feat: release v8 (Release Creation RBAC Scripts) (#5821)

* release rbac sql scripts

* script chnage

* sql constraints

* sql constraints

* sql constraints

* script number chnages

* refactoring

* role group mapping model

* script number chnage

Author: Shivam-nagar23

api/auth/user/UserRestHandler.go

@@ -135,7 +135,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 	}
 	if userInfo.RoleFilters != nil && len(userInfo.RoleFilters) > 0 {
 		for _, filter := range userInfo.RoleFilters {
-			if filter.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+			if filter.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 				response.WriteResponse(http.StatusForbidden, "FORBIDDEN", w, errors.New("unauthorized"))
 				return
 			}
@@ -145,7 +145,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 					return
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY {
+			if filter.Entity == bean2.CLUSTER_ENTITIY {
 				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
 					response.WriteResponse(http.StatusForbidden, "FORBIDDEN", w, errors.New("unauthorized"))
 					return
@@ -170,7 +170,7 @@ func (handler UserRestHandlerImpl) CreateUser(w http.ResponseWriter, r *http.Req
 
 		if len(groupRoles) > 0 {
 			for _, groupRole := range groupRoles {
-				if groupRole.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+				if groupRole.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 					response.WriteResponse(http.StatusForbidden, "FORBIDDEN", w, errors.New("unauthorized"))
 					return
 				}
@@ -315,7 +315,7 @@ func (handler UserRestHandlerImpl) GetById(w http.ResponseWriter, r *http.Reques
 					authPass = false
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY {
+			if filter.Entity == bean2.CLUSTER_ENTITIY {
 				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
 					authPass = false
 				}
@@ -381,7 +381,7 @@ func (handler UserRestHandlerImpl) GetAllV2(w http.ResponseWriter, r *http.Reque
 						break
 					}
 				}
-				if filter.Entity == bean.CLUSTER_ENTITIY {
+				if filter.Entity == bean2.CLUSTER_ENTITIY {
 					if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); ok {
 						isAuthorised = true
 						break
@@ -451,7 +451,7 @@ func (handler UserRestHandlerImpl) GetAll(w http.ResponseWriter, r *http.Request
 						break
 					}
 				}
-				if filter.Entity == bean.CLUSTER_ENTITIY {
+				if filter.Entity == bean2.CLUSTER_ENTITIY {
 					if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); ok {
 						isAuthorised = true
 						break
@@ -528,7 +528,7 @@ func (handler UserRestHandlerImpl) DeleteUser(w http.ResponseWriter, r *http.Req
 	}
 	if user.RoleFilters != nil && len(user.RoleFilters) > 0 {
 		for _, filter := range user.RoleFilters {
-			if filter.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+			if filter.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 				common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 				return
 			}
@@ -538,7 +538,7 @@ func (handler UserRestHandlerImpl) DeleteUser(w http.ResponseWriter, r *http.Req
 					return
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY {
+			if filter.Entity == bean2.CLUSTER_ENTITIY {
 				if ok := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !ok {
 					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 					return
@@ -649,7 +649,7 @@ func (handler UserRestHandlerImpl) FetchRoleGroupById(w http.ResponseWriter, r *
 					authPass = false
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY {
+			if filter.Entity == bean2.CLUSTER_ENTITIY {
 				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
 					authPass = false
 				}
@@ -705,7 +705,7 @@ func (handler UserRestHandlerImpl) CreateRoleGroup(w http.ResponseWriter, r *htt
 
 	if request.RoleFilters != nil && len(request.RoleFilters) > 0 {
 		for _, filter := range request.RoleFilters {
-			if filter.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+			if filter.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 				common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 				return
 			}
@@ -715,7 +715,7 @@ func (handler UserRestHandlerImpl) CreateRoleGroup(w http.ResponseWriter, r *htt
 					return
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
+			if filter.Entity == bean2.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
 				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
 					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 					return
@@ -838,7 +838,7 @@ func (handler UserRestHandlerImpl) FetchRoleGroupsV2(w http.ResponseWriter, r *h
 						break
 					}
 				}
-				if filter.Entity == bean.CLUSTER_ENTITIY {
+				if filter.Entity == bean2.CLUSTER_ENTITIY {
 					if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); isValidAuth {
 						isAuthorised = true
 						break
@@ -909,7 +909,7 @@ func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *htt
 						break
 					}
 				}
-				if filter.Entity == bean.CLUSTER_ENTITIY {
+				if filter.Entity == bean2.CLUSTER_ENTITIY {
 					if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); isValidAuth {
 						isAuthorised = true
 						break
@@ -1004,7 +1004,7 @@ func (handler UserRestHandlerImpl) DeleteRoleGroup(w http.ResponseWriter, r *htt
 	}
 	if userGroup.RoleFilters != nil && len(userGroup.RoleFilters) > 0 {
 		for _, filter := range userGroup.RoleFilters {
-			if filter.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+			if filter.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 				common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 				return
 			}
@@ -1014,7 +1014,7 @@ func (handler UserRestHandlerImpl) DeleteRoleGroup(w http.ResponseWriter, r *htt
 					return
 				}
 			}
-			if filter.Entity == bean.CLUSTER_ENTITIY {
+			if filter.Entity == bean2.CLUSTER_ENTITIY {
 				if isValidAuth := handler.userCommonService.CheckRbacForClusterEntity(filter.Cluster, filter.Namespace, filter.Group, filter.Kind, filter.Resource, token, handler.CheckManagerAuth); !isValidAuth {
 					common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
 					return

api/bean/UserRequest.go

@@ -111,13 +111,10 @@ const (
 type PolicyType int
 
 const (
-	POLICY_DIRECT        PolicyType = 1
-	POLICY_GROUP         PolicyType = 1
-	SUPERADMIN                      = "role:super-admin___"
-	APP_ACCESS_TYPE_HELM            = "helm-app"
-	USER_TYPE_API_TOKEN             = "apiToken"
-	CHART_GROUP_ENTITY              = "chart-group"
-	CLUSTER_ENTITIY                 = "cluster"
+	POLICY_DIRECT       PolicyType = 1
+	POLICY_GROUP        PolicyType = 1
+	SUPERADMIN                     = "role:super-admin___"
+	USER_TYPE_API_TOKEN            = "apiToken"
 )
 
 type UserListingResponse struct {

pkg/auth/user/RoleGroupService.go

@@ -135,7 +135,7 @@ func (impl RoleGroupServiceImpl) CreateRoleGroup(request *bean.RoleGroup) (*bean
 		if request.SuperAdmin == false {
 			for index, roleFilter := range request.RoleFilters {
 				entity := roleFilter.Entity
-				if entity == bean.CLUSTER_ENTITIY {
+				if entity == bean2.CLUSTER_ENTITIY {
 					policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, model, nil, "", nil, tx, mapping[index])
 					policies = append(policies, policiesToBeAdded...)
 					if err != nil {
@@ -279,7 +279,7 @@ func (impl RoleGroupServiceImpl) CreateOrUpdateRoleGroupForOtherEntity(roleFilte
 			}
 			if roleModel.Id == 0 {
 				request.Status = fmt.Sprintf("%s+%s,%s,%s,%s", bean2.RoleNotFoundStatusPrefix, roleFilter.Team, environment, entityName, actionType)
-				if roleFilter.Entity == bean2.ENTITY_APPS || roleFilter.Entity == bean.CHART_GROUP_ENTITY {
+				if roleFilter.Entity == bean2.ENTITY_APPS || roleFilter.Entity == bean2.CHART_GROUP_ENTITY {
 					flag, err, policiesAdded := impl.userCommonService.CreateDefaultPoliciesForAllTypes(roleFilter.Team, entityName, environment, entity, "", "", "", "", "", actionType, accessType, "", request.UserId)
 					if err != nil || flag == false {
 						return nil, err
@@ -426,7 +426,7 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 
 		//Adding New Policies
 		for index, roleFilter := range request.RoleFilters {
-			if roleFilter.Entity == bean.CLUSTER_ENTITIY {
+			if roleFilter.Entity == bean2.CLUSTER_ENTITIY {
 				policiesToBeAdded, err := impl.CreateOrUpdateRoleGroupForClusterEntity(roleFilter, request.UserId, roleGroup, existingRoles, token, managerAuth, tx, mapping[index])
 				policies = append(policies, policiesToBeAdded...)
 				if err != nil {
@@ -474,10 +474,7 @@ func (impl RoleGroupServiceImpl) UpdateRoleGroup(request *bean.RoleGroup, token
 		}
 		if roleModel.Id > 0 {
 			roleGroupMappingModel := &repository.RoleGroupRoleMapping{RoleGroupId: roleGroup.Id, RoleId: roleModel.Id}
-			roleGroupMappingModel.CreatedBy = request.UserId
-			roleGroupMappingModel.UpdatedBy = request.UserId
-			roleGroupMappingModel.CreatedOn = time.Now()
-			roleGroupMappingModel.UpdatedOn = time.Now()
+			roleGroupMappingModel.CreateAuditLog(request.UserId)
 			roleGroupMappingModel, err = impl.roleGroupRepository.CreateRoleGroupRoleMapping(roleGroupMappingModel, tx)
 			if err != nil {
 				impl.logger.Errorw("error in creating role group role mapping", "err", err, "RoleGroupId", roleGroup.Id)

pkg/auth/user/UserCommonService.go

@@ -40,9 +40,6 @@ type UserCommonService interface {
 	RemoveRolesAndReturnEliminatedPoliciesForGroups(request *bean.RoleGroup, existingRoles map[int]*repository.RoleGroupRoleMapping, eliminatedRoles map[int]*repository.RoleGroupRoleMapping, tx *pg.Tx, token string, managerAuth func(resource string, token string, object string) bool) ([]casbin.Policy, error)
 	CheckRbacForClusterEntity(cluster, namespace, group, kind, resource, token string, managerAuth func(resource, token, object string) bool) bool
 	GetCapacityForRoleFilter(roleFilters []bean.RoleFilter) (int, map[int]int)
-	BuildRoleFilterKeyForCluster(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string)
-	BuildRoleFilterKeyForJobs(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string)
-	BuildRoleFilterKeyForOtherEntity(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string)
 	BuildRoleFilterForAllTypes(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string)
 	GetUniqueKeyForAllEntity(role repository.RoleModel) string
 	SetDefaultValuesIfNotPresent(request *bean.ListingRequest, isRoleGroup bool)
@@ -201,7 +198,7 @@ func getResolvedValueFromPValDetailObject(pValDetailObj repository.PValDetailObj
 func getPValUpdateMap(team, entityName, env, entity, cluster, namespace, group, kind, resource, workflow string) map[repository.PValUpdateKey]string {
 	pValUpdateMap := make(map[repository.PValUpdateKey]string)
 	pValUpdateMap[repository.EntityPValUpdateKey] = entity
-	if entity == bean.CLUSTER_ENTITIY {
+	if entity == bean2.CLUSTER_ENTITIY {
 		pValUpdateMap[repository.ClusterPValUpdateKey] = cluster
 		pValUpdateMap[repository.NamespacePValUpdateKey] = namespace
 		pValUpdateMap[repository.GroupPValUpdateKey] = group
@@ -242,7 +239,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPolicies(userInf
 	var eliminatedPolicies []casbin.Policy
 	// DELETE Removed Items
 	for _, roleFilter := range userInfo.RoleFilters {
-		if roleFilter.Entity == bean.CLUSTER_ENTITIY {
+		if roleFilter.Entity == bean2.CLUSTER_ENTITIY {
 			namespaces := strings.Split(roleFilter.Namespace, ",")
 			groups := strings.Split(roleFilter.Group, ",")
 			kinds := strings.Split(roleFilter.Kind, ",")
@@ -336,7 +333,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPolicies(userInf
 					if _, ok := existingRoleIds[roleModel.Id]; ok {
 						delete(eliminatedRoleIds, roleModel.Id)
 					}
-					isChartGroupEntity := roleFilter.Entity == bean.CHART_GROUP_ENTITY
+					isChartGroupEntity := roleFilter.Entity == bean2.CHART_GROUP_ENTITY
 					if _, ok := existingRoleIds[oldRoleModel.Id]; ok && !isChartGroupEntity {
 						//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
 						delete(existingRoleIds, oldRoleModel.Id)
@@ -362,7 +359,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPolicies(userInf
 				continue
 			}
 		}
-		if role.Entity == bean.CLUSTER_ENTITIY {
+		if role.Entity == bean2.CLUSTER_ENTITIY {
 			isValidAuth := impl.CheckRbacForClusterEntity(role.Cluster, role.Namespace, role.Group, role.Kind, role.Resource, token, managerAuth)
 			if !isValidAuth {
 				continue
@@ -384,7 +381,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPoliciesForGroup
 	//var policies []casbin.Policy
 	for _, roleFilter := range request.RoleFilters {
 		entity := roleFilter.Entity
-		if entity == bean.CLUSTER_ENTITIY {
+		if entity == bean2.CLUSTER_ENTITIY {
 			namespaces := strings.Split(roleFilter.Namespace, ",")
 			groups := strings.Split(roleFilter.Group, ",")
 			kinds := strings.Split(roleFilter.Kind, ",")
@@ -488,7 +485,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPoliciesForGroup
 					if _, ok := existingRoles[roleModel.Id]; ok {
 						delete(eliminatedRoles, roleModel.Id)
 					}
-					isChartGroupEntity := roleFilter.Entity == bean.CHART_GROUP_ENTITY
+					isChartGroupEntity := roleFilter.Entity == bean2.CHART_GROUP_ENTITY
 					if _, ok := existingRoles[oldRoleModel.Id]; ok && !isChartGroupEntity {
 						//delete old role mapping from existing but not from eliminated roles (so that it gets deleted)
 						delete(existingRoles, oldRoleModel.Id)
@@ -514,7 +511,7 @@ func (impl UserCommonServiceImpl) RemoveRolesAndReturnEliminatedPoliciesForGroup
 				continue
 			}
 		}
-		if role.Entity == bean.CLUSTER_ENTITIY {
+		if role.Entity == bean2.CLUSTER_ENTITIY {
 			isValidAuth := impl.CheckRbacForClusterEntity(role.Cluster, role.Namespace, role.Group, role.Kind, role.Resource, token, managerAuth)
 			if !isValidAuth {
 				continue
@@ -608,22 +605,22 @@ func (impl UserCommonServiceImpl) GetCapacityForRoleFilter(roleFilters []bean.Ro
 
 func (impl UserCommonServiceImpl) BuildRoleFilterForAllTypes(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
 	switch role.Entity {
-	case bean.CLUSTER_ENTITIY:
+	case bean2.CLUSTER_ENTITIY:
 		{
-			impl.BuildRoleFilterKeyForCluster(roleFilterMap, role, key)
+			BuildRoleFilterKeyForCluster(roleFilterMap, role, key)
 		}
 	case bean2.EntityJobs:
 		{
-			impl.BuildRoleFilterKeyForJobs(roleFilterMap, role, key)
+			BuildRoleFilterKeyForJobs(roleFilterMap, role, key)
 		}
 	default:
 		{
-			impl.BuildRoleFilterKeyForOtherEntity(roleFilterMap, role, key)
+			BuildRoleFilterKeyForOtherEntity(roleFilterMap, role, key)
 		}
 	}
 }
 
-func (impl UserCommonServiceImpl) BuildRoleFilterKeyForCluster(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
+func BuildRoleFilterKeyForCluster(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
 	namespaceArr := strings.Split(roleFilterMap[key].Namespace, ",")
 	if containsArr(namespaceArr, AllNamespace) {
 		roleFilterMap[key].Namespace = AllNamespace
@@ -650,7 +647,7 @@ func (impl UserCommonServiceImpl) BuildRoleFilterKeyForCluster(roleFilterMap map
 	}
 }
 
-func (impl UserCommonServiceImpl) BuildRoleFilterKeyForJobs(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
+func BuildRoleFilterKeyForJobs(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
 	envArr := strings.Split(roleFilterMap[key].Environment, ",")
 	if containsArr(envArr, AllEnvironment) {
 		roleFilterMap[key].Environment = AllEnvironment
@@ -671,7 +668,7 @@ func (impl UserCommonServiceImpl) BuildRoleFilterKeyForJobs(roleFilterMap map[st
 	}
 }
 
-func (impl UserCommonServiceImpl) BuildRoleFilterKeyForOtherEntity(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
+func BuildRoleFilterKeyForOtherEntity(roleFilterMap map[string]*bean.RoleFilter, role repository.RoleModel, key string) {
 	envArr := strings.Split(roleFilterMap[key].Environment, ",")
 	if containsArr(envArr, AllEnvironment) {
 		roleFilterMap[key].Environment = AllEnvironment
@@ -692,7 +689,7 @@ func (impl UserCommonServiceImpl) GetUniqueKeyForAllEntity(role repository.RoleM
 	} else if role.Entity == bean2.EntityJobs {
 		key = fmt.Sprintf("%s_%s_%s_%s", role.Team, role.Action, role.AccessType, role.Entity)
 	} else if len(role.Entity) > 0 {
-		if role.Entity == bean.CLUSTER_ENTITIY {
+		if role.Entity == bean2.CLUSTER_ENTITIY {
 			key = fmt.Sprintf("%s_%s_%s_%s_%s", role.Entity, role.Action, role.Cluster,
 				role.Group, role.Kind)
 		} else {

pkg/auth/user/UserService.go

@@ -474,7 +474,7 @@ func (impl *UserServiceImpl) CreateOrUpdateUserRolesForAllTypes(roleFilter bean.
 	var policiesToBeAdded = make([]casbin2.Policy, 0, capacity)
 	var err error
 	rolesChanged := false
-	if entity == bean2.CLUSTER {
+	if entity == bean2.CLUSTER_ENTITIY {
 		policiesToBeAdded, rolesChanged, err = impl.createOrUpdateUserRolesForClusterEntity(roleFilter, userId, model, existingRoles, token, managerAuth, tx, entity, capacity)
 		if err != nil {
 			return nil, false, err
@@ -1698,7 +1698,7 @@ func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, mana
 			hasAccessToGroup = false
 			hasSuperAdminPermission = true
 		}
-		if role.AccessType == bean.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
+		if role.AccessType == bean2.APP_ACCESS_TYPE_HELM && !isActionUserSuperAdmin {
 			hasAccessToGroup = false
 		}
 		if len(role.Team) > 0 {
@@ -1708,7 +1708,7 @@ func (impl *UserServiceImpl) checkGroupAuth(groupName string, token string, mana
 				hasAccessToGroup = false
 			}
 		}
-		if role.Entity == bean.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
+		if role.Entity == bean2.CLUSTER_ENTITIY && !isActionUserSuperAdmin {
 			isValidAuth := impl.userCommonService.CheckRbacForClusterEntity(role.Cluster, role.Namespace, role.Group, role.Kind, role.Resource, token, managerAuth)
 			if !isValidAuth {
 				hasAccessToGroup = false
@@ -1782,7 +1782,7 @@ func (impl *UserServiceImpl) createOrUpdateUserRolesForOtherEntity(roleFilter be
 	environments := strings.Split(roleFilter.Environment, ",")
 	for _, environment := range environments {
 		for _, entityName := range entityNames {
-			if managerAuth != nil && entity != bean.CHART_GROUP_ENTITY {
+			if managerAuth != nil && entity != bean2.CHART_GROUP_ENTITY {
 				// check auth only for apps permission, skip for chart group
 				rbacObject := fmt.Sprintf("%s", roleFilter.Team)
 				isValidAuth := managerAuth(casbin2.ResourceUser, token, rbacObject)