hhyo · hhyo · Apr 24, 2022 · Apr 20, 2022 · Apr 20, 2022 · Apr 20, 2022
diff --git a/archery/settings.py b/archery/settings.py
@@ -3,6 +3,7 @@
 
 # Build paths inside the project like this: os.path.join(BASE_DIR, ...)
 import os
+from datetime import timedelta
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
 
@@ -32,6 +33,9 @@
     'sql',
     'sql_api',
     'common',
+    'rest_framework',
+    'django_filters',
+    'drf_spectacular',
 )
 
 MIDDLEWARE = (
@@ -172,6 +176,49 @@
     }
 }
 
+# API Framework
+REST_FRAMEWORK = {
+    'DEFAULT_SCHEMA_CLASS': 'drf_spectacular.openapi.AutoSchema',
+    'DEFAULT_RENDERER_CLASSES': ('rest_framework.renderers.JSONRenderer',),
+    # 鉴权
+    'DEFAULT_AUTHENTICATION_CLASSES': (
+        'rest_framework_simplejwt.authentication.JWTAuthentication',
+        'rest_framework.authentication.SessionAuthentication',
+    ),
+    # 权限
+    'DEFAULT_PERMISSION_CLASSES': ('sql_api.permissions.IsInUserWhitelist',),
+    # 限速（anon：未认证用户  user：认证用户）
+    'DEFAULT_THROTTLE_CLASSES': (
+        'rest_framework.throttling.AnonRateThrottle',
+        'rest_framework.throttling.UserRateThrottle',
+    ),
+    'DEFAULT_THROTTLE_RATES': {
+        'anon': '120/min',
+        'user': '600/min'
+    },
+    # 过滤
+    'DEFAULT_FILTER_BACKENDS': ('django_filters.rest_framework.DjangoFilterBackend',),
+    # 分页
+    'DEFAULT_PAGINATION_CLASS': 'rest_framework.pagination.PageNumberPagination',
+    'PAGE_SIZE': 5,
+}
+
+# Swagger UI
+SPECTACULAR_SETTINGS = {
+    'TITLE': 'Archery API',
+    'DESCRIPTION': 'OpenAPI 3.0',
+    'VERSION': '1.0.0',
+}
+
+# API Authentication
+SIMPLE_JWT = {
+    'ACCESS_TOKEN_LIFETIME': timedelta(hours=4),
+    'REFRESH_TOKEN_LIFETIME': timedelta(days=3),
+    'ALGORITHM': 'HS256',
+    'SIGNING_KEY': SECRET_KEY,
+    'AUTH_HEADER_TYPES': ('Bearer',),
+}
+
 # LDAP
 ENABLE_LDAP = False
 if ENABLE_LDAP:

diff --git a/common/middleware/check_login_middleware.py b/common/middleware/check_login_middleware.py
@@ -10,7 +10,7 @@
     '/api/info'
 ]
 
-IGNORE_URL_RE = r'/admin/\w*'
+IGNORE_URL_RE = r'(/admin/\w*|/api/(v1|auth)/\w+)'
 
 
 class CheckLoginMiddleware(MiddlewareMixin):

diff --git a/common/templates/base.html b/common/templates/base.html
@@ -267,6 +267,11 @@
                             <a href="/dbaprinciples/"><i class="fa fa-sitemap fa-fw"></i> 相关文档</a>
                         </li>
                     {% endif %}
+                    {% if perms.sql.menu_openapi %}
+                        <li>
+                            <a href="/api/swagger/" target="_blank"><i class="fa fa-code-fork fa-fw"></i> OpenAPI</a>
+                        </li>
+                    {% endif %}
                 </ul>
             </div>
             <!-- /.sidebar-collapse -->

diff --git a/common/templates/config.html b/common/templates/config.html
@@ -809,6 +809,19 @@ <h4 style="color: darkgrey"><b>其他配置</b></h4>
                                     </select>
                                 </div>
                             </div>
+                            <div class="form-group">
+                                <label for="api_user_whitelist"
+                                       class="col-sm-4 control-label">API_USER_WHITELIST</label>
+                                <div class="col-sm-5">
+                                    <select id="api_user_whitelist" key="api_user_whitelist"
+                                            class="selectpicker show-tick form-control bs-select-hidden"
+                                            data-live-search="true"
+                                            data-none-selected-text="API用户白名单"
+                                            multiple data-selected-text-format="count > 5"
+                                            required>
+                                    </select>
+                                </div>
+                            </div>
                             <div class="form-group">
                                 <label for="lock_time_threshold"
                                        class="col-sm-4 control-label">LOCK_TIME_THRESHOLD</label>
@@ -903,8 +916,9 @@ <h5 class="control-label text-bold">当前审批流程：<b id="workflow_auditor
     <link href="{% static 'bootstrap-switch/css/bootstrap-switch.min.css' %}" rel="stylesheet" type="text/css"/>
     <script src="{% static 'bootstrap-switch/js/bootstrap-switch.min.js' %}"></script>
     <script>
-        // notify_phase_control参数处理
+
         $(document).ready(function (){
+            // notify_phase_control参数处理
             let cfg_value = "{{ config.notify_phase_control }}";
             let phases = ['Apply', 'Pass', 'Execute', 'Cancel'];
             // notify_phase_control未设置时默认全部开启
@@ -927,6 +941,36 @@ <h5 class="control-label text-bold">当前审批流程：<b id="workflow_auditor
             }
             $("#notify_phase_control").selectpicker('render');
             $("#notify_phase_control").selectpicker('refresh');
+
+            // api_user_whitelist参数处理
+            let api_config = "{{ config.api_user_whitelist }}";
+            $.ajax({
+                type: "post",
+                url: "/user/list/",
+                dataType: "json",
+                success: function (data) {
+                    if (data.status === 0) {
+                        let users = data.data;
+                        let user_arr = api_config.split(',');
+                        for (let i=0;i<users.length;i++) {
+                            let user = "";
+                            if (user_arr.indexOf(users[i].id.toString()) >= 0) {
+                                user = "<option value=\"" + users[i].id+ "\" selected>" + users[i].display + "(" + users[i].username + ")</option>"
+                            } else {
+                                user = "<option value=\"" + users[i].id+ "\">" + users[i].display + "(" + users[i].username + ")</option>"
+                            }
+                            $("#api_user_whitelist").append(user)
+                            $("#api_user_whitelist").selectpicker('render');
+                            $("#api_user_whitelist").selectpicker('refresh');
+                        }
+                    } else {
+                        alert(data.msg);
+                    }
+                },
+                error: function (XMLHttpRequest, textStatus, errorThrown) {
+                    alert(errorThrown);
+                }
+            });
         })
 
         //配置项切换

diff --git a/requirements.txt b/requirements.txt
@@ -29,3 +29,8 @@ pycryptodome==3.10.1
 pandas==1.1.5
 pyodps==0.10.7.1
 clickhouse-driver==0.2.3
+djangorestframework==3.12.4
+djangorestframework-simplejwt==4.3.0
+django-filter==21.1
+drf-spectacular==0.22.0
+pyjwt==1.7.1
diff --git a/sql/fixtures/auth_group.sql b/sql/fixtures/auth_group.sql
@@ -23,7 +23,7 @@ where codename in ('menu_dashboard','menu_sqlcheck','menu_sqlworkflow','menu_sql
 insert into auth_group_permissions (group_id, permission_id)
 select 3,id
 from auth_permission
-where codename in ('menu_dashboard','menu_sqlcheck','menu_sqlworkflow','menu_sqlanalyze','menu_query','menu_sqlquery','menu_queryapplylist','menu_sqloptimize','menu_sqladvisor','menu_slowquery','menu_instance','menu_instance_list','menu_dbdiagnostic','menu_database','menu_instance_account','menu_param','menu_data_dictionary','menu_tools','menu_archive','menu_binlog2sql','menu_my2sql','menu_schemasync','menu_system','menu_document','sql_submit','sql_review','sql_execute_for_resource_group','sql_execute','sql_analyze','optimize_sqladvisor','optimize_sqltuning','optimize_soar','query_applypriv','query_mgtpriv','query_review','query_submit','query_all_instances','query_resource_group_instance','process_view','process_kill','tablespace_view','trx_view','trxandlocks_view','instance_account_manage','param_view','param_edit','data_dictionary_export','archive_apply','archive_review','archive_mgt');
+where codename in ('menu_dashboard','menu_sqlcheck','menu_sqlworkflow','menu_sqlanalyze','menu_query','menu_sqlquery','menu_queryapplylist','menu_sqloptimize','menu_sqladvisor','menu_slowquery','menu_instance','menu_instance_list','menu_dbdiagnostic','menu_database','menu_instance_account','menu_param','menu_data_dictionary','menu_tools','menu_archive','menu_binlog2sql','menu_my2sql','menu_schemasync','menu_system','menu_document','menu_openapi','sql_submit','sql_review','sql_execute_for_resource_group','sql_execute','sql_analyze','optimize_sqladvisor','optimize_sqltuning','optimize_soar','query_applypriv','query_mgtpriv','query_review','query_submit','query_all_instances','query_resource_group_instance','process_view','process_kill','tablespace_view','trx_view','trxandlocks_view','instance_account_manage','param_view','param_edit','data_dictionary_export','archive_apply','archive_review','archive_mgt');
 
 -- PM
 insert into auth_group_permissions (group_id, permission_id)

diff --git a/sql/models.py b/sql/models.py
@@ -705,6 +705,7 @@ class Meta:
             ('menu_schemasync', '菜单 SchemaSync'),
             ('menu_system', '菜单 系统管理'),
             ('menu_document', '菜单 相关文档'),
+            ('menu_openapi', '菜单 OpenAPI'),
             ('sql_submit', '提交SQL上线工单'),
             ('sql_review', '审核SQL上线工单'),
             ('sql_execute_for_resource_group', '执行SQL上线工单(资源组粒度)'),

diff --git a/sql/urls.py b/sql/urls.py
@@ -8,7 +8,7 @@
 import sql.sql_optimize
 from common import auth, config, workflow, dashboard, check
 from sql import views, sql_workflow, sql_analyze, query, slowlog, instance, instance_account, db_diagnostic, \
-    resource_group, binlog, data_dictionary, archiver, audit_log
+    resource_group, binlog, data_dictionary, archiver, audit_log, user
 from sql.utils import tasks
 from common.utils import ding_api
 
@@ -160,4 +160,5 @@
 
     path('audit/log/', audit_log.audit_log),
     path('audit/input/', audit_log.audit_input),
+    path('user/list/', user.lists),
 ]
diff --git a/sql/user.py b/sql/user.py
@@ -0,0 +1,19 @@
+# -*- coding: UTF-8 -*-
+import simplejson as json
+from common.utils.permission import superuser_required
+from common.utils.extend_json_encoder import ExtendJSONEncoder
+from django.http import HttpResponse
+from .models import Users
+
+
+@superuser_required
+def lists(request):
+    """获取用户列表"""
+    users = Users.objects.order_by('username')
+    users = users.values("id", "username", "display", "is_superuser", "is_staff", "is_active", "email")
+
+    rows = [row for row in users]
+
+    result = {"status": 0, "msg": "ok", "data": rows}
+    return HttpResponse(json.dumps(result, cls=ExtendJSONEncoder, bigint_as_string=True),
+                        content_type='application/json')