fix(backend): 调整密码随机化接口 #1440

fix(backend): 更新依赖包 #1463 fix(backend): update password helm version #1465 feat: 新增mysql的ADMIN密码查询去除bk_cloud_id的功能 #1381 fix(backend): update password helm version #1485
TencentBlueKing · Nov 2, 2023 · 26bbf65 · 26bbf65
1 parent 75f29bf
commit 26bbf65
Show file tree

Hide file tree

Showing 16 changed files with 95 additions and 74 deletions.
diff --git a/dbm-services/.gitignore b/dbm-services/.gitignore
@@ -1,3 +1,5 @@
 .codecc
 .idea
-.vscode
+.vscode
+
+pkg/
diff --git a/dbm-services/mysql/db-priv/service/admin_password.go b/dbm-services/mysql/db-priv/service/admin_password.go
@@ -197,12 +197,7 @@ func (m *GetAdminUserPasswordPara) GetMysqlAdminPassword() ([]*TbPasswords, int,
 	where := fmt.Sprintf(" username='%s' and component='%s' and lock_until is not null", m.UserName, m.Component)
 	var filter []string
 	for _, item := range m.Instances {
-		if item.BkCloudId == nil {
-			return passwords, 0, errno.CloudIdRequired
-		}
-		// 目标实例
-		filter = append(filter, fmt.Sprintf("(ip='%s' and port=%d and bk_cloud_id=%d)",
-			item.Ip, item.Port, *item.BkCloudId))
+		filter = append(filter, fmt.Sprintf("(ip='%s' and port=%d)", item.Ip, item.Port))
 	}
 	filters := strings.Join(filter, " or ")
 	if filters != "" {
@@ -260,6 +255,7 @@ func (m *ModifyAdminUserPasswordPara) ModifyMysqlAdminPassword() (BatchResult, e
 	if m.Async && m.Range == "randmize_expired" {
 		errCheck = m.NeedToBeRandomized()
 		if errCheck != nil {
+			slog.Error("msg", "NeedToBeRandomized", errCheck)
 			return batch, errCheck
 		}
 	} else if m.Async && m.Range == "randmize_daily" {
@@ -303,9 +299,11 @@ func (m *ModifyAdminUserPasswordPara) ModifyMysqlAdminPassword() (BatchResult, e
 
 	for _, cluster := range m.Clusters {
 		if cluster.BkCloudId == nil {
+			slog.Error("msg", errno.CloudIdRequired)
 			return batch, errno.CloudIdRequired
 		}
 		if cluster.ClusterType == nil {
+			slog.Error("msg", errno.ClusterTypeIsEmpty)
 			return batch, errno.ClusterTypeIsEmpty
 		}
 		var psw, encrypt string
@@ -393,7 +391,7 @@ func (m *ModifyAdminUserPasswordPara) ModifyMysqlAdminPassword() (BatchResult, e
 					result := DB.Self.Exec(sql)
 					if result.Error != nil {
 						notOK.Addresses = append(notOK.Addresses, address)
-						slog.Error("msg", "excute sql error", result.Error)
+						slog.Error("msg", "sql", sql, "excute sql error", result.Error)
 						AddError(&errMsg, hostPort, result.Error)
 						continue
 					}
@@ -420,6 +418,7 @@ func (m *ModifyAdminUserPasswordPara) ModifyMysqlAdminPassword() (BatchResult, e
 	batch = BatchResult{Success: success.resources, Fail: fail.resources}
 	if len(errMsg.errs) > 0 {
 		errOuter := errno.ModifyUserPasswordFail.Add("\n" + strings.Join(errMsg.errs, "\n"))
+		slog.Error("msg", "modify error", errOuter)
 		return batch, errOuter
 	}
 	return batch, nil

diff --git a/dbm-services/mysql/db-priv/service/admin_password_object.go b/dbm-services/mysql/db-priv/service/admin_password_object.go
@@ -43,13 +43,13 @@ type UserInComponent struct {
 
 // GetAdminUserPasswordPara 函数的入参
 type GetAdminUserPasswordPara struct {
-	Instances []Address `json:"instances"`
-	UserName  string    `json:"username"`
-	Component string    `json:"component"`
-	Limit     *int      `json:"limit"`
-	Offset    *int      `json:"offset"`
-	BeginTime string    `json:"begin_time"`
-	EndTime   string    `json:"end_time"`
+	Instances []IpPort `json:"instances"`
+	UserName  string   `json:"username"`
+	Component string   `json:"component"`
+	Limit     *int     `json:"limit"`
+	Offset    *int     `json:"offset"`
+	BeginTime string   `json:"begin_time"`
+	EndTime   string   `json:"end_time"`
 }
 
 type TbPasswords struct {

diff --git a/dbm-ui/backend/configuration/handlers/password.py b/dbm-ui/backend/configuration/handlers/password.py
@@ -22,6 +22,7 @@
 from backend.core.encrypt.handlers import AsymmetricHandler
 from backend.db_meta.enums import ClusterType, InstanceInnerRole, InstanceRole, TenDBClusterSpiderRole
 from backend.db_periodic_task.models import DBPeriodicTask
+from backend.db_services.ipchooser.query.resource import ResourceQueryHelper
 from backend.flow.consts import MySQLPasswordRole
 
 
@@ -65,8 +66,8 @@ def query_mysql_admin_password(
         instance_list = []
         try:
             for address in instances:
-                bk_cloud_id, ip, port = address.split(":")
-                instance_list.append({"bk_cloud_id": int(bk_cloud_id), "ip": ip, "port": int(port)})
+                ip, port = address.split(":")
+                instance_list.append({"ip": ip, "port": int(port)})
         except (IndexError, ValueError):
             raise PasswordPolicyBaseException(_("请保证查询的实例输入格式合法"))
 
@@ -80,8 +81,10 @@ def query_mysql_admin_password(
 
         mysql_admin_password_data = MySQLPrivManagerApi.get_mysql_admin_password(params=filters)
         mysql_admin_password_data["results"] = mysql_admin_password_data.pop("items")
+        cloud_info = ResourceQueryHelper.search_cc_cloud(get_cache=True)
         for data in mysql_admin_password_data["results"]:
             data["password"] = base64.b64decode(data["password"]).decode("utf-8")
+            data["bk_cloud_name"] = cloud_info[str(data["bk_cloud_id"])]["bk_cloud_name"]
 
         return mysql_admin_password_data
 

diff --git a/dbm-ui/backend/configuration/serializers.py b/dbm-ui/backend/configuration/serializers.py
@@ -17,10 +17,11 @@
 from backend.bk_web.serializers import AuditedSerializer
 from backend.configuration import mock_data
 from backend.configuration.constants import DEFAULT_SETTINGS, DBType
-from backend.configuration.mock_data import BIZ_SETTINGS_DATA, PASSWORD_POLICY
+from backend.configuration.mock_data import BIZ_SETTINGS_DATA, PASSWORD_POLICY, VERIFY_PASSWORD_DATA
 from backend.configuration.models.function_controller import FunctionController
 from backend.configuration.models.ip_whitelist import IPWhitelist
 from backend.configuration.models.system import BizSettings, SystemSettings
+from backend.db_meta.enums import ClusterType
 from backend.db_services.mysql.permission.constants import AccountType
 
 
@@ -93,7 +94,7 @@ class GetMySQLAdminPasswordSerializer(serializers.Serializer):
 
     begin_time = serializers.CharField(help_text=_("开始时间"), required=False)
     end_time = serializers.CharField(help_text=_("结束时间"), required=False)
-    instances = serializers.CharField(help_text=_("过滤的实例列表(通过,分割，实例格式为--cloud_id:ip:port)"), required=False)
+    instances = serializers.CharField(help_text=_("过滤的实例列表(通过,分割，实例格式为--ip:port)"), required=False)
 
 
 class GetMySQLAdminPasswordResponseSerializer(serializers.Serializer):

diff --git a/dbm-ui/backend/configuration/tasks/password.py b/dbm-ui/backend/configuration/tasks/password.py
@@ -57,9 +57,7 @@ def get_mysql_instance(cluster_id: int):
     def _get_instances(_role, _instances):
         instance_info = {
             "role": _role,
-            "addresses": [
-                {"ip": instance.machine.ip, "port": instance.port, "id": instance.id} for instance in _instances
-            ],
+            "addresses": [{"ip": instance.machine.ip, "port": instance.port} for instance in _instances],
         }
         return instance_info
 

diff --git a/dbm-ui/backend/db_meta/api/cluster/tendbha/decommission.py b/dbm-ui/backend/db_meta/api/cluster/tendbha/decommission.py
@@ -16,8 +16,8 @@
 from backend.components import MySQLPrivManagerApi
 from backend.db_meta.exceptions import DBMetaException
 from backend.db_meta.models import Cluster, ClusterEntry, StorageInstanceTuple
-from backend.flow.consts import MySQLPrivComponent, UserName
 from backend.db_services.mysql.open_area.models import TendbOpenAreaConfig
+from backend.flow.consts import MySQLPrivComponent, UserName
 from backend.flow.utils.cc_manage import CcManage
 
 logger = logging.getLogger("root")

diff --git a/dbm-ui/backend/flow/engine/controller/mysql.py b/dbm-ui/backend/flow/engine/controller/mysql.py
@@ -539,6 +539,7 @@ def mysql_ha_standardize_scene(self):
     def mysql_randomize_password(self):
         flow = MySQLRandomizePassword(root_id=self.root_id, data=self.ticket_data)
         flow.mysql_randomize_password()
+
     def mysql_open_area_scene(self):
         flow = MysqlOpenAreaFlow(root_id=self.root_id, data=self.ticket_data)
         flow.mysql_open_area_flow()

diff --git a/dbm-ui/backend/flow/plugins/components/collections/spider/switch_remote_slave_routing.py b/dbm-ui/backend/flow/plugins/components/collections/spider/switch_remote_slave_routing.py
@@ -11,7 +11,7 @@
 
 from backend.components import DRSApi, MySQLPrivManagerApi
 from backend.constants import IP_PORT_DIVIDER
-from backend.core.encrypt.handlers import RSAHandler
+from backend.core.encrypt.handlers import AsymmetricHandler
 from backend.db_meta.models import Cluster
 from backend.flow.consts import TDBCTL_USER
 from backend.flow.plugins.components.collections.common.base_service import BaseService
@@ -27,8 +27,8 @@ def _create_tdbctl_user(self, cluster: Cluster, ctl_primary: str, new_ip: str, n
         再新的实例对中控primary授权
         """
         # 添加临时账号
-        encrypt_switch_pwd = RSAHandler.encrypt_password(
-            MySQLPrivManagerApi.fetch_public_key(), tdbctl_pass, salt=None
+        encrypt_switch_pwd = AsymmetricHandler.encrypt_with_pubkey(
+            pubkey=MySQLPrivManagerApi.fetch_public_key(), content=tdbctl_pass
         )
 
         MySQLPrivManagerApi.add_priv_without_account_rule(

diff --git a/dbm-ui/backend/flow/utils/cloud/cloud_act_payload.py b/dbm-ui/backend/flow/utils/cloud/cloud_act_payload.py
@@ -19,7 +19,8 @@
 from backend.configuration.models import SystemSettings
 from backend.core.encrypt.constants import AsymmetricCipherConfigType
 from backend.core.encrypt.handlers import AsymmetricHandler
-from backend.db_proxy.constants import NGINX_PUSH_TARGET_PATH, ExtensionType
+from backend.db_proxy.constants import NGINX_PUSH_TARGET_PATH, ExtensionServiceStatus, ExtensionType
+from backend.db_proxy.models import DBExtension
 from backend.flow.consts import (
     CLOUD_NGINX_DBM_DEFAULT_PORT,
     CLOUD_NGINX_MANAGE_DEFAULT_HOST,
@@ -189,7 +190,7 @@ def get_cloud_nginx_url(bk_cloud_id: int):
 
     @staticmethod
     def get_dns_nameservers(bk_cloud_id):
-        dns_rows = DBExtension.get_extension_in_cloud(bk_cloud_id=bk_cloud_id, extension_type=CloudServiceName.DNS)
+        dns_rows = DBExtension.get_extension_in_cloud(bk_cloud_id=bk_cloud_id, extension_type=ExtensionType.DNS)
         if not dns_rows:
             raise ServiceDoesNotApply(_("DNS服务未部署,请在DNS服务部署后再进行该服务的部署"))
         dns_nameservers = ["nameserver {}".format(dns.details["ip"]) for dns in dns_rows]

diff --git a/dbm-ui/backend/flow/utils/mysql/mysql_act_playload.py b/dbm-ui/backend/flow/utils/mysql/mysql_act_playload.py
@@ -1843,11 +1843,9 @@ def get_open_area_dump_schema_payload(self, **kwargs):
         @return:
         """
         fileserver = {}
-        rsa = RSAHandler.get_or_generate_rsa_in_db(RSAConfigType.PROXYPASS.value)
-        db_cloud_token = RSAHandler.encrypt_password(
-            rsa.rsa_public_key.content, f"{self.bk_cloud_id}_dbactuator_token"
+        db_cloud_token = AsymmetricHandler.encrypt(
+            name=AsymmetricCipherConfigType.PROXYPASS.value, content=f"{self.bk_cloud_id}_dbactuator_token"
         )
-
         nginx_ip = DBCloudProxy.objects.filter(bk_cloud_id=self.bk_cloud_id).last().internal_address
         bkrepo_url = f"http://{nginx_ip}/apis/proxypass" if self.bk_cloud_id else settings.BKREPO_ENDPOINT_URL
 
@@ -1912,9 +1910,8 @@ def get_open_area_dump_data_payload(self, **kwargs):
         @return:
         """
         fileserver = {}
-        rsa = RSAHandler.get_or_generate_rsa_in_db(RSAConfigType.PROXYPASS.value)
-        db_cloud_token = RSAHandler.encrypt_password(
-            rsa.rsa_public_key.content, f"{self.bk_cloud_id}_dbactuator_token"
+        db_cloud_token = AsymmetricHandler.encrypt(
+            name=AsymmetricCipherConfigType.PROXYPASS.value, content=f"{self.bk_cloud_id}_dbactuator_token"
         )
 
         nginx_ip = DBCloudProxy.objects.filter(bk_cloud_id=self.bk_cloud_id).last().internal_address