perf: 优化 vault 配置 (#11313)

Co-authored-by: feng <1304903146@qq.com>
2023-08-17 12:12:58 +08:00 · 2023-08-17 12:12:58 +08:00 · b20abb494f
parent a084bc9962
commit b20abb494f
9 changed files with 14 additions and 24 deletions
--- a/apps/accounts/backends/init.py
+++ b/apps/accounts/backends/init.py
@ -12,8 +12,9 @@ logger = get_logger(__file__)


 def get_vault_client(raise_exception=False, **kwargs):
+    enabled = kwargs.get('VAULT_ENABLED')
+    tp = 'hcp' if enabled else 'local'
    try:
-        tp = kwargs.get('VAULT_TYPE')
        module_path = f'apps.accounts.backends.{tp}.main'
        client = import_module(module_path).Vault(**kwargs)
    except Exception as e:
@ -22,7 +23,6 @@ def get_vault_client(raise_exception=False, **kwargs):
            raise
        tp = VaultTypeChoices.local
        module_path = f'apps.accounts.backends.{tp}.main'
-        kwargs['VAULT_TYPE'] = tp
        client = import_module(module_path).Vault(**kwargs)
    return client

--- a/apps/accounts/backends/base.py
+++ b/apps/accounts/backends/base.py
@ -8,10 +8,7 @@ __all__ = ['BaseVault']
 class BaseVault(ABC):

    def __init__(self, *args, **kwargs):
-        self.type = kwargs.get('VAULT_TYPE')
-
-    def is_type(self, tp):
-        return self.type == tp
+        self.enabled = kwargs.get('VAULT_ENABLED')

    def get(self, instance):
        """ 返回 secret 值 """
--- a/apps/accounts/tasks/vault.py
+++ b/apps/accounts/tasks/vault.py
@ -8,7 +8,6 @@ from accounts.backends import vault_client
 from accounts.models import Account, AccountTemplate
 from common.utils import get_logger
 from orgs.utils import tmp_to_root_org
-from ..const import VaultTypeChoices

 logger = get_logger(__name__)

@ -31,9 +30,9 @@ def sync_instance(instance):

@shared_task(verbose_name=_('Sync secret to vault'))
 def sync_secret_to_vault():
-    if vault_client.is_type(VaultTypeChoices.local):
-        # 这里不能判断 settings.VAULT_TYPE, 必须判断当前 vault_client 的类型
-        print('\033[35m>>> 当前 Vault 类型为本地数据库, 不需要同步')
+    if not vault_client.enabled:
+        # 这里不能判断 settings.VAULT_ENABLED, 必须判断当前 vault_client 的类型
+        print('\033[35m>>> 当前 Vault 功能未开启, 不需要同步')
        return

    failed, skipped, succeeded = 0, 0, 0
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -255,7 +255,7 @@ class Config(dict):
        'AUTH_TEMP_TOKEN': False,

        # Vault
-        'VAULT_TYPE': 'local',
+        'VAULT_ENABLED': False,
        'VAULT_HCP_HOST': '',
        'VAULT_HCP_TOKEN': '',
        'VAULT_HCP_MOUNT_POINT': 'jumpserver',
--- a/apps/jumpserver/settings/auth.py
+++ b/apps/jumpserver/settings/auth.py
@ -175,7 +175,7 @@ AUTH_OAUTH2_LOGOUT_URL_NAME = "authentication:oauth2:logout"
 AUTH_TEMP_TOKEN = CONFIG.AUTH_TEMP_TOKEN

 # Vault
-VAULT_TYPE = CONFIG.VAULT_TYPE
+VAULT_ENABLED = CONFIG.VAULT_ENABLED
 VAULT_HCP_HOST = CONFIG.VAULT_HCP_HOST
 VAULT_HCP_TOKEN = CONFIG.VAULT_HCP_TOKEN
 VAULT_HCP_MOUNT_POINT = CONFIG.VAULT_HCP_MOUNT_POINT
--- a/apps/settings/api/vault.py
+++ b/apps/settings/api/vault.py
@ -29,7 +29,7 @@ class VaultTestingAPI(GenericAPIView):

    def post(self, request):
        config = self.get_config(request)
-        config['VAULT_TYPE'] = settings.VAULT_TYPE
+        config['VAULT_ENABLED'] = settings.VAULT_ENABLED
        try:
            client = get_vault_client(raise_exception=True, **config)
            ok, error = client.is_active()
--- a/apps/settings/serializers/feature.py
+++ b/apps/settings/serializers/feature.py
@ -3,7 +3,6 @@ import uuid
 from django.utils.translation import gettext_lazy as _
 from rest_framework import serializers

-from accounts.const import VaultTypeChoices
 from common.serializers.fields import EncryptedField

 __all__ = [
@ -41,9 +40,8 @@ class AnnouncementSettingSerializer(serializers.Serializer):
 class VaultSettingSerializer(serializers.Serializer):
    PREFIX_TITLE = _('Vault')

-    VAULT_TYPE = serializers.ChoiceField(
-        default=VaultTypeChoices.local, choices=VaultTypeChoices.choices,
-        required=False, label=_('Type')
+    VAULT_ENABLED = serializers.BooleanField(
+        required=False, label=_('Enable Vault'), read_only=True
    )
    VAULT_HCP_HOST = serializers.CharField(
        max_length=256, allow_blank=True, required=False, label=_('Host')
@ -55,10 +53,6 @@ class VaultSettingSerializer(serializers.Serializer):
        max_length=256, allow_blank=True, required=False, label=_('Mount Point')
    )

-    def validate(self, attrs):
-        attrs.pop('VAULT_TYPE', None)
-        return attrs
-

 class TicketSettingSerializer(serializers.Serializer):
    PREFIX_TITLE = _('Ticket')
--- a/apps/settings/serializers/public.py
+++ b/apps/settings/serializers/public.py
@ -53,7 +53,7 @@ class PrivateSettingSerializer(PublicSettingSerializer):
    TICKETS_ENABLED = serializers.BooleanField()
    CONNECTION_TOKEN_REUSABLE = serializers.BooleanField()
    CACHE_LOGIN_PASSWORD_ENABLED = serializers.BooleanField()
-    VAULT_TYPE = serializers.CharField()
+    VAULT_ENABLED = serializers.BooleanField()


 class ServerInfoSerializer(serializers.Serializer):
--- a/config_example.yml
+++ b/config_example.yml
@ -96,6 +96,6 @@ REDIS_PORT: 6379
 # 仅允许已存在的用户登录，不允许第三方认证后，自动创建用户
 # ONLY_ALLOW_EXIST_USER_AUTH: False

-# 当前存储的类型，默认 local，新增类型 hcp 为远端 vault 存储
-# VAULT_TYPE: local
+# 开启 Vault 账号存储
+# VAULT_ENABLED: False