @Transactional
+  public void initNamespaceEnvRoles(String appId, String namespaceName, String operator) {
+    List<Env> portalEnvs = portalConfig.portalSupportedEnvs();
+
+    for (Env env : portalEnvs) {
+      initNamespaceSpecificEnvRoles(appId, namespaceName, env.toString(), operator);
+    }
+  }
+
+  @Transactional
+  public void initNamespaceSpecificEnvRoles(String appId, String namespaceName, String env, String operator) {
+    String modifyNamespaceEnvRoleName = RoleUtils.buildModifyNamespaceRoleName(appId, namespaceName, env);
+    if (rolePermissionService.findRoleByRoleName(modifyNamespaceEnvRoleName) == null) {
+      createNamespaceEnvRole(appId, namespaceName, PermissionType.MODIFY_NAMESPACE, env,
+          modifyNamespaceEnvRoleName, operator);
+    }
+
+    String releaseNamespaceEnvRoleName = RoleUtils.buildReleaseNamespaceRoleName(appId, namespaceName, env);
+    if (rolePermissionService.findRoleByRoleName(releaseNamespaceEnvRoleName) == null) {
+      createNamespaceEnvRole(appId, namespaceName, PermissionType.RELEASE_NAMESPACE, env,
+          releaseNamespaceEnvRoleName, operator);
    }
  }

@@ -114,7 +143,18 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
                                   String roleName, String operator) {

    Permission permission =
-        createPermission(RoleUtils.buildNamespaceTargetId(appId, namespaceName), permissionType, operator);
+        createPermission(RoleUtils.buildNamespaceTargetId(appId, namespaceName, null), permissionType, operator);
+    Permission createdPermission = rolePermissionService.createPermission(permission);
+
+    Role role = createRole(roleName, operator);
+    rolePermissionService
+        .createRoleWithPermissions(role, Sets.newHashSet(createdPermission.getId()));
+  }
+
+  private void createNamespaceEnvRole(String appId, String namespaceName, String permissionType, String env,
+                                      String roleName, String operator) {
+    Permission permission =
+        createPermission(RoleUtils.buildNamespaceTargetId(appId, namespaceName, env), permissionType, operator);
    Permission createdPermission = rolePermissionService.createPermission(permission);

    Role role = createRole(roleName, operator);

--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java
@@ -17,7 +17,9 @@ public class RoleUtils {
    return STRING_JOINER.join(roleType, appId);
  }

-  public static String buildModifyNamespaceRoleName(String appId, String namespaceName) {
+  public static String buildModifyNamespaceRoleName(String appId, String namespaceName, String env) {
+    if (null != env && !"".equals(env))
+      return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName, env);
    return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, namespaceName);
  }

@@ -25,11 +27,15 @@ public class RoleUtils {
    return STRING_JOINER.join(RoleType.MODIFY_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION);
  }

-  public static String buildReleaseNamespaceRoleName(String appId, String namespaceName) {
+  public static String buildReleaseNamespaceRoleName(String appId, String namespaceName, String env) {
+    if (null != env && !"".equals(env))
+      return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName, env);
    return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, namespaceName);
  }

-  public static String buildNamespaceRoleName(String appId, String namespaceName, String roleType) {
+  public static String buildNamespaceRoleName(String appId, String namespaceName, String roleType, String env) {
+    if (null != env && !"".equals(env))
+      return STRING_JOINER.join(roleType, appId, namespaceName, env);
    return STRING_JOINER.join(roleType, appId, namespaceName);
  }

@@ -37,7 +43,9 @@ public class RoleUtils {
    return STRING_JOINER.join(RoleType.RELEASE_NAMESPACE, appId, ConfigConsts.NAMESPACE_APPLICATION);
  }

-  public static String buildNamespaceTargetId(String appId, String namespaceName) {
+  public static String buildNamespaceTargetId(String appId, String namespaceName, String env) {
+    if (null != env && !"".equals(env))
+      return STRING_JOINER.join(appId, namespaceName, env);
    return STRING_JOINER.join(appId, namespaceName);
  }


--- a/apollo-portal/src/main/resources/static/namespace/role.html
+++ b/apollo-portal/src/main/resources/static/namespace/role.html
@@ -35,21 +35,35 @@
            <div class="row">
                <div class="form-horizontal">
                    <div class="form-group">
-                        <label class="col-sm-2 control-label">修改权<br><small>(可以修改配置)</small></label>
+                        <label class="col-sm-2 control-label">修改权<br><small>(可以修改配置，不选择环境则对所有环境授权)</small></label>
                        <div class="col-sm-8">
                            <form class="form-inline" ng-submit="assignRoleToUser('ModifyNamespace')">
                                <div class="form-group">
                                    <apollouserselector apollo-id="modifyRoleWidgetId"></apollouserselector>
+                                    <select class="form-control input-sm" ng-model="modifyRoleSelectedEnv">
+                                        <option value="">可选环境</option>
+                                        <option ng-repeat="env in envs" ng-value="env">{{env}}</option>
+                                    </select>
                                </div>
                                <button type="submit" class="btn btn-default" style="margin-left: 20px;" ng-disabled="modifyRoleSubmitBtnDisabled">添加</button>
                            </form>
                            <!-- Split button -->
                            <div class="item-container">
-
+                                <h5>ALL</h5>
                                <div class="btn-group item-info" ng-repeat="user in rolesAssignedUsers.modifyRoleUsers">
                                    <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
                                    <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"
-                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ModifyNamespace', user.userId)">
+                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ModifyNamespace', user.userId, null)">
+                                        <span class="glyphicon glyphicon-remove"></span>
+                                    </button>
+                                </div>
+                            </div>
+                            <div class="item-container" ng-repeat="env in envs">
+                                <h5>{{env}}</h5>
+                                <div class="btn-group item-info" ng-repeat="user in envRolesAssignedUsers[env].modifyRoleUsers">
+                                    <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
+                                    <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"
+                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ModifyNamespace', user.userId, env)">
                                        <span class="glyphicon glyphicon-remove"></span>
                                    </button>
                                </div>
@@ -63,27 +77,41 @@
                <div class="row" style="margin-top: 10px;">
                    <div class="form-horizontal">
                        <div class="col-sm-2 text-right">
-                            <label class="control-label">发布权<br><small>(可以发布配置)</small></label>
+                            <label class="control-label">发布权<br><small>(可以发布配置，不选择环境则对所有环境授权)</small></label>
                        </div>
                        <div class="col-sm-8">
                            <form class="form-inline" ng-submit="assignRoleToUser('ReleaseNamespace')">
                                <div class="form-group">
                                    <apollouserselector apollo-id="releaseRoleWidgetId"></apollouserselector>
-
+                                    <select class="form-control input-sm" ng-model="releaseRoleSelectedEnv">
+                                        <option value="">可选环境</option>
+                                        <option ng-repeat="env in envs" ng-value="env">{{env}}</option>
+                                    </select>
                                </div>
                                <button type="submit" class="btn btn-default" style="margin-left: 20px;" ng-disabled="ReleaseRoleSubmitBtnDisabled">添加</button>
                            </form>
                            <!-- Split button -->
                            <div class="item-container">
+                                <h5>ALL</h5>
                                <div class="btn-group item-info" ng-repeat="user in rolesAssignedUsers.releaseRoleUsers">
                                    <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
                                    <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"
-                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ReleaseNamespace', user.userId)">
+                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ReleaseNamespace', user.userId, null)">
                                        <span class="glyphicon glyphicon-remove"></span>
                                    </button>
                                </div>
                            </div>

+                            <div class="item-container" ng-repeat="env in envs">
+                                <h5>{{env}}</h5>
+                                <div class="btn-group item-info" ng-repeat="user in envRolesAssignedUsers[env].releaseRoleUsers">
+                                    <button type="button" class="btn btn-default" ng-bind="user.userId"></button>
+                                    <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"
+                                            aria-haspopup="true" aria-expanded="false" ng-click="removeUserRole('ReleaseNamespace', user.userId, env)">
+                                        <span class="glyphicon glyphicon-remove"></span>
+                                    </button>
+                                </div>
+                            </div>
                        </div>
                    </div>


--- a/apollo-portal/src/main/resources/static/open/manage.html
+++ b/apollo-portal/src/main/resources/static/open/manage.html
@@ -135,6 +135,17 @@
                            </label>
                        </div>
                    </div>
+                    <div class="form-group" valdr-form-group ng-show="consumerRole.type=='NamespaceRole'">
+                        <label class="col-sm-2 control-label">
+                            环境（不选择则所有环境都有权限）
+                        </label>
+                        <div class="col-sm-3">
+                            <label class="checkbox-inline" ng-repeat="env in envs">
+                                <input type="checkbox" ng-checked="env.checked" ng-click="switchSelect(env)" />
+                                {{env.env}}
+                            </label>
+                        </div>
+                    </div>
                    <div class="form-group">
                        <div class="col-sm-offset-2 col-sm-9">
                            <button type="submit" class="btn btn-primary"

--- a/apollo-portal/src/main/resources/static/scripts/controller/open/OpenManageController.js
+++ b/apollo-portal/src/main/resources/static/scripts/controller/open/OpenManageController.js
 open_manage_module.controller('OpenManageController',
-                              ['$scope', 'toastr', 'AppUtil', 'OrganizationService', 'ConsumerService', 'PermissionService',
+                              ['$scope', 'toastr', 'AppUtil', 'OrganizationService', 'ConsumerService', 'PermissionService','EnvService',
                               OpenManageController]);

-function OpenManageController($scope, toastr, AppUtil, OrganizationService, ConsumerService, PermissionService) {
+function OpenManageController($scope, toastr, AppUtil, OrganizationService, ConsumerService, PermissionService, EnvService) {

    var $orgWidget = $('#organization');

@@ -18,12 +18,10 @@ function OpenManageController($scope, toastr, AppUtil, OrganizationService, Cons
    $scope.createConsumer = createConsumer;
    $scope.assignRoleToConsumer = assignRoleToConsumer;

-    init();
-
    function init() {
        initOrganization();
        initPermission();
-
+        initEnv();
    }

    function initOrganization() {
@@ -50,7 +48,29 @@ function OpenManageController($scope, toastr, AppUtil, OrganizationService, Cons
        PermissionService.has_root_permission()
            .then(function (result) {
                  $scope.isRootUser = result.hasPermission;
-            })
+            });
+    }
+
+    function initEnv() {
+        EnvService.find_all_envs()
+            .then(function (result){
+                $scope.envs = new Array();
+                for (var iLoop  = 0; iLoop < result.length; iLoop++) {
+                    $scope.envs.push({ checked : false, env : result[iLoop] });
+                    $scope.envsChecked = new Array();
+                }
+
+                $scope.switchSelect = function (item) {
+                    item.checked = !item.checked;
+                    $scope.envsChecked = new Array();
+                    for (var iLoop = 0; iLoop < $scope.envs.length; iLoop++) {
+                        var env = $scope.envs[iLoop];
+                        if (env.checked) {
+                            $scope.envsChecked.push(env.env);
+                        }
+                    }
+                };
+            });
    }

    function getTokenByAppId() {
@@ -68,7 +88,7 @@ function OpenManageController($scope, toastr, AppUtil, OrganizationService, Cons
                } else {
                    $scope.consumerToken = {token: 'App(' + $scope.consumer.appId + ')未创建，请先创建'};
                }
-            })
+            });
    }

    function createConsumer() {
@@ -114,7 +134,8 @@ function OpenManageController($scope, toastr, AppUtil, OrganizationService, Cons
        ConsumerService.assignRoleToConsumer($scope.consumerRole.token,
                                             $scope.consumerRole.type,
                                             $scope.consumerRole.appId,
-                                             $scope.consumerRole.namespaceName)
+                                             $scope.consumerRole.namespaceName,
+                                             $scope.envsChecked)
            .then(function (consumerRoles) {
                toastr.success("赋权成功");
            }, function (response) {
@@ -122,4 +143,5 @@ function OpenManageController($scope, toastr, AppUtil, OrganizationService, Cons
            })
    }

+    init();
 }
--- a/apollo-portal/src/main/resources/static/scripts/controller/role/NamespaceRoleController.js
+++ b/apollo-portal/src/main/resources/static/scripts/controller/role/NamespaceRoleController.js
--- a/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js
+++ b/apollo-portal/src/main/resources/static/scripts/directive/namespace-panel-directive.js
@@ -217,22 +217,54 @@ function directive($window, toastr, AppUtil, EventManager, PermissionService, Na
                        scope.appId,
                        namespace.baseInfo.namespaceName)
                        .then(function (result) {
+                            if (!result.hasPermission) {
+                                PermissionService.has_modify_namespace_env_permission(
+                                    scope.appId,
+                                    scope.env,
+                                    namespace.baseInfo.namespaceName
+                                    )
+                                    .then(function (result) {
+                                        //branch has same permission
+                                        namespace.hasModifyPermission = result.hasPermission;
+                                        if (namespace.branch) {
+                                            namespace.branch.hasModifyPermission = result.hasPermission;
+                                        }
+                                    });
+                            }
+                            else {
                            //branch has same permission
                            namespace.hasModifyPermission = result.hasPermission;
                                if (namespace.branch) {
                                    namespace.branch.hasModifyPermission = result.hasPermission;
                                }
+                            }
                        });

                    PermissionService.has_release_namespace_permission(
                        scope.appId,
                        namespace.baseInfo.namespaceName)
                        .then(function (result) {
+                            if (!result.hasPermission) {
+                                PermissionService.has_release_namespace_env_permission(
+                                    scope.appId,
+                                    scope.env,
+                                    namespace.baseInfo.namespaceName
+                                    )
+                                    .then(function (result) {
+                                        //branch has same permission
+                                        namespace.hasReleasePermission = result.hasPermission;
+                                        if (namespace.branch) {
+                                            namespace.branch.hasReleasePermission = result.hasPermission;
+                                        }
+                                    });
+                            }
+                            else {
                                //branch has same permission
                                namespace.hasReleasePermission = result.hasPermission;
                                if (namespace.branch) {
                                    namespace.branch.hasReleasePermission = result.hasPermission;
                                }
+                            }
                        });
                }


--- a/apollo-portal/src/main/resources/static/scripts/services/ConsumerService.js
+++ b/apollo-portal/src/main/resources/static/scripts/services/ConsumerService.js
@@ -29,11 +29,12 @@ appService.service('ConsumerService', ['$resource', '$q', 'AppUtil',
                appId: appId
            });
        },
-        assignRoleToConsumer: function (token, type, appId, namespaceName) {
+        assignRoleToConsumer: function (token, type, appId, namespaceName, envs) {
            return AppUtil.ajax(resource.assign_role_to_consumer, 
                                {
                                    token: token,
-                                    type: type 
+                                    type: type,
+                                    envs: envs
                                },
                                {
                                    appId: appId,

--- a/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js
+++ b/apollo-portal/src/main/resources/static/scripts/services/PermissionService.js
 appService.service('PermissionService', ['$resource', '$q', function ($resource, $q) {
    var permission_resource = $resource('', {}, {
+        init_app_namespace_permission: {
+            method: 'POST',
+            url: '/apps/:appId/initPermission?namespace=:namespace'
+        },
        has_app_permission: {
            method: 'GET',
            url: '/apps/:appId/permissions/:permissionType'
@@ -8,6 +12,10 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
            method: 'GET',
            url: '/apps/:appId/namespaces/:namespaceName/permissions/:permissionType'
        },
+        has_namespace_env_permission: {
+            method: 'GET',
+            url: '/apps/:appId/envs/:env/namespaces/:namespaceName/permissions/:permissionType'
+        },
        has_root_permission:{
            method: 'GET',
            url: '/permissions/root'
@@ -16,14 +24,26 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
            method: 'GET',
            url: '/apps/:appId/namespaces/:namespaceName/role_users'
        },
+        get_namespace_env_role_users: {
+            method: 'GET',
+            url: '/apps/:appId/envs/:env/namespaces/:namespaceName/role_users'
+        },
        assign_namespace_role_to_user: {
            method: 'POST',
            url: '/apps/:appId/namespaces/:namespaceName/roles/:roleType'
        },
+        assign_namespace_env_role_to_user: {
+            method: 'POST',
+            url: '/apps/:appId/envs/:env/namespaces/:namespaceName/roles/:roleType'
+        },
        remove_namespace_role_from_user: {
            method: 'DELETE',
            url: '/apps/:appId/namespaces/:namespaceName/roles/:roleType?user=:user'
        },
+        remove_namespace_env_role_from_user: {
+            method: 'DELETE',
+            url: '/apps/:appId/envs/:env/namespaces/:namespaceName/roles/:roleType?user=:user'
+        },
        get_app_role_users: {
            method: 'GET',
            url: '/apps/:appId/role_users'    
@@ -38,6 +58,20 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        }
    });

+    function initAppNamespacePermission(appId, namespace) {
+        var d = $q.defer();
+        permission_resource.init_app_namespace_permission({
+                appId: appId,
+                namespace: namespace
+            }, namespace,
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
    function hasAppPermission(appId, permissionType) {
        var d = $q.defer();
        permission_resource.has_app_permission({
@@ -67,6 +101,22 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        return d.promise;
    }

+    function hasNamespaceEnvPermission(appId, env, namespaceName, permissionType) {
+        var d = $q.defer();
+        permission_resource.has_namespace_env_permission({
+                appId: appId,
+                namespaceName: namespaceName,
+                permissionType: permissionType,
+                env: env
+            },
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
    function assignNamespaceRoleToUser(appId, namespaceName, roleType, user) {
        var d = $q.defer();
        permission_resource.assign_namespace_role_to_user({
@@ -82,7 +132,23 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        return d.promise;
    }

-    function removeRoleFromUser(appId, namespaceName, roleType, user) {
+    function assignNamespaceEnvRoleToUser(appId, env, namespaceName, roleType, user) {
+        var d = $q.defer();
+        permission_resource.assign_namespace_env_role_to_user({
+                appId: appId,
+                namespaceName: namespaceName,
+                roleType: roleType,
+                env: env
+            }, user,
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
+    function removeNamespaceRoleFromUser(appId, namespaceName, roleType, user) {
        var d = $q.defer();
        permission_resource.remove_namespace_role_from_user({
                                                                appId: appId,
@@ -98,7 +164,27 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        return d.promise;
    }

+    function removeNamespaceEnvRoleFromUser(appId, env, namespaceName, roleType, user) {
+        var d = $q.defer();
+        permission_resource.remove_namespace_env_role_from_user({
+                appId: appId,
+                namespaceName: namespaceName,
+                roleType: roleType,
+                user: user,
+                env: env
+            },
+            function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+        return d.promise;
+    }
+
    return {
+        init_app_namespace_permission: function (appId, namespace) {
+            return initAppNamespacePermission(appId, namespace);
+        },
        has_create_namespace_permission: function (appId) {
            return hasAppPermission(appId, 'CreateNamespace');
        },
@@ -111,9 +197,15 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        has_modify_namespace_permission: function (appId, namespaceName) {
            return hasNamespacePermission(appId, namespaceName, 'ModifyNamespace');
        },
+        has_modify_namespace_env_permission: function (appId, env, namespaceName) {
+            return hasNamespaceEnvPermission(appId, env, namespaceName, 'ModifyNamespace');
+        },
        has_release_namespace_permission: function (appId, namespaceName) {
            return hasNamespacePermission(appId, namespaceName, 'ReleaseNamespace');
        },
+        has_release_namespace_env_permission: function (appId, env, namespaceName) {
+            return hasNamespaceEnvPermission(appId, env, namespaceName, 'ReleaseNamespace');
+        },
        has_root_permission: function () {
            var d = $q.defer();
            permission_resource.has_root_permission({ },
@@ -128,14 +220,26 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
        assign_modify_namespace_role: function (appId, namespaceName, user) {
            return assignNamespaceRoleToUser(appId, namespaceName, 'ModifyNamespace', user);
        },
+        assign_modify_namespace_env_role: function (appId, env, namespaceName, user) {
+            return assignNamespaceEnvRoleToUser(appId, env, namespaceName, 'ModifyNamespace', user);
+        },
        assign_release_namespace_role: function (appId, namespaceName, user) {
            return assignNamespaceRoleToUser(appId, namespaceName, 'ReleaseNamespace', user);
        },
+        assign_release_namespace_env_role: function (appId, env, namespaceName, user) {
+            return assignNamespaceEnvRoleToUser(appId, env, namespaceName, 'ReleaseNamespace', user);
+        },
        remove_modify_namespace_role: function (appId, namespaceName, user) {
-            return removeRoleFromUser(appId, namespaceName, 'ModifyNamespace', user);
+            return removeNamespaceRoleFromUser(appId, namespaceName, 'ModifyNamespace', user);
+        },
+        remove_modify_namespace_env_role: function (appId, env, namespaceName, user) {
+            return removeNamespaceEnvRoleFromUser(appId, env, namespaceName, 'ModifyNamespace', user);
        },
        remove_release_namespace_role: function (appId, namespaceName, user) {
-            return removeRoleFromUser(appId, namespaceName, 'ReleaseNamespace', user);
+            return removeNamespaceRoleFromUser(appId, namespaceName, 'ReleaseNamespace', user);
+        },
+        remove_release_namespace_env_role: function (appId, env, namespaceName, user) {
+            return removeNamespaceEnvRoleFromUser(appId, env, namespaceName, 'ReleaseNamespace', user);
        },
        get_namespace_role_users: function (appId, namespaceName) {
            var d = $q.defer();
@@ -150,6 +254,20 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
                });
            return d.promise;
        },
+        get_namespace_env_role_users: function (appId, env, namespaceName) {
+            var d = $q.defer();
+            permission_resource.get_namespace_env_role_users({
+                    appId: appId,
+                    namespaceName: namespaceName,
+                    env: env
+                },
+                function (result) {
+                    d.resolve(result);
+                }, function (result) {
+                    d.reject(result);
+                });
+            return d.promise;
+        },
        get_app_role_users: function (appId) {
            var d = $q.defer();
            permission_resource.get_app_role_users({

--- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/service/ConsumerServiceTest.java
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/service/ConsumerServiceTest.java
 package com.ctrip.framework.apollo.openapi.service;

+import com.ctrip.framework.apollo.core.enums.Env;
 import com.ctrip.framework.apollo.openapi.entity.Consumer;
 import com.ctrip.framework.apollo.openapi.entity.ConsumerRole;
 import com.ctrip.framework.apollo.openapi.entity.ConsumerToken;
@@ -176,14 +177,22 @@ public class ConsumerServiceTest extends AbstractUnitTest {
    doReturn(consumerId).when(consumerService).getConsumerIdByToken(token);

    String testNamespace = "namespace";
-    String modifyRoleName = RoleUtils.buildModifyNamespaceRoleName(testAppId, testNamespace);
-    String releaseRoleName = RoleUtils.buildReleaseNamespaceRoleName(testAppId, testNamespace);
+    String modifyRoleName = RoleUtils.buildModifyNamespaceRoleName(testAppId, testNamespace, null);
+    String releaseRoleName = RoleUtils.buildReleaseNamespaceRoleName(testAppId, testNamespace, null);
+    String envModifyRoleName = RoleUtils.buildModifyNamespaceRoleName(testAppId, testNamespace, Env.DEV.toString());
+    String envReleaseRoleName = RoleUtils.buildReleaseNamespaceRoleName(testAppId, testNamespace, Env.DEV.toString());
    long modifyRoleId = 1;
    long releaseRoleId = 2;
+    long envModifyRoleId = 3;
+    long envReleaseRoleId = 4;
    Role modifyRole = createRole(modifyRoleId, modifyRoleName);
    Role releaseRole = createRole(releaseRoleId, releaseRoleName);
+    Role envModifyRole = createRole(envModifyRoleId, modifyRoleName);
+    Role envReleaseRole = createRole(envReleaseRoleId, releaseRoleName);
    when(rolePermissionService.findRoleByRoleName(modifyRoleName)).thenReturn(modifyRole);
    when(rolePermissionService.findRoleByRoleName(releaseRoleName)).thenReturn(releaseRole);
+    when(rolePermissionService.findRoleByRoleName(envModifyRoleName)).thenReturn(envModifyRole);
+    when(rolePermissionService.findRoleByRoleName(envReleaseRoleName)).thenReturn(envReleaseRole);

    when(consumerRoleRepository.findByConsumerIdAndRoleId(consumerId, modifyRoleId)).thenReturn(null);

@@ -191,14 +200,21 @@ public class ConsumerServiceTest extends AbstractUnitTest {
    when(userInfoHolder.getUser()).thenReturn(owner);

    ConsumerRole namespaceModifyConsumerRole = createConsumerRole(consumerId, modifyRoleId);
+    ConsumerRole namespaceEnvModifyConsumerRole = createConsumerRole(consumerId, envModifyRoleId);
    ConsumerRole namespaceReleaseConsumerRole = createConsumerRole(consumerId, releaseRoleId);
+    ConsumerRole namespaceEnvReleaseConsumerRole = createConsumerRole(consumerId, envReleaseRoleId);
    doReturn(namespaceModifyConsumerRole).when(consumerService).createConsumerRole(consumerId, modifyRoleId, testOwner);
+    doReturn(namespaceEnvModifyConsumerRole).when(consumerService).createConsumerRole(consumerId, envModifyRoleId, testOwner);
    doReturn(namespaceReleaseConsumerRole).when(consumerService).createConsumerRole(consumerId, releaseRoleId, testOwner);
+    doReturn(namespaceEnvReleaseConsumerRole).when(consumerService).createConsumerRole(consumerId, envReleaseRoleId, testOwner);

-    consumerService.assignNamespaceRoleToConsumer(token, testAppId, testNamespace);
+    consumerService.assignNamespaceRoleToConsumer(token, testAppId, testNamespace, null);
+    consumerService.assignNamespaceRoleToConsumer(token, testAppId, testNamespace, Env.DEV.toString());

    verify(consumerRoleRepository).save(namespaceModifyConsumerRole);
+    verify(consumerRoleRepository).save(namespaceEnvModifyConsumerRole);
    verify(consumerRoleRepository).save(namespaceReleaseConsumerRole);
+    verify(consumerRoleRepository).save(namespaceEnvReleaseConsumerRole);


  }

--- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java
+++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java
 package com.ctrip.framework.apollo.portal.spi.defaultImpl;

 import com.ctrip.framework.apollo.common.entity.App;
+import com.ctrip.framework.apollo.core.enums.Env;
 import com.ctrip.framework.apollo.portal.AbstractUnitTest;
+import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
 import com.ctrip.framework.apollo.portal.constant.PermissionType;
 import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
 import com.ctrip.framework.apollo.portal.entity.po.Permission;
@@ -15,6 +17,9 @@ import org.junit.Test;
 import org.mockito.InjectMocks;
 import org.mockito.Mock;

+import java.util.ArrayList;
+import java.util.List;
+
 import static org.mockito.Matchers.any;
 import static org.mockito.Matchers.anySetOf;
 import static org.mockito.Matchers.anyString;
@@ -32,6 +37,8 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
  private RolePermissionService rolePermissionService;
  @Mock
  private UserInfoHolder userInfoHolder;
+  @Mock
+  private PortalConfig portalConfig;
  @InjectMocks
  private DefaultRoleInitializationService roleInitializationService;

@@ -53,24 +60,25 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
    when(rolePermissionService.findRoleByRoleName(anyString())).thenReturn(null);
    when(userInfoHolder.getUser()).thenReturn(mockUser());
    when(rolePermissionService.createPermission(any())).thenReturn(mockPermission());
+    when(portalConfig.portalSupportedEnvs()).thenReturn(mockPortalSupportedEnvs());

    roleInitializationService.initAppRoles(mockApp());

-    verify(rolePermissionService, times(3)).findRoleByRoleName(anyString());
+    verify(rolePermissionService, times(7)).findRoleByRoleName(anyString());
    verify(rolePermissionService, times(1)).assignRoleToUsers(
        RoleUtils.buildAppMasterRoleName(APP_ID), Sets.newHashSet(CURRENT_USER), CURRENT_USER);
-    verify(rolePermissionService, times(2)).createPermission(any());
-    verify(rolePermissionService, times(3)).createRoleWithPermissions(any(), anySetOf(Long.class));
+    verify(rolePermissionService, times(6)).createPermission(any());
+    verify(rolePermissionService, times(7)).createRoleWithPermissions(any(), anySetOf(Long.class));
  }

  @Test
  public void testInitNamespaceRoleHasExisted(){

-    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE);
+    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(modifyNamespaceRoleName)).
        thenReturn(mockRole(modifyNamespaceRoleName));

-    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE);
+    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(releaseNamespaceRoleName)).
        thenReturn(mockRole(releaseNamespaceRoleName));

@@ -84,11 +92,11 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
  @Test
  public void testInitNamespaceRoleNotExisted(){

-    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE);
+    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(modifyNamespaceRoleName)).
        thenReturn(null);

-    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE);
+    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(releaseNamespaceRoleName)).
        thenReturn(null);

@@ -105,11 +113,11 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
  @Test
  public void testInitNamespaceRoleModifyNSExisted(){

-    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE);
+    String modifyNamespaceRoleName = RoleUtils.buildModifyNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(modifyNamespaceRoleName)).
        thenReturn(mockRole(modifyNamespaceRoleName));

-    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE);
+    String releaseNamespaceRoleName = RoleUtils.buildReleaseNamespaceRoleName(APP_ID, NAMESPACE, null);
    when(rolePermissionService.findRoleByRoleName(releaseNamespaceRoleName)).
        thenReturn(null);

@@ -149,9 +157,15 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
  private Permission mockPermission(){
    Permission permission = new Permission();
    permission.setPermissionType(PermissionType.MODIFY_NAMESPACE);
-    permission.setTargetId(RoleUtils.buildNamespaceTargetId(APP_ID, NAMESPACE));
+    permission.setTargetId(RoleUtils.buildNamespaceTargetId(APP_ID, NAMESPACE, null));
    return permission;
  }

+  private List<Env> mockPortalSupportedEnvs(){
+    List<Env> envArray = new ArrayList<>();
+    envArray.add(Env.DEV);
+    envArray.add(Env.FAT);
+    return envArray;
+  }

 }