Merge pull request #1277 from hanshuaikang/feature/develop_by_han

feat: 允许配置权限中心 sdk 的超时时间&对于创建人为 admin 的资源跳过自动授权

app.yml

@@ -5,7 +5,7 @@ author: 蓝鲸智云
 category: 办公应用
 introduction: 流程服务是蓝鲸推出的轻量级ITSM，通过可自定义设计的流程模块，覆盖IT服务中的不同管理活动或应用场景。帮助企业用户规范内部管理流程，提升沟通及管理效率。
 introduction_en: bk_itsm is a lightweight ITSM created by Blueking. It covers different application scenarios in IT services through customizable workflows and help enterprise users to implement standardize IT workflow, improve communication and management efficiency.
-version: 2.6.10-alpha.1
+version: 2.6.10-alpha.2
 language: python
 is_use_celery: True
 is_use_celery_with_gevent: False

app_desc.yaml

@@ -1,5 +1,5 @@
 spec_version: 2
-app_version: "2.6.10-alpha.1"
+app_version: "2.6.10-alpha.2"
 app:
     region: default
     bk_app_code: bk_itsm

config/default.py

@@ -951,3 +951,5 @@ def redirect_func(request):
 
 ENABLE_NOTIFY_ROUTER = os.getenv("BKAPP_ENABLE_NOTIFY_ROUTER", False)
 NOTIFY_ROUTER_NAME = os.getenv("BKAPP_NOTIFY_ROUTER_NAME", "router")
+
+IAM_SDK_CLIENT_TIMEOUT = int(os.getenv("BKAPP_IAM_SDK_CLIENT_TIMEOUT", 20))

iam/api/client.py

@@ -18,6 +18,7 @@
 
 from cachetools import cached, TTLCache
 from requests.models import PreparedRequest
+from django.conf import settings
 
 from .http import http_get, http_post, http_put, http_delete
 
@@ -51,8 +52,15 @@ def _call_api(self, http_func, host, path, data, headers, timeout=None):
         ok, _data = http_func(url, data, headers=headers, timeout=timeout)
 
         if logger.isEnabledFor(logging.DEBUG):
-            logger.debug("do http request: method=`%s`, url=`%s`, data=`%s`", http_func.__name__, url, json.dumps(data))
-            logger.debug("http request result: ok=`%s`, _data=`%s`", ok, json.dumps(_data))
+            logger.debug(
+                "do http request: method=`%s`, url=`%s`, data=`%s`",
+                http_func.__name__,
+                url,
+                json.dumps(data),
+            )
+            logger.debug(
+                "http request result: ok=`%s`, _data=`%s`", ok, json.dumps(_data)
+            )
             logger.debug("http request took %s ms", int((time.time() - begin) * 1000))
 
         if not ok:
@@ -71,7 +79,9 @@ def _call_iam_api(self, http_func, path, data, timeout=None):
             "X-BK-APP-SECRET": self._app_secret,
             "X-Bk-IAM-Version": BK_IAM_VERSION,
         }
-        return self._call_api(http_func, self._host, path, data, headers, timeout=timeout)
+        return self._call_api(
+            http_func, self._host, path, data, headers, timeout=timeout
+        )
 
     def _call_esb_api(self, http_func, path, data, bk_token, bk_username, timeout=None):
         headers = {
@@ -86,7 +96,9 @@ def _call_esb_api(self, http_func, path, data, bk_token, bk_username, timeout=No
                 "bk_username": bk_username,
             }
         )
-        return self._call_api(http_func, self._bk_paas_host, path, data, headers, timeout=timeout)
+        return self._call_api(
+            http_func, self._bk_paas_host, path, data, headers, timeout=timeout
+        )
 
     # ---------- system
     def add_system(self, data):
@@ -104,21 +116,25 @@ def update_system(self, system_id, data):
 
     # ---------- resource_type
     def batch_add_resource_types(self, system_id, data):
-        path = "/api/v1/model/systems/{system_id}/resource-types".format(system_id=system_id)
+        path = "/api/v1/model/systems/{system_id}/resource-types".format(
+            system_id=system_id
+        )
         ok, message, data = self._call_iam_api(http_post, path, data)
         # if alreay exists, return true
         return ok, message
 
     def update_resource_type(self, system_id, resource_type_id, data):
-        path = ("/api/v1/model/systems/{system_id}/resource-types/{resource_type_id}").format(
-            system_id=system_id, resource_type_id=resource_type_id
-        )
+        path = (
+            "/api/v1/model/systems/{system_id}/resource-types/{resource_type_id}"
+        ).format(system_id=system_id, resource_type_id=resource_type_id)
 
         ok, message, data = self._call_iam_api(http_put, path, data)
         return ok, message
 
     def batch_delete_resource_types(self, system_id, data):
-        path = "/api/v1/model/systems/{system_id}/resource-types?check_existence=false".format(system_id=system_id)
+        path = "/api/v1/model/systems/{system_id}/resource-types?check_existence=false".format(
+            system_id=system_id
+        )
         ok, message, data = self._call_iam_api(http_delete, path, data)
         return ok, message
 
@@ -129,49 +145,72 @@ def batch_add_actions(self, system_id, data):
         return ok, message
 
     def update_action(self, system_id, action_id, data):
-        path = "/api/v1/model/systems/{system_id}/actions/{action_id}".format(system_id=system_id, action_id=action_id)
+        path = "/api/v1/model/systems/{system_id}/actions/{action_id}".format(
+            system_id=system_id, action_id=action_id
+        )
         ok, message, data = self._call_iam_api(http_put, path, data)
         return ok, message
 
     def batch_delete_actions(self, system_id, data):
-        path = "/api/v1/model/systems/{system_id}/actions?check_existence=false".format(system_id=system_id)
+        path = "/api/v1/model/systems/{system_id}/actions?check_existence=false".format(
+            system_id=system_id
+        )
         ok, message, data = self._call_iam_api(http_delete, path, data)
         return ok, message
 
     # register create association permission action.
     def add_resource_creator_actions(self, system_id, data):
-        path = "/api/v1/model/systems/{system_id}/configs/resource_creator_actions".format(system_id=system_id)
+        path = (
+            "/api/v1/model/systems/{system_id}/configs/resource_creator_actions".format(
+                system_id=system_id
+            )
+        )
         ok, message, data = self._call_iam_api(http_post, path, data)
         return ok, message
 
     # update create association permission action.
     def update_resource_creator_actions(self, system_id, data):
-        path = "/api/v1/model/systems/{system_id}/configs/resource_creator_actions".format(system_id=system_id)
+        path = (
+            "/api/v1/model/systems/{system_id}/configs/resource_creator_actions".format(
+                system_id=system_id
+            )
+        )
         ok, message, data = self._call_iam_api(http_put, path, data)
         return ok, message
 
     # return resource instance creator to iam, esb needed.
     def grant_resource_creator_actions(self, bk_token, bk_username, data):
         path = "/api/c/compapi/v2/iam/authorization/resource_creator_action/"
 
-        ok, message, _data = self._call_esb_api(http_post, path, data, bk_token, bk_username, timeout=5)
+        ok, message, _data = self._call_esb_api(
+            http_post,
+            path,
+            data,
+            bk_token,
+            bk_username,
+            timeout=settings.IAM_SDK_CLIENT_TIMEOUT,
+        )
         if not ok:
             return False, message
 
         return True, "success"
 
     # ---------- action-topology
     def add_action_topology(self, system_id, action_type, data):
-        path = "/api/v1/model/systems/{system_id}/action-topologies/{action_type}".format(
-            system_id=system_id, action_type=action_type
+        path = (
+            "/api/v1/model/systems/{system_id}/action-topologies/{action_type}".format(
+                system_id=system_id, action_type=action_type
+            )
         )
         ok, message, data = self._call_iam_api(http_post, path, data)
         # if alreay exists, return true
         return ok, message
 
     def update_action_topology(self, system_id, action_type, data):
-        path = "/api/v1/model/systems/{system_id}/action-topologies/{action_type}".format(
-            system_id=system_id, action_type=action_type
+        path = (
+            "/api/v1/model/systems/{system_id}/action-topologies/{action_type}".format(
+                system_id=system_id, action_type=action_type
+            )
         )
         ok, message, data = self._call_iam_api(http_put, path, data)
         # if alreay exists, return true
@@ -186,7 +225,7 @@ def query(self, system_id):
     # ---------- ping
     def ping(self):
         url = "{host}{path}".format(host=self._host, path="/ping")
-        ok, data = http_get(url, None, timeout=5)
+        ok, data = http_get(url, None, timeout=settings.IAM_SDK_CLIENT_TIMEOUT)
         return ok, data
 
     # ---------- query system_id_set/resource_type_id_set, action_id_set
@@ -260,22 +299,43 @@ def get_token(self, system_id):
     def get_apply_url(self, bk_token, bk_username, data):
         path = "/api/c/compapi/v2/iam/application/"
 
-        ok, message, _data = self._call_esb_api(http_post, path, data, bk_token, bk_username, timeout=5)
+        ok, message, _data = self._call_esb_api(
+            http_post,
+            path,
+            data,
+            bk_token,
+            bk_username,
+            timeout=settings.IAM_SDK_CLIENT_TIMEOUT,
+        )
         if not ok:
             return False, message, ""
 
         return True, "success", _data.get("url", "")
 
     def instance_authorization(self, bk_token, bk_username, data):
         path = "/api/c/compapi/v2/iam/authorization/instance/"
-        ok, message, _data = self._call_esb_api(http_post, path, data, bk_token, bk_username, timeout=5)
+        ok, message, _data = self._call_esb_api(
+            http_post,
+            path,
+            data,
+            bk_token,
+            bk_username,
+            timeout=settings.IAM_SDK_CLIENT_TIMEOUT,
+        )
         if not ok:
             return False, message, ""
         return True, "success", _data.get("token", "")
 
     def path_authorization(self, bk_token, bk_username, data):
         path = "/api/c/compapi/v2/iam/authorization/path/"
-        ok, message, _data = self._call_esb_api(http_post, path, data, bk_token, bk_username, timeout=5)
+        ok, message, _data = self._call_esb_api(
+            http_post,
+            path,
+            data,
+            bk_token,
+            bk_username,
+            timeout=settings.IAM_SDK_CLIENT_TIMEOUT,
+        )
         if not ok:
             return False, message, ""
         return True, "success", _data.get("token", "")

iam/contrib/iam_migration/migrations/0002_update.py

@@ -21,6 +21,6 @@ class Migration(migrations.Migration):
     if settings.ENVIRONMENT == "dev":
         migration_json = "initial_dev.json"
 
-    dependencies = [('iam_migration', '0001_initial')]
+    dependencies = [("iam_migration", "0001_initial")]
 
-    operations = [migrations.RunPython(forward_func)]
+    operations = []

itsm/auth_iam/utils.py

@@ -244,6 +244,11 @@ def grant_resource_creator_related_actions(
     :param bk_token: 用户登录态
     :return:
     """
+
+    # 对于创建人是 admin 的资源，无需关联授权
+    if creator == "admin":
+        return
+
     iam_client = Client(
         settings.APP_CODE,
         settings.SECRET_KEY,
@@ -284,6 +289,9 @@ def grant_instance_creator_related_actions(
     :return:
     """
 
+    if instance.creator == "admin":
+        return
+
     resource_type = instance.auth_resource["resource_type"]
     if isinstance(instance, TemplateField):
         if instance.project_key == PUBLIC_PROJECT_PROJECT_KEY: