perf: 优化 vault 配置 (#11313)

Co-authored-by: feng <1304903146@qq.com>
fit2bot 2023-08-17 12:12:58 +08:00 committed by GitHub
parent a084bc9962
commit b20abb494f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 14 additions and 24 deletions


@ -12,8 +12,9 @@ logger = get_logger(__file__)
def get_vault_client(raise_exception=False, **kwargs): def get_vault_client(raise_exception=False, **kwargs):
enabled = kwargs.get('VAULT_ENABLED')
tp = 'hcp' if enabled else 'local'
try: try:
tp = kwargs.get('VAULT_TYPE')
module_path = f'apps.accounts.backends.{tp}.main' module_path = f'apps.accounts.backends.{tp}.main'
client = import_module(module_path).Vault(**kwargs) client = import_module(module_path).Vault(**kwargs)
except Exception as e: except Exception as e:
@ -22,7 +23,6 @@ def get_vault_client(raise_exception=False, **kwargs):
raise raise
tp = VaultTypeChoices.local tp = VaultTypeChoices.local
module_path = f'apps.accounts.backends.{tp}.main' module_path = f'apps.accounts.backends.{tp}.main'
kwargs['VAULT_TYPE'] = tp
client = import_module(module_path).Vault(**kwargs) client = import_module(module_path).Vault(**kwargs)
return client return client
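Review bot: The fallback branch at the end of the function still builds the local backend from the caller's kwargs, so after an HCP import or construction failure the client is created with `VAULT_ENABLED=True` and `BaseVault.enabled` reports True for what is actually the local store; the removed `kwargs['VAULT_TYPE'] = tp` line used to keep the fallback client self-describing. Set `kwargs['VAULT_ENABLED'] = False` before the fallback `client = import_module(module_path).Vault(**kwargs)` so consumers that test `vault_client.enabled` (the sync task relies on exactly this) see the backend really in use. The literals in `tp = 'hcp' if enabled else 'local'` duplicate `VaultTypeChoices`, which this same function already uses for the fallback; `tp = VaultTypeChoices.hcp if enabled else VaultTypeChoices.local` keeps one source of truth, assuming the enum has an `hcp` member (not visible here). Silently degrading from an external vault to local storage changes where secrets end up, so the fallback deserves at least a warning-level log naming the failure. The `except` body between the two hunks is not shown.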


@ -8,10 +8,7 @@ __all__ = ['BaseVault']
class BaseVault(ABC): class BaseVault(ABC):
def __init__(self, *args, **kwargs): def __init__(self, *args, **kwargs):
self.type = kwargs.get('VAULT_TYPE') self.enabled = kwargs.get('VAULT_ENABLED')
def is_type(self, tp):
return self.type == tp
def get(self, instance): def get(self, instance):
""" 返回 secret 值 """ """ 返回 secret 值 """
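Review bot: `self.enabled = kwargs.get('VAULT_ENABLED')` stores None when the key is absent, so the attribute is tri-state rather than the boolean its name and the callers' `if not vault_client.enabled` suggest; `self.enabled = bool(kwargs.get('VAULT_ENABLED', False))` pins it. A comment such as `# True when the HCP backend was requested; does not by itself prove which backend was constructed` would record that the flag is copied from configuration rather than derived from the concrete subclass. The class body continues past the hunk.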


@ -8,7 +8,6 @@ from accounts.backends import vault_client
from accounts.models import Account, AccountTemplate from accounts.models import Account, AccountTemplate
from common.utils import get_logger from common.utils import get_logger
from orgs.utils import tmp_to_root_org from orgs.utils import tmp_to_root_org
from ..const import VaultTypeChoices
logger = get_logger(__name__) logger = get_logger(__name__)
@ -31,9 +30,9 @@ def sync_instance(instance):
@shared_task(verbose_name=_('Sync secret to vault')) @shared_task(verbose_name=_('Sync secret to vault'))
def sync_secret_to_vault(): def sync_secret_to_vault():
if vault_client.is_type(VaultTypeChoices.local): if not vault_client.enabled:
# 这里不能判断 settings.VAULT_TYPE, 必须判断当前 vault_client 的类型 # 这里不能判断 settings.VAULT_ENABLED, 必须判断当前 vault_client 的类型
print('\033[35m>>> 当前 Vault 类型为本地数据库, 不需要同步') print('\033[35m>>> 当前 Vault 功能未开启, 不需要同步')
return return
failed, skipped, succeeded = 0, 0, 0 failed, skipped, succeeded = 0, 0, 0
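Review bot: The early-return path in `sync_secret_to_vault` reports via `print` with an ANSI colour escape, while the module already defines `logger = get_logger(__name__)`; in a Celery task stdout is easy to lose and the escape sequence pollutes captured output. Replace it with `logger.info('Vault is disabled, skipping secret sync')` (or keep the Chinese text if the project logs in Chinese). The comment above it correctly explains why `vault_client.enabled` rather than `settings.VAULT_ENABLED` is checked; note that this guard is only as trustworthy as the value `get_vault_client` stores on the fallback client. The function body continues outside the hunk.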


@ -255,7 +255,7 @@ class Config(dict):
'AUTH_TEMP_TOKEN': False, 'AUTH_TEMP_TOKEN': False,
# Vault # Vault
'VAULT_TYPE': 'local', 'VAULT_ENABLED': False,
'VAULT_HCP_HOST': '', 'VAULT_HCP_HOST': '',
'VAULT_HCP_TOKEN': '', 'VAULT_HCP_TOKEN': '',
'VAULT_HCP_MOUNT_POINT': 'jumpserver', 'VAULT_HCP_MOUNT_POINT': 'jumpserver',


@ -175,7 +175,7 @@ AUTH_OAUTH2_LOGOUT_URL_NAME = "authentication:oauth2:logout"
AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN
# Vault # Vault
VAULT_TYPE = CONFIG.VAULT_TYPE VAULT_ENABLED = CONFIG.VAULT_ENABLED
VAULT_HCP_HOST = CONFIG.VAULT_HCP_HOST VAULT_HCP_HOST = CONFIG.VAULT_HCP_HOST
VAULT_HCP_TOKEN = CONFIG.VAULT_HCP_TOKEN VAULT_HCP_TOKEN = CONFIG.VAULT_HCP_TOKEN
VAULT_HCP_MOUNT_POINT = CONFIG.VAULT_HCP_MOUNT_POINT VAULT_HCP_MOUNT_POINT = CONFIG.VAULT_HCP_MOUNT_POINT


@ -29,7 +29,7 @@ class VaultTestingAPI(GenericAPIView):
def post(self, request): def post(self, request):
config = self.get_config(request) config = self.get_config(request)
config['VAULT_TYPE'] = settings.VAULT_TYPE config['VAULT_ENABLED'] = settings.VAULT_ENABLED
try: try:
client = get_vault_client(raise_exception=True, **config) client = get_vault_client(raise_exception=True, **config)
ok, error = client.is_active() ok, error = client.is_active()
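Review bot: `config['VAULT_ENABLED'] = settings.VAULT_ENABLED` overrides the request with the server-wide flag, so the connection test exercises whichever backend is currently enabled rather than the HCP settings submitted in the request; with `VAULT_ENABLED` False, `get_vault_client` will instantiate the local backend and `is_active()` presumably succeeds regardless of the submitted host or token, so an operator cannot validate HCP credentials before switching the feature on. If validating the submitted settings is the intent, force `config['VAULT_ENABLED'] = True` here (with `raise_exception=True` already set, a bad HCP config then surfaces as an error); otherwise add a comment stating that the endpoint tests only the active backend. `get_config` and the remainder of `post` are outside the hunk, so the exact response shape is not verified here.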


@ -3,7 +3,6 @@ import uuid
from django.utils.translation import gettext_lazy as _ from django.utils.translation import gettext_lazy as _
from rest_framework import serializers from rest_framework import serializers
from accounts.const import VaultTypeChoices
from common.serializers.fields import EncryptedField from common.serializers.fields import EncryptedField
__all__ = [ __all__ = [
@ -41,9 +40,8 @@ class AnnouncementSettingSerializer(serializers.Serializer):
class VaultSettingSerializer(serializers.Serializer): class VaultSettingSerializer(serializers.Serializer):
PREFIX_TITLE = _('Vault') PREFIX_TITLE = _('Vault')
VAULT_TYPE = serializers.ChoiceField( VAULT_ENABLED = serializers.BooleanField(
default=VaultTypeChoices.local, choices=VaultTypeChoices.choices, required=False, label=_('Enable Vault'), read_only=True
required=False, label=_('Type')
) )
VAULT_HCP_HOST = serializers.CharField( VAULT_HCP_HOST = serializers.CharField(
max_length=256, allow_blank=True, required=False, label=_('Host') max_length=256, allow_blank=True, required=False, label=_('Host')
@ -55,10 +53,6 @@ class VaultSettingSerializer(serializers.Serializer):
max_length=256, allow_blank=True, required=False, label=_('Mount Point') max_length=256, allow_blank=True, required=False, label=_('Mount Point')
) )
def validate(self, attrs):
attrs.pop('VAULT_TYPE', None)
return attrs
class TicketSettingSerializer(serializers.Serializer): class TicketSettingSerializer(serializers.Serializer):
PREFIX_TITLE = _('Ticket') PREFIX_TITLE = _('Ticket')
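Review bot: `required=False` on the new `VAULT_ENABLED` field is redundant with `read_only=True`, since DRF never consumes a read-only field from input; `VAULT_ENABLED = serializers.BooleanField(label=_('Enable Vault'), read_only=True)` says the same thing. Because the field is read-only, dropping the old `validate` hook that popped the type key is consistent, but a short comment such as `# Toggled in the config file (see VAULT_ENABLED), not through this API` would make the intent explicit for the next reader. The HCP credential fields above this hunk are outside the view, so whether the token uses `EncryptedField` is not checked here.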


@ -53,7 +53,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
TICKETS_ENABLED = serializers.BooleanField() TICKETS_ENABLED = serializers.BooleanField()
CONNECTION_TOKEN_REUSABLE = serializers.BooleanField() CONNECTION_TOKEN_REUSABLE = serializers.BooleanField()
CACHE_LOGIN_PASSWORD_ENABLED = serializers.BooleanField() CACHE_LOGIN_PASSWORD_ENABLED = serializers.BooleanField()
VAULT_TYPE = serializers.CharField() VAULT_ENABLED = serializers.BooleanField()
class ServerInfoSerializer(serializers.Serializer): class ServerInfoSerializer(serializers.Serializer):


@ -96,6 +96,6 @@ REDIS_PORT: 6379
# 仅允许已存在的用户登录,不允许第三方认证后,自动创建用户 # 仅允许已存在的用户登录,不允许第三方认证后,自动创建用户
# ONLY_ALLOW_EXIST_USER_AUTH: False # ONLY_ALLOW_EXIST_USER_AUTH: False
# 当前存储的类型,默认 local新增类型 hcp 为远端 vault 存储 # 开启 Vault 账号存储
# VAULT_TYPE: local # VAULT_ENABLED: False