feat: IAM权限中心切换APIGW标准化 (closed #2433)

apps/iam/handlers/permission.py

@@ -62,7 +62,13 @@ def get_iam_client(cls):
             return DummyIAM(
                 settings.APP_ID, settings.APP_TOKEN, settings.BK_IAM_INNER_HOST, settings.BK_PAAS_INNER_HOST
             )
-        return IAM(settings.APP_ID, settings.APP_TOKEN, settings.BK_IAM_INNER_HOST, settings.BK_PAAS_INNER_HOST)
+        return IAM(
+            settings.APP_ID,
+            settings.APP_TOKEN,
+            settings.BK_IAM_INNER_HOST,
+            settings.BK_PAAS_INNER_HOST,
+            settings.BKAPP_BK_IAM_APIGATEWAY,
+        )
 
     def make_request(self, action: Union[ActionMeta, str], resources: List[Resource] = None) -> Request:
         """

apps/node_man/constants.py

@@ -78,9 +78,9 @@ class TimeUnit:
 # 自动选择接入点ID
 DEFAULT_AP_ID = int(os.environ.get("DEFAULT_AP_ID", -1))
 # 自动选择安装通道ID
-DEFAULT_INSTALL_CHANNEL_ID = int(os.environ.get("DEFAULT_INSTALL_CHANNEL_ID", -1))
+DEFAULT_INSTALL_CHANNEL_ID = int(os.environ.get("BKAPP_DEFAULT_INSTALL_CHANNEL_ID", -1))
 # 自动选择的云区域ID
-AUTOMATIC_CHOICE_CLOUD_ID = int(os.environ.get("AUTOMATIC_CHOICE_CLOUD_ID", -1))
+AUTOMATIC_CHOICE_CLOUD_ID = int(os.environ.get("BKAPP_AUTOMATIC_CHOICE_CLOUD_ID", -1))
 # 自动选择
 AUTOMATIC_CHOICE = os.environ.get("AUTOMATIC_CHOICE", _("自动选择"))
 # 默认安装通道

apps/node_man/handlers/iam.py

@@ -41,7 +41,11 @@ class IamHandler(APIModel):
 
     if settings.USE_IAM:
         _iam = IAM(
-            settings.APP_CODE, settings.SECRET_KEY, settings.BK_IAM_INNER_HOST, settings.BK_COMPONENT_API_OVERWRITE_URL
+            settings.APP_CODE,
+            settings.SECRET_KEY,
+            settings.BK_IAM_INNER_HOST,
+            settings.BK_COMPONENT_API_OVERWRITE_URL,
+            settings.BKAPP_BK_IAM_APIGATEWAY,
         )
     else:
         _iam = object

apps/node_man/iam_provider.py

@@ -126,6 +126,9 @@ def list_instance_by_policy(self, filter, page, **options):
         """
         return ListResult(results=[], count=0)
 
+    def search_instance(self, filter, page, **options):
+        pass
+
 
 class CloudResourceProvider(ResourceProvider):
     """
@@ -320,6 +323,9 @@ def list_instance_by_policy(self, filter, page, **options):
         """
         return ListResult(results=[], count=0)
 
+    def search_instance(self, filter, page, **options):
+        pass
+
 
 class PackageResourceProvider(ResourceProvider):
     """
@@ -591,7 +597,11 @@ class IamRegister(object):
 
     def __init__(self):
         self._iam = IAM(
-            settings.APP_CODE, settings.SECRET_KEY, settings.BK_IAM_INNER_HOST, settings.BK_COMPONENT_API_OVERWRITE_URL
+            settings.APP_CODE,
+            settings.SECRET_KEY,
+            settings.BK_IAM_INNER_HOST,
+            settings.BK_COMPONENT_API_OVERWRITE_URL,
+            settings.BKAPP_BK_IAM_APIGATEWAY,
         )
 
     def register_system(self):

apps/node_man/tests/utils.py

@@ -1177,11 +1177,12 @@ def get_apply_data(self, *args, **kwargs):
 
 
 class MockIAM(object):
-    def __init__(self, app_code, secret_key, bk_iam_inner_host, bk_component_api_url):
+    def __init__(self, app_code, secret_key, bk_iam_inner_host, bk_component_api_url, bk_apigateway_url):
         self.app_code = app_code
         self.secret_key = secret_key
         self.bk_iam_inner_host = bk_iam_inner_host
         self.bk_component_api_url = bk_component_api_url
+        self.bk_apigateway_url = bk_apigateway_url
 
     class _client:
         @staticmethod

config/default.py

@@ -338,6 +338,8 @@
 BK_IAM_CMDB_SYSTEM_ID = os.getenv("BKAPP_IAM_CMDB_SYSTEM_ID", "bk_cmdb")
 BK_IAM_MIGRATION_JSON_PATH = os.path.join(PROJECT_ROOT, "support-files/bkiam")
 BK_IAM_RESOURCE_API_HOST = env.BK_IAM_RESOURCE_API_HOST
+# IAM网关
+BKAPP_BK_IAM_APIGATEWAY = env.BKAPP_BK_IAM_APIGATEWAY
 
 BK_IAM_MIGRATION_APP_NAME = "iam_migrations"
 BK_IAM_SKIP = False

env/__init__.py

@@ -70,6 +70,8 @@
     # 自动选择安装通道相关配置
     "BKAPP_DEFAULT_INSTALL_CHANNEL_ID",
     "BKAPP_AUTOMATIC_CHOICE_CLOUD_ID",
+    # IAM网关路由
+    "BKAPP_BK_IAM_APIGATEWAY",
 ]
 
 # ===============================================================================
@@ -96,6 +98,7 @@
 )
 BKAPP_DEFAULT_INSTALL_CHANNEL_ID = get_type_env(key="BKAPP_DEFAULT_INSTALL_CHANNEL_ID", default=-1, _type=int)
 BKAPP_AUTOMATIC_CHOICE_CLOUD_ID = get_type_env(key="BKAPP_AUTOMATIC_CHOICE_CLOUD_ID", default=-1, _type=int)
+BKAPP_BK_IAM_APIGATEWAY = get_type_env(key="BKAPP_BK_IAM_APIGATEWAY", default="", _type=str)
 
 # ===============================================================================
 # 日志

requirements.txt

@@ -63,7 +63,7 @@ django-versionlog==1.6.0
 tencentcloud-sdk-python==3.0.1210
 
 # Iam SDK
-bk-iam==1.1.14
+bk-iam==1.3.6
 
 # 自监控
 supervisor==4.2.2

support-files/kubernetes/helm/bk-nodeman/README.md

@@ -311,6 +311,7 @@ externalRabbitMQ:
 | `config.bkAppIamResourceApiHost`         | 蓝鲸权限中心相关配置，权限中心拉取权限相关资源的访问地址，默认取 `{{ .Values.bkNodemanUrl }}`                                                                                                                                           | `""`                                                |
 | `config.bkAppBkNodeApiGateway`           | 组件 API 接入地址，节点管理网关地址，用于覆盖  `bkComponentApiUrl` 访问节点管理<br />⚠️ 配置为 `{{ .Values.bkNodemanApiUrl }`} 由于 JWT 校验问题，会导致 Agent 安装步骤中「安装预制插件」失败                                                                 | `""`                                                |
 | `config.bkAppBkGseApiGateway`            | 管控平台 API 访问地址，用于覆盖 `bkComponentApiUrl` 访问管控平台 API                                                                                                                                                       | `""`                                                |
+| `config.bkAppBkIamApiGateway`            | 权限中心 API 访问地址，用于覆盖 bkComponentApiUrl 访问权限中心 API 及标准化认证                                                                                                                                                  | `""`                                                |
 | `config.bkAppBackendHost`                | 节点管理自身模块依赖，后台访问地址，渲染时为空默认取 `{{ .Values.bkNodemanApiUrl }}`                                                                                                                                              | `""`                                                |
 | `config.bkAppNodemanCallbackUrl`         | 节点管理自身模块依赖，后台内网回调地址，渲染时为空取 `{{ .Values.bkNodemanUrl }}/backend`                                                                                                                                         | `""`                                                |
 | `config.bkAppNodemanOuterCallbackUrl`    | 节点管理自身模块依赖，后台外网回调地址，渲染时为空取 `{{ .Values.bkNodemanUrl }}/backend`                                                                                                                                         | `""`                                                |
@@ -347,11 +348,11 @@ externalRabbitMQ:
 | `config.concurrentNumber`                | 线程最大并发数                                                                                                                                                                                                 | `50`                                                |
 | `config.bkAppNavOpenSourceUrl`           | 导航栏开源社区地址                                                                                                                                                                                               | `https://github.com/TencentBlueKing/bk-nodeman`     |
 | `config.bkAppNavHelperUrl`               | 导航栏技术支持地址                                                                                                                                                                                               | `https://wpa1.qq.com/KziXGWJs?_type=wpa&qidian=true` |
-| `config.bkAppSyncProcStatusTaskInterval` | 插件进程状态同步周期                                                                                                                                                                                               | `20 * 60`                                           |
-| `config.bkAppScriptHooks`                | Agent安装前置脚本                                                                                                                                                                                               | `""`                                           |
-| `config.bkAppIEODActiveFirewallPolicyScriptInfo`                | WINDOWS IEOD脚本内容                                                                                                                                                                                               | `""`                                           |
-| `config.bkAppDefaultInstallChannelId`                | 自动选择安装通道ID                                                                                                                                                                                               | `-1`                                           |
-| `config.bkAppAutomaticChoiceCloudId`                | 自动选择安装通道对应云区域ID                                                                                                                                                                                               | `-1`                                           |
+| `config.bkAppSyncProcStatusTaskInterval` | 插件进程状态同步周期                                                                                                                                                                                              | `20 * 60`                                           |
+| `config.bkAppScriptHooks`                | Agent安装前置脚本                                                                                                                                                                                             | `""`                                           |
+| `config.bkAppIEODActiveFirewallPolicyScriptInfo`                | WINDOWS IEOD脚本内容                                                                                                                                                                                        | `""`                                           |
+| `config.bkAppDefaultInstallChannelId`                | 自动选择安装通道ID                                                                                                                                                                                              | `-1`                                           |
+| `config.bkAppAutomaticChoiceCloudId`                | 自动选择安装通道对应云区域ID                                                                                                                                                                                         | `-1`                                           |
 
 ## 额外的环境变量
 

support-files/kubernetes/helm/bk-nodeman/templates/configmaps/env-configmap.yaml

@@ -57,6 +57,7 @@ data:
   {{- if .Values.config.bkAppBkGseApiGateway }}
   BKAPP_BK_GSE_APIGATEWAY: "{{ .Values.config.bkAppBkGseApiGateway }}/"
   {{- end }}
+  BKAPP_BK_IAM_APIGATEWAY: "{{ .Values.config.bkAppBkIamApiGateway}}"
 
   BK_NODEMAN_URL: "{{ .Values.bkNodemanUrl }}"
   BKAPP_BACKEND_HOST: "{{ .Values.config.bkAppBackendHost | default .Values.bkNodemanApiUrl }}"

support-files/kubernetes/helm/bk-nodeman/values.yaml

@@ -364,6 +364,8 @@ config:
   bkAppBkNodeApiGateway: ""
   ## 管控平台 API 访问地址，用于覆盖 bkComponentApiUrl 访问管控平台 API
   bkAppBkGseApiGateway: ""
+  ## 权限中心 API 访问地址，用于覆盖 bkComponentApiUrl 访问权限中心 API 及标准化认证
+  bkAppBkIamApiGateway: ""
 
   ## 节点管理自身模块依赖
   ##