chore: nwpu,1.2
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml
new file mode 100644
index 0000000..da2e069
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/01-account-management-base.yaml
@@ -0,0 +1,21 @@
+# 01-account-management-base.yaml
+
+####################################################
+# supwisdom harbor private docker registry
+####################################################
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: account-management
+ name: account-management-svc
+ labels:
+ app: account-management-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: account-management-ui
\ No newline at end of file
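Review bot: The selector `app: account-management-ui` matches no workload in this commit; the only Deployment (04-1-account-management.yaml) labels its pods `app: account-management`, so this Service would have no endpoints. 04-1 also declares a Service with the same `metadata.name` (`account-management-svc`) in the same namespace, so applying both files leaves whichever is applied last in effect, and which selector wins depends on apply order. Either drop this duplicate from the base file or change the selector to `app: account-management` and remove the copy in 04-1. The banner comment `# supwisdom harbor private docker registry` does not describe this manifest; replace it with `# Service fronting the account-management pods` or delete it.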
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml
new file mode 100644
index 0000000..33d95d0
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/02-account-management-env.yaml
@@ -0,0 +1 @@
+# 02-account-management-env.yaml
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml
new file mode 100644
index 0000000..5ba7843
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/03-account-management-ingresses.yaml
@@ -0,0 +1,18 @@
+# 03-account-management-ingresses.yaml
+
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ namespace: account-management
+ name: account-management-ingress
+spec:
+ rules:
+ # 修改为学校的根域名
+ - host: account-management.paas.xxx.edu.cn
+ http:
+ paths:
+ - path: /
+ backend:
+ serviceName: account-management-svc
+ servicePort: http
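Review bot: The Ingress has no `tls:` stanza, so the host is exposed over plain HTTP only, while 10.0.init.sql registers the service in CAS with `https://account-management...` URLs and the readme publishes an https address; the CAS redirect/ticket flow would either fail to match the registered service or travel in the clear. Add a `tls` block for the host (the Secret name below is a placeholder to be created out-of-band). `apiVersion: extensions/v1beta1` was removed in Kubernetes 1.22, so on current clusters this needs `networking.k8s.io/v1` with `pathType` and the nested `backend.service` form. The host placeholder here (`paas.xxx.edu.cn`) also differs from the one the SQL file asks to replace (`paas.example.com`); pick one placeholder across the directory.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
# … unchanged: metadata …
spec:
  tls:
    - hosts:
        - account-management.paas.xxx.edu.cn
      secretName: account-management-tls  # placeholder: TLS Secret for this host
  rules:
    - host: account-management.paas.xxx.edu.cn
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: account-management-svc
                port:
                  name: http
```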
diff --git a/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml
new file mode 100644
index 0000000..a6a7831
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/1.account-management/04-1-account-management.yaml
@@ -0,0 +1,71 @@
+# 04-1-account-management.yaml
+
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: account-management
+ name: account-management-env
+data:
+ # **修改** 学校的根域名
+ BASE_API: http://personal-security-center.paas.xxx.edu.cn/
+
+ AUTH_TYPE: cas
+
+ # AUTH_TYPE 为 cas 时,配置 AUTH_CAS、JWT_ISS、JWT_SECRET
+ AUTH_CAS: http://cas.paas.xxx.edu.cn/cas
+ JWT_ISS: http://cas.paas.xxx.edu.cn/cas
+ JWT_SECRET: (@<rhnPaUYKC_k770*DuWwYQ_#Zc#8c(2rB?kae)rN)>K7qy)awCjxp$L653Mf$2
+
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: account-management
+ name: account-management-svc
+ labels:
+ app: account-management-svc
+spec:
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app: account-management
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ namespace: account-management
+ name: account-management
+spec:
+ selector:
+ matchLabels:
+ app: account-management
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: account-management
+ spec:
+ containers:
+ - name: account-management
+ image: harbor.supwisdom.com/account-management/account-management:0.0.1
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 80
+ name: http
+ envFrom:
+ - configMapRef:
+ name: account-management-env
+ resources:
+ requests:
+ memory: "128Mi"
+ limits:
+ memory: "256Mi"
+ imagePullSecrets:
+ - name: harbor-supwisdom
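Review bot: `JWT_SECRET` is committed in plaintext inside a ConfigMap (the `data:` entry after `JWT_ISS`); as the key CAS uses to sign tokens, it should live in a `Secret` mounted via `secretRef`, not a ConfigMap readable by anyone with namespace read access, and because the value is now in repository history it should be treated as exposed and rotated. The value is also an unquoted plain scalar starting with `(` and containing `#`, `*` and `$`, which is fragile across YAML parsers; quote it wherever it ends up. `AUTH_CAS` and `JWT_ISS` use `http://` while the SQL file registers the service with https URLs, so the issuer string will not match what CAS emits if CAS is served over TLS; `BASE_API` has the same http/https question. The Service in this file duplicates the one in 01-account-management-base.yaml (same name and namespace); keep only one.

```yaml
# … ConfigMap unchanged except JWT_SECRET removed …
---
apiVersion: v1
kind: Secret
metadata:
  namespace: account-management
  name: account-management-secret
type: Opaque
stringData:
  JWT_SECRET: "<placeholder: rotated value, created out-of-band, never committed>"
# … unchanged: Service, Deployment header …
          envFrom:
            - configMapRef:
                name: account-management-env
            - secretRef:
                name: account-management-secret
```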
diff --git a/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql
new file mode 100644
index 0000000..4148c76
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/10.0.init.sql
@@ -0,0 +1,71 @@
+-- 10.0.init.sql
+
+
+/*
+将 paas.example.com 替换为 paas.学校域名.edu.cn
+*/
+
+
+use cas_server;
+
+-- account-management 认证对接信息
+
+INSERT INTO `TB_SERVICE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `NAME`, `DESCRIPTION`, `INFORMATION_URL`, `LOGOUT_URL`,
+ `RESPONSE_TYPE`, `LOGOUT_TYPE`,
+ `EVALUATION_ORDER`, `FRIENDLY_NAME`, `REGISTERED_SERVICE_ID`, `SERVICE_ID`,
+ `ENABLED`, `SSO_ENABLED`, `REQUIRE_ALL_ATTRIBUTES`,
+ `APPLICATION_ID`, `EXTERNAL_ID`)
+VALUES ('300', '1', 0, 'admin', '2020-07-01 00:00:00',
+ '帐号分级管理', '帐号分级管理', 'https://account-management.paas.example.com', 'https://account-management.paas.example.com/?clearCertification=clearCertification',
+ 'REDIRECT', 'FRONT_CHANNEL',
+ 300, '帐号分级管理', 300, 'https://account-management.paas.example.com/(.*)',
+ 1, 1, 1,
+ '300', '300');
+
+commit;
+
+-- 修改根域名
+update TB_SERVICE
+set
+ INFORMATION_URL='https://account-management.paas.example.com',
+ LOGOUT_URL='https://account-management.paas.example.com/?clearCertification=clearCertification',
+ SERVICE_ID='https://account-management.paas.example.com/(.*)',
+ ID_TOKEN_ENABLED=1,
+ JWT_AS_SERVICE_TICKET=1,
+ APPLICATION_DOMAIN='account-management.paas.example.com'
+where ID='300'; -- todo, modify
+
+commit;
+
+-- user_authz
+
+use user_authz;
+
+INSERT INTO `TB_R_SYSTEM` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`,
+ `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`)
+VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1',
+ 'user-management-service', '用户管理服务', '用户管理服务', 1);
+
+
+INSERT INTO `TB_APPLICATION` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `BUSINESS_DOMAIN_ID`, `SYSTEM_ID`,
+ `NAME`, `APPLICATION_ID`, `SYNC_URL`, `ENABLED`)
+VALUES ('300', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '1', '300',
+ '用户管理服务', '300', '', 1);
+
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('300_31', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '300', 'user-management-grant-admin', '用户业务管理员', '用户业务管理员', 1, '31');
+
+INSERT INTO `TB_ROLE` (`ID`, `COMPANY_ID`, `DELETED`, `ADD_ACCOUNT`, `ADD_TIME`,
+ `APPLICATION_ID`, `CODE`, `NAME`, `DESCRIPTION`, `ENABLED`, `EXTERNAL_ID`)
+VALUES ('300_32', '1', 0, 'admin', '2019-07-01 00:00:00',
+ '300', 'user-management-man-grant-admin', '用户分级管理员', '用户分级管理员', 1, '32');
+
+commit;
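Review bot: `SERVICE_ID` is written as a pattern (`/(.*)` suggests it is evaluated as a regex), but the dots in the hostname are unescaped, so the registered service matches any character in those positions rather than the literal domain; if it is a regex, tighten it to `SERVICE_ID='https://account-management\\.paas\\.example\\.com/(.*)'` (double backslashes assume the server honours backslash escapes in string literals; use single ones under NO_BACKSLASH_ESCAPES). The `UPDATE TB_SERVICE ... WHERE ID='300'` immediately after the INSERT rewrites three columns to the values just inserted and only adds `ID_TOKEN_ENABLED`, `JWT_AS_SERVICE_TICKET` and `APPLICATION_DOMAIN`; folding those into the INSERT removes the duplicate and the dangling `-- todo, modify`. The header asks to replace `paas.example.com`, while the manifests use `paas.xxx.edu.cn`; one placeholder across the directory avoids a half-replaced deployment. The inserts are not re-runnable (fixed primary keys, no `ON DUPLICATE KEY` / `INSERT IGNORE`), which is worth a `-- run once` comment at the top.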
diff --git a/project/nwpu/k8s-rancher/2.account-management/readme.md b/project/nwpu/k8s-rancher/2.account-management/readme.md
new file mode 100644
index 0000000..4446e09
--- /dev/null
+++ b/project/nwpu/k8s-rancher/2.account-management/readme.md
@@ -0,0 +1,23 @@
+# readme.md
+
+## 帐号分级管理 实施说明
+
+帐号分级管理,主要基于岗位用户组,以 部门 的维度进行分级管理
+
+即,根据 用户业务管理员 所属某个岗位 下的 部门,来控制 其 可以对 哪些 部门(行政部门)下的帐号进行管理
+
+* 部署时,已经初始化了 用户业务管理员 的角色
+
+* 实施时,在授权管理下,将某个岗位用户组 与 用户业务管理员角色 进行授权
+
+* 此时,隶属于 该岗位用户组 下的 帐号,就拥有了 用户业务管理员 的权限,而该帐号 在 此岗位用户组 下的 部门,就是他可管理的 帐号数据 的范围
+
+注意:如果将 用户业务管理员角色 直接授权给 某个帐号时,此帐号 只会有该服务的访问权限,无法看到帐号数据(即没有数据权限)。除非,此帐号 还隶属于 某个授权了 用户业务管理员角色 的岗位用户组
+
+
+## 帐号分级管理 发布说明
+
+* 将此服务的访问地址 (一般为 `https://account-management.paas.xxx.edu.cn` )公布给使用人员。
+
+* 将此服务,由门户的服务管理进行发布,授予访问权限 给 用户业务管理员 角色 即可
+