Add Create Application and Manage Application Master roles (#2309)

Add system property role.create-application.enabled to control whether anyone can create application or not.

Add system property role.manage-app-master.enabled to control whether any app master can add/delete other app master

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java

@@ -5,8 +5,10 @@ import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
 import com.ctrip.framework.apollo.portal.constant.PermissionType;
 import com.ctrip.framework.apollo.portal.service.AppNamespaceService;
 import com.ctrip.framework.apollo.portal.service.RolePermissionService;
+import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService;
 import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
 import com.ctrip.framework.apollo.portal.util.RoleUtils;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.stereotype.Component;
 
 @Component("permissionValidator")
@@ -16,16 +18,20 @@ public class PermissionValidator {
   private final RolePermissionService rolePermissionService;
   private final PortalConfig portalConfig;
   private final AppNamespaceService appNamespaceService;
+  private final SystemRoleManagerService systemRoleManagerService;
 
+  @Autowired
   public PermissionValidator(
-      final UserInfoHolder userInfoHolder,
-      final RolePermissionService rolePermissionService,
-      final PortalConfig portalConfig,
-      final AppNamespaceService appNamespaceService) {
+          final UserInfoHolder userInfoHolder,
+          final RolePermissionService rolePermissionService,
+          final PortalConfig portalConfig,
+          final AppNamespaceService appNamespaceService,
+          final SystemRoleManagerService systemRoleManagerService) {
     this.userInfoHolder = userInfoHolder;
     this.rolePermissionService = rolePermissionService;
     this.portalConfig = portalConfig;
     this.appNamespaceService = appNamespaceService;
+    this.systemRoleManagerService = systemRoleManagerService;
   }
 
   public boolean hasModifyNamespacePermission(String appId, String namespaceName) {
@@ -119,4 +125,18 @@ public class PermissionValidator {
     // 3. check app admin and operate permissions
     return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, namespaceName, env);
   }
+
+  public boolean hasCreateApplicationPermission() {
+    return hasCreateApplicationPermission(userInfoHolder.getUser().getUserId());
+  }
+
+  public boolean hasCreateApplicationPermission(String userId) {
+    return systemRoleManagerService.hasCreateApplicationPermission(userId);
+  }
+
+  public boolean hasManageAppMasterPermission(String appId) {
+    // the manage app master permission might not be initialized, so we need to check isSuperAdmin first
+    return isSuperAdmin() ||
+            systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId);
+  }
 }

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/config/PortalConfig.java

@@ -6,6 +6,7 @@ import com.ctrip.framework.apollo.common.config.RefreshablePropertySource;
 import com.ctrip.framework.apollo.core.enums.Env;
 import com.ctrip.framework.apollo.portal.entity.vo.Organization;
 import com.ctrip.framework.apollo.portal.service.PortalDBPropertySource;
+import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService;
 import com.google.common.base.Strings;
 import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
@@ -171,6 +172,14 @@ public class PortalConfig extends RefreshableConfig {
     return getBooleanProperty("admin.createPrivateNamespace.switch", true);
   }
 
+  public boolean isCreateApplicationPermissionEnabled() {
+    return getBooleanProperty(SystemRoleManagerService.CREATE_APPLICATION_LIMIT_SWITCH_KEY, false);
+  }
+
+  public boolean isManageAppMasterPermissionEnabled() {
+    return getBooleanProperty(SystemRoleManagerService.MANAGE_APP_MASTER_LIMIT_SWITCH_KEY, false);
+  }
+
   /***
    * The following configurations are used in ctrip profile
    **/

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/constant/PermissionType.java

@@ -2,6 +2,12 @@ package com.ctrip.framework.apollo.portal.constant;
 
 public interface PermissionType {
 
+  /**
+   * system level permission
+   */
+  String CREATE_APPLICATION = "CreateApplication";
+  String MANAGE_APP_MASTER = "ManageAppMaster";
+
   /**
    * APP level permission
    */

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java

@@ -107,6 +107,7 @@ public class AppController {
     return appService.findByAppIds(appIds, page);
   }
 
+  @PreAuthorize(value = "@permissionValidator.hasCreateApplicationPermission()")
   @PostMapping
   public App create(@Valid @RequestBody AppModel appModel) {
 

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java

@@ -4,6 +4,8 @@ import com.ctrip.framework.apollo.common.exception.BadRequestException;
 import com.ctrip.framework.apollo.common.utils.RequestPrecondition;
 import com.ctrip.framework.apollo.core.enums.Env;
 import com.ctrip.framework.apollo.core.enums.EnvUtils;
+import com.ctrip.framework.apollo.portal.component.PermissionValidator;
+import com.ctrip.framework.apollo.portal.constant.PermissionType;
 import com.ctrip.framework.apollo.portal.constant.RoleType;
 import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
 import com.ctrip.framework.apollo.portal.entity.vo.AppRolesAssignedUsers;
@@ -12,10 +14,13 @@ import com.ctrip.framework.apollo.portal.entity.vo.NamespaceRolesAssignedUsers;
 import com.ctrip.framework.apollo.portal.entity.vo.PermissionCondition;
 import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
 import com.ctrip.framework.apollo.portal.service.RolePermissionService;
+import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService;
 import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
 import com.ctrip.framework.apollo.portal.spi.UserService;
 import com.ctrip.framework.apollo.portal.util.RoleUtils;
 import com.google.common.collect.Sets;
+import com.google.gson.JsonObject;
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.util.CollectionUtils;
@@ -27,7 +32,8 @@ import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestParam;
 import org.springframework.web.bind.annotation.RestController;
 
-import java.util.Set;
+import java.util.*;
+import java.util.stream.Collectors;
 
 
 @RestController
@@ -37,16 +43,23 @@ public class PermissionController {
   private final RolePermissionService rolePermissionService;
   private final UserService userService;
   private final RoleInitializationService roleInitializationService;
+  private final SystemRoleManagerService systemRoleManagerService;
+  private final PermissionValidator permissionValidator;
 
+  @Autowired
   public PermissionController(
-      final UserInfoHolder userInfoHolder,
-      final RolePermissionService rolePermissionService,
-      final UserService userService,
-      final RoleInitializationService roleInitializationService) {
+          final UserInfoHolder userInfoHolder,
+          final RolePermissionService rolePermissionService,
+          final UserService userService,
+          final RoleInitializationService roleInitializationService,
+          final SystemRoleManagerService systemRoleManagerService,
+          final PermissionValidator permissionValidator) {
     this.userInfoHolder = userInfoHolder;
     this.rolePermissionService = rolePermissionService;
     this.userService = userService;
     this.roleInitializationService = roleInitializationService;
+    this.systemRoleManagerService = systemRoleManagerService;
+    this.permissionValidator = permissionValidator;
   }
 
   @PostMapping("/apps/{appId}/initPermission")
@@ -227,7 +240,7 @@ public class PermissionController {
     return users;
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @PreAuthorize(value = "@permissionValidator.hasManageAppMasterPermission(#appId)")
   @PostMapping("/apps/{appId}/roles/{roleType}")
   public ResponseEntity<Void> assignAppRoleToUser(@PathVariable String appId, @PathVariable String roleType,
                                                   @RequestBody String user) {
@@ -246,7 +259,7 @@ public class PermissionController {
     return ResponseEntity.ok().build();
   }
 
-  @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)")
+  @PreAuthorize(value = "@permissionValidator.hasManageAppMasterPermission(#appId)")
   @DeleteMapping("/apps/{appId}/roles/{roleType}")
   public ResponseEntity<Void> removeAppRoleFromUser(@PathVariable String appId, @PathVariable String roleType,
                                                     @RequestParam String user) {
@@ -266,4 +279,70 @@ public class PermissionController {
     }
   }
 
+  @PreAuthorize(value = "@permissionValidator.isSuperAdmin()")
+  @PostMapping("/system/role/createApplication")
+  public ResponseEntity<Void> addCreateApplicationRoleToUser(@RequestBody List<String> userIds) {
+
+    userIds.forEach(this::checkUserExists);
+    rolePermissionService.assignRoleToUsers(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME,
+            new HashSet<>(userIds), userInfoHolder.getUser().getUserId());
+
+    return ResponseEntity.ok().build();
+  }
+
+  @PreAuthorize(value = "@permissionValidator.isSuperAdmin()")
+  @DeleteMapping("/system/role/createApplication/{userId}")
+  public ResponseEntity<Void> deleteCreateApplicationRoleFromUser(@PathVariable("userId") String userId) {
+    checkUserExists(userId);
+    Set<String> userIds = new HashSet<>();
+    userIds.add(userId);
+    rolePermissionService.removeRoleFromUsers(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME,
+            userIds, userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
+  @PreAuthorize(value = "@permissionValidator.isSuperAdmin()")
+  @GetMapping("/system/role/createApplication")
+  public List<String> getCreateApplicationRoleUsers() {
+    return rolePermissionService.queryUsersWithRole(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME)
+            .stream().map(UserInfo::getUserId).collect(Collectors.toList());
+  }
+
+  @GetMapping("/system/role/createApplication/{userId}")
+  public JsonObject hasCreateApplicationPermission(@PathVariable String userId) {
+    JsonObject rs = new JsonObject();
+    rs.addProperty("hasCreateApplicationPermission", permissionValidator.hasCreateApplicationPermission(userId));
+    return rs;
+  }
+
+  @PreAuthorize(value = "@permissionValidator.isSuperAdmin()")
+  @PostMapping("/apps/{appId}/system/master/{userId}")
+  public ResponseEntity<Void> addManageAppMasterRoleToUser(@PathVariable String appId, @PathVariable String userId) {
+    checkUserExists(userId);
+    roleInitializationService.initManageAppMasterRole(appId, userInfoHolder.getUser().getUserId());
+    Set<String> userIds = new HashSet<>();
+    userIds.add(userId);
+    rolePermissionService.assignRoleToUsers(RoleUtils.buildManageAppMasterRoleName(PermissionType.MANAGE_APP_MASTER, appId),
+            userIds, userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
+  @PreAuthorize(value = "@permissionValidator.isSuperAdmin()")
+  @DeleteMapping("/apps/{appId}/system/master/{userId}")
+  public ResponseEntity<Void> forbidManageAppMaster(@PathVariable String appId, @PathVariable String  userId) {
+    checkUserExists(userId);
+    roleInitializationService.initManageAppMasterRole(appId, userInfoHolder.getUser().getUserId());
+    Set<String> userIds = new HashSet<>();
+    userIds.add(userId);
+    rolePermissionService.removeRoleFromUsers(RoleUtils.buildManageAppMasterRoleName(PermissionType.MANAGE_APP_MASTER, appId),
+            userIds, userInfoHolder.getUser().getUserId());
+    return ResponseEntity.ok().build();
+  }
+
+    @GetMapping("/system/role/manageAppMaster")
+    public JsonObject isManageAppMasterPermissionEnabled() {
+      JsonObject rs = new JsonObject();
+      rs.addProperty("isManageAppMasterPermissionEnabled", systemRoleManagerService.isManageAppMasterPermissionEnabled());
+      return rs;
+    }
 }

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/repository/RoleRepository.java

@@ -19,7 +19,8 @@ public interface RoleRepository extends PagingAndSortingRepository<Role, Long> {
 
   @Query("SELECT r.id from Role r where (r.roleName = CONCAT('Master+', ?1) "
       + "OR r.roleName like CONCAT('ModifyNamespace+', ?1, '+%') "
-      + "OR r.roleName like CONCAT('ReleaseNamespace+', ?1, '+%'))")
+      + "OR r.roleName like CONCAT('ReleaseNamespace+', ?1, '+%')  "
+      + "OR r.roleName = CONCAT('ManageAppMaster+', ?1))")
   List<Long> findRoleIdsByAppId(String appId);
 
   @Query("SELECT r.id from Role r where (r.roleName = CONCAT('ModifyNamespace+', ?1, '+', ?2) "

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/RoleInitializationService.java

@@ -12,4 +12,8 @@ public interface RoleInitializationService {
 
   public void initNamespaceSpecificEnvRoles(String appId, String namespaceName, String env, String operator);
 
+  public void initCreateAppRole();
+
+  public void initManageAppMasterRole(String appId, String operator);
+
 }

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/SystemRoleManagerService.java

+package com.ctrip.framework.apollo.portal.service;
+
+import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
+import com.ctrip.framework.apollo.portal.constant.PermissionType;
+import com.ctrip.framework.apollo.portal.util.RoleUtils;
+import javax.annotation.PostConstruct;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.stereotype.Service;
+
+@Service
+public class SystemRoleManagerService {
+  public static final Logger logger = LoggerFactory.getLogger(SystemRoleManagerService.class);
+
+  public static final String SYSTEM_PERMISSION_TARGET_ID = "SystemRole";
+
+  public static final String CREATE_APPLICATION_ROLE_NAME = RoleUtils.buildCreateApplicationRoleName(PermissionType.CREATE_APPLICATION, SYSTEM_PERMISSION_TARGET_ID);
+
+  public static final String CREATE_APPLICATION_LIMIT_SWITCH_KEY = "role.create-application.enabled";
+  public static final String MANAGE_APP_MASTER_LIMIT_SWITCH_KEY = "role.manage-app-master.enabled";
+
+  private final RolePermissionService rolePermissionService;
+
+  private final PortalConfig portalConfig;
+
+  private final RoleInitializationService roleInitializationService;
+
+  @Autowired
+  public SystemRoleManagerService(final RolePermissionService rolePermissionService,
+                                  final PortalConfig portalConfig,
+                                  final RoleInitializationService roleInitializationService) {
+    this.rolePermissionService = rolePermissionService;
+    this.portalConfig = portalConfig;
+    this.roleInitializationService = roleInitializationService;
+  }
+
+  @PostConstruct
+  private void init() {
+    roleInitializationService.initCreateAppRole();
+  }
+
+  private boolean isCreateApplicationPermissionEnabled() {
+    return portalConfig.isCreateApplicationPermissionEnabled();
+  }
+
+  public boolean isManageAppMasterPermissionEnabled() {
+    return portalConfig.isManageAppMasterPermissionEnabled();
+  }
+
+  public boolean hasCreateApplicationPermission(String userId) {
+    if (!isCreateApplicationPermissionEnabled()) {
+      return true;
+    }
+
+    return rolePermissionService.userHasPermission(userId, PermissionType.CREATE_APPLICATION, SYSTEM_PERMISSION_TARGET_ID);
+  }
+
+  public boolean hasManageAppMasterPermission(String userId, String appId) {
+    if (!isManageAppMasterPermissionEnabled()) {
+      return true;
+    }
+
+    return rolePermissionService.userHasPermission(userId, PermissionType.MANAGE_APP_MASTER, appId);
+  }
+}

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/spi/defaultimpl/DefaultRoleInitializationService.java

@@ -9,15 +9,16 @@ import com.ctrip.framework.apollo.portal.constant.PermissionType;
 import com.ctrip.framework.apollo.portal.constant.RoleType;
 import com.ctrip.framework.apollo.portal.entity.po.Permission;
 import com.ctrip.framework.apollo.portal.entity.po.Role;
+import com.ctrip.framework.apollo.portal.repository.PermissionRepository;
 import com.ctrip.framework.apollo.portal.service.RoleInitializationService;
 import com.ctrip.framework.apollo.portal.service.RolePermissionService;
-import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
+import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService;
 import com.ctrip.framework.apollo.portal.util.RoleUtils;
-import com.google.common.collect.Lists;
 import com.google.common.collect.Sets;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.transaction.annotation.Transactional;
 
+import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import java.util.stream.Collectors;
@@ -28,12 +29,12 @@ import java.util.stream.Stream;
  */
 public class DefaultRoleInitializationService implements RoleInitializationService {
 
-  @Autowired
-  private UserInfoHolder userInfoHolder;
   @Autowired
   private RolePermissionService rolePermissionService;
   @Autowired
   private PortalConfig portalConfig;
+  @Autowired
+  private PermissionRepository permissionRepository;
 
   @Transactional
   public void initAppRoles(App app) {
@@ -48,6 +49,8 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
     String operator = app.getDataChangeCreatedBy();
     //create app permissions
     createAppMasterRole(appId, operator);
+    //create manageAppMaster permission
+    createManageAppMasterRole(appId, operator);
 
     //assign master role to user
     rolePermissionService
@@ -107,6 +110,44 @@ public class DefaultRoleInitializationService implements RoleInitializationServi
     }
   }
 
+  @Transactional
+  public void initCreateAppRole() {
+    if (rolePermissionService.findRoleByRoleName(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME) != null) {
+      return;
+    }
+    Permission createAppPermission = permissionRepository.findTopByPermissionTypeAndTargetId(PermissionType.CREATE_APPLICATION, SystemRoleManagerService.SYSTEM_PERMISSION_TARGET_ID);
+    if (createAppPermission == null) {
+      // create application permission init
+      createAppPermission = createPermission(SystemRoleManagerService.SYSTEM_PERMISSION_TARGET_ID, PermissionType.CREATE_APPLICATION, "apollo");
+      rolePermissionService.createPermission(createAppPermission);
+    }
+    //  create application role init
+    Role createAppRole = createRole(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME, "apollo");
+    rolePermissionService.createRoleWithPermissions(createAppRole, Sets.newHashSet(createAppPermission.getId()));
+  }
+
+  @Transactional
+  private void createManageAppMasterRole(String appId, String operator) {
+    Permission permission = createPermission(appId, PermissionType.MANAGE_APP_MASTER, operator);
+    rolePermissionService.createPermission(permission);
+    Role role = createRole(RoleUtils.buildManageAppMasterRoleName(PermissionType.MANAGE_APP_MASTER, appId), operator);
+    Set<Long> permissionIds = new HashSet<>();
+    permissionIds.add(permission.getId());
+    rolePermissionService.createRoleWithPermissions(role, permissionIds);
+  }
+
+  // fix historical data
+  @Transactional
+  public void initManageAppMasterRole(String appId, String operator) {
+    String manageAppMasterRoleName = RoleUtils.buildManageAppMasterRoleName(PermissionType.MANAGE_APP_MASTER, appId);
+    if (rolePermissionService.findRoleByRoleName(manageAppMasterRoleName) != null) {
+      return;
+    }
+    synchronized (DefaultRoleInitializationService.class) {
+      createManageAppMasterRole(appId, operator);
+    }
+  }
+
   private void createAppMasterRole(String appId, String operator) {
     Set<Permission> appPermissions =
         Stream.of(PermissionType.CREATE_CLUSTER, PermissionType.CREATE_NAMESPACE, PermissionType.ASSIGN_ROLE)

apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/util/RoleUtils.java

@@ -86,5 +86,11 @@ public class RoleUtils {
     return STRING_JOINER.join(appId, ConfigConsts.NAMESPACE_APPLICATION);
   }
 
+  public static String buildCreateApplicationRoleName(String permissionType, String permissionTargetId) {
+    return STRING_JOINER.join(permissionType, permissionTargetId);
+  }
 
+  public static String buildManageAppMasterRoleName(String permissionType, String permissionTargetId) {
+    return STRING_JOINER.join(permissionType, permissionTargetId);
+  }
 }

apollo-portal/src/main/resources/static/app.html

@@ -47,6 +47,7 @@
                             <small>（应用唯一标识）</small>
                         </div>
                     </div>
+
                     <div class="form-group" valdr-form-group>
                         <label class="col-sm-3 control-label">
                             <apollorequiredfield></apollorequiredfield>
@@ -61,7 +62,8 @@
                             <apollorequiredfield></apollorequiredfield>
                             应用负责人</label>
                         <div class="col-sm-6 J_ownerSelectorPanel">
-                            <apollouserselector apollo-id="'ownerSelector'"></apollouserselector>
+                            <apollouserselector apollo-id="'ownerSelector'"  disabled="isOpenManageAppMasterRoleLimit"></apollouserselector>
+                            <small style="color: maroon" ng-if="isOpenManageAppMasterRoleLimit">(开启应用管理员添加限制后，应用负责人和项目管理员默认为本账号，不可选择)</small>
                         </div>
                     </div>
 
@@ -71,7 +73,7 @@
                         </label>
                         <div class="col-sm-9 J_adminSelectorPanel">
 
-                            <apollomultipleuserselector apollo-id="'adminSelector'"></apollomultipleuserselector>
+                            <apollomultipleuserselector apollo-id="'adminSelector'" ng-disabled="isOpenManageAppMasterRoleLimit"></apollomultipleuserselector>
                             <br>
                             <small>(应用负责人默认具有项目管理员权限，</small>
                             <br>
@@ -121,6 +123,8 @@
 <script type="application/javascript" src="scripts/services/CommonService.js"></script>
 <script type="application/javascript" src="scripts/services/PermissionService.js"></script>
 <script type="application/javascript" src="scripts/services/OrganizationService.js"></script>
+<script type="application/javascript" src="scripts/services/SystemRoleService.js"></script>
+<script type="application/javascript" src="scripts/services/UserService.js"></script>
 
 <script type="application/javascript" src="scripts/AppUtils.js"></script>
 <script type="application/javascript" src="scripts/directive/directive.js"></script>

apollo-portal/src/main/resources/static/app/setting.html

@@ -36,7 +36,7 @@
 
             <section class="context" ng-show="hasAssignUserPermission">
                 <!--project admin-->
-                <section class="form-horizontal">
+                <section class="form-horizontal" ng-show="hasManageAppMasterPermission">
                     <h5>管理员
                         <small>
                             (项目管理员具有以下权限: 1. 创建Namespace 2. 创建集群 3. 管理项目、Namespace权限)

apollo-portal/src/main/resources/static/index.html

@@ -25,7 +25,7 @@
             <h5>我的项目</h5>
         </aside>
         <aside class="media-body">
-            <div class="app-panel col-md-2 text-center" ng-click="goToCreateAppPage()">
+            <div class="app-panel col-md-2 text-center" ng-click="goToCreateAppPage()" ng-if="hasCreateApplicationPermission">
                 <div href="#" class="thumbnail create-btn hover cursor-pointer">
                     <img src="img/plus-white.png"/>
                     <h5>创建项目</h5>

apollo-portal/src/main/resources/static/scripts/controller/AppController.js

 app_module.controller('CreateAppController',
-                      ['$scope', '$window', 'toastr', 'AppService', 'AppUtil', 'OrganizationService',
+                      ['$scope', '$window', 'toastr', 'AppService', 'AppUtil', 'OrganizationService','SystemRoleService','UserService',
                        createAppController]);
 
-function createAppController($scope, $window, toastr, AppService, AppUtil, OrganizationService) {
+function createAppController($scope, $window, toastr, AppService, AppUtil, OrganizationService, SystemRoleService, UserService) {
 
     $scope.app = {};
     $scope.submitBtnDisabled = false;
@@ -13,6 +13,7 @@ function createAppController($scope, $window, toastr, AppService, AppUtil, Organ
 
     function init() {
         initOrganization();
+        initSystemRole();
     }
 
     function initOrganization() {
@@ -35,6 +36,24 @@ function createAppController($scope, $window, toastr, AppService, AppUtil, Organ
         });
     }
 
+    function initSystemRole() {
+        SystemRoleService.has_open_manage_app_master_role_limit().then(
+            function (value) {
+                $scope.isOpenManageAppMasterRoleLimit = value.isManageAppMasterPermissionEnabled;
+                UserService.load_user().then(
+                    function (value1) {
+                        $scope.currentUser = value1;
+                    },
+                    function (reason) {
+                        toastr.error(AppUtil.errorMsg(reason), "load current user info failed");
+                    })
+            },
+            function (reason) {
+                toastr.error(AppUtil.errorMsg(reason), "init system role of manageAppMaster failed");
+            }
+        );
+    }
+
     function create() {
         $scope.submitBtnDisabled = true;
 
@@ -42,6 +61,7 @@ function createAppController($scope, $window, toastr, AppService, AppUtil, Organ
 
         if (!selectedOrg.id) {
             toastr.warning("请选择部门");
+            $scope.submitBtnDisabled = false;
             return;
         }
 
@@ -50,8 +70,12 @@ function createAppController($scope, $window, toastr, AppService, AppUtil, Organ
 
         // owner
         var owner = $('.ownerSelector').select2('data')[0];
+        if ($scope.isOpenManageAppMasterRoleLimit) {
+            owner  = {id:  $scope.currentUser.userId};
+        }
         if (!owner) {
             toastr.warning("请选择应用负责人");
+            $scope.submitBtnDisabled = false;
             return;
         }
         $scope.app.ownerName = owner.id;
@@ -59,6 +83,9 @@ function createAppController($scope, $window, toastr, AppService, AppUtil, Organ
         //admins
         $scope.app.admins = [];
         var admins = $(".adminSelector").select2('data');
+        if ($scope.isOpenManageAppMasterRoleLimit) {
+            admins  = [{id: $scope.currentUser.userId}];
+        }
         if (admins) {
             admins.forEach(function (admin) {
                 $scope.app.admins.push(admin.id);

apollo-portal/src/main/resources/static/scripts/controller/IndexController.js

@@ -15,6 +15,17 @@ function IndexController($scope, $window, toastr, AppUtil, AppService, UserServi
     $scope.toTop = toTop;
     $scope.deleteFavorite = deleteFavorite;
 
+    function  initCreateApplicationPermission() {
+        AppService.has_create_application_role($scope.userId).then(
+            function (value) {
+                $scope.hasCreateApplicationPermission = value.hasCreateApplicationPermission;
+            },
+            function (reason) {
+                toastr.warning(AppUtil.errorMsg(reason), "获取创建应用权限信息失败");
+            }
+        )
+    }
+
     UserService.load_user().then(function (result) {
         $scope.userId = result.userId;
 
@@ -26,6 +37,8 @@ function IndexController($scope, $window, toastr, AppUtil, AppService, UserServi
         $scope.hasMoreFavorites = true;
         $scope.visitedApps = [];
 
+        initCreateApplicationPermission();
+
         getUserCreatedApps();
 
         getUserFavorites();

apollo-portal/src/main/resources/static/scripts/controller/SettingController.js

@@ -62,6 +62,15 @@ function SettingController($scope, $location, toastr,
         PermissionService.has_assign_user_permission($scope.pageContext.appId)
             .then(function (result) {
                 $scope.hasAssignUserPermission = result.hasPermission;
+
+                PermissionService.has_manage_app_master_permission($scope.pageContext.appId).then(function (res) {
+                    $scope.hasManageAppMasterPermission = res.hasPermission && $scope.hasAssignUserPermission;
+
+                    PermissionService.has_root_permission().then(function (value) {
+                        $scope.hasManageAppMasterPermission = value.hasPermission || $scope.hasManageAppMasterPermission;
+                    });
+                });
+
             });
     }
 

apollo-portal/src/main/resources/static/scripts/controller/config/ConfigBaseInfoController.js

@@ -345,6 +345,7 @@ function ConfigBaseInfoController($rootScope, $scope, $window, $location, toastr
 
         });
 
+
         PermissionService.has_assign_user_permission(appId).then(function (result) {
             $scope.hasAssignUserPermission = result.hasPermission;
         }, function (result) {

apollo-portal/src/main/resources/static/scripts/controller/role/SystemRoleController.js

+angular.module('systemRole', ['app.service', 'apollo.directive', 'app.util', 'toastr', 'angular-loading-bar'])
+    .controller('SystemRoleController',
+    ['$scope', '$location', '$window', 'toastr', 'AppService', 'UserService', 'AppUtil', 'EnvService',
+        'PermissionService', 'SystemRoleService', function SystemRoleController($scope, $location, $window, toastr, AppService, UserService, AppUtil, EnvService,
+          PermissionService, SystemRoleService) {
+
+    $scope.addCreateApplicationBtnDisabled = false;
+    $scope.deleteCreateApplicationBtnDisabled = false;
+
+    $scope.modifySystemRoleWidgetId = 'modifySystemRoleWidgetId';
+    $scope.modifyManageAppMasterRoleWidgetId = 'modifyManageAppMasterRoleWidgetId';
+
+    $scope.hasCreateApplicationPermissionUserList = [];
+
+    $scope.operateManageAppMasterRoleBtn = true;
+
+    $scope.app = {
+        appId: "",
+        info: ""
+    };
+
+    initPermission();
+
+    $scope.addCreateApplicationRoleToUser = function() {
+        var user = $('.' + $scope.modifySystemRoleWidgetId).select2('data')[0];
+        if (!user) {
+            toastr.warning("请选择用户名");
+            return;
+        }
+        SystemRoleService.add_create_application_role(user.id)
+            .then(
+                function (value) {
+                    toastr.info("添加成功");
+                    getCreateApplicationRoleUsers();
+                },
+                function (reason) {
+                    toastr.warning(AppUtil.errorMsg(reason), "添加失败");
+                }
+            );
+    };
+
+    $scope.deleteCreateApplicationRoleFromUser = function(userId) {
+        SystemRoleService.delete_create_application_role(userId)
+            .then(
+                function (value) {
+                    toastr.info("删除成功");
+                    getCreateApplicationRoleUsers();
+                },
+                function (reason) {
+                    toastr.warn(AppUtil.errorMsg(reason), "删除失败");
+                }
+            );
+    };
+
+
+    function getCreateApplicationRoleUsers() {
+        SystemRoleService.get_create_application_role_users()
+            .then(
+                function (result) {
+                    $scope.hasCreateApplicationPermissionUserList = result;
+                },
+                function (reason) {
+                    toastr.warning(AppUtil.errorMsg(reason), "获取拥有创建项目的用户列表出错");
+                }
+            )
+    }
+
+    function initPermission() {
+        PermissionService.has_root_permission()
+            .then(function (result) {
+                $scope.isRootUser = result.hasPermission;
+            });
+        getCreateApplicationRoleUsers();
+    }
+
+    $scope.getAppInfo = function() {
+        if (!$scope.app.appId) {
+            toastr.warning("请输入appId");
+            $scope.operateManageAppMasterRoleBtn = true;
+            return;
+        }
+
+        $scope.app.info = "";
+
+        AppService.load($scope.app.appId).then(function (result) {
+            if (!result.appId) {
+                toastr.warning("AppId: " + $scope.app.appId + " 不存在！");
+                $scope.operateManageAppMasterRoleBtn = true;
+                return;
+            }
+
+            $scope.app.info = "应用名：" + result.name + " 部门：" + result.orgName + '(' + result.orgId + ')' + " 负责人：" + result.ownerName;
+
+            $scope.operateManageAppMasterRoleBtn = false;
+        }, function (result) {
+            AppUtil.showErrorMsg(result);
+            $scope.operateManageAppMasterRoleBt = true;
+        });
+    };
+
+    $scope.deleteAppMasterAssignRole   = function() {
+        if (!$scope.app.appId) {
+            toastr.warning("请输入appId");
+            return;
+        }
+        var user = $('.' + $scope.modifyManageAppMasterRoleWidgetId).select2('data')[0];
+        if (!user) {
+            toastr.warning("请选择用户名");
+            return;
+        }
+        if (confirm("确认删除AppId: " + $scope.app.appId + "的用户: " + user.id + " 分配应用管理员的权限？")) {
+            AppService.delete_app_master_assign_role($scope.app.appId, user.id).then(function (result) {
+                toastr.success("删除AppId: " + $scope.app.appId + "的用户: " + user.id + " 分配应用管理员的权限成功");
+                $scope.operateManageAppMasterRoleBtn = true;
+            }, function (result) {
+                AppUtil.showErrorMsg(result);
+            })
+        }
+    };
+
+    $scope.allowAppMasterAssignRole = function () {
+            if (!$scope.app.appId) {
+                toastr.warning("请输入appId");
+                return;
+            }
+            var user = $('.' + $scope.modifyManageAppMasterRoleWidgetId).select2('data')[0];
+            if (!user) {
+                toastr.warning("请选择用户名");
+                return;
+            }
+            if (confirm("确认添加AppId: " + $scope.app.appId + "的用户: " + user.id + " 分配应用管理员的权限？")) {
+                AppService.allow_app_master_assign_role($scope.app.appId, user.id).then(function (result) {
+                    toastr.success("添加AppId: " + $scope.app.appId + "的用户: " + user.id + " 分配应用管理员的权限成功");
+                    $scope.operateManageAppMasterRoleBtn = true;
+                }, function (result) {
+                    AppUtil.showErrorMsg(result);
+                })
+            }
+        };
+}]);

apollo-portal/src/main/resources/static/scripts/services/AppService.js

@@ -46,6 +46,18 @@ appService.service('AppService', ['$resource', '$q', function ($resource, $q) {
         delete_app: {
             method: 'DELETE',
             isArray: false
+        },
+        allow_app_master_assign_role: {
+            method: 'POST',
+            url: '/apps/:appId/system/master/:userId'
+        },
+        delete_app_master_assign_role: {
+            method: 'DELETE',
+            url: '/apps/:appId/system/master/:userId'
+        },
+        has_create_application_role: {
+            method: 'GET',
+            url: '/system/role/createApplication/:userId'
         }
     });
     return {
@@ -172,6 +184,41 @@ appService.service('AppService', ['$resource', '$q', function ($resource, $q) {
                 d.reject(result);
             });
             return d.promise;
+        },
+        allow_app_master_assign_role: function (appId, userId) {
+            var d = $q.defer();
+            app_resource.allow_app_master_assign_role({
+                appId: appId,
+                userId: userId
+            }, null, function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+            return d.promise;
+        },
+        delete_app_master_assign_role: function (appId, userId) {
+            var d = $q.defer();
+            app_resource.delete_app_master_assign_role({
+                appId: appId,
+                userId: userId
+            }, function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+            return d.promise;
+        },
+        has_create_application_role: function (userId) {
+            var d = $q.defer();
+            app_resource.has_create_application_role({
+                userId: userId
+            }, function (result) {
+                d.resolve(result);
+            }, function (result) {
+                d.reject(result);
+            });
+            return d.promise;
         }
     }
 }]);

apollo-portal/src/main/resources/static/scripts/services/PermissionService.js

@@ -196,6 +196,9 @@ appService.service('PermissionService', ['$resource', '$q', function ($resource,
         init_app_namespace_permission: function (appId, namespace) {
             return initAppNamespacePermission(appId, namespace);
         },
+        has_manage_app_master_permission: function (appId) {
+            return hasAppPermission(appId, 'ManageAppMaster');
+        },
         has_create_namespace_permission: function (appId) {
             return hasAppPermission(appId, 'CreateNamespace');
         },

apollo-portal/src/main/resources/static/scripts/services/SystemRoleService.js

+appService.service('SystemRoleService', ['$resource', '$q', function ($resource, $q) {
+    var system_role_service = $resource('', {}, {
+        add_create_application_role: {
+            method: 'POST',
+            url: '/system/role/createApplication'
+        },
+        delete_create_application_role: {
+            method: 'DELETE',
+            url: '/system/role/createApplication/:userId'
+        },
+        get_create_application_role_users: {
+            method: 'GET',
+            url: '/system/role/createApplication',
+            isArray: true
+        },
+        has_open_manage_app_master_role_limit: {
+            method: 'GET',
+            url: '/system/role/manageAppMaster'
+        }
+    });
+    return {
+        add_create_application_role: function (userId) {
+            var finished = false;
+            var d = $q.defer();
+            system_role_service.add_create_application_role([
+                   userId
+                ],
+                function (result) {
+                    finished = true;
+                    d.resolve(result);
+                },
+                function (result) {
+                    finished = true;
+                    d.reject(result);
+                });
+            return d.promise;
+        },
+        delete_create_application_role: function (userId) {
+            var finished = false;
+            var d = $q.defer();
+            system_role_service.delete_create_application_role({
+                    "userId" : userId
+                },
+                function (result) {
+                    finished = true;
+                    d.resolve(result);
+                },
+                function (result) {
+                    finished = true;
+                    d.reject(result);
+                });
+            return d.promise;
+        },
+        get_create_application_role_users: function () {
+            var finished = false;
+            var d = $q.defer();
+            system_role_service.get_create_application_role_users({},
+                function (result) {
+                    finished = true;
+                    d.resolve(result);
+                },
+                function (result) {
+                    finished = true;
+                    d.reject(result);
+                });
+            return d.promise;
+        },
+        has_open_manage_app_master_role_limit: function () {
+            var finished = false;
+            var d = $q.defer();
+            system_role_service.has_open_manage_app_master_role_limit({},
+                function (result) {
+                    finished = true;
+                    d.resolve(result);
+                },
+                function (result) {
+                    finished = true;
+                    d.reject(result);
+                });
+            return d.promise;
+        }
+
+    }
+}]);

apollo-portal/src/main/resources/static/system-role-manage.html

+<!doctype html>
+<html ng-app="systemRole">
+<head>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
+    <link rel="icon" href="../img/config.png">
+    <!-- styles -->
+    <link rel="stylesheet" type="text/css" href="../vendor/bootstrap/css/bootstrap.min.css">
+    <link rel="stylesheet" type="text/css" href="../vendor/angular/angular-toastr-1.4.1.min.css">
+    <link rel="stylesheet" type="text/css" media='all' href="../vendor/angular/loading-bar.min.css">
+    <link rel="stylesheet" type="text/css" href="../styles/common-style.css">
+    <link rel="stylesheet" type="text/css" href="../vendor/select2/select2.min.css">
+    <title>系统权限管理</title>
+</head>
+
+<body>
+
+<apollonav></apollonav>
+
+
+<div class="container-fluid" ng-controller="SystemRoleController">
+    <div class="col-md-10 col-md-offset-1 panel">
+
+        <section class="panel-body" ng-show="isRootUser">
+
+            <section class="row">
+                <h5>为用户添加创建应用权限
+                    <small>
+                        (暂时只允许系统管理员操作)
+                    </small>
+                </h5>
+                <hr>
+                <div class="row">
+                    <div class="form-horizontal">
+                        <div class="form-group">
+                            <label class="col-sm-2 control-label">用户选择<br></label>
+                            <div class="col-sm-8">
+                                <form class="form-inline" ng-submit="addCreateApplicationRoleToUser()">
+                                    <div class="form-group">
+                                        <apollouserselector apollo-id="modifySystemRoleWidgetId"></apollouserselector>
+                                    </div>
+                                    <button type="submit" class="btn btn-default" style="margin-left: 20px;">添加</button>
+                                </form>
+
+                                <div class="item-container">
+                                    <h5>已拥有权限用户</h5>
+                                    <div class="btn-group item-info" ng-repeat="user in hasCreateApplicationPermissionUserList">
+                                        <button type="button" class="btn btn-default" ng-bind="user"></button>
+                                        <button type="button" class="btn btn-default dropdown-toggle" data-toggle="dropdown"
+                                                aria-haspopup="true" aria-expanded="false" ng-click="deleteCreateApplicationRoleFromUser(user)">
+                                            <span class="glyphicon glyphicon-remove"></span>
+                                        </button>
+                                    </div>
+                                </div>
+
+                            </div>
+
+                        </div>
+                    </div>
+                </div>
+            </section>
+
+            <section class="row">
+                <h5>修改应用管理员分配权限
+                    <small>
+                        (应用管理员分配权限仅限制非superAdmin以外的用户能否为应用添加其他管理员，不影响其他权限)
+                    </small>
+                </h5>
+                <hr>
+                <form class="form-horizontal">
+                    <div class="form-group" valdr-form-group>
+                        <label class="col-sm-2 control-label">
+                            <apollorequiredfield></apollorequiredfield>
+                            应用AppId</label>
+                        <div class="col-sm-5">
+                            <input type="text" class="form-control" ng-model="app.appId">
+                            <small>(请先查询应用信息)</small>
+                        </div>
+                        <div class="col-sm-1">
+                            <button class="btn btn-info" ng-click="getAppInfo()">查询</button>
+                        </div>
+                    </div>
+                    <div class="form-group" valdr-form-group>
+                        <label class="col-sm-2 control-label">
+                            应用信息</label>
+                        <div class="col-sm-5">
+                            <h5 ng-show="app.info" ng-bind="app.info"></h5>
+                        </div>
+                    </div>
+
+                    <div class="form-group">
+                        <label class="col-sm-2 control-label">用户选择<br></label>
+                        <div class="col-sm-8">
+                            <form class="form-inline">
+                                <div class="form-group">
+                                    <apollouserselector apollo-id="modifyManageAppMasterRoleWidgetId"></apollouserselector>
+                                </div>
+                            </form>
+                        </div>
+                    </div>
+
+                    <div class="form-group">
+                        <div class="col-sm-offset-2 col-sm-9">
+                            <button type="submit" class="btn btn-primary"
+                                    ng-disabled="operateManageAppMasterRoleBtn"
+                                    ng-click="allowAppMasterAssignRole()">
+                                允许此用户作为管理员时添加Master
+                            </button>
+                            <button type="submit" class="btn btn-primary"
+                                    ng-disabled="operateManageAppMasterRoleBtn"
+                                    ng-click="deleteAppMasterAssignRole()">
+                                禁止此用户作为管理员时添加Master
+                            </button>
+                        </div>
+                    </div>
+                </form>
+            </section>
+
+        </section>
+
+        <section class="panel-body text-center" ng-if="!isRootUser">
+            <h4>当前页面只对Apollo管理员开放</h4>
+        </section>
+
+    </div>
+</div>
+
+<div ng-include="'../views/common/footer.html'"></div>
+
+<!-- jquery.js -->
+<script src="../vendor/jquery.min.js" type="text/javascript"></script>
+
+<!--angular-->
+<script src="../vendor/angular/angular.min.js"></script>
+<script src="../vendor/angular/angular-route.min.js"></script>
+<script src="../vendor/angular/angular-resource.min.js"></script>
+<script src="../vendor/angular/angular-toastr-1.4.1.tpls.min.js"></script>
+<script src="../vendor/angular/loading-bar.min.js"></script>
+
+<!--valdr-->
+<script src="../vendor/valdr/valdr.min.js" type="text/javascript"></script>
+<script src="../vendor/valdr/valdr-message.min.js" type="text/javascript"></script>
+
+<!-- bootstrap.js -->
+<script src="../vendor/bootstrap/js/bootstrap.min.js" type="text/javascript"></script>
+
+<script src="../vendor/lodash.min.js"></script>
+
+<script src="../vendor/select2/select2.min.js" type="text/javascript"></script>
+<!--biz-->
+<!--must import-->
+<script type="application/javascript" src="../scripts/app.js"></script>
+<script type="application/javascript" src="../scripts/services/AppService.js"></script>
+<script type="application/javascript" src="../scripts/services/EnvService.js"></script>
+<script type="application/javascript" src="../scripts/services/UserService.js"></script>
+<script type="application/javascript" src="../scripts/services/CommonService.js"></script>
+<script type="application/javascript" src="../scripts/services/PermissionService.js"></script>
+<script type="application/javascript" src="../scripts/services/ClusterService.js"></script>
+<script type="application/javascript" src="../scripts/services/NamespaceService.js"></script>
+<script type="application/javascript" src="../scripts/services/SystemRoleService.js"></script>
+
+<script type="application/javascript" src="../scripts/AppUtils.js"></script>
+
+<script type="application/javascript" src="../scripts/PageCommon.js"></script>
+<script type="application/javascript" src="../scripts/directive/directive.js"></script>
+<script type="application/javascript" src="../scripts/valdr.js"></script>
+
+<script type="application/javascript" src="../scripts/controller/role/SystemRoleController.js"></script>
+</body>
+</html>

apollo-portal/src/main/resources/static/views/common/nav.html

@@ -31,6 +31,7 @@
                         <span class="caret"></span></a>
                     <ul class="dropdown-menu">
                         <li><a href="/user-manage.html" target="_blank">用户管理</a></li>
+                        <li><a href="/system-role-manage.html" target="_blank">系统权限管理</a></li>
                         <li><a href="/open/manage.html" target="_blank">开放平台授权管理</a></li>
                         <li><a href="/server_config.html" target="_blank">系统参数</a></li>
                         <li><a href="/delete_app_cluster_namespace.html" target="_blank">删除应用、集群、AppNamespace</a></li>

apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/spi/defaultImpl/RoleInitializationServiceTest.java

@@ -67,8 +67,8 @@ public class RoleInitializationServiceTest extends AbstractUnitTest {
     verify(rolePermissionService, times(7)).findRoleByRoleName(anyString());
     verify(rolePermissionService, times(1)).assignRoleToUsers(
         RoleUtils.buildAppMasterRoleName(APP_ID), Sets.newHashSet(CURRENT_USER), CURRENT_USER);
-    verify(rolePermissionService, times(6)).createPermission(any());
-    verify(rolePermissionService, times(7)).createRoleWithPermissions(any(), anySet());
+    verify(rolePermissionService, times(7)).createPermission(any());
+    verify(rolePermissionService, times(8)).createRoleWithPermissions(any(), anySet());
   }
 
   @Test