其他
蓝鲸社区版5.1自主接入企业内部ldap
用户管理可以说是运维工作最基础的部分,随着企业的发展,我们面对的将不仅仅使一个或多个系统,用户也可能成倍增长。此时统一用户认证LDAP或许是你的一种解决方案。
蓝鲸作为腾讯互动娱乐事业群(Interactive Entertainment Group,简称 IEG)自研自用的一套用于构建企业研发运营一体化体系的 PaaS 开发框架,提供了 aPaaS(DevOps 流水线、运行环境托管、前后台框架)和 iPaaS(持续集成、CMDB、作业平台、容器管理、数据平台、AI 等原子平台)等模块,帮助企业技术人员快速构建基础运营 PaaS。
当二者结合在一起会给你工作带来意想不到的收获!
蓝鲸官方文档社区版: “蓝鲸登录接入企业内部登录”中已经通过接入google登录的例子进行说明;但是公司内部只有ldap作为内部服务的统一认证,并不提供相关登录API,难道我们还要再自己搭建API?
以上恐怕也是很多中小企业的现状,这种情况下该如何接入企业内部ldap呢?
源码分析
下面我们来分析下蓝鲸paas平台统一登录服务基本函数接口来看下登录流程,供我们参考
蓝鲸统一登录提供的基本函数
from bkaccount.accounts import Account从以上python的模块导入来看,蓝鲸的登录跳转函数主要由Account类实现,其中登录页面和登录动作的功能主要由login实现:
def login(self, request, template_name='login/login.html', authentication_form=AuthenticationForm, current_app=None, extra_context=None): """ 登录页面和登录动作 """ redirect_field_name = self.REDIRECT_FIELD_NAME redirect_to = request.POST.get(redirect_field_name, request.GET.get(redirect_field_name, '')) app_id = request.POST.get('app_id', request.GET.get('app_id', ''))
if request.method == 'POST': form = authentication_form(request, data=request.POST) if form.is_valid(): return self.login_success_response(request, form, redirect_to, app_id) else: form = authentication_form(request)
current_site = get_current_site(request) context = { 'form': form, redirect_field_name: redirect_to, 'site': current_site, 'site_name': current_site.name, 'app_id': app_id, } if extra_context is not None: context.update(extra_context) if current_app is not None: request.current_app = current_app
response = TemplateResponse(request, template_name, context) response = self.set_bk_token_invalid(request, response) return response其中当登录页面输入用户名、密码登录会发出POST请求,代码段如下:
if request.method == 'POST': form = authentication_form(request, data=request.POST) if form.is_valid(): return self.login_success_response(request, form, redirect_to, app_id) else: form = authentication_form(request)authentication_form处理接收提交到用户名和密码,引用自:
authentication_form=AuthenticationForm
from django.contrib.auth.forms import AuthenticationForm
其中AuthenticationForm是一个表单。
登录表单认证
AuthenticationForm是一个表单,定义如下:
class AuthenticationForm(forms.Form): """ Base class for authenticating users. Extend this to get a form that accepts username/password logins. """ username = forms.CharField(max_length=254) password = forms.CharField(label=_("Password"), widget=forms.PasswordInput)
error_messages = { 'invalid_login': _("Please enter a correct %(username)s and password. " "Note that both fields may be case-sensitive."), 'inactive': _("This account is inactive."), }
def __init__(self, request=None, *args, **kwargs): """ The 'request' parameter is set for custom auth use by subclasses. The form data comes in via the standard 'data' kwarg. """ self.request = request self.user_cache = None super(AuthenticationForm, self).__init__(*args, **kwargs)
# Set the label for the "username" field. UserModel = get_user_model() self.username_field = UserModel._meta.get_field(UserModel.USERNAME_FIELD) if self.fields['username'].label is None: self.fields['username'].label = capfirst(self.username_field.verbose_name)
def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password')
if username and password: self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: raise forms.ValidationError( self.error_messages['invalid_login'], code='invalid_login', params={'username': self.username_field.verbose_name}, ) else: self.confirm_login_allowed(self.user_cache)
return self.cleaned_data
def confirm_login_allowed(self, user): """ Controls whether the given User may log in. This is a policy setting, independent of end-user authentication. This default behavior is to allow login by active users, and reject login by inactive users.
If the given user cannot log in, this method should raise a ``forms.ValidationError``.
If the given user may log in, this method should return None. """ if not user.is_active: raise forms.ValidationError( self.error_messages['inactive'], code='inactive', )
def get_user_id(self): if self.user_cache: return self.user_cache.id return None
def get_user(self): return self.user_cachedjango的表单功能我们可以知道,获取到前端request.post的数据需要经表单进行clean验证,最终返回cleaned_data字典,代码段如下:
def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password')
if username and password: self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: raise forms.ValidationError( self.error_messages['invalid_login'], code='invalid_login', params={'username': self.username_field.verbose_name}, ) else: self.confirm_login_allowed(self.user_cache)
return self.cleaned_data从代码看出,如果用户名、密码不为空,调用authenticate进行验证。
引用来自:
from
django.contrib.auth import authenticate
而authenticate正是自定义接入企业登录模块需要重写的函数,也就和“蓝鲸登录接入企业内部登录”中的说明对上了。
登录总结
公司在没有登录API的情况下,我们最终可以通过重写AuthenticationForm表单的clean方法来进行自主本地认证。
企业接入
登录功能描述
1.普通用户登录先经ldap认证
a.若ldap中存在,蓝鲸中不存在,则创建新用户并将其设置为普通用户;
b.若ldap中不存在,则进入蓝鲸默认的页面跳转动作;
2.admin用户登录跳过ldap认证,直接走蓝鲸认证;
思考:
对于ldap无法连接或连接失败的状况,可以跳过ldap认证,走蓝鲸认证。这个功能在本次开发中没有完成,大家可自行实现。
目录结构
ee_login/├── enterprise_ldap ##自定义登录模块目录│ ├── backends.py ##验证用户合法性 │ ├── __init__.py│ ├── ldap.py ##接入ldap并获取用户信息│ ├── utils.py ##自定义表单,集成AuthenticationForm,重写clean方法│ ├── views.py ##登录处理逻辑函数├── __init__.py└── settings_login.py ##自定义登录配置文件
创建模块目录及配置文件
#paas所在机器#安装ldap模块workon open_paas-loginpip install ldap3一定要是在open_paas-login这个虚拟环境下,否则ldap会找不到
#中控机cd /data/bkce/open_paas/login/ee_login#创建自定义登录模块目录#此目录下的py文件可使用以下代码部分直接创建即可mkdir enterprise_ldap#修改配置文件vim settings_login.py# -*- coding: utf-8 -*-# 蓝鲸登录方式:bk_login# 自定义登录方式:custom_login
#LOGIN_TYPE = 'bk_login'LOGIN_TYPE = 'custom_login'
# 默认bk_login,无需设置其他配置
############################ 自定义登录 custom_login ############################# 配置自定义登录请求和登录回调的响应函数, 如:CUSTOM_LOGIN_VIEW = 'ee_official_login.oauth.google.views.login'CUSTOM_LOGIN_VIEW = 'ee_login.enterprise_ldap.views.login'# 配置自定义验证是否登录的认证函数, 如:CUSTOM_AUTHENTICATION_BACKEND = 'ee_official_login.oauth.google.backends.OauthBackend'CUSTOM_AUTHENTICATION_BACKEND = 'ee_login.enterprise_ldap.backends.ldapbackend'登录请求和登录回调函数
vim enterprise_ldap/views.py# -*- coding: utf-8 -*- from django.http.response import HttpResponsefrom bkaccount.accounts import Accountfrom django.contrib.sites.shortcuts import get_current_sitefrom django.template.response import TemplateResponsefrom .utils import CustomLoginForm
def login(request, template_name='login/login.html', authentication_form=CustomLoginForm, current_app=None, extra_context=None): """ 登录处理, """ account = Account() # 获取用户实际请求的 URL, 目前 account.REDIRECT_FIELD_NAME = 'c_url' redirect_to = request.GET.get(account.REDIRECT_FIELD_NAME, '') # 获取用户实际访问的蓝鲸应用 app_id = request.GET.get('app_id', '') redirect_field_name = account.REDIRECT_FIELD_NAME if request.method == 'POST': #通过自定义表单CustomLoginForm实现登录验证 form = authentication_form(request, data=request.POST) if form.is_valid(): #验证通过跳转 return account.login_success_response(request, form, redirect_to, app_id) else: form = authentication_form(request) current_site = get_current_site(request) context = { 'form': form, redirect_field_name: redirect_to, 'site': current_site, 'site_name': current_site.name, 'app_id': app_id, } if extra_context is not None: context.update(extra_context) if current_app is not None: request.current_app = current_app response = TemplateResponse(request, template_name, context) response = account.set_bk_token_invalid(request, response) return responselogin函数是参照蓝鲸自带的login函数,它们之间的区别就是调用了不同的表单,在此我们调用的是重写AuthenticationForm后的表单,引用于:
from .utils import CustomLoginForm
这样login登录就不需要走API了,在本地就可实现。
登录后的跳转处理仍使用原来的处理,通过account调用跳转函数即可。
自定义表单
vim enterprise_ldap/utils.py# -*- coding: utf-8 -*-from django import formsfrom django.contrib.auth.forms import AuthenticationFormfrom django.contrib.auth import authenticatefrom common.log import logger
class CustomLoginForm(AuthenticationForm): """ 重写AuthenticationForm类,用于自定义登录custom_login """ def clean(self): username = self.cleaned_data.get('username') password = self.cleaned_data.get('password') if username and password: self.user_cache = authenticate(username=username, password=password) if self.user_cache is None: raise forms.ValidationError( self.error_messages['invalid_login'], code='invalid_login', params={'username': self.username_field.verbose_name}, ) else: super(CustomLoginForm, self).confirm_login_allowed(self.user_cache)
return self.cleaned_data重写了父类AuthenticationForm中的clean方法,因为clean方法中调用了authenticate进行了对用户名、密码的验证。
用户认证功能实现
vim enterprise_ldap/backends.py# -*- coding: utf-8 -*-
from django.contrib.auth.backends import ModelBackendfrom .ldap import SearchLdapfrom django.contrib.auth import get_user_modelfrom bkaccount.constants import RoleCodeEnumfrom common.log import logger
class ldapbackend(ModelBackend): def authenticate(self, **credentials): username = credentials.get('username') password = credentials.get('password') if username and password: logger.info("username: %s,password: %s" % (username,password)) #当登录账号为admin时,直接在蓝鲸验证,不走ldap认证 if username == 'admin': logger.info(u'用户为admin,直接蓝鲸验证') return super(ldapbackend, self).authenticate(username=username, password=password) else: ldapinfo = SearchLdap() resp = ldapinfo.get_user_info(username=username, password=password) #如果ldap中存在此用户 if resp["result"] == "success": # 获取用户类 Model(即对应用户表) user_model = get_user_model() try: user = user_model.objects.get(username=username) except user_model.DoesNotExist: # 创建 User 对象 user = user_model.objects.create_user(username) # 获取用户信息,只在第一次创建时设置,已经存在不更新 chname = resp['data']['chname'] phone = resp['data']['mobile'] email = resp['data']['email'] user.chname = chname user.phone = phone user.email = email user.save() # 设置新增用户角色为普通管理员 logger.info(u'新建用户:%s 权限:%s' % (chname, u'普通用户')) result, message = user_model.objects.modify_user_role(username, RoleCodeEnum.STAFF) return user else: return None else: return None用户认证主要通过authenticate函数实现:
1.登录ldap后过滤相应的用户cn、mail、mobile字段,并判断是否在蓝鲸数据库中存在,不存在则新建用户并授予普通管理员角色;
2.登录用户为admin,则直接蓝鲸认证;
LDAP获取用户信息
vim enterprise_ldap/ldap.py# -*- coding: utf-8 -*-
from ldap3 import Connection, Server, SUBTREEfrom common.log import logger
class SearchLdap: host = '10.90.10.123' port = 389 ldap_base = 'dc=test,dc=cn' def get_user_info(self, **kwargs): username = kwargs.get("username") password = kwargs.get("password")
ldap_user = 'cn='+username+','+self.ldap_base
try: #与ldap建立连接 s = Server(host=self.host, port=self.port, use_ssl=False, get_info='ALL', connect_timeout=5) #bind打开连接 c = Connection(s, user=ldap_user, password=password, auto_bind='NONE', version=3, authentication='SIMPLE', client_strategy='SYNC', auto_referrals=True, check_names=True, read_only=True, lazy=False, raise_exceptions=False) c.bind() logger.info(c.result) #认证正确-success 不正确-invalidCredentials if c.result['description'] == 'success': res = c.search(search_base=self.ldap_base, search_filter = "(cn="+username+")", search_scope = SUBTREE, attributes = ['cn', 'mobile', 'mail'], paged_size = 5) if res: attr_dict = c.response[0]["attributes"] chname = attr_dict['cn'][0] email = attr_dict['mail'][0] mobile = attr_dict['mobile'][0] data = { 'username': "%s" % username, 'password': "%s" % password, 'chname': "%s" % chname, 'email': "%s" % email, 'mobile' : "%s" % mobile, } logger.info(u'ldap成功匹配用户') result = { 'result': "success", 'message':'验证成功', 'data':data } else: logger.info(u'ldap无此用户信息') result = { 'result': "null", 'message':'result is null' } #关闭连接 c.unbind() else: logger.info(u"用户认证失败") result = { 'result': "auth_failure", 'message': "user auth failure" } except Exception as e: logger.info(u'ldap连接出错: %s' % e) result = { 'result': 'conn_error', 'message': "connect error" } return result登录验证用户是否存在,需注意:
1.ldap用户名、密码登录是否成功一定要通过c.result的description字段是否为success来确认,否则即使认证不成功,也能连接并过滤到信息。此时在蓝鲸登录时会出现,只要是ldap中有的账户,即使密码不正确也能成功登录;
2.ldap登录时的用户名一定要是“cn=test,dc=test,dc=cn”(具体格式根据实际情况调整),否则登录是不成功的,但也能正常过滤信息;
3.ldap中的用户一定要有cn,mail,mobile等字段,否则账户即使存在登录也会不成功;
重启login服务并使配置生效
/data/install/bkcec stop paas login/data/install/bkcec start paas login登录查看访问日志
cd /data/bkce/logs/open_paas/login_uwsgi.log login.log总结
通过蓝鲸paas平台的统一登录服务的源码解析,不仅仅是功能上的实现,更重要的是参考大厂研发代码的布局、流程、规范等,给我们自身带来的启发。