feat(backend): webconsole去除集群白名单限制 #8769

TencentBlueKing · Dec 23, 2024 · 87d0bc5 · 87d0bc5
1 parent e95ca31
commit 87d0bc5
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 25 deletions.
diff --git a/dbm-ui/backend/bk_dataview/grafana/views.py b/dbm-ui/backend/bk_dataview/grafana/views.py
@@ -21,8 +21,6 @@
 from django.views.decorators.csrf import csrf_exempt
 from django.views.generic import View
 
-from backend import env
-from backend.bk_web.exceptions import ExternalClusterIdInvalidException
 from backend.configuration.constants import SystemSettingsEnum
 from backend.configuration.models import SystemSettings
 from backend.db_meta.enums import ClusterType
@@ -415,10 +413,6 @@ def _auth(self, request):
         resources = [[resource] for resource in resource_meta.batch_create_instances([cluster.id])]
         result = IAMPermission(actions, resources).has_permission(request, "")
 
-        # 针对外部查询，需在判断是否集群是否在允许的白名单内
-        if env.ENABLE_EXTERNAL_PROXY and cluster.id not in SystemSettings.get_external_whitelist_cluster_ids():
-            raise ExternalClusterIdInvalidException(cluster_id=cluster.id)
-
         if not result:
             raise PermissionError
 

diff --git a/dbm-ui/backend/bk_web/middleware.py b/dbm-ui/backend/bk_web/middleware.py
@@ -29,14 +29,9 @@
     NON_EXTERNAL_PROXY_ROUTING,
     ROUTING_WHITELIST_PATTERNS,
 )
-from backend.bk_web.exceptions import (
-    ExternalClusterIdInvalidException,
-    ExternalProxyBaseException,
-    ExternalRouteInvalidException,
-)
+from backend.bk_web.exceptions import ExternalProxyBaseException, ExternalRouteInvalidException
 from backend.bk_web.handlers import _error
-from backend.configuration.models import SystemSettings
-from backend.db_services.dbbase.views import DBBaseViewSet
+from backend.components import BKBaseApi
 from backend.ticket.views import TicketViewSet
 from backend.utils.local import local
 from backend.utils.string import str2bool
@@ -171,8 +166,6 @@ def check_create_ticket():
             # 目前只放开数据导出
             if data["ticket_type"] not in EXTERNAL_TICKET_TYPE_WHITELIST:
                 raise ExternalRouteInvalidException(_("单据类型[{}]非法，未开通白名单").format(data["ticket_type"]))
-            if data["details"]["cluster_id"] not in SystemSettings.get_external_whitelist_cluster_ids():
-                raise ExternalClusterIdInvalidException(cluster_id=data["cluster_id"])
 
         # 单据过滤校验函数
         def check_list_ticket():
@@ -181,16 +174,9 @@ def check_list_ticket():
             data["ticket_type__in"] = ",".join(EXTERNAL_TICKET_TYPE_WHITELIST)
             request.GET = data
 
-        def check_webconsole():
-            data = json.loads(request.body.decode("utf-8"))
-            # 校验集群是否在白名单中
-            if data["cluster_id"] not in SystemSettings.get_external_whitelist_cluster_ids():
-                raise ExternalClusterIdInvalidException(cluster_id=data["cluster_id"])
-
         check_action_func_map = {
             f"{TicketViewSet.__name__}.{TicketViewSet.create.__name__}": check_create_ticket,
             f"{TicketViewSet.__name__}.{TicketViewSet.list.__name__}": check_list_ticket,
-            f"{DBBaseViewSet.__name__}.{DBBaseViewSet.webconsole.__name__}": check_webconsole,
         }
         # 根据请求的视图 + 动作判断是否特殊接口，以及接口参数是否合法
         try:
@@ -247,6 +233,10 @@ def __call__(self, request):
             request.is_external = str2bool(request.headers.get("IS-EXTERNAL", ""), strict=False)
         response = self.get_response(request)
 
+        # 如果是来自外部转发的请求，进行脱敏
+        if request.is_external and request.path.startswith("/apis/") and env.BKDATA_DATA_TOKEN:
+            response.data = json.loads(BKBaseApi.data_desensitization(response.content.decode("utf-8")))
+
         return response
 
 

diff --git a/dbm-ui/backend/bk_web/viewsets.py b/dbm-ui/backend/bk_web/viewsets.py
@@ -10,6 +10,7 @@
 """
 import copy
 import json
+import re
 from typing import Any, Dict, List, Optional, Tuple, Union
 
 from blueapps.account.decorators import login_exempt
@@ -21,8 +22,7 @@
 from rest_framework.viewsets import ModelViewSet, ReadOnlyModelViewSet
 
 from backend import env
-from backend.bk_web.constants import EXTERNAL_TICKET_TYPE_WHITELIST
-from backend.components import BKBaseApi
+from backend.bk_web.constants import EXTERNAL_TICKET_TYPE_WHITELIST, IP_RE
 from backend.components.dbconsole.client import DBConsoleApi
 from backend.iam_app.dataclass.actions import ActionEnum
 from backend.iam_app.handlers.drf_perm.base import RejectPermission
@@ -233,7 +233,7 @@ def after_response(self, request, response, *args, **kwargs):
         if request.path.startswith("/external/apis/") and response.headers.get("Content-Type").startswith(
             "application/json"
         ):
-            data = BKBaseApi.data_desensitization(response.content.decode("utf-8"))
+            data = re.sub(IP_RE, "*.*.*.*", response.content.decode("utf-8"))
             return Response(json.loads(data))
 
         # 按原样补充响应头