feat: added audit operation for data source and user #1981

rolin999 · 2024-11-11T14:32:26Z

Description

用户管理 SaaS 操作审计（模型 + 数据源 + 用户）

Checklist

填写 PR 描述及相关 issue (write PR description and related issue)
代码风格检查通过 (code style check passed)
PR 中包含单元测试 (include unit test)
单元测试通过 (unit test passed)
本地开发联调环境验证通过 (local development environment verification passed)

narasux · 2024-11-12T02:44:17Z

src/bk-user/bkuser/apis/web/data_source/views.py

@@ -603,6 +608,8 @@ def post(self, request, *args, **kwargs):
            operation=OperationEnum.SYNC_DATA_SOURCE,
            object_type=ObjectTypeEnum.DATA_SOURCE,
            object_id=data_source.id,
+            data_before={},


建议 data_before, data_after, extras 都做成可选参数

narasux · 2024-11-12T02:44:58Z

src/bk-user/bkuser/apis/web/organization/views/mixins.py

+
+
+class CurrentUserDepartmentRelationMixin:
+    """获取用户与部门之间的映射关系"""


需要讨论：加这个 mixin 来算数据，是否合适？

narasux · 2024-11-12T02:46:25Z

src/bk-user/bkuser/apis/web/organization/views/users.py

+        )
+
+        # 【审计】批量添加审计记录
+        batch_add_audit_records(


@nannan00 感觉审计的逻辑有点太多了，比业务逻辑还要多 :(

narasux · 2024-11-12T02:47:41Z

src/bk-user/bkuser/apps/audit/recorder.py

-    )
+
+    # 若有数据变更，则添加记录
+    if data_before != data_after or extras != {}:


数据还能有没变更的情况么，如果有得加 warning 日志？

narasux

目前存在一个问题：操作审计的代码远多于业务代码，显得特别乱，可读性很差

wklken · 2024-11-12T02:49:40Z

src/bk-user/bkuser/apis/web/organization/views/relations.py

@@ -191,8 +293,38 @@ def delete(self, request, *args, **kwargs):
            id__in=data["user_ids"],
        ).values_list("data_source_user_id", flat=True)

+        # 【审计】记录变更前用户-部门映射
+        user_department_map_before = self.get_user_department_map(data_source_user_ids=data_source_user_ids)


为审计预留的数据，统一命名：

data_before_xxxxx data_after_xxxx

wklken · 2024-11-12T02:54:39Z

src/bk-user/bkuser/apis/web/organization/views/users.py

+            operator=request.user.username,
+            tenant_id=self.get_current_tenant_id(),
+            objects=audit_objects,
+        )


@nannan00
每个审计看起来还是非常复杂的，反客为主占用业务逻辑的带宽

是否能针对这类

构造 audit_objects 有没有更简单的方法，能够抽象出来

对象默认值设置好，只关注需要传入的对象

将审计代码抽成self._get_audit(xxxxx)?

nannan00 · 2024-11-13T04:03:14Z

src/bk-user/bkuser/apps/audit/data_model.py

+    # 操作后数据
+    data_after: Dict
+    # 额外信息
+    extras: Dict


# 操作对象名称 name: str = "" ... # 操作前数据 data_before: Dict = Field(default_factory=dict) # 操作后数据 data_after: Dict = Field(default_factory=dict) # 额外信息 extras: Dict = Field(default_factory=dict)

nannan00 · 2024-11-13T04:28:46Z

src/bk-user/bkuser/apis/web/organization/views/users.py

+            tenant_id=cur_tenant_id,
+            objects=audit_objects,
+        )
+


目前是 view -> apps.audit , view -> biz -> apps.audit

在 Biz 模块里，封装业务相关的审计，避免审计代码过多导致 view 里本身业务逻辑的可读性变差

比如 biz/auditor.py 里定义 TenantUserUpdateAuditor

# 是否定义对象更具体操作的审计？根据场景考虑，DataSourceDeleteAuditor、TenantUserUpdateAuditor 之类的 class TenantUserUpdateAuditor: """用于记录租户用户变更的审计""" def __init__(self, operator: str, tenant_id: str): self.operator = operator self.tenant_id = tenant_id // 根据实际需要定义 self.data_befores = {} def pre_record_data_before(self, tenant_user: TenantUser): # 执行变更前的相关数据记录 # 【审计】记录修改前的数据源用户数据 self.data_befores["data_source_user"] = get_model_dict(tenant_user.data_source_user) # 【审计】记录修改前的租户用户数据 self.data_befores["tenant_user"] = get_model_dict(tenant_user) # 【审计】记录修改前的用户部门 self.data_befores["department_ids"] = list( DataSourceDepartmentUserRelation.objects.filter( user=data_source_user, ).values_list("department_id", flat=True) ) # 【审计】记录修改前的用户上级 self.data_befores["leader_ids"] = list( DataSourceUserLeaderRelation.objects.filter(user=data_source_user).values_list("leader_id", flat=True) ) def record(self, tenant_user: TenantUser, data_source_user: DataSourceUser, leader_ids: List[int], department_ids: List[int]): # 组装相关数据，并调用 apps.audit 模块里的方法进行记录 ds_user_object = {"id": data_source_user.id, "name": data_source_user.username, "type": ObjectTypeEnum.DATA_SOURCE_USER} audit_objects = [ # 数据源用户本身信息 AuditObject( **ds_user_object, operation=OperationEnum.MODIFY_DATA_SOURCE_USER, data_before=self.data_befores["data_source_user"], data_after=get_model_dict(data_source_user), ), # 数据源用户的部门 AuditObject( **ds_user_object, operation=OperationEnum.MODIFY_USER_DEPARTMENT, data_before={"department_ids": self.data_befores["department_ids"]}, data_after={"department_ids": department_ids}, ), # 数据源用户的 Leader AuditObject( **ds_user_object, operation=OperationEnum.MODIFY_USER_LEADER, data_before={"leader_ids": self.data_befores["leader_ids"]}, data_after={"leader_ids": leader_ids}, ), # 租户用户 AuditObject( id=tenant_user.id, type=ObjectTypeEnum.TENANT_USER, operation=OperationEnum.MODIFY_TENANT_USER, data_before=self.data_befores["tenant_user_before"], data_after=get_model_dict(tenant_user), ) ] batch_add_audit_records(self.operator, self.tenant_id, audit_objects)

调用点（暂时不考虑 Context 方式调用）：

auditor = TenantUserUpdateAuditor(request.user.username, cur_tenant_id) auditor.pre_record_data_before(tenant_user) ...... # 执行变更 ...... auditor.record(tenant_user.id, data_source_dept_ids , data_source_leader_ids)

nannan00 · 2024-11-13T04:31:51Z

src/bk-user/bkuser/apis/web/organization/views/users.py

+                operation=OperationEnum.MODIFY_USER_LEADER_RELATIONS,
+                # 采用 sorted 为了 list 对象比较
+                data_before={"leader_ids": sorted(data_source_leader_ids_before)},
+                data_after={"leader_ids": sorted(data_source_leader_ids)},


比较是底层的审计方法职责，上层不需要关注

feat: added audit operation for data source and user

1dee6dc

rolin999 requested review from nannan00, narasux and wklken November 11, 2024 14:34

narasux reviewed Nov 12, 2024

View reviewed changes

narasux requested changes Nov 12, 2024

View reviewed changes

wklken reviewed Nov 12, 2024

View reviewed changes

nannan00 reviewed Nov 13, 2024

View reviewed changes

feat: added audit operation for data source and user

faf8305

rolin999 closed this Nov 13, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: added audit operation for data source and user #1981

feat: added audit operation for data source and user #1981

rolin999 commented Nov 11, 2024

narasux Nov 12, 2024

narasux Nov 12, 2024

narasux Nov 12, 2024

narasux Nov 12, 2024

narasux left a comment

wklken Nov 12, 2024

wklken Nov 12, 2024

nannan00 Nov 13, 2024

nannan00 Nov 13, 2024 •

edited

Loading

nannan00 Nov 13, 2024



		class CurrentUserDepartmentRelationMixin:
		"""获取用户与部门之间的映射关系"""

feat: added audit operation for data source and user #1981

feat: added audit operation for data source and user #1981

Conversation

rolin999 commented Nov 11, 2024

Description

Checklist

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

narasux left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

nannan00 Nov 13, 2024 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

nannan00 Nov 13, 2024 •

edited

Loading