Skip to content

Commit

Permalink
feat(backend): 外部集群过期访问校验 #8616
Browse files Browse the repository at this point in the history
  • Loading branch information
iSecloud committed Dec 16, 2024
1 parent d669f9e commit 8455f5c
Show file tree
Hide file tree
Showing 8 changed files with 91 additions and 16 deletions.
3 changes: 1 addition & 2 deletions dbm-ui/backend/bk_dataview/grafana/views.py
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@
from django.views.decorators.csrf import csrf_exempt
from django.views.generic import View

from backend import env
from backend.bk_web.exceptions import ExternalClusterIdInvalidException
from backend.configuration.constants import SystemSettingsEnum
from backend.configuration.models import SystemSettings
Expand Down Expand Up @@ -416,7 +415,7 @@ def _auth(self, request):
result = IAMPermission(actions, resources).has_permission(request, "")

# 针对外部查询,需在判断是否集群是否在允许的白名单内
if env.ENABLE_EXTERNAL_PROXY and cluster.id not in SystemSettings.get_external_whitelist_cluster_ids():
if request.is_external and not SystemSettings.check_access_external_cluster(cluster.id):
raise ExternalClusterIdInvalidException(cluster_id=cluster.id)

if not result:
Expand Down
4 changes: 2 additions & 2 deletions dbm-ui/backend/bk_web/middleware.py
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,7 @@ def check_create_ticket():
# 目前只放开数据导出
if data["ticket_type"] not in EXTERNAL_TICKET_TYPE_WHITELIST:
raise ExternalRouteInvalidException(_("单据类型[{}]非法,未开通白名单").format(data["ticket_type"]))
if data["details"]["cluster_id"] not in SystemSettings.get_external_whitelist_cluster_ids():
if SystemSettings.check_access_external_cluster(data["details"]["cluster_id"]):
raise ExternalClusterIdInvalidException(cluster_id=data["cluster_id"])

# 单据过滤校验函数
Expand All @@ -185,7 +185,7 @@ def check_list_ticket():
def check_webconsole():
data = json.loads(request.body.decode("utf-8"))
# 校验集群是否在白名单中
if data["cluster_id"] not in SystemSettings.get_external_whitelist_cluster_ids():
if SystemSettings.check_access_external_cluster(data["cluster_id"]):
raise ExternalClusterIdInvalidException(cluster_id=data["cluster_id"])

check_action_func_map = {
Expand Down
1 change: 1 addition & 0 deletions dbm-ui/backend/configuration/constants.py
Original file line number Diff line number Diff line change
Expand Up @@ -105,6 +105,7 @@ class SystemSettingsEnum(str, StructuredEnum):
INDEPENDENT_HOSTING_BIZS = EnumField("INDEPENDENT_HOSTING_BIZS", _("独立托管机器的业务列表"))
BF_WHITELIST_BIZS = EnumField("BF_WHITELIST_BIZS", _("BF业务白名单"))
EXTERNAL_WHITELIST_CLUSTER_IDS = EnumField("EXTERNAL_WHITELIST_CLUSTER_IDS", _("外部访问集群ID白名单列表"))
EXTERNAL_WHITELIST_CLUSTER_EXPIRE = EnumField("EXTERNAL_WHITELIST_CLUSTER_EXPIRE", _("外部访问集群过期时间"))
SPEC_OFFSET = EnumField("SPEC_OFFSET", _("默认的规格参数偏移量"))
DEVICE_CLASSES = EnumField("DEVICE_CLASSES", _("机型列表"))
BKM_DUTY_NOTICE = EnumField("BKM_DUTY_NOTICE", _("轮值通知设置"))
Expand Down
74 changes: 63 additions & 11 deletions dbm-ui/backend/configuration/models/system.py
Original file line number Diff line number Diff line change
Expand Up @@ -9,18 +9,22 @@
specific language governing permissions and limitations under the License.
"""
import logging
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Optional, Union

from django.conf import settings
from django.db import connection, models
from django.db import connection, models, transaction
from django.utils.translation import ugettext_lazy as _

from backend import env
from backend.bk_web.constants import LEN_LONG, LEN_NORMAL
from backend.bk_web.models import AuditedModel
from backend.configuration import constants
from backend.configuration.constants import BizSettingsEnum
from backend.configuration.constants import SystemSettingsEnum
from backend.db_meta.enums import ClusterType
from backend.utils.time import date2str, str2date

logger = logging.getLogger("root")

Expand All @@ -34,10 +38,13 @@ class AbstractSettings(AuditedModel):
desc = models.CharField(_("描述"), max_length=LEN_LONG)

@classmethod
def get_setting_value(cls, key: dict, default: Optional[Any] = None) -> Union[str, Dict, List]:
def get_setting_value(cls, key: dict, default: Optional[Any] = None, lock: bool = False) -> Union[str, Dict, List]:
"""插入一条配置记录"""
try:
setting_value = cls.objects.get(**key).value
if lock:
setting_value = cls.objects.select_for_update().get(**key).value
else:
setting_value = cls.objects.get(**key).value
except cls.DoesNotExist:
if default is None:
setting_value = ""
Expand Down Expand Up @@ -104,11 +111,13 @@ def register_system_settings(cls):
setattr(settings, system_setting.key, system_setting.value)

@classmethod
def get_setting_value(cls, key: str, default: Optional[Any] = None) -> Union[str, Dict, List]:
def get_setting_value(cls, key: str, default: Optional[Any] = None, lock: bool = False) -> Union[str, Dict, List]:
return super().get_setting_value(key={"key": key}, default=default)

@classmethod
def insert_setting_value(cls, key: str, value: Any, value_type: str = "str", user: str = "admin") -> None:
def insert_setting_value(
cls, key: str, value: Any, value_type: str = "str", user: str = "admin", desc: str = ""
) -> None:
return super().insert_setting_value(
key={"key": key},
value=value,
Expand All @@ -118,13 +127,56 @@ def insert_setting_value(cls, key: str, value: Any, value_type: str = "str", use
)

@classmethod
def get_external_whitelist_cluster_ids(cls) -> List:
return [
conf["cluster_id"]
for conf in cls.get_setting_value(
key=constants.SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_IDS.value, default=[]
def check_access_external_cluster(cls, cluster_id) -> bool:
"""
获取是否可访问外部合法白名单集群,数据格式
"$cluster_id": {"bk_biz_id": 123, "operator": "somebody", "update_at": "2024-12-13 10:23:33", "remark": "xxx"}
"""
today = datetime.today().date()
cluster_id = str(cluster_id)
with transaction.atomic():
# 用行锁控制并发时更新请求的不一致
whitelist = cls.get_setting_value(
key=SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_IDS, default={}, lock=True
)
if cluster_id not in whitelist:
return False

# 判断集群时间是否过期,如果过期则删除该key并报错,否则更新访问时间
expire_days = SystemSettings.get_setting_value(
SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_EXPIRE.value, default=30
)
access_date = str2date(whitelist[cluster_id]["update_at"])
if access_date - timedelta(days=expire_days) > today:
check_flag = False
else:
if access_date != today:
whitelist[cluster_id]["update_at"] = date2str(today)
cls.insert_setting_value(key=SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_IDS, value=whitelist)
check_flag = True

return check_flag

@classmethod
def update_external_cluster(cls, bk_biz_id, operator, cluster_ids, remark=""):
"""
更新外部可访问集群名单
"""
with transaction.atomic():
# 用行锁控制并发时更新请求的不一致
whitelist = cls.get_setting_value(
key=SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_IDS, default=defaultdict(dict), lock=True
)
for cluster_id in cluster_ids:
whitelist[cluster_id] = {
"bk_biz_id": bk_biz_id,
"operator": operator,
"remark": remark,
"update_at": date2str(datetime.today()),
}
cls.insert_setting_value(
key=SystemSettingsEnum.EXTERNAL_WHITELIST_CLUSTER_IDS, value=whitelist, value_type="dict"
)
]


class BizSettings(AbstractSettings):
Expand Down
7 changes: 7 additions & 0 deletions dbm-ui/backend/configuration/serializers.py
Original file line number Diff line number Diff line change
Expand Up @@ -254,3 +254,10 @@ class FunctionControllerSerializer(serializers.Serializer):
class Meta:
model = FunctionController
fields = "__all__"


class UpdateExternalClusterSerializer(serializers.Serializer):
cluster_ids = serializers.ListField(help_text=_("集群ID列表"), child=serializers.IntegerField())
bk_biz_id = serializers.IntegerField(help_text=_("业务ID"))
operator = serializers.CharField(help_text=_("更新人"))
remark = serializers.CharField(help_text=_("备注"), required=False, default="")
11 changes: 11 additions & 0 deletions dbm-ui/backend/configuration/views/system.py
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
ListBizSettingsSerializer,
UpdateBizSettingsSerializer,
UpdateDutyNoticeSerializer,
UpdateExternalClusterSerializer,
)
from backend.db_meta.models import AppCache
from backend.db_services.ipchooser.constants import IDLE_HOST_MODULE
Expand Down Expand Up @@ -126,6 +127,16 @@ def sensitive_environ(self, request):
}
)

@common_swagger_auto_schema(
operation_summary=_("更新外部集群白名单"),
tags=tags,
request_body=UpdateExternalClusterSerializer(),
)
@action(methods=["POST"], detail=False, pagination_class=None, serializer_class=UpdateExternalClusterSerializer)
def update_external_cluster(self, request):
SystemSettings.update_external_cluster(**self.validated_data)
return Response()


class BizSettingsViewSet(viewsets.AuditedModelViewSet):
"""业务设置视图"""
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@
from backend.ticket import builders
from backend.ticket.builders.mysql.mysql_dump_data import (
MySQLDumpDataDetailSerializer,
MySQLDumpDataFlowBuilder,
MySQLDumpDataFlowParamBuilder,
MySQLDumpDataItsmFlowParamsBuilder,
)
Expand All @@ -34,7 +35,7 @@ class TendbClusterDumpDataItsmFlowParamsBuilder(MySQLDumpDataItsmFlowParamsBuild


@builders.BuilderFactory.register(TicketType.TENDBCLUSTER_DUMP_DATA)
class TendbClusterDumpDataFlowBuilder(BaseTendbTicketFlowBuilder):
class TendbClusterDumpDataFlowBuilder(BaseTendbTicketFlowBuilder, MySQLDumpDataFlowBuilder):
serializer = TendbClusterDumpDataDetailSerializer
itsm_flow_builder = TendbClusterDumpDataItsmFlowParamsBuilder
inner_flow_builder = TendbClusterDumpDataFlowParamBuilder
Expand Down
4 changes: 4 additions & 0 deletions dbm-ui/backend/utils/time.py
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,10 @@ def date2str(o_date: datetime.date, fmt: str = DATE_PATTERN) -> str:
return datetime.date.strftime(o_date, fmt)


def str2date(date_str: str, fmt: str = DATE_PATTERN) -> datetime.date:
return datetime.datetime.strptime(date_str, fmt).date()


def calculate_cost_time(
end_time: Optional[Union[datetime.datetime, str]],
start_time: Optional[Union[datetime.datetime, str]],
Expand Down

0 comments on commit 8455f5c

Please sign in to comment.