TencentBlueKing · zhangzhw8 · Aug 2, 2023 · Sep 13, 2023 · Sep 21, 2023 · Sep 12, 2023
diff --git a/dbm-services/common/go-pubpkg/errno/50000_dbpriv_code.go b/dbm-services/common/go-pubpkg/errno/50000_dbpriv_code.go
@@ -10,25 +10,15 @@
 
 package errno
 
+// dbpriv code start  50000
 var (
-	// dbpriv code start  50000
-
-	// PasswordNotConsistent TODO
-	PasswordNotConsistent = Errno{Code: 51008,
-		Message:   "user is exist,but the new password is not consistent with the old password, should be consistent",
-		CNMessage: "账号已存在，但是新密码与旧密码不一致，需要保持一致"}
 	// GrantPrivilegesFail TODO
 	GrantPrivilegesFail = Errno{Code: 51009, Message: "Grant Privileges Fail", CNMessage: "授权执行失败"}
 	// GrantPrivilegesSuccess TODO
 	GrantPrivilegesSuccess = Errno{Code: 0, Message: "Grant Privileges success", CNMessage: "授权执行成功"}
 	// GrantPrivilegesParameterCheckFail TODO
 	GrantPrivilegesParameterCheckFail = Errno{Code: 51010, Message: "Parameter of Grant Privileges Check Fail",
 		CNMessage: "授权单据的参数检查失败"}
-	// ErrPswNotIdentical TODO
-	ErrPswNotIdentical = Errno{Code: 51000,
-		Message: "Password is not identical to the password of existed account rules, " +
-			"same accounts should use same password.",
-		CNMessage: "密码与已存在的账号规则中的密码不同,相同账号的密码需要保持一致！"}
 	// AccountRuleExisted TODO
 	AccountRuleExisted = Errno{Code: 51001, Message: "Account rule of user on this db is existed ",
 		CNMessage: "用户对此DB授权的账号规则已存在"}
@@ -57,10 +47,8 @@ var (
 	AccountRuleNotExisted = Errno{Code: 51004, Message: "Account rule not existed ", CNMessage: "账号规则不存在"}
 	// OnlyOneDatabaseAllowed TODO
 	OnlyOneDatabaseAllowed = Errno{Code: 51005,
-		Message: "Only one database allowed, database name should not contain space", CNMessage: "只允许填写一个数据库，数据库名称不能包含空格"}
-	// ErrMysqlInstanceStruct TODO
-	ErrMysqlInstanceStruct = Errno{Code: 51006, Message: "Not either tendbha or orphan structure",
-		CNMessage: "不符合tendbha或者orphan的集群结构"}
+		Message:   "Only one database allowed, database name should not contain space",
+		CNMessage: "只允许填写一个数据库，数据库名称不能包含空格"}
 	// GenerateEncryptedPasswordErr TODO
 	GenerateEncryptedPasswordErr = Errno{Code: 51007, Message: "Generate Encrypted Password Err",
 		CNMessage: "创建账号，生成加密的密码时发生错误"}
@@ -70,11 +58,32 @@ var (
 	ClonePrivilegesCheckFail = Errno{Code: 51014, Message: "Clone privileges check fail", CNMessage: "克隆权限检查失败"}
 	// NoPrivilegesNothingToDo TODO
 	NoPrivilegesNothingToDo = Errno{Code: 51015, Message: "no privileges,nothing to do", CNMessage: "没有权限需要克隆"}
-	// IpPortFormatError TODO
-	IpPortFormatError = Errno{Code: 51017, Message: "format not in 'ip:port' format",
-		CNMessage: "格式不是ip:port的格式"}
 	// CloudIdRequired TODO
 	CloudIdRequired = Errno{Code: 51019, Message: "bk_cloud_id is required", CNMessage: "bk_cloud_id不能为空"}
 	// ClusterTypeIsEmpty TODO
-	ClusterTypeIsEmpty = Errno{Code: 51021, Message: "Cluster type can't be empty", CNMessage: "cluster type不能为空"}
+	ClusterTypeIsEmpty = Errno{Code: 51021, Message: "Cluster type can't be empty",
+		CNMessage: "cluster type不能为空"}
+	ModifyUserPasswordFail = Errno{Code: 51022, Message: "modify user password fail",
+		CNMessage: "修改用户密码失败"}
+	IncludeCharTypesLargerThanLength = Errno{Code: 51023, Message: "include char types larger than length",
+		CNMessage: "要求包含的字符类型大于字符串长度"}
+	TryTooManyTimes = Errno{Code: 51024, Message: "try too many times", CNMessage: "尝试太多次"}
+	RuleIdNull      = Errno{Code: 51025, Message: "Rule ID should not be empty",
+		CNMessage: "安全规则的id不能为空"}
+	RuleNameNull = Errno{Code: 51026, Message: "Rule name should not be empty",
+		CNMessage: "安全规则的名称不能为空"}
+	RuleExisted       = Errno{Code: 51027, Message: "Rule already existed ", CNMessage: "规则已存在"}
+	RuleNotExisted    = Errno{Code: 51028, Message: "Rule not existed ", CNMessage: "规则不存在"}
+	NotMeetComplexity = Errno{Code: 51030, Message: "Set Passwords must meet complexity requirements",
+		CNMessage: "设置的密码应该符合密码复杂度"}
+	NameNull = Errno{Code: 51031, Message: "username should not be empty ",
+		CNMessage: "用户名名称不能为空"}
+	ComponentNull = Errno{Code: 51032, Message: "component should not be empty ",
+		CNMessage: "组件名称不能为空"}
+	UseApiForMysqlAdmin = Errno{Code: 51033, Message: "use api for mysql admin",
+		CNMessage: "使用mysql admin专用的接口"}
+	PlatformPasswordNotAllowedModified = Errno{Code: 51034, Message: "platform password not allowed modified",
+		CNMessage: "平台级别的密码不允许修改或者删除"}
+	WrongMysqlAdminName = Errno{Code: 51035, Message: "wrong mysql admin name ",
+		CNMessage: "mysql管理用户名错误"}
 )
diff --git a/dbm-services/mysql/db-priv/.gitignore b/dbm-services/mysql/db-priv/.gitignore
@@ -13,4 +13,5 @@ pubkey.pem
 privkey.pem
 infile
 outfile
-.code.yml
+.code.yml
+*.log
diff --git a/dbm-services/mysql/db-priv/assests/migrate.go b/dbm-services/mysql/db-priv/assests/migrate.go
@@ -1,7 +1,10 @@
 package assests
 
 import (
+	"dbm-services/common/go-pubpkg/errno"
+	"dbm-services/mysql/priv-service/service"
 	"embed"
+	"encoding/json"
 	"fmt"
 
 	"github.com/golang-migrate/migrate/v4"
@@ -48,3 +51,52 @@ func DoMigrateFromEmbed() error {
 		}
 	}
 }
+func DoMigratePlatformPassword() error {
+	// 初始化安全规则
+	passwordSecurityRule := &service.SecurityRulePara{Name: "password",
+		Rule: "{\"max_length\":12,\"min_length\":8,\"include_rule\":{\"numbers\":true,\"symbols\":true,\"lowercase\":true,\"uppercase\":true},\"exclude_continuous_rule\":{\"limit\":4,\"letters\":false,\"numbers\":false,\"symbols\":false,\"keyboards\":false,\"repeats\":false}}", Operator: "admin"}
+	b, _ := json.Marshal(passwordSecurityRule)
+	errOuter := passwordSecurityRule.AddSecurityRule(string(b))
+	if errOuter != nil {
+		no, _ := errno.DecodeErr(errOuter)
+		if no != errno.RuleExisted.Code {
+			return errOuter
+		}
+	}
+
+	// 初始化平台密码，随机密码
+	type ComponentPlatformUser struct {
+		Component string
+		Usernames []string
+	}
+
+	// 平台密码初始化，不存在新增
+	var users []ComponentPlatformUser
+	users = append(users, ComponentPlatformUser{Component: "mysql", Usernames: []string{
+		"dba_bak_all_sel", "MONITOR", "MONITOR_ALL", "mysql", "repl", "yw"}})
+	users = append(users, ComponentPlatformUser{Component: "proxy", Usernames: []string{"proxy"}})
+	users = append(users, ComponentPlatformUser{Component: "tbinlogdumper", Usernames: []string{"ADMIN"}})
+
+	for _, component := range users {
+		for _, user := range component.Usernames {
+			defaultCloudId := int64(0)
+			getPara := &service.GetPasswordPara{Users: []service.UserInComponent{{user,
+				component.Component}},
+				Instances: []service.Address{{"0.0.0.0", 0, &defaultCloudId}}}
+			_, count, err := getPara.GetPassword()
+			if err != nil {
+				return fmt.Errorf("%s error: %s", "init platform password, get password", err.Error())
+			}
+			if count == 0 {
+				insertPara := &service.ModifyPasswordPara{UserName: user, Component: component.Component, Operator: "admin",
+					Instances:    []service.Address{{"0.0.0.0", 0, &defaultCloudId}},
+					InitPlatform: true, SecurityRuleName: "password"}
+				err = insertPara.ModifyPassword()
+				if err != nil {
+					return fmt.Errorf("%s error: %s", "init platform password, modify password", err.Error())
+				}
+			}
+		}
+	}
+	return nil
+}
diff --git a/...sests/migrations/000001_init.down.sql.sql → ...v/assests/migrations/000001_init.down.sql b/...sests/migrations/000001_init.down.sql.sql → ...v/assests/migrations/000001_init.down.sql
diff --git a/...sests/migrations/000003_init.down.sql.sql → ...v/assests/migrations/000003_init.down.sql b/...sests/migrations/000003_init.down.sql.sql → ...v/assests/migrations/000003_init.down.sql
diff --git a/dbm-services/mysql/db-priv/assests/migrations/000004_init.down.sql b/dbm-services/mysql/db-priv/assests/migrations/000004_init.down.sql
@@ -0,0 +1,2 @@
+DROP TABLE IF EXISTS tb_security_rules;
+DROP TABLE IF EXISTS tb_passwords;
diff --git a/dbm-services/mysql/db-priv/assests/migrations/000004_init.up.sql b/dbm-services/mysql/db-priv/assests/migrations/000004_init.up.sql
@@ -0,0 +1,27 @@
+SET NAMES utf8;
+CREATE TABLE IF NOT EXISTS `tb_security_rules` (
+    `id` int(11) NOT NULL AUTO_INCREMENT,
+    `name` varchar(200) NOT NULL COMMENT '规则名称',
+    `rule` json NOT NULL COMMENT '安全规则',
+    `creator` varchar(200) NOT NULL COMMENT '创建者',
+    `create_time` timestamp NOT NULL DEFAULT CURRENT_TIMESTAMP COMMENT '创建时间',
+    `operator` varchar(200) DEFAULT NULL COMMENT '最后一次变更者',
+    `update_time` timestamp NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '最后一次变更时间',
+    PRIMARY KEY (`id`),
+    UNIQUE KEY `idx_name` (`name`)) ENGINE=InnoDB DEFAULT CHARSET=utf8;
+
+CREATE TABLE IF NOT EXISTS `tb_passwords` (
+    `ip` varchar(100) NOT NULL COMMENT '实例ip',
+    `port` int unsigned NOT NULL COMMENT '实例端口',
+    `bk_cloud_id` int unsigned NOT NULL COMMENT '云区域id',
+    `username`  varchar(800) NOT NULL COMMENT '用户名称',
+    `password` varchar(800) NOT NULL COMMENT '加密后的密码',
+    `component` varchar(100) NOT NULL COMMENT '组件，比如mysql、proxy',
+    `lock_until` timestamp COMMENT '锁定到的时间',
+    `operator` varchar(200) DEFAULT NULL COMMENT '最后一次变更者',
+    `update_time` timestamp NULL DEFAULT CURRENT_TIMESTAMP ON UPDATE CURRENT_TIMESTAMP COMMENT '最后一次变更时间',
+    UNIQUE KEY `idx_instance_user` (ip, port, bk_cloud_id, username, component),
+    KEY `idx_update_time` (ip, port, bk_cloud_id, username, component,update_time),
+    KEY `idx_component`(`component`),
+    KEY `idx_bk_cloud_id`(`bk_cloud_id`),
+    KEY `idx_lock` (username, component,lock_until,update_time)) ENGINE=InnoDB DEFAULT CHARSET=utf8;
diff --git a/dbm-services/mysql/db-priv/handler/account_rule.go b/dbm-services/mysql/db-priv/handler/account_rule.go
@@ -24,7 +24,7 @@ func (m *PrivService) GetAccountRuleList(c *gin.Context) {
 		return
 	}
 
-	if err := json.Unmarshal(body, &input); err != nil {
+	if err = json.Unmarshal(body, &input); err != nil {
 		slog.Error("msg", err)
 		SendResponse(c, errno.ErrBind, err)
 		return
@@ -51,18 +51,14 @@ func (m *PrivService) AddAccountRule(c *gin.Context) {
 		return
 	}
 
-	if err := json.Unmarshal(body, &input); err != nil {
+	if err = json.Unmarshal(body, &input); err != nil {
 		slog.Error("msg", err)
 		SendResponse(c, errno.ErrBind, err)
 		return
 	}
 
 	err = input.AddAccountRule(string(body))
-	if err != nil {
-		SendResponse(c, err, nil)
-		return
-	}
-	SendResponse(c, nil, nil)
+	SendResponse(c, err, nil)
 	return
 }
 
@@ -102,17 +98,13 @@ func (m *PrivService) ModifyAccountRule(c *gin.Context) {
 		return
 	}
 
-	if err := json.Unmarshal(body, &input); err != nil {
+	if err = json.Unmarshal(body, &input); err != nil {
 		slog.Error("msg", err)
 		SendResponse(c, errno.ErrBind, err)
 		return
 	}
 
 	err = input.ModifyAccountRule(string(body))
-	if err != nil {
-		SendResponse(c, err, nil)
-		return
-	}
-	SendResponse(c, nil, nil)
+	SendResponse(c, err, nil)
 	return
 }
diff --git a/dbm-services/mysql/db-priv/handler/admin_password.go b/dbm-services/mysql/db-priv/handler/admin_password.go
@@ -0,0 +1,136 @@
+package handler
+
+import (
+	"dbm-services/common/go-pubpkg/errno"
+	"dbm-services/mysql/priv-service/service"
+	"encoding/json"
+	"io/ioutil"
+
+	"github.com/gin-gonic/gin"
+	"golang.org/x/exp/slog"
+)
+
+// GetPassword 查询用户的密码
+func (m *PrivService) GetPassword(c *gin.Context) {
+	slog.Info("do GetPassword!")
+	var input service.GetPasswordPara
+	body, err := ioutil.ReadAll(c.Request.Body)
+	if err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	if err = json.Unmarshal(body, &input); err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	batch, count, err := input.GetPassword()
+	if err != nil {
+		slog.Error(err.Error())
+		SendResponse(c, err, nil)
+		return
+	}
+	SendResponse(c, err, ListResponse{
+		Count: int64(count),
+		Items: batch,
+	})
+	return
+}
+
+// ModifyPassword 新增或者修改密码
+func (m *PrivService) ModifyPassword(c *gin.Context) {
+	slog.Info("do ModifyPassword!")
+	var input service.ModifyPasswordPara
+	body, err := ioutil.ReadAll(c.Request.Body)
+	if err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	if err = json.Unmarshal(body, &input); err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	err = input.ModifyPassword()
+	SendResponse(c, err, nil)
+	return
+}
+
+// DeletePassword 删除密码
+func (m *PrivService) DeletePassword(c *gin.Context) {
+	slog.Info("do DeletePassword!")
+	var input service.GetPasswordPara
+	body, err := ioutil.ReadAll(c.Request.Body)
+	if err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	if err = json.Unmarshal(body, &input); err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	err = input.DeletePassword()
+	SendResponse(c, err, nil)
+	return
+}
+
+// GetMysqlAdminPassword 查询ysql实例中管理用户的密码
+func (m *PrivService) GetMysqlAdminPassword(c *gin.Context) {
+	slog.Info("do GetMysqlAdminPassword!")
+	var input service.GetAdminUserPasswordPara
+	body, err := ioutil.ReadAll(c.Request.Body)
+	if err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	if err = json.Unmarshal(body, &input); err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	batch, count, err := input.GetMysqlAdminPassword()
+	if err != nil {
+		slog.Error(err.Error())
+		SendResponse(c, err, nil)
+		return
+	}
+	SendResponse(c, err, ListResponse{
+		Count: int64(count),
+		Items: batch,
+	})
+	return
+}
+
+// ModifyMysqlAdminPassword 新增或者修改mysql实例中管理用户的密码，可用于随机化密码
+func (m *PrivService) ModifyMysqlAdminPassword(c *gin.Context) {
+	slog.Info("do ModifyMysqlAdminPassword!")
+	var input service.ModifyAdminUserPasswordPara
+
+	body, err := ioutil.ReadAll(c.Request.Body)
+	if err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+
+	if err = json.Unmarshal(body, &input); err != nil {
+		slog.Error("msg", err)
+		SendResponse(c, errno.ErrBind, err)
+		return
+	}
+	// 随机化定时任务异步返回，避免占用资源
+	if input.Async == true {
+		SendResponse(c, nil, nil)
+	}
+	// 前端页面调用等同步返回，返回修改成功的实例以及没有修改成功的实例
+	batch, err := input.ModifyMysqlAdminPassword()
+	if input.Async == false {
+		SendResponse(c, err, batch)
+	}
+	return
+}