diff --git a/CHANGES.md b/CHANGES.md index 69b80c12229..2f8eaab887e 100644 --- a/CHANGES.md +++ b/CHANGES.md @@ -5,6 +5,7 @@ Release Notes. Apollo 2.5.0 ------------------ +* [Refactor: align permission validator api between openapi and portal](https://github.com/apolloconfig/apollo/pull/5337) * [Feature: Provide a new configfiles API to return the raw content of configuration files directly](https://github.com/apolloconfig/apollo/pull/5336) ------------------ diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java index 7480b77c5eb..71d5fe915a9 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/auth/ConsumerPermissionValidator.java @@ -18,15 +18,16 @@ import static com.ctrip.framework.apollo.portal.service.SystemRoleManagerService.SYSTEM_PERMISSION_TARGET_ID; +import com.ctrip.framework.apollo.common.entity.AppNamespace; import com.ctrip.framework.apollo.openapi.service.ConsumerRolePermissionService; import com.ctrip.framework.apollo.openapi.util.ConsumerAuthUtil; +import com.ctrip.framework.apollo.portal.component.PermissionValidator; import com.ctrip.framework.apollo.portal.constant.PermissionType; import com.ctrip.framework.apollo.portal.util.RoleUtils; import org.springframework.stereotype.Component; -import javax.servlet.http.HttpServletRequest; -@Component -public class ConsumerPermissionValidator { +@Component("consumerPermissionValidator") +public class ConsumerPermissionValidator implements PermissionValidator { private final ConsumerRolePermissionService permissionService; private final ConsumerAuthUtil consumerAuthUtil; 
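Review bot: The class declaration of `ConsumerPermissionValidator` has no Javadoc, although the bean now shares the `PermissionValidator` interface with the portal validator and is referenced by name from SpEL. A class comment such as `/** Authorizes the OpenAPI consumer bound to the current request; referenced from @PreAuthorize as @consumerPermissionValidator. */` would make clear which principal this implementation decides for. Injection points typed as the interface presumably need a qualifier or the concrete type once two implementations exist, and the comment is a good place to say so. The class body continues outside this hunk.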
@@ -37,44 +38,75 @@ public ConsumerPermissionValidator(final ConsumerRolePermissionService permissio this.consumerAuthUtil = consumerAuthUtil; } - public boolean hasModifyNamespacePermission(HttpServletRequest request, String appId, - String namespaceName, String env) { - if (hasCreateNamespacePermission(request, appId)) { + @Override + public boolean hasModifyNamespacePermission(String appId, String env, String clusterName, + String namespaceName) { + if (hasCreateNamespacePermission(appId)) { return true; } - return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), + return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), PermissionType.MODIFY_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName)) - || permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), - PermissionType.MODIFY_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); - + || permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), + PermissionType.MODIFY_NAMESPACE, + RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); } - public boolean hasReleaseNamespacePermission(HttpServletRequest request, String appId, - String namespaceName, String env) { - if (hasCreateNamespacePermission(request, appId)) { + @Override + public boolean hasReleaseNamespacePermission(String appId, String env, String clusterName, + String namespaceName) { + if (hasCreateNamespacePermission(appId)) { return true; } - return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), + return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), PermissionType.RELEASE_NAMESPACE, RoleUtils.buildNamespaceTargetId(appId, namespaceName)) - || permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), - PermissionType.RELEASE_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, 
namespaceName, env)); + || permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), + PermissionType.RELEASE_NAMESPACE, + RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); + } + @Override + public boolean hasAssignRolePermission(String appId) { + return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), + PermissionType.ASSIGN_ROLE, appId); } - public boolean hasCreateNamespacePermission(HttpServletRequest request, String appId) { - return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), + @Override + public boolean hasCreateNamespacePermission(String appId) { + return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), PermissionType.CREATE_NAMESPACE, appId); } - public boolean hasCreateClusterPermission(HttpServletRequest request, String appId) { - return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerId(request), + @Override + public boolean hasCreateAppNamespacePermission(String appId, AppNamespace appNamespace) { + throw new UnsupportedOperationException("Not supported operation"); + } + + @Override + public boolean hasCreateClusterPermission(String appId) { + return permissionService.consumerHasPermission(consumerAuthUtil.retrieveConsumerIdFromCtx(), PermissionType.CREATE_CLUSTER, appId); } - public boolean hasCreateApplicationPermission(HttpServletRequest request) { - long consumerId = consumerAuthUtil.retrieveConsumerId(request); + @Override + public boolean isSuperAdmin() { + // openapi shouldn't be + return false; + } + + @Override + public boolean shouldHideConfigToCurrentUser(String appId, String env, String clusterName, + String namespaceName) { + throw new UnsupportedOperationException("Not supported operation"); + } + + @Override + public boolean hasCreateApplicationPermission() { + long consumerId = consumerAuthUtil.retrieveConsumerIdFromCtx(); return 
permissionService.consumerHasPermission(consumerId, PermissionType.CREATE_APPLICATION, SYSTEM_PERMISSION_TARGET_ID); } + + @Override + public boolean hasManageAppMasterPermission(String appId) { + throw new UnsupportedOperationException("Not supported operation"); + } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/util/ConsumerAuthUtil.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/util/ConsumerAuthUtil.java index 1eff110210d..30009304366 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/util/ConsumerAuthUtil.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/util/ConsumerAuthUtil.java @@ -21,6 +21,8 @@ import org.springframework.stereotype.Service; import javax.servlet.http.HttpServletRequest; +import org.springframework.web.context.request.RequestContextHolder; +import org.springframework.web.context.request.ServletRequestAttributes; /** * @author Jason Song(song_s@ctrip.com) @@ -55,4 +57,14 @@ public long retrieveConsumerId(HttpServletRequest request) { throw new IllegalStateException("No consumer id!", ex); } } + + // retrieve from RequestContextHolder + public long retrieveConsumerIdFromCtx() { + ServletRequestAttributes attributes = (ServletRequestAttributes) RequestContextHolder.getRequestAttributes(); + if (attributes == null) { + throw new IllegalStateException("No Request!"); + } + HttpServletRequest request = attributes.getRequest(); + return retrieveConsumerId(request); + } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/AppController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/AppController.java index c9bf44b6871..92e25cefaf9 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/AppController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/AppController.java 
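Review bot: In `hasModifyNamespacePermission` and `hasReleaseNamespacePermission` the new `clusterName` argument is accepted but never read, so consumer decisions are still made on app, namespace and env only, whereas the portal implementation removed from `PermissionValidator.java` in this same diff also consulted a cluster-scoped target. If that is intended, say so in the method, e.g. `// clusterName is ignored: consumer roles are scoped to app/namespace(/env), not to a cluster`, so a caller does not assume a cluster-level check took place. The three overrides that throw `UnsupportedOperationException` deserve a one-line comment stating whether any `@PreAuthorize` expression is expected to reach them; for `shouldHideConfigToCurrentUser` in particular, throwing is the safe choice because returning `false` would mean "do not hide", and the comment should keep a later cleanup from changing that. The comment in `isSuperAdmin()` is cut short; `// OpenAPI consumers are never treated as super admin` reads complete.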
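Review bot: The cast in `retrieveConsumerIdFromCtx` is applied before the null check, so request attributes of any other type end in a `ClassCastException` rather than the intended `IllegalStateException`. Testing the type covers both cases: `RequestAttributes attributes = RequestContextHolder.getRequestAttributes();` followed by `if (!(attributes instanceof ServletRequestAttributes)) { throw new IllegalStateException("No Request!"); }`, which needs an import of `org.springframework.web.context.request.RequestAttributes`. The line comment should become a Javadoc saying that the consumer id is read from the request bound to the calling thread. That makes it explicit that this method, and every validator method built on it, fails with `IllegalStateException` when invoked from a thread that has no bound request (for example an async task).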
@@ -26,7 +26,6 @@ import com.ctrip.framework.apollo.portal.entity.model.AppModel; import java.util.Arrays; import java.util.Set; -import javax.servlet.http.HttpServletRequest; import javax.transaction.Transactional; import org.springframework.security.access.prepost.PreAuthorize; import org.springframework.util.StringUtils; @@ -56,11 +55,10 @@ public AppController( * @see com.ctrip.framework.apollo.portal.controller.AppController#create(AppModel) */ @Transactional - @PreAuthorize(value = "@consumerPermissionValidator.hasCreateApplicationPermission(#request)") + @PreAuthorize(value = "@consumerPermissionValidator.hasCreateApplicationPermission()") @PostMapping(value = "/apps") public void createApp( - @RequestBody OpenCreateAppDTO req, - HttpServletRequest request + @RequestBody OpenCreateAppDTO req ) { if (null == req.getApp()) { throw new BadRequestException("App is null"); @@ -72,7 +70,7 @@ public void createApp( // create app this.appOpenApiService.createApp(req); if (req.isAssignAppRoleToSelf()) { - long consumerId = this.consumerAuthUtil.retrieveConsumerId(request); + long consumerId = this.consumerAuthUtil.retrieveConsumerIdFromCtx(); consumerService.assignAppRoleToConsumer(consumerId, app.getAppId()); } } @@ -95,8 +93,8 @@ public List findApps(@RequestParam(value = "appIds", required = fals * @return which apps can be operated by open api */ @GetMapping("/apps/authorized") - public List findAppsAuthorized(HttpServletRequest request) { - long consumerId = this.consumerAuthUtil.retrieveConsumerId(request); + public List findAppsAuthorized() { + long consumerId = this.consumerAuthUtil.retrieveConsumerIdFromCtx(); Set appIds = this.consumerService.findAppIdsAuthorizedByConsumerId(consumerId); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ClusterController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ClusterController.java index 1b9dbdb3673..403f747a23f 100644 
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ClusterController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ClusterController.java @@ -54,10 +54,10 @@ public OpenClusterDTO getCluster(@PathVariable("appId") String appId, @PathVaria return this.clusterOpenApiService.getCluster(appId, env, clusterName); } - @PreAuthorize(value = "@consumerPermissionValidator.hasCreateClusterPermission(#request, #appId)") + @PreAuthorize(value = "@consumerPermissionValidator.hasCreateClusterPermission(#appId)") @PostMapping(value = "apps/{appId}/clusters") public OpenClusterDTO createCluster(@PathVariable String appId, @PathVariable String env, - @Valid @RequestBody OpenClusterDTO cluster, HttpServletRequest request) { + @Valid @RequestBody OpenClusterDTO cluster) { if (!Objects.equals(appId, cluster.getAppId())) { throw new BadRequestException( diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java index f8c0f90a67b..1621744528b 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ItemController.java 
@@ -78,11 +78,11 @@ public OpenItemDTO getItemByEncodedKey(@PathVariable String appId, @PathVariable new String(Base64.getDecoder().decode(key.getBytes(StandardCharsets.UTF_8)))); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items") public OpenItemDTO createItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @RequestBody OpenItemDTO item, HttpServletRequest request) { + @RequestBody OpenItemDTO item) { RequestPrecondition.checkArguments( !StringUtils.isContainEmpty(item.getKey(), item.getDataChangeCreatedBy()), @@ -99,12 +99,12 @@ public OpenItemDTO createItem(@PathVariable String appId, @PathVariable String e return this.itemOpenApiService.createItem(appId, env, clusterName, namespaceName, item); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items/{key:.+}") public void updateItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String key, @RequestBody OpenItemDTO item, - @RequestParam(defaultValue = "false") boolean createIfNotExists, HttpServletRequest request) { + @RequestParam(defaultValue = "false") boolean createIfNotExists) { RequestPrecondition.checkArguments(item != null, "item payload can not be empty"); 
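Review bot: The validator call in these `@PreAuthorize` strings now takes four `String` arguments in a new order (`#appId, #env, #clusterName, #namespaceName`, previously `#request, #appId, #namespaceName, #env`), and neither the compiler nor the type system can catch a swapped pair inside a SpEL string. The expressions in this file and the same pattern in `NamespaceBranchController` and `ReleaseController`, including the direct Java calls in `deleteBranch` and `rollback`, all look correctly reordered in this diff. Because the permission target id is built from these values, a transposition would evaluate the permission against the wrong namespace or env. A controller-level test per endpoint that grants a consumer an env-scoped role, then expects access for that env and a denial for another one, would pin the order. The bodies of `createItem` and `updateItem` continue outside the hunks.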
@@ -132,23 +132,22 @@ public void updateItem(@PathVariable String appId, @PathVariable String env, } } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/encodedItems/{key:.+}") public void updateItemByEncodedKey(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String key, @RequestBody OpenItemDTO item, - @RequestParam(defaultValue = "false") boolean createIfNotExists, HttpServletRequest request) { + @RequestParam(defaultValue = "false") boolean createIfNotExists) { this.updateItem(appId, env, clusterName, namespaceName, new String(Base64.getDecoder().decode(key.getBytes(StandardCharsets.UTF_8))), item, - createIfNotExists, request); + createIfNotExists); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @DeleteMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items/{key:.+}") public void deleteItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @PathVariable String key, @RequestParam String operator, - HttpServletRequest request) { + @PathVariable String key, @RequestParam String operator) { if (userService.findByUserId(operator) == null) { throw BadRequestException.userNotExists(operator); 
@@ -162,15 +161,13 @@ public void deleteItem(@PathVariable String appId, @PathVariable String env, this.itemOpenApiService.removeItem(appId, env, clusterName, namespaceName, key, operator); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @DeleteMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/encodedItems/{key:.+}") public void deleteItemByEncodedKey(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @PathVariable String key, @RequestParam String operator, - HttpServletRequest request) { + @PathVariable String key, @RequestParam String operator) { this.deleteItem(appId, env, clusterName, namespaceName, - new String(Base64.getDecoder().decode(key.getBytes(StandardCharsets.UTF_8))), operator, - request); + new String(Base64.getDecoder().decode(key.getBytes(StandardCharsets.UTF_8))), operator); } @GetMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/items") diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceBranchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceBranchController.java index 73873b30d20..b22111e7b4d 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceBranchController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceBranchController.java 
@@ -77,14 +77,13 @@ public OpenNamespaceDTO findBranch(@PathVariable String appId, return OpenApiBeanUtils.transformFromNamespaceBO(namespaceBO); } - @PreAuthorize(value = "@consumerPermissionValidator.hasCreateNamespacePermission(#request, #appId)") + @PreAuthorize(value = "@consumerPermissionValidator.hasCreateNamespacePermission(#appId)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches") public OpenNamespaceDTO createBranch(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @RequestParam("operator") String operator, - HttpServletRequest request) { + @RequestParam("operator") String operator) { RequestPrecondition.checkArguments(!StringUtils.isContainEmpty(operator),"operator can not be empty"); if (userService.findByUserId(operator) == null) { 
@@ -98,23 +97,22 @@ public OpenNamespaceDTO createBranch(@PathVariable String appId, return BeanUtils.transform(OpenNamespaceDTO.class, namespaceDTO); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @DeleteMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}") public void deleteBranch(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String branchName, - @RequestParam("operator") String operator, - HttpServletRequest request) { + @RequestParam("operator") String operator) { RequestPrecondition.checkArguments(!StringUtils.isContainEmpty(operator),"operator can not be empty"); if (userService.findByUserId(operator) == null) { throw BadRequestException.userNotExists(operator); } - boolean canDelete = consumerPermissionValidator.hasReleaseNamespacePermission(request, appId, namespaceName, env) || - (consumerPermissionValidator.hasModifyNamespacePermission(request, appId, namespaceName, env) && + boolean canDelete = consumerPermissionValidator.hasReleaseNamespacePermission(appId, env, clusterName, namespaceName) || + (consumerPermissionValidator.hasModifyNamespacePermission(appId, env, clusterName, namespaceName) && releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null); if (!canDelete) { 
@@ -139,13 +137,12 @@ public OpenGrayReleaseRuleDTO getBranchGrayRules(@PathVariable String appId, @Pa return OpenApiBeanUtils.transformFromGrayReleaseRuleDTO(grayReleaseRuleDTO); } - @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules") public void updateBranchRules(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String branchName, @RequestBody OpenGrayReleaseRuleDTO rules, - @RequestParam("operator") String operator, - HttpServletRequest request) { + @RequestParam("operator") String operator) { RequestPrecondition.checkArguments(!StringUtils.isContainEmpty(operator),"operator can not be empty"); if (userService.findByUserId(operator) == null) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceController.java index a3cf2ce5054..b1bcb92f21f 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceController.java 
@@ -50,11 +50,10 @@ public NamespaceController( this.namespaceOpenApiService = namespaceOpenApiService; } - @PreAuthorize(value = "@consumerPermissionValidator.hasCreateNamespacePermission(#request, #appId)") + @PreAuthorize(value = "@consumerPermissionValidator.hasCreateNamespacePermission(#appId)") @PostMapping(value = "/openapi/v1/apps/{appId}/appnamespaces") public OpenAppNamespaceDTO createNamespace(@PathVariable String appId, - @RequestBody OpenAppNamespaceDTO appNamespaceDTO, - HttpServletRequest request) { + @RequestBody OpenAppNamespaceDTO appNamespaceDTO) { if (!Objects.equals(appId, appNamespaceDTO.getAppId())) { throw new BadRequestException("AppId not equal. AppId in path = %s, AppId in payload = %s", appId, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java index b12895bb5af..d1f6fa57433 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/openapi/v1/controller/ReleaseController.java 
@@ -73,13 +73,12 @@ public ReleaseController( this.publisher = publisher; } - @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/releases") public OpenReleaseDTO createRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @RequestBody NamespaceReleaseDTO model, - HttpServletRequest request) { + @RequestBody NamespaceReleaseDTO model) { RequestPrecondition.checkArguments(!StringUtils.isContainEmpty(model.getReleasedBy(), model .getReleaseTitle()), "Params(releaseTitle and releasedBy) can not be empty"); 
@@ -110,13 +109,13 @@ public OpenReleaseDTO loadLatestActiveRelease(@PathVariable String appId, @PathV return this.releaseOpenApiService.getLatestActiveRelease(appId, env, clusterName, namespaceName); } - @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge") public OpenReleaseDTO merge(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String branchName, @RequestParam(value = "deleteBranch", defaultValue = "true") boolean deleteBranch, - @RequestBody NamespaceReleaseDTO model, HttpServletRequest request) { + @RequestBody NamespaceReleaseDTO model) { RequestPrecondition.checkArguments( !StringUtils.isContainEmpty(model.getReleasedBy(), model.getReleaseTitle()), "Params(releaseTitle and releasedBy) can not be empty"); 
@@ -137,12 +136,11 @@ public OpenReleaseDTO merge(@PathVariable String appId, @PathVariable String env return OpenApiBeanUtils.transformFromReleaseDTO(mergedRelease); } - @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/releases") public OpenReleaseDTO createGrayRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @PathVariable String branchName, @RequestBody NamespaceReleaseDTO model, - HttpServletRequest request) { + @PathVariable String branchName, @RequestBody NamespaceReleaseDTO model) { RequestPrecondition.checkArguments( !StringUtils.isContainEmpty(model.getReleasedBy(), model.getReleaseTitle()), "Params(releaseTitle and releasedBy) can not be empty"); 
@@ -168,12 +166,11 @@ public OpenReleaseDTO createGrayRelease(@PathVariable String appId, @PathVariabl return OpenApiBeanUtils.transformFromReleaseDTO(releaseDTO); } - @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#request, #appId, #namespaceName, #env)") + @PreAuthorize(value = "@consumerPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/gray-del-releases") public OpenReleaseDTO createGrayDelRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, - @PathVariable String branchName, @RequestBody NamespaceGrayDelReleaseDTO model, - HttpServletRequest request) { + @PathVariable String branchName, @RequestBody NamespaceGrayDelReleaseDTO model) { RequestPrecondition.checkArguments( !StringUtils.isContainEmpty(model.getReleasedBy(), model.getReleaseTitle()), "Params(releaseTitle and releasedBy) can not be empty"); @@ -197,7 +194,7 @@ public OpenReleaseDTO createGrayDelRelease(@PathVariable String appId, @PathVari @PutMapping(path = "/releases/{releaseId}/rollback") public void rollback(@PathVariable String env, - @PathVariable long releaseId, @RequestParam String operator, HttpServletRequest request) { + @PathVariable long releaseId, @RequestParam String operator) { RequestPrecondition.checkArguments(!StringUtils.isContainEmpty(operator), "Param operator can not be empty"); 
@@ -211,7 +208,7 @@ public void rollback(@PathVariable String env, throw new BadRequestException("release not found"); } - if (!consumerPermissionValidator.hasReleaseNamespacePermission(request,release.getAppId(), release.getNamespaceName(), env)) { + if (!consumerPermissionValidator.hasReleaseNamespacePermission(release.getAppId(), env, release.getClusterName(), release.getNamespaceName())) { throw new AccessDeniedException("Forbidden operation. you don't have release permission"); } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/audit/ApolloAuditLogQueryApiPortalPreAuthorizer.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/audit/ApolloAuditLogQueryApiPortalPreAuthorizer.java index 445dbd60b75..f39aaf4561e 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/audit/ApolloAuditLogQueryApiPortalPreAuthorizer.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/audit/ApolloAuditLogQueryApiPortalPreAuthorizer.java @@ -17,7 +17,7 @@ package com.ctrip.framework.apollo.portal.audit; import com.ctrip.framework.apollo.audit.spi.ApolloAuditLogQueryApiPreAuthorizer; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; import org.springframework.stereotype.Component; 
@@ -25,14 +25,14 @@ @ConditionalOnProperty(prefix = "apollo.audit.log", name = "enabled", havingValue = "true") public class ApolloAuditLogQueryApiPortalPreAuthorizer implements ApolloAuditLogQueryApiPreAuthorizer { - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; - public ApolloAuditLogQueryApiPortalPreAuthorizer(PermissionValidator permissionValidator) { - this.permissionValidator = permissionValidator; + public ApolloAuditLogQueryApiPortalPreAuthorizer(UserPermissionValidator userPermissionValidator) { + this.userPermissionValidator = userPermissionValidator; } @Override public boolean hasQueryPermission() { - return permissionValidator.isSuperAdmin(); + return userPermissionValidator.isSuperAdmin(); } } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java index 56d681656c7..936bf91a7fc 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java 
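Review bot: The field is now typed as the concrete `UserPermissionValidator`, and nothing in the class says why the `PermissionValidator` interface is not injected instead. With `ConsumerPermissionValidator` implementing the same interface and returning `false` from `isSuperAdmin()`, the choice of bean decides who can query audit logs, so a comment on the field such as `// must be the portal user validator: audit log queries are gated on the logged-in user's super-admin role` would keep a later change to the interface type from altering that. `UserPermissionValidator` itself is not visible in this part of the diff, so its `isSuperAdmin()` is assumed to be the portal implementation moved out of `PermissionValidator`.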
@@ -17,176 +17,43 @@ package com.ctrip.framework.apollo.portal.component; import com.ctrip.framework.apollo.common.entity.AppNamespace; -import com.ctrip.framework.apollo.portal.component.config.PortalConfig; -import com.ctrip.framework.apollo.portal.constant.PermissionType; -import com.ctrip.framework.apollo.portal.service.AppNamespaceService; -import com.ctrip.framework.apollo.portal.service.RolePermissionService; -import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService; -import com.ctrip.framework.apollo.portal.spi.UserInfoHolder; -import com.ctrip.framework.apollo.portal.util.RoleUtils; -import org.springframework.stereotype.Component; -@Component("permissionValidator") -public class PermissionValidator { +public interface PermissionValidator { - private final UserInfoHolder userInfoHolder; - private final RolePermissionService rolePermissionService; - private final PortalConfig portalConfig; - private final AppNamespaceService appNamespaceService; - private final SystemRoleManagerService systemRoleManagerService; + boolean hasModifyNamespacePermission(String appId, String env, String clusterName, + String namespaceName); - public PermissionValidator( - final UserInfoHolder userInfoHolder, - final RolePermissionService rolePermissionService, - final PortalConfig portalConfig, - final AppNamespaceService appNamespaceService, - final SystemRoleManagerService systemRoleManagerService) { - this.userInfoHolder = userInfoHolder; - this.rolePermissionService = rolePermissionService; - this.portalConfig = portalConfig; - this.appNamespaceService = appNamespaceService; - this.systemRoleManagerService = systemRoleManagerService; - } - - private boolean hasModifyNamespacePermission(String appId, String namespaceName) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.MODIFY_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName)); - } - - private boolean 
hasModifyNamespacePermission(String appId, String namespaceName, String env) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.MODIFY_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); - } - - private boolean hasModifyNamespacesInClusterPermission(String appId, String env, String clusterName) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.MODIFY_NAMESPACES_IN_CLUSTER, - RoleUtils.buildClusterTargetId(appId, env, clusterName)); - } - - public boolean hasModifyNamespacePermission(String appId, String env, String clusterName, String namespaceName) { - if (hasModifyNamespacePermission(appId, namespaceName)) { - return true; - } - if (hasModifyNamespacePermission(appId, namespaceName, env)) { - return true; - } - if (hasModifyNamespacesInClusterPermission(appId, env, clusterName)) { - return true; - } - return false; - } + boolean hasReleaseNamespacePermission(String appId, String env, String clusterName, + String namespaceName); - private boolean hasReleaseNamespacePermission(String appId, String namespaceName) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.RELEASE_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName)); - } - - private boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.RELEASE_NAMESPACE, - RoleUtils.buildNamespaceTargetId(appId, namespaceName, env)); - } - - private boolean hasReleaseNamespacesInClusterPermission(String appId, String env, String clusterName) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.RELEASE_NAMESPACES_IN_CLUSTER, - RoleUtils.buildClusterTargetId(appId, env, clusterName)); - } - - public boolean 
hasReleaseNamespacePermission(String appId, String env, String clusterName, String namespaceName) { - if (hasReleaseNamespacePermission(appId, namespaceName)) { - return true; - } - if (hasReleaseNamespacePermission(appId, namespaceName, env)) { - return true; - } - if (hasReleaseNamespacesInClusterPermission(appId, env, clusterName)) { - return true; - } - return false; - } - - public boolean hasDeleteNamespacePermission(String appId) { + default boolean hasDeleteNamespacePermission(String appId) { return hasAssignRolePermission(appId) || isSuperAdmin(); } - public boolean hasOperateNamespacePermission(String appId, String env, String clusterName, String namespaceName) { + default boolean hasOperateNamespacePermission(String appId, String env, String clusterName, + String namespaceName) { return hasModifyNamespacePermission(appId, env, clusterName, namespaceName) || hasReleaseNamespacePermission(appId, env, clusterName, namespaceName); } - public boolean hasAssignRolePermission(String appId) { - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.ASSIGN_ROLE, - appId); - } - - public boolean hasCreateNamespacePermission(String appId) { + boolean hasAssignRolePermission(String appId); - return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.CREATE_NAMESPACE, - appId); - } + boolean hasCreateNamespacePermission(String appId); - public boolean hasCreateAppNamespacePermission(String appId, AppNamespace appNamespace) { + boolean hasCreateAppNamespacePermission(String appId, AppNamespace appNamespace); - boolean isPublicAppNamespace = appNamespace.isPublic(); + boolean hasCreateClusterPermission(String appId); - if (portalConfig.canAppAdminCreatePrivateNamespace() || isPublicAppNamespace) { - return hasCreateNamespacePermission(appId); - } - - return isSuperAdmin(); - } - - public boolean hasCreateClusterPermission(String appId) { - return 
rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), - PermissionType.CREATE_CLUSTER, - appId); - } - - public boolean isAppAdmin(String appId) { + default boolean isAppAdmin(String appId) { return isSuperAdmin() || hasAssignRolePermission(appId); } - public boolean isSuperAdmin() { - return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId()); - } + boolean isSuperAdmin(); - public boolean shouldHideConfigToCurrentUser(String appId, String env, String clusterName, - String namespaceName) { - // 1. check whether the current environment enables member only function - if (!portalConfig.isConfigViewMemberOnly(env)) { - return false; - } - - // 2. public namespace is open to every one - AppNamespace appNamespace = appNamespaceService.findByAppIdAndName(appId, namespaceName); - if (appNamespace != null && appNamespace.isPublic()) { - return false; - } - - // 3. check app admin and operate permissions - return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, env, clusterName, namespaceName); - } + boolean shouldHideConfigToCurrentUser(String appId, String env, String clusterName, + String namespaceName); - public boolean hasCreateApplicationPermission() { - return hasCreateApplicationPermission(userInfoHolder.getUser().getUserId()); - } - - public boolean hasCreateApplicationPermission(String userId) { - return systemRoleManagerService.hasCreateApplicationPermission(userId); - } + boolean hasCreateApplicationPermission(); - public boolean hasManageAppMasterPermission(String appId) { - // the manage app master permission might not be initialized, so we need to check isSuperAdmin first - return isSuperAdmin() || - (hasAssignRolePermission(appId) && - systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId) - ); - } + boolean hasManageAppMasterPermission(String appId); } 
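Review bot: The new `PermissionValidator` interface carries no Javadoc, although it is now the contract that more than one authorization implementation has to honour. Three things deserve stating on the type. Every method answers for the current caller, which each implementation resolves itself. The `default` methods `hasDeleteNamespacePermission`, `isAppAdmin` and `hasOperateNamespacePermission` grant access purely from `isSuperAdmin()`, `hasAssignRolePermission` and the modify/release checks, so an implementation that answers those loosely inherits the wider grants. And `shouldHideConfigToCurrentUser` has the opposite polarity to the `has*` methods, so `false` is the permissive answer; for it I would add `/** Returns true when the namespace's configuration must be hidden from the caller; implementations should return true when they cannot decide. */`.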
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/UserPermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/UserPermissionValidator.java
new file mode 100644
index 00000000000..a284b1cb7cb
--- /dev/null
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/UserPermissionValidator.java
@@ -0,0 +1,188 @@
+/*
+ * Copyright 2024 Apollo Authors
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+package com.ctrip.framework.apollo.portal.component;
+
+import com.ctrip.framework.apollo.common.entity.AppNamespace;
+import com.ctrip.framework.apollo.portal.component.config.PortalConfig;
+import com.ctrip.framework.apollo.portal.constant.PermissionType;
+import com.ctrip.framework.apollo.portal.service.AppNamespaceService;
+import com.ctrip.framework.apollo.portal.service.RolePermissionService;
+import com.ctrip.framework.apollo.portal.service.SystemRoleManagerService;
+import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
+import com.ctrip.framework.apollo.portal.util.RoleUtils;
+import org.springframework.stereotype.Component;
+
+@Component("userPermissionValidator")
+public class UserPermissionValidator implements PermissionValidator {
+
+ private final UserInfoHolder userInfoHolder;
+ private final RolePermissionService rolePermissionService;
+ private final PortalConfig portalConfig;
+ private final AppNamespaceService appNamespaceService;
+ private final SystemRoleManagerService systemRoleManagerService;
+
+ public UserPermissionValidator(
+ final UserInfoHolder userInfoHolder,
+ final RolePermissionService rolePermissionService,
+ final PortalConfig portalConfig,
+ final AppNamespaceService appNamespaceService,
+ final SystemRoleManagerService systemRoleManagerService) {
+ this.userInfoHolder = userInfoHolder;
+ this.rolePermissionService = rolePermissionService;
+ this.portalConfig = portalConfig;
+ this.appNamespaceService = appNamespaceService;
+ this.systemRoleManagerService = systemRoleManagerService;
+ }
+
+ private boolean hasModifyNamespacePermission(String appId, String namespaceName) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.MODIFY_NAMESPACE,
+ RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+ }
+
+ private boolean hasModifyNamespacePermission(String appId, String namespaceName, String env) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.MODIFY_NAMESPACE,
+ RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
+ }
+
+ private boolean hasModifyNamespacesInClusterPermission(String appId, String env, String clusterName) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.MODIFY_NAMESPACES_IN_CLUSTER,
+ RoleUtils.buildClusterTargetId(appId, env, clusterName));
+ }
+
+ @Override
+ public boolean hasModifyNamespacePermission(String appId, String env, String clusterName, String namespaceName) {
+ if (hasModifyNamespacePermission(appId, namespaceName)) {
+ return true;
+ }
+ if (hasModifyNamespacePermission(appId, namespaceName, env)) {
+ return true;
+ }
+ if (hasModifyNamespacesInClusterPermission(appId, env, clusterName)) {
+ return true;
+ }
+ return false;
+ }
+
+ private boolean hasReleaseNamespacePermission(String appId, String namespaceName) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.RELEASE_NAMESPACE,
+ RoleUtils.buildNamespaceTargetId(appId, namespaceName));
+ }
+
+ private boolean hasReleaseNamespacePermission(String appId, String namespaceName, String env) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.RELEASE_NAMESPACE,
+ RoleUtils.buildNamespaceTargetId(appId, namespaceName, env));
+ }
+
+ private boolean hasReleaseNamespacesInClusterPermission(String appId, String env, String clusterName) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.RELEASE_NAMESPACES_IN_CLUSTER,
+ RoleUtils.buildClusterTargetId(appId, env, clusterName));
+ }
+
+ @Override
+ public boolean hasReleaseNamespacePermission(String appId, String env, String clusterName, String namespaceName) {
+ if (hasReleaseNamespacePermission(appId, namespaceName)) {
+ return true;
+ }
+ if (hasReleaseNamespacePermission(appId, namespaceName, env)) {
+ return true;
+ }
+ if (hasReleaseNamespacesInClusterPermission(appId, env, clusterName)) {
+ return true;
+ }
+ return false;
+ }
+
+ @Override
+ public boolean hasAssignRolePermission(String appId) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.ASSIGN_ROLE,
+ appId);
+ }
+
+ @Override
+ public boolean hasCreateNamespacePermission(String appId) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.CREATE_NAMESPACE,
+ appId);
+ }
+
+ @Override
+ public boolean hasCreateAppNamespacePermission(String appId, AppNamespace appNamespace) {
+
+ boolean isPublicAppNamespace = appNamespace.isPublic();
+
+ if (portalConfig.canAppAdminCreatePrivateNamespace() || isPublicAppNamespace) {
+ return hasCreateNamespacePermission(appId);
+ }
+
+ return isSuperAdmin();
+ }
+
+ @Override
+ public boolean hasCreateClusterPermission(String appId) {
+ return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(),
+ PermissionType.CREATE_CLUSTER,
+ appId);
+ }
+
+ @Override
+ public boolean isSuperAdmin() {
+ return rolePermissionService.isSuperAdmin(userInfoHolder.getUser().getUserId());
+ }
+
+ @Override
+ public boolean shouldHideConfigToCurrentUser(String appId, String env, String clusterName,
+ String namespaceName) {
+ // 1. check whether the current environment enables member only function
+ if (!portalConfig.isConfigViewMemberOnly(env)) {
+ return false;
+ }
+
+ // 2. public namespace is open to every one
+ AppNamespace appNamespace = appNamespaceService.findByAppIdAndName(appId, namespaceName);
+ if (appNamespace != null && appNamespace.isPublic()) {
+ return false;
+ }
+
+ // 3. check app admin and operate permissions
+ return !isAppAdmin(appId) && !hasOperateNamespacePermission(appId, env, clusterName, namespaceName);
+ }
+
+ @Override
+ public boolean hasCreateApplicationPermission() {
+ return hasCreateApplicationPermission(userInfoHolder.getUser().getUserId());
+ }
+
+ public boolean hasCreateApplicationPermission(String userId) {
+ return systemRoleManagerService.hasCreateApplicationPermission(userId);
+ }
+
+ @Override
+ public boolean hasManageAppMasterPermission(String appId) {
+ // the manage app master permission might not be initialized, so we need to check isSuperAdmin first
+ return isSuperAdmin() ||
+ (hasAssignRolePermission(appId) &&
+ systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId)
+ );
+ }
+}
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AccessKeyController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AccessKeyController.java
index b5ef6f123f5..122ebdbb913 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AccessKeyController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AccessKeyController.java
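Review bot: The public overload `hasCreateApplicationPermission(String userId)` in UserPermissionValidator is the one check in the class that takes its subject as an argument instead of reading it from `userInfoHolder`, and it is not part of `PermissionValidator`. Because the bean is addressable by name from `@PreAuthorize` expressions, it should carry a Javadoc line saying that `userId` must come from the authenticated session and never from a request parameter. Alternatively it could be made package-private if no outside caller needs it; its callers are not visible here. Separately, `hasCreateAppNamespacePermission` dereferences `appNamespace` without the null check that `shouldHideConfigToCurrentUser` applies to the same type. Adding `if (appNamespace == null) { return false; }` at the top would make that path deny instead of throwing.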
@@ -46,7 +46,7 @@ public AccessKeyController( this.accessKeyService = accessKeyService; } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @PostMapping(value = "/apps/{appId}/envs/{env}/accesskeys") @ApolloAuditLog(type = OpType.CREATE, name = "AccessKey.create") public AccessKeyDTO save(@PathVariable String appId, @PathVariable String env, @@ -57,14 +57,14 @@ public AccessKeyDTO save(@PathVariable String appId, @PathVariable String env, return accessKeyService.createAccessKey(Env.valueOf(env), accessKeyDTO); } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @GetMapping(value = "/apps/{appId}/envs/{env}/accesskeys") public List findByAppId(@PathVariable String appId, @PathVariable String env) { return accessKeyService.findByAppId(Env.valueOf(env), appId); } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @DeleteMapping(value = "/apps/{appId}/envs/{env}/accesskeys/{id}") @ApolloAuditLog(type = OpType.DELETE, name = "AccessKey.delete") public void delete(@PathVariable String appId, @@ -74,7 +74,7 @@ public void delete(@PathVariable String appId, accessKeyService.deleteAccessKey(Env.valueOf(env), appId, id, operator); } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @PutMapping(value = "/apps/{appId}/envs/{env}/accesskeys/{id}/enable") @ApolloAuditLog(type = OpType.UPDATE, name = "AccessKey.enable") public void enable(@PathVariable String appId, 
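Review bot: The `@PreAuthorize` expressions in this hunk refer to the validator by bean name inside a string, so the rename to `@userPermissionValidator` is not checked by the compiler. This commit removes the class that was registered as `@Component("permissionValidator")`, so any expression still written as `@permissionValidator...` would, as far as I can tell, only fail when the secured endpoint is first called. A context-level test that invokes one secured method per controller, or a build-time search for the old bean name, would catch a missed occurrence. The same applies to the other AccessKeyController hunks and to the AppController, ClusterController, ConfigsExportController, ConfigsImportController, ConsumerController, GlobalSearchController and ItemController hunks.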
@@ -85,7 +85,7 @@ public void enable(@PathVariable String appId, accessKeyService.enable(Env.valueOf(env), appId, id, mode, operator); } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @PutMapping(value = "/apps/{appId}/envs/{env}/accesskeys/{id}/disable") @ApolloAuditLog(type = OpType.UPDATE, name = "AccessKey.disable") public void disable(@PathVariable String appId, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java index 97503ac77ad..83bbe8dd081 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java @@ -119,7 +119,7 @@ public List findAppsByOwner(@RequestParam("owner") String owner, Pageable p return appService.findByAppIds(appIds, page); } - @PreAuthorize(value = "@permissionValidator.hasCreateApplicationPermission()") + @PreAuthorize(value = "@userPermissionValidator.hasCreateApplicationPermission()") @PostMapping @ApolloAuditLog(type = OpType.CREATE, name = "App.create") public App create(@Valid @RequestBody AppModel appModel) { @@ -128,7 +128,7 @@ public App create(@Valid @RequestBody AppModel appModel) { return appService.createAppAndAddRolePermission(app, appModel.getAdmins()); } - @PreAuthorize(value = "@permissionValidator.isAppAdmin(#appId)") + @PreAuthorize(value = "@userPermissionValidator.isAppAdmin(#appId)") @PutMapping("/{appId:.+}") @ApolloAuditLog(type = OpType.UPDATE, name = "App.update") public void update(@PathVariable String appId, @Valid @RequestBody AppModel appModel) { 
@@ -181,7 +181,7 @@ public AppDTO load(@PathVariable String appId) { } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @DeleteMapping("/{appId:.+}") @ApolloAuditLog(type = OpType.RPC, name = "App.delete") public void deleteApp(@PathVariable String appId) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ClusterController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ClusterController.java index 2831f150876..5a995709263 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ClusterController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ClusterController.java @@ -44,7 +44,7 @@ public ClusterController(final ClusterService clusterService, final UserInfoHold this.userInfoHolder = userInfoHolder; } - @PreAuthorize(value = "@permissionValidator.hasCreateClusterPermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasCreateClusterPermission(#appId)") @PostMapping(value = "apps/{appId}/envs/{env}/clusters") @ApolloAuditLog(type = OpType.CREATE, name = "Cluster.create") public ClusterDTO createCluster(@PathVariable String appId, @PathVariable String env, @@ -56,7 +56,7 @@ public ClusterDTO createCluster(@PathVariable String appId, @PathVariable String return clusterService.createCluster(Env.valueOf(env), cluster); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @DeleteMapping(value = "apps/{appId}/envs/{env}/clusters/{clusterName:.+}") @ApolloAuditLog(type = OpType.DELETE, name = "Cluster.delete") public ResponseEntity deleteCluster(@PathVariable String appId, @PathVariable String env, 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java index c9cb5ba3efd..445e357e9f6 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/CommitController.java @@ -19,7 +19,7 @@ import com.ctrip.framework.apollo.common.dto.CommitDTO; import com.ctrip.framework.apollo.core.utils.StringUtils; import com.ctrip.framework.apollo.portal.environment.Env; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.service.CommitService; import javax.validation.Valid; import javax.validation.constraints.Positive; @@ -38,11 +38,11 @@ public class CommitController { private final CommitService commitService; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; - public CommitController(final CommitService commitService, final PermissionValidator permissionValidator) { + public CommitController(final CommitService commitService, final UserPermissionValidator userPermissionValidator) { this.commitService = commitService; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; } @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/commits") 
@@ -51,7 +51,7 @@ public List find(@PathVariable String appId, @PathVariable String env @RequestParam(required = false) String key, @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page, @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "10") int size) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { return Collections.emptyList(); } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java index 565959fc0e6..1b13947f9eb 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsExportController.java @@ -78,7 +78,7 @@ public ConfigsExportController( * application.json * */ - @PreAuthorize(value = "!@permissionValidator.shouldHideConfigToCurrentUser(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "!@userPermissionValidator.shouldHideConfigToCurrentUser(#appId, #env, #clusterName, #namespaceName)") @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/export") public void exportItems(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
@@ -111,7 +111,7 @@ public void exportItems(@PathVariable String appId, @PathVariable String env, * Export all configs in a compressed file. Just export namespace which current exists read permission. The permission * check in service. */ - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping("/configs/export") public void exportAll(@RequestParam(value = "envs") String envs, HttpServletRequest request, HttpServletResponse response) throws IOException { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java index 60e8b74f5ea..71514d3a657 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConfigsImportController.java @@ -61,7 +61,7 @@ public ConfigsImportController( * etc. * @throws IOException */ - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/import") public void importConfigFile(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
@@ -76,7 +76,7 @@ public void importConfigFile(@PathVariable String appId, @PathVariable String en configsImportService.forceImportNamespaceFromFile(Env.valueOf(env), standardFilename, file.getInputStream()); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping(value = "/configs/import", params = "conflictAction=cover") public void importConfigByZipWithCoverConflictNamespace(@RequestParam(value = "envs") String envs, @RequestParam("file") MultipartFile file) throws IOException { @@ -91,7 +91,7 @@ public void importConfigByZipWithCoverConflictNamespace(@RequestParam(value = "e } } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping(value = "/configs/import", params = "conflictAction=ignore") public void importConfigByZipWithIgnoreConflictNamespace(@RequestParam(value = "envs") String envs, @RequestParam("file") MultipartFile file) throws IOException { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java index 0bc1d08e56e..f1aba8bec82 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ConsumerController.java @@ -61,7 +61,7 @@ private Consumer convertToConsumer(ConsumerCreateRequestVO requestVO) { } @Transactional - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping(value = "/consumers") public ConsumerInfo create( @RequestBody ConsumerCreateRequestVO requestVO, 
@@ -102,19 +102,19 @@ public ConsumerInfo create( return consumerService.getConsumerInfoByAppId(requestVO.getAppId()); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping(value = "/consumer-tokens/by-appId") public ConsumerToken getConsumerTokenByAppId(@RequestParam String appId) { return consumerService.getConsumerTokenByAppId(appId); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping(value = "/consumer/info/by-appId") public ConsumerInfo getConsumerInfoByAppId(@RequestParam String appId) { return consumerService.getConsumerInfoByAppId(appId); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping(value = "/consumers/{token}/assign-role") public List assignNamespaceRoleToConsumer( @PathVariable String token, @@ -163,13 +163,13 @@ public List assignNamespaceRoleToConsumer( } @GetMapping("/consumers") - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") public List getConsumerList(Pageable page) { return consumerService.findConsumerInfoList(page); } @DeleteMapping(value = "/consumers/by-appId") - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") public void deleteConsumers(@RequestParam String appId) { consumerService.deleteConsumer(appId); } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/GlobalSearchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/GlobalSearchController.java index bb44b22932f..e4c850ef469 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/GlobalSearchController.java 
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/GlobalSearchController.java @@ -39,7 +39,7 @@ public GlobalSearchController(final GlobalSearchService globalSearchService, fin this.portalConfig = portalConfig; } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping("/global-search/item-info/by-key-or-value") public SearchResponseEntity> getItemInfoBySearch(@RequestParam(value = "key", required = false, defaultValue = "") String key, @RequestParam(value = "value", required = false , defaultValue = "") String value) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java index d4becc38e7b..2d4f34eb667 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java @@ -23,7 +23,7 @@ import com.ctrip.framework.apollo.core.enums.ConfigFileFormat; import com.ctrip.framework.apollo.portal.environment.Env; import com.ctrip.framework.apollo.core.utils.StringUtils; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.entity.model.NamespaceSyncModel; import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel; import com.ctrip.framework.apollo.portal.entity.vo.ItemDiffs; 
@@ -63,17 +63,17 @@ public class ItemController { private final ItemService configService; private final NamespaceService namespaceService; private final UserInfoHolder userInfoHolder; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; public ItemController(final ItemService configService, final UserInfoHolder userInfoHolder, - final PermissionValidator permissionValidator, final NamespaceService namespaceService) { + final UserPermissionValidator userPermissionValidator, final NamespaceService namespaceService) { this.configService = configService; this.userInfoHolder = userInfoHolder; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; this.namespaceService = namespaceService; } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items", consumes = { "application/json"}) public void modifyItemsByText(@PathVariable String appId, @PathVariable String env, @@ -87,7 +87,7 @@ public void modifyItemsByText(@PathVariable String appId, @PathVariable String e configService.updateConfigItemByText(model); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item") public ItemDTO createItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, 
@@ -106,7 +106,7 @@ public ItemDTO createItem(@PathVariable String appId, @PathVariable String env, return configService.createItem(appId, Env.valueOf(env), clusterName, namespaceName, item); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/item") public void updateItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -120,7 +120,7 @@ public void updateItem(@PathVariable String appId, @PathVariable String env, } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @DeleteMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/items/{itemId}") public void deleteItem(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @@ -142,7 +142,7 @@ public List findItems(@PathVariable String appId, @PathVariable String @PathVariable String clusterName, @PathVariable String namespaceName, @RequestParam(defaultValue = "lineNum") String orderBy) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { return Collections.emptyList(); } 
@@ -182,7 +182,7 @@ public List diff(@RequestBody NamespaceSyncModel model) { continue; } - if (permissionValidator + if (userPermissionValidator .shouldHideConfigToCurrentUser(namespace.getAppId(), namespace.getEnv().getName(), namespace.getClusterName(), namespace.getNamespaceName())) { diff.setDiffs(new ItemChangeSets()); @@ -202,7 +202,7 @@ public ResponseEntity update(@PathVariable String appId, @PathVariable Str boolean hasPermission = true; for (NamespaceIdentifier namespaceIdentifier : model.getSyncToNamespaces()) { // once user has not one of the namespace's ModifyNamespace permission, then break the loop - hasPermission = permissionValidator.hasModifyNamespacePermission( + hasPermission = userPermissionValidator.hasModifyNamespacePermission( namespaceIdentifier.getAppId(), namespaceIdentifier.getEnv().getName(), namespaceIdentifier.getClusterName(), @@ -220,7 +220,7 @@ public ResponseEntity update(@PathVariable String appId, @PathVariable Str throw new AccessDeniedException(String.format("You don't have the permission to modify namespace: %s", noPermissionNamespace)); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/syntax-check", consumes = { "application/json"}) public ResponseEntity syntaxCheckText(@PathVariable String appId, @PathVariable String env, 
@@ -231,7 +231,7 @@ public ResponseEntity syntaxCheckText(@PathVariable String appId, @PathVar return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/revoke-items") public void revokeItems(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName) { diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java index 95cb5d9fb17..2e8305af04f 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java @@ -23,7 +23,7 @@ import com.ctrip.framework.apollo.common.dto.ReleaseDTO; import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.portal.environment.Env; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.component.config.PortalConfig; import com.ctrip.framework.apollo.portal.entity.bo.NamespaceBO; import com.ctrip.framework.apollo.portal.entity.model.NamespaceReleaseModel; 
@@ -45,19 +45,19 @@ @RestController public class NamespaceBranchController { - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; private final ReleaseService releaseService; private final NamespaceBranchService namespaceBranchService; private final ApplicationEventPublisher publisher; private final PortalConfig portalConfig; public NamespaceBranchController( - final PermissionValidator permissionValidator, + final UserPermissionValidator userPermissionValidator, final ReleaseService releaseService, final NamespaceBranchService namespaceBranchService, final ApplicationEventPublisher publisher, final PortalConfig portalConfig) { - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; this.releaseService = releaseService; this.namespaceBranchService = namespaceBranchService; this.publisher = publisher; @@ -71,14 +71,14 @@ public NamespaceBO findBranch(@PathVariable String appId, @PathVariable String namespaceName) { NamespaceBO namespaceBO = namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName); - if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (namespaceBO != null && userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { namespaceBO.hideItems(); } return namespaceBO; } - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches") @ApolloAuditLog(type = OpType.CREATE, name = "NamespaceBranch.create") public NamespaceDTO createBranch(@PathVariable String appId, 
@@ -97,8 +97,8 @@ public void deleteBranch(@PathVariable String appId, @PathVariable String namespaceName, @PathVariable String branchName) { - boolean hasModifyPermission = permissionValidator.hasModifyNamespacePermission(appId, env, clusterName, namespaceName); - boolean hasReleasePermission = permissionValidator.hasReleaseNamespacePermission(appId, env, clusterName, namespaceName); + boolean hasModifyPermission = userPermissionValidator.hasModifyNamespacePermission(appId, env, clusterName, namespaceName); + boolean hasReleasePermission = userPermissionValidator.hasReleaseNamespacePermission(appId, env, clusterName, namespaceName); boolean canDelete = hasReleasePermission || (hasModifyPermission && releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null); @@ -116,7 +116,7 @@ public void deleteBranch(@PathVariable String appId, - @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasModifyNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge") @ApolloAuditLog(type = OpType.UPDATE, name = "NamespaceBranch.merge") public ReleaseDTO merge(@PathVariable String appId, @PathVariable String env, 
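Review bot: In `deleteBranch` the two permission checks are evaluated for `clusterName`, while the release lookup that decides `canDelete` is keyed on `branchName`, a separate path variable. Nothing in this hunk shows that `branchName` is verified to be a branch of `clusterName`; the method body continues outside the hunk, so the check may exist further down or in the service. If it does, a comment would make the assumption explicit: `// branchName is validated as a child of clusterName in <where>, so the clusterName permission covers it`. If it does not, the relation should be checked before `canDelete` is computed.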
@@ -156,7 +156,7 @@ public GrayReleaseRuleDTO getBranchGrayRules(@PathVariable String appId, @PathVa } - @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasOperateNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PutMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules") @ApolloAuditLog(type = OpType.UPDATE, name = "NamespaceBranch.updateBranchRules") public void updateBranchRules(@PathVariable String appId, @PathVariable String env, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java index ed362bf8542..86eb0ed1508 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceController.java @@ -30,7 +30,7 @@ import com.ctrip.framework.apollo.portal.entity.vo.NamespaceUsage; import com.ctrip.framework.apollo.portal.environment.Env; import com.ctrip.framework.apollo.portal.api.AdminServiceAPI; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.component.config.PortalConfig; import com.ctrip.framework.apollo.portal.entity.bo.NamespaceBO; import com.ctrip.framework.apollo.portal.entity.model.NamespaceCreationModel; 
@@ -76,7 +76,7 @@ public class NamespaceController { private final AppNamespaceService appNamespaceService; private final RoleInitializationService roleInitializationService; private final PortalConfig portalConfig; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; private final AdminServiceAPI.NamespaceAPI namespaceAPI; public NamespaceController( @@ -86,7 +86,7 @@ public NamespaceController( final AppNamespaceService appNamespaceService, final RoleInitializationService roleInitializationService, final PortalConfig portalConfig, - final PermissionValidator permissionValidator, + final UserPermissionValidator userPermissionValidator, final AdminServiceAPI.NamespaceAPI namespaceAPI) { this.publisher = publisher; this.userInfoHolder = userInfoHolder; @@ -94,7 +94,7 @@ public NamespaceController( this.appNamespaceService = appNamespaceService; this.roleInitializationService = roleInitializationService; this.portalConfig = portalConfig; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; this.namespaceAPI = namespaceAPI; } @@ -111,7 +111,7 @@ public List findNamespaces(@PathVariable String appId, @PathVariabl List namespaceBOs = namespaceService.findNamespaceBOs(appId, Env.valueOf(env), clusterName); for (NamespaceBO namespaceBO : namespaceBOs) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceBO.getBaseInfo().getNamespaceName())) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceBO.getBaseInfo().getNamespaceName())) { namespaceBO.hideItems(); } } 
@@ -125,7 +125,7 @@ public NamespaceBO findNamespace(@PathVariable String appId, @PathVariable Strin NamespaceBO namespaceBO = namespaceService.loadNamespaceBO(appId, Env.valueOf(env), clusterName, namespaceName); - if (namespaceBO != null && permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (namespaceBO != null && userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { namespaceBO.hideItems(); } @@ -141,7 +141,7 @@ public NamespaceBO findPublicNamespaceForAssociatedNamespace(@PathVariable Strin return namespaceService.findPublicNamespaceForAssociatedNamespace(Env.valueOf(env), appId, clusterName, namespaceName); } - @PreAuthorize(value = "@permissionValidator.hasCreateNamespacePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasCreateNamespacePermission(#appId)") @PostMapping("/apps/{appId}/namespaces") @ApolloAuditLog(type = OpType.CREATE, name = "Namespace.create") public ResponseEntity createNamespace(@PathVariable String appId, @@ -172,7 +172,7 @@ public ResponseEntity createNamespace(@PathVariable String appId, return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasDeleteNamespacePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasDeleteNamespacePermission(#appId)") @DeleteMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/linked-namespaces/{namespaceName:.+}") @ApolloAuditLog(type = OpType.DELETE, name = "Namespace.deleteLinkedNamespace") public ResponseEntity deleteLinkedNamespace(@PathVariable String appId, @PathVariable String env, 
@@ -195,7 +195,7 @@ public List findNamespaceUsage(@PathVariable String appId, @Path return namespaceService.getNamespaceUsageByAppId(appId, namespaceName); } - @PreAuthorize(value = "@permissionValidator.hasDeleteNamespacePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasDeleteNamespacePermission(#appId)") @DeleteMapping("/apps/{appId}/appnamespaces/{namespaceName:.+}") @ApolloAuditLog(type = OpType.DELETE, name = "AppNamespace.delete") public ResponseEntity deleteAppNamespace(@PathVariable String appId, @PathVariable String namespaceName) { @@ -218,7 +218,7 @@ public AppNamespaceDTO findAppNamespace(@PathVariable String appId, @PathVariabl return BeanUtils.transform(AppNamespaceDTO.class, appNamespace); } - @PreAuthorize(value = "@permissionValidator.hasCreateAppNamespacePermission(#appId, #appNamespace)") + @PreAuthorize(value = "@userPermissionValidator.hasCreateAppNamespacePermission(#appId, #appNamespace)") @PostMapping("/apps/{appId}/appnamespaces") @ApolloAuditLog(type = OpType.CREATE, name = "AppNamespace.create") public AppNamespace createAppNamespace(@PathVariable String appId, diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java index 9d56e5d6fc2..56f92a47b26 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/PermissionController.java 
@@ -20,7 +20,7 @@ import com.ctrip.framework.apollo.audit.annotation.OpType; import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.common.utils.RequestPrecondition; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.constant.PermissionType; import com.ctrip.framework.apollo.portal.constant.RoleType; import com.ctrip.framework.apollo.portal.entity.bo.UserInfo; @@ -57,7 +57,7 @@ public class PermissionController { private final UserService userService; private final RoleInitializationService roleInitializationService; private final SystemRoleManagerService systemRoleManagerService; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; public PermissionController( final UserInfoHolder userInfoHolder, @@ -65,13 +65,13 @@ public PermissionController( final UserService userService, final RoleInitializationService roleInitializationService, final SystemRoleManagerService systemRoleManagerService, - final PermissionValidator permissionValidator) { + final UserPermissionValidator userPermissionValidator) { this.userInfoHolder = userInfoHolder; this.rolePermissionService = rolePermissionService; this.userService = userService; this.roleInitializationService = roleInitializationService; this.systemRoleManagerService = systemRoleManagerService; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; } @PostMapping("/apps/{appId}/initPermission") 
@@ -166,7 +166,7 @@ public NamespaceEnvRolesAssignedUsers getNamespaceEnvRoles(@PathVariable String return assignedUsers; } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @PostMapping("/apps/{appId}/envs/{env}/namespaces/{namespaceName}/roles/{roleType}") @ApolloAuditLog(type = OpType.CREATE, name = "Auth.assignNamespaceEnvRoleToUser") public ResponseEntity assignNamespaceEnvRoleToUser(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName, @@ -191,7 +191,7 @@ public ResponseEntity assignNamespaceEnvRoleToUser(@PathVariable String ap return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @DeleteMapping("/apps/{appId}/envs/{env}/namespaces/{namespaceName}/roles/{roleType}") @ApolloAuditLog(type = OpType.DELETE, name = "Auth.removeNamespaceEnvRoleFromUser") public ResponseEntity removeNamespaceEnvRoleFromUser(@PathVariable String appId, @PathVariable String env, @PathVariable String namespaceName, @@ -234,7 +234,7 @@ public ClusterNamespaceRolesAssignedUsers getClusterNamespaceRoles(@PathVariable return assignedUsers; } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @PostMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}") public ResponseEntity assignClusterNamespaceRoleToUser(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String roleType, @RequestBody String user) { 
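Review bot: `assignClusterNamespaceRoleToUser` in the `@@ -234` hunk has no `@ApolloAuditLog` after its `@PostMapping`, although the namespace-level siblings in the same file carry one (for example `name = "Auth.assignNamespaceEnvRoleToUser"`). `removeClusterNamespaceRoleFromUser` in the following `@@ -258` hunk is in the same position. Cluster-scoped role grants and revocations are the kind of change an audit trail is there to record, so unless they are logged elsewhere I would add `@ApolloAuditLog(type = OpType.CREATE, name = "Auth.assignClusterNamespaceRoleToUser")` and the `OpType.DELETE` counterpart, naming them after the methods as the existing entries do. Both method bodies continue outside their hunks.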
@@ -258,7 +258,7 @@ public ResponseEntity assignClusterNamespaceRoleToUser(@PathVariable Strin return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @DeleteMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/ns_roles/{roleType}") public ResponseEntity removeClusterNamespaceRoleFromUser(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String roleType, @RequestParam String user) { @@ -294,7 +294,7 @@ public NamespaceRolesAssignedUsers getNamespaceRoles(@PathVariable String appId, return assignedUsers; } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @PostMapping("/apps/{appId}/namespaces/{namespaceName}/roles/{roleType}") @ApolloAuditLog(type = OpType.CREATE, name = "Auth.assignNamespaceRoleToUser") public ResponseEntity assignNamespaceRoleToUser(@PathVariable String appId, @PathVariable String namespaceName, @@ -314,7 +314,7 @@ public ResponseEntity assignNamespaceRoleToUser(@PathVariable String appId return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasAssignRolePermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasAssignRolePermission(#appId)") @DeleteMapping("/apps/{appId}/namespaces/{namespaceName}/roles/{roleType}") @ApolloAuditLog(type = OpType.DELETE, name = "Auth.removeNamespaceRoleFromUser") public ResponseEntity removeNamespaceRoleFromUser(@PathVariable String appId, @PathVariable String namespaceName, 
@@ -340,7 +340,7 @@ public AppRolesAssignedUsers getAppRoles(@PathVariable String appId) { return users; } - @PreAuthorize(value = "@permissionValidator.hasManageAppMasterPermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasManageAppMasterPermission(#appId)") @PostMapping("/apps/{appId}/roles/{roleType}") @ApolloAuditLog(type = OpType.CREATE, name = "Auth.assignAppRoleToUser") public ResponseEntity assignAppRoleToUser(@PathVariable String appId, @PathVariable String roleType, @@ -360,7 +360,7 @@ public ResponseEntity assignAppRoleToUser(@PathVariable String appId, @Pat return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.hasManageAppMasterPermission(#appId)") + @PreAuthorize(value = "@userPermissionValidator.hasManageAppMasterPermission(#appId)") @DeleteMapping("/apps/{appId}/roles/{roleType}") @ApolloAuditLog(type = OpType.DELETE, name = "Auth.removeAppRoleFromUser") public ResponseEntity removeAppRoleFromUser(@PathVariable String appId, @PathVariable String roleType, @@ -381,7 +381,7 @@ private void checkUserExists(String userId) { } } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping("/system/role/createApplication") @ApolloAuditLog(type = OpType.CREATE, name = "Auth.addCreateApplicationRoleToUser") public ResponseEntity addCreateApplicationRoleToUser(@RequestBody List userIds) { @@ -393,7 +393,7 @@ public ResponseEntity addCreateApplicationRoleToUser(@RequestBody List deleteCreateApplicationRoleFromUser(@PathVariable("userId") String userId) { 
@@ -405,7 +405,7 @@ public ResponseEntity deleteCreateApplicationRoleFromUser(@PathVariable("u return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping("/system/role/createApplication") public List getCreateApplicationRoleUsers() { return rolePermissionService.queryUsersWithRole(SystemRoleManagerService.CREATE_APPLICATION_ROLE_NAME) @@ -415,11 +415,11 @@ public List getCreateApplicationRoleUsers() { @GetMapping("/system/role/createApplication/{userId}") public JsonObject hasCreateApplicationPermission(@PathVariable String userId) { JsonObject rs = new JsonObject(); - rs.addProperty("hasCreateApplicationPermission", permissionValidator.hasCreateApplicationPermission(userId)); + rs.addProperty("hasCreateApplicationPermission", userPermissionValidator.hasCreateApplicationPermission(userId)); return rs; } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping("/apps/{appId}/system/master/{userId}") @ApolloAuditLog(type = OpType.CREATE, name = "Auth.addManageAppMasterRoleToUser") public ResponseEntity addManageAppMasterRoleToUser(@PathVariable String appId, @PathVariable String userId) { @@ -432,7 +432,7 @@ public ResponseEntity addManageAppMasterRoleToUser(@PathVariable String ap return ResponseEntity.ok().build(); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @DeleteMapping("/apps/{appId}/system/master/{userId}") @ApolloAuditLog(type = OpType.DELETE, name = "Auth.forbidManageAppMaster") public ResponseEntity forbidManageAppMaster(@PathVariable String appId, @PathVariable String userId) { 
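Review bot: `hasCreateApplicationPermission` in the `@@ -415` hunk shows no `@PreAuthorize` above its `@GetMapping`, unlike the `isSuperAdmin()` guards on the neighbouring `/system/role/createApplication` endpoints, and it answers for whatever `userId` arrives in the path. If it is meant to be open to every signed-in user, a comment saying so would stop the next reader from treating it as an oversight: `// no @PreAuthorize: <reason this lookup is open to any signed-in user>`. If not, it should be limited to the caller's own id or to super admins. The line directly above the hunk is outside my view, so confirm the annotation is really absent.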
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java index 8a1e9127a6f..91cfea9e22c 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseController.java @@ -20,7 +20,7 @@ import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.common.exception.NotFoundException; import com.ctrip.framework.apollo.portal.environment.Env; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.component.config.PortalConfig; import com.ctrip.framework.apollo.portal.entity.bo.ReleaseBO; import com.ctrip.framework.apollo.portal.entity.model.NamespaceReleaseModel; 
@@ -53,23 +53,23 @@ public class ReleaseController { private final ReleaseService releaseService; private final ApplicationEventPublisher publisher; private final PortalConfig portalConfig; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; private final UserInfoHolder userInfoHolder; public ReleaseController( final ReleaseService releaseService, final ApplicationEventPublisher publisher, final PortalConfig portalConfig, - final PermissionValidator permissionValidator, + final UserPermissionValidator userPermissionValidator, final UserInfoHolder userInfoHolder) { this.releaseService = releaseService; this.publisher = publisher; this.portalConfig = portalConfig; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; this.userInfoHolder = userInfoHolder; } - @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases") public ReleaseDTO createRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @@ -98,7 +98,7 @@ public ReleaseDTO createRelease(@PathVariable String appId, return createdRelease; } - @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") + @PreAuthorize(value = "@userPermissionValidator.hasReleaseNamespacePermission(#appId, #env, #clusterName, #namespaceName)") @PostMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/releases") public ReleaseDTO createGrayRelease(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, 
@@ -146,7 +146,7 @@ public List findAllReleases(@PathVariable String appId, @PathVariable String namespaceName, @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page, @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "5") int size) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { return Collections.emptyList(); } @@ -161,7 +161,7 @@ public List findActiveReleases(@PathVariable String appId, @Valid @PositiveOrZero(message = "page should be positive or 0") @RequestParam(defaultValue = "0") int page, @Valid @Positive(message = "size should be positive number") @RequestParam(defaultValue = "5") int size) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { return Collections.emptyList(); } @@ -187,7 +187,7 @@ public void rollback(@PathVariable String env, throw NotFoundException.releaseNotFound(releaseId); } - if (!permissionValidator.hasReleaseNamespacePermission(release.getAppId(), env, release.getClusterName(), release.getNamespaceName())) { + if (!userPermissionValidator.hasReleaseNamespacePermission(release.getAppId(), env, release.getClusterName(), release.getNamespaceName())) { throw new AccessDeniedException("Access is denied"); } diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java index 39f1f7f4db8..2102c08a0fa 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java 
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ReleaseHistoryController.java @@ -18,7 +18,7 @@ import com.ctrip.framework.apollo.portal.environment.Env; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.entity.bo.ReleaseHistoryBO; import com.ctrip.framework.apollo.portal.service.ReleaseHistoryService; import org.springframework.web.bind.annotation.GetMapping; @@ -33,11 +33,11 @@ public class ReleaseHistoryController { private final ReleaseHistoryService releaseHistoryService; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; - public ReleaseHistoryController(final ReleaseHistoryService releaseHistoryService, final PermissionValidator permissionValidator) { + public ReleaseHistoryController(final ReleaseHistoryService releaseHistoryService, final UserPermissionValidator userPermissionValidator) { this.releaseHistoryService = releaseHistoryService; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; } @GetMapping("/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/releases/histories") @@ -48,7 +48,7 @@ public List findReleaseHistoriesByNamespace(@PathVariable Stri @RequestParam(value = "page", defaultValue = "0") int page, @RequestParam(value = "size", defaultValue = "10") int size) { - if (permissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { + if (userPermissionValidator.shouldHideConfigToCurrentUser(appId, env, clusterName, namespaceName)) { return Collections.emptyList(); } 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ServerConfigController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ServerConfigController.java index bfa2810321b..ec32e9f3cdd 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ServerConfigController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ServerConfigController.java 
@@ -42,27 +42,27 @@ public ServerConfigController(final ServerConfigService serverConfigService) { this.serverConfigService = serverConfigService; } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping("/server/portal-db/config") @ApolloAuditLog(type = OpType.CREATE, name = "ServerConfig.createOrUpdatePortalDBConfig") public ServerConfig createOrUpdatePortalDBConfig(@Valid @RequestBody ServerConfig serverConfig) { return serverConfigService.createOrUpdatePortalDBConfig(serverConfig); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping("/server/envs/{env}/config-db/config") @ApolloAuditLog(type = OpType.CREATE, name = "ServerConfig.createOrUpdateConfigDBConfig") public ServerConfig createOrUpdateConfigDBConfig(@Valid @RequestBody ServerConfig serverConfig, @PathVariable String env) { return serverConfigService.createOrUpdateConfigDBConfig(Env.transformEnv(env), serverConfig); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping("/server/portal-db/config/find-all-config") public List findAllPortalDBServerConfig() { return serverConfigService.findAllPortalDBConfig(); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping("/server/envs/{env}/config-db/config/find-all-config") public List findAllConfigDBServerConfig(@PathVariable String env) { return serverConfigService.findAllConfigDBConfig(Env.transformEnv(env)); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/SystemInfoController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/SystemInfoController.java index a58c26e4359..72e33b4304d 100644 
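Review bot: The four `@PreAuthorize` expressions in the `@@ -42,27` hunk of ServerConfigController.java name the bean as a string, `"@userPermissionValidator.isSuperAdmin()"`, so the compiler cannot check the rename and a mismatch with the registered bean name would surface only when an endpoint is called. The same literal is repeated in the SystemInfoController and UserInfoController hunks. Keeping it in one place would make the next rename a one-line change, for example a shared constant `String IS_SUPER_ADMIN = "@userPermissionValidator.isSuperAdmin()";` referenced as `@PreAuthorize(IS_SUPER_ADMIN)`. The test configuration in this commit registers a mock under the same bean name, so tests built on it would presumably not reveal a mismatch with the production bean; a test that expects a denied response for a non-admin caller against the real validator would cover that.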
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/SystemInfoController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/SystemInfoController.java @@ -65,7 +65,7 @@ private void init() { restTemplate = restTemplateFactory.getObject(); } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping public SystemInfo getSystemInfo() { SystemInfo systemInfo = new SystemInfo(); @@ -86,7 +86,7 @@ public SystemInfo getSystemInfo() { return systemInfo; } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @GetMapping(value = "/health") public Health checkHealth(@RequestParam String instanceId) { List allEnvs = portalSettings.getAllEnvs(); diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/UserInfoController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/UserInfoController.java index 86be1feffb3..95ca76952b2 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/UserInfoController.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/UserInfoController.java @@ -58,7 +58,7 @@ public UserInfoController( this.passwordChecker = passwordChecker; } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PostMapping("/users") public void createOrUpdateUser( @RequestParam(value = "isCreate", defaultValue = "false") boolean isCreate, @@ -83,7 +83,7 @@ public void createOrUpdateUser( } } - @PreAuthorize(value = "@permissionValidator.isSuperAdmin()") + @PreAuthorize(value = "@userPermissionValidator.isSuperAdmin()") @PutMapping("/users/enabled") public void changeUserEnabled(@RequestBody UserPO user) { if (userService instanceof SpringSecurityUserService) { 
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ConfigsExportService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ConfigsExportService.java index 1dc32fd4586..9db7e653136 100644 --- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ConfigsExportService.java +++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ConfigsExportService.java @@ -24,7 +24,7 @@ import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.common.exception.ServiceException; import com.ctrip.framework.apollo.core.enums.ConfigFileFormat; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.component.PortalSettings; import com.ctrip.framework.apollo.portal.entity.bo.ConfigBO; import com.ctrip.framework.apollo.portal.entity.bo.NamespaceBO; @@ -66,7 +66,7 @@ public class ConfigsExportService { private final PortalSettings portalSettings; - private final PermissionValidator permissionValidator; + private final UserPermissionValidator userPermissionValidator; public ConfigsExportService( AppService appService, @@ -74,13 +74,13 @@ public ConfigsExportService( final @Lazy NamespaceService namespaceService, final AppNamespaceService appNamespaceService, PortalSettings portalSettings, - PermissionValidator permissionValidator) { + UserPermissionValidator userPermissionValidator) { this.appService = appService; this.clusterService = clusterService; this.namespaceService = namespaceService; this.appNamespaceService = appNamespaceService; this.portalSettings = portalSettings; - this.permissionValidator = permissionValidator; + this.userPermissionValidator = userPermissionValidator; } /** 
@@ -144,7 +144,7 @@ private List findHasPermissionApps() { final Predicate isAppAdmin = app -> { try { - return permissionValidator.isAppAdmin(app.getAppId()); + return userPermissionValidator.isAppAdmin(app.getAppId()); } catch (Exception e) { logger.error("permission check failed. app = {}", app); return false; diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java index 1cba3858b5d..858eb470c40 100644 --- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java +++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/SkipAuthorizationConfiguration.java @@ -19,7 +19,7 @@ import com.ctrip.framework.apollo.openapi.auth.ConsumerPermissionValidator; import com.ctrip.framework.apollo.openapi.entity.ConsumerToken; import com.ctrip.framework.apollo.openapi.util.ConsumerAuthUtil; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import org.springframework.context.annotation.Bean; import org.springframework.context.annotation.Configuration; import org.springframework.context.annotation.Primary; @@ -42,7 +42,7 @@ public class SkipAuthorizationConfiguration { @Bean public ConsumerPermissionValidator consumerPermissionValidator() { final ConsumerPermissionValidator mock = mock(ConsumerPermissionValidator.class); - when(mock.hasCreateNamespacePermission(any(), any())).thenReturn(true); + when(mock.hasCreateNamespacePermission(any())).thenReturn(true); return mock; } 
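Review bot: The `catch (Exception e)` around `userPermissionValidator.isAppAdmin(app.getAppId())` in the `@@ -144,7` hunk of ConfigsExportService.java logs "permission check failed" without the exception, so a failing permission lookup leaves no cause in the log. Returning `false` keeps the export failing closed, which should stay, but the log call should carry the throwable: `logger.error("permission check failed. app = {}", app, e);` (this assumes an SLF4J-style logger, as the `{}` placeholder suggests). `findHasPermissionApps` begins and ends outside the hunk.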
@@ -61,9 +61,9 @@ public ConsumerAuthUtil consumerAuthUtil() { } @Primary - @Bean("permissionValidator") - public PermissionValidator permissionValidator() { - final PermissionValidator mock = mock(PermissionValidator.class); + @Bean("userPermissionValidator") + public UserPermissionValidator permissionValidator() { + final UserPermissionValidator mock = mock(UserPermissionValidator.class); when(mock.isSuperAdmin()).thenReturn(true); when(mock.hasAssignRolePermission(any())).thenReturn(true); return mock; diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/AppControllerTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/AppControllerTest.java index eb3da356be5..138a54521f0 100644 --- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/AppControllerTest.java +++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/AppControllerTest.java @@ -107,7 +107,7 @@ public class AppControllerTest { @Test public void testFindAppsAuthorized() throws Exception { final long consumerId = 123456; - Mockito.when(this.consumerAuthUtil.retrieveConsumerId(Mockito.any())).thenReturn(consumerId); + Mockito.when(this.consumerAuthUtil.retrieveConsumerIdFromCtx()).thenReturn(consumerId); final List consumerRoles = Arrays.asList( generateConsumerRoleByRoleId(6), diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceControllerTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceControllerTest.java index 93c1b3a182e..2c7be73af10 100644 --- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceControllerTest.java +++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/openapi/v1/controller/NamespaceControllerTest.java 
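Review bot: In the `@@ -61,9` hunk of SkipAuthorizationConfiguration.java the bean is now registered as `userPermissionValidator` while its factory method is still named `permissionValidator()`, which makes the override harder to find when searching by bean name; renaming it to `public UserPermissionValidator userPermissionValidator() {` keeps the two aligned. Since `ConsumerPermissionValidator` now implements `PermissionValidator`, and if `UserPermissionValidator` does as well (not visible here), the `@Primary` on this mock would also decide any injection by the interface type in tests. A short comment on the method would help, such as `// Test-only: stubs isSuperAdmin() and hasAssignRolePermission() to true so authorization is bypassed`.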
@@ -39,7 +39,7 @@ public class NamespaceControllerTest extends AbstractControllerTest { @Test public void shouldFailWhenAppNamespaceNameIsInvalid() { - Assert.assertTrue(consumerPermissionValidator.hasCreateNamespacePermission(null, null)); + Assert.assertTrue(consumerPermissionValidator.hasCreateNamespacePermission(null)); OpenAppNamespaceDTO dto = new OpenAppNamespaceDTO(); dto.setAppId("appId"); diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerTest.java index 234e6fe797f..600866b627e 100644 --- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerTest.java +++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/controller/ItemControllerTest.java @@ -18,7 +18,7 @@ import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.core.enums.ConfigFileFormat; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel; import com.ctrip.framework.apollo.portal.service.ItemService; import com.ctrip.framework.apollo.portal.service.NamespaceService; @@ -44,14 +44,14 @@ public class ItemControllerTest { @Mock private UserInfoHolder userInfoHolder; @Mock - private PermissionValidator permissionValidator; + private UserPermissionValidator userPermissionValidator; @InjectMocks private ItemController itemController; @Before public void setUp() throws Exception { - itemController = new ItemController(configService, userInfoHolder, permissionValidator, + itemController = new ItemController(configService, userInfoHolder, userPermissionValidator, namespaceService); } 
diff --git a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/ConfigsExportServiceTest.java b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/ConfigsExportServiceTest.java index 0dd544d6736..217ac2d40dd 100644 --- a/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/ConfigsExportServiceTest.java +++ b/apollo-portal/src/test/java/com/ctrip/framework/apollo/portal/service/ConfigsExportServiceTest.java @@ -23,7 +23,7 @@ import com.ctrip.framework.apollo.common.entity.AppNamespace; import com.ctrip.framework.apollo.core.enums.ConfigFileFormat; import com.ctrip.framework.apollo.portal.AbstractUnitTest; -import com.ctrip.framework.apollo.portal.component.PermissionValidator; +import com.ctrip.framework.apollo.portal.component.UserPermissionValidator; import com.ctrip.framework.apollo.portal.entity.bo.ItemBO; import com.ctrip.framework.apollo.portal.entity.bo.NamespaceBO; import com.ctrip.framework.apollo.portal.entity.bo.UserInfo; @@ -65,7 +65,7 @@ public class ConfigsExportServiceTest extends AbstractUnitTest { @Mock private NamespaceService namespaceService; @Mock - private PermissionValidator permissionValidator; + private UserPermissionValidator userPermissionValidator; @Mock private UserInfoHolder userInfoHolder; @Mock @@ -155,7 +155,7 @@ private void testExportImportScenario(boolean fillItemDetail) throws FileNotFoun when(appService.findAll()).thenReturn(exportApps); when(appNamespaceService.findAll()).thenReturn(appNamespaces); - when(permissionValidator.isAppAdmin(any())).thenReturn(true); + when(userPermissionValidator.isAppAdmin(any())).thenReturn(true); when(clusterService.findClusters(env, appId1)).thenReturn(app1Clusters); when(clusterService.findClusters(env, appId2)).thenReturn(app2Clusters); when(namespaceService.findNamespaceBOs(appId1, Env.DEV, clusterName1, fillItemDetail, false)).thenReturn(app1Cluster1Namespace);