feat: 客户端克隆支持模糊匹配_权限克隆兼容scr的conn_log授权_查询权限补充域名视角 #6001

Author: fanfanyangyang

dbm-services/mysql/db-tools/dbactuator/pkg/util/mysqlutil/hide_passowrd.go renamed to dbm-services/common/go-pubpkg/mysqlcomm/hide_passowrd.go

@@ -8,7 +8,7 @@
  * specific language governing permissions and limitations under the License.
  */
 
-package mysqlutil
+package mysqlcomm
 
 import (
 	"regexp"

dbm-services/mysql/db-tools/dbactuator/pkg/util/mysqlutil/hide_password_test.go renamed to dbm-services/common/go-pubpkg/mysqlcomm/hide_password_test.go

@@ -8,16 +8,14 @@
  * specific language governing permissions and limitations under the License.
  */
 
-package mysqlutil_test
+package mysqlcomm
 
 import (
 	"testing"
-
-	"dbm-services/mysql/db-tools/dbactuator/pkg/util/mysqlutil"
 )
 
 func TestClearSensitiveInformatio(t *testing.T) {
 	t.Log("start ...")
 	textString := "mysqldump  \t\t-h1.1.1.1  \t\t-P26000  \t\t-uxasasda  \t\t-p{xasx}  \t\t--skip-opt  \t\t--create-options   \t"
-	t.Log(mysqlutil.ClearSensitiveInformation(textString))
+	t.Log(ClearSensitiveInformation(textString))
 }

dbm-services/mysql/db-partition/main.go

@@ -1,6 +1,7 @@
 package main
 
 import (
+	"dbm-services/mysql/db-partition/monitor"
 	"dbm-services/mysql/db-partition/service"
 	"net/http"
 	"os"
@@ -16,7 +17,6 @@ import (
 	"dbm-services/common/go-pubpkg/apm/trace"
 	"dbm-services/mysql/db-partition/assests"
 	"dbm-services/mysql/db-partition/model"
-	"dbm-services/mysql/db-partition/monitor"
 	"dbm-services/mysql/db-partition/router"
 )
 
@@ -33,7 +33,7 @@ func main() {
 		}
 	}
 
-	// 获取监控配置，多次尝试，获取监控配置失败，如果服务异常无法上报监控，所以让服务退出，可触发服务故障的告警。
+	// 获取监控配置，多次尝试，获取监控配置失败
 	monitor.InitMonitor()
 
 	// 注册定时任务

dbm-services/mysql/db-partition/model/init_env.go

@@ -28,6 +28,8 @@ func InitEnv() {
 	viper.BindEnv("dbm_ticket_service", "DBM_TICKET_SERVICE")
 	viper.BindEnv("bk_app_code", "BK_APP_CODE")
 	viper.BindEnv("bk_app_secret", "BK_APP_SECRET")
+	// 开启分区服务的蓝鲸监控
+	viper.BindEnv("monitor", "MONITOR")
 
 	// pt-osc参数
 	viper.BindEnv("pt.max_load.threads_running", "PT_MAX_LOAD_THREADS_RUNNING")

dbm-services/mysql/db-partition/monitor/monitor.go

@@ -128,6 +128,9 @@ func GetMonitorSetting() (Setting, error) {
 
 // InitMonitor 多次尝试获取监控配置，更新配置；获取失败退出
 func InitMonitor() {
+	if !viper.GetBool("monitor") {
+		return
+	}
 	i := 1
 	for ; i <= 10; i++ {
 		setting, err := GetMonitorSetting()

dbm-services/mysql/db-partition/service/check_partition.go

@@ -122,11 +122,15 @@ func CheckPartitionConfigs(configs []*PartitionConfig, dbtype string, splitCnt i
 	checkFailSet := ConfigIdLogSet{}
 	wg := sync.WaitGroup{}
 	limit := rate.Every(time.Millisecond * 200) // QPS：5
-	burst := 10                                 // 桶容量 10
+	burst := 5                                  // 桶容量 5
 	limiter := rate.NewLimiter(limit, burst)
+	tokenBucket := make(chan int, 10) // 最大并行度
+
 	for _, config := range configs {
 		wg.Add(1)
-		ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
+		tokenBucket <- 0
+
+		ctx, cancel := context.WithTimeout(context.Background(), 180*time.Second)
 		go func(config *PartitionConfig) {
 			err := limiter.Wait(context.Background())
 			if err != nil {
@@ -136,7 +140,7 @@ func CheckPartitionConfigs(configs []*PartitionConfig, dbtype string, splitCnt i
 				return
 			}
 			CheckOnePartitionConfig(ctx, cancel, *config, &wg, &sqlSet, &nothingToDoSet, &checkFailSet, dbtype, splitCnt,
-				fromCron, host)
+				fromCron, host, &tokenBucket)
 		}(config)
 	}
 	wg.Wait()
@@ -154,16 +158,16 @@ func CheckPartitionConfigs(configs []*PartitionConfig, dbtype string, splitCnt i
 // CheckOnePartitionConfig 检查一个分区规则是否需要执行，生成分区语句
 func CheckOnePartitionConfig(ctx context.Context, cancel context.CancelFunc, config PartitionConfig,
 	wg *sync.WaitGroup, sqlSet *PartitionSqlSet, nothingToDoSet *ConfigIdLogSet, checkFailSet *ConfigIdLogSet,
-	dbtype string, splitCnt int, fromCron bool, host Host) {
+	dbtype string, splitCnt int, fromCron bool, host Host, tokenBucket *chan int) {
 	fmt.Printf("do CheckOnePartitionConfig")
 	var addSql, dropSql []string
 	var err error
 	var initSql []InitSql
 	defer func() {
+		<-*tokenBucket
 		wg.Done()
 		cancel()
 	}()
-
 	finish := make(chan int, 1)
 	go func() {
 		defer func() {

dbm-services/mysql/db-partition/service/cron_basic_func.go

@@ -475,7 +475,7 @@ func DownLoadFilesCreateTicketByMachine(cloudMachineList map[int][]string, machi
 					slog.Error("msg", msg, err)
 					return
 				}
-				time.Sleep(60 * time.Second)
+				time.Sleep(120 * time.Second)
 				// 创建执行分区单据
 				err = CreatePartitionTicket(files, clusterType, "mixed", vdate)
 				if err != nil {
@@ -542,7 +542,7 @@ func DownLoadFilesCreateTicketByCluster(clusterIps map[string][]string, machineF
 				}
 				clusterFiles = append(clusterFiles, files...)
 			}
-			time.Sleep(60 * time.Second)
+			time.Sleep(120 * time.Second)
 			// 创建执行分区单据
 			err = CreatePartitionTicket(clusterFiles, clusterType, domain, vdate)
 			if err != nil {

dbm-services/mysql/db-priv/handler/add_priv.go

@@ -109,19 +109,20 @@ func (m *PrivService) GetPriv(c *gin.Context) {
 		SendResponse(c, errno.ErrBind, err)
 		return
 	}
-	formatted, count, download, hasPriv, noPriv, err := input.GetPriv()
+	formattedForIp, formattedForCluster, count, download, hasPriv, noPriv, err := input.GetPriv()
 	if err != nil {
 		slog.Error(err.Error())
 		SendResponse(c, err, nil)
 		return
 	}
 	data := struct {
-		Formatted []service.RelatedIp `json:"privs"`
-		Count     int                 `json:"count"`
-		Download  []service.GrantInfo `json:"download"`
-		HasPriv   []string            `json:"has_priv"`
-		NoPriv    []string            `json:"no_priv"`
-	}{formatted, count, download, hasPriv, noPriv}
+		FormattedForIp      []service.RelatedIp      `json:"privs_for_ip"`
+		FormattedForCluster []service.RelatedDomain2 `json:"privs_for_cluster"`
+		Count               int                      `json:"count"`
+		Download            []service.GrantInfo      `json:"download"`
+		HasPriv             []string                 `json:"has_priv"`
+		NoPriv              []string                 `json:"no_priv"`
+	}{formattedForIp, formattedForCluster, count, download, hasPriv, noPriv}
 	SendResponse(c, err, data)
 	return
 }

dbm-services/mysql/db-priv/handler/clone_client_priv.go

@@ -53,7 +53,14 @@ func (m *PrivService) CloneClientPriv(c *gin.Context) {
 		return
 	}
 
-	err = input.CloneClientPriv(string(body), ticket)
-	SendResponse(c, err, nil)
+	privs, err := input.CloneClientPriv(string(body), ticket)
+	if err != nil {
+		SendResponse(c, err, nil)
+		return
+	}
+	SendResponse(c, err, ListResponse{
+		Count: len(privs),
+		Items: privs,
+	})
 	return
 }

dbm-services/mysql/db-priv/service/account_rule_mongodb.go

@@ -52,12 +52,13 @@ func (m *AccountRulePara) MongoDBAddAccountRule(jsonPara string, ticket string)
 	userPriv = strings.Trim(userPriv, ",")
 	managerPriv = strings.Trim(managerPriv, ",")
 	allTypePriv = strings.Trim(allTypePriv, ",")
+	vtime := time.Now()
 
 	tx := DB.Self.Begin()
 	for _, db := range dbs {
 		accountRule = TbAccountRules{BkBizId: m.BkBizId, ClusterType: *m.ClusterType, AccountId: m.AccountId, Dbname: db,
 			Priv:       allTypePriv,
-			DmlDdlPriv: userPriv, GlobalPriv: managerPriv, Creator: m.Operator, CreateTime: time.Now()}
+			DmlDdlPriv: userPriv, GlobalPriv: managerPriv, Creator: m.Operator, CreateTime: vtime, UpdateTime: vtime}
 		err = tx.Debug().Model(&TbAccountRules{}).Create(&accountRule).Error
 		if err != nil {
 			tx.Rollback()
@@ -68,7 +69,7 @@ func (m *AccountRulePara) MongoDBAddAccountRule(jsonPara string, ticket string)
 	if err != nil {
 		return err
 	}
-	log := PrivLog{BkBizId: m.BkBizId, Ticket: ticket, Operator: m.Operator, Para: jsonPara, Time: time.Now()}
+	log := PrivLog{BkBizId: m.BkBizId, Ticket: ticket, Operator: m.Operator, Para: jsonPara, Time: vtime}
 	AddPrivLog(log)
 
 	return nil

dbm-services/mysql/db-priv/service/clone_client_priv.go

@@ -2,7 +2,9 @@ package service
 
 import (
 	"context"
+	"dbm-services/common/go-pubpkg/mysqlcomm"
 	"fmt"
+	"log/slog"
 	"strings"
 	"sync"
 	"time"
@@ -48,18 +50,19 @@ func (m *CloneClientPrivParaList) CloneClientPrivDryRun() error {
 }
 
 // CloneClientPriv 克隆客户端权限
-func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) error {
+func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) ([]ClusterGrantSql, error) {
 	var errMsg Err
+	var sqls ClusterGrants
 	wg := sync.WaitGroup{}
 	limit := rate.Every(time.Millisecond * 200) // QPS：5
 	burst := 10                                 // 桶容量 10
 	limiter := rate.NewLimiter(limit, burst)
 
 	if m.BkBizId == 0 {
-		return errno.BkBizIdIsEmpty
+		return nil, errno.BkBizIdIsEmpty
 	}
 	if m.BkCloudId == nil {
-		return errno.CloudIdRequired
+		return nil, errno.CloudIdRequired
 	}
 	if m.ClusterType == nil {
 		ct := mysql
@@ -71,7 +74,7 @@ func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) er
 	client := util.NewClientByHosts(viper.GetString("dbmeta"))
 	resp, errOuter := GetAllClustersInfo(client, BkBizIdPara{m.BkBizId})
 	if errOuter != nil {
-		return errOuter
+		return nil, errOuter
 	}
 	var tempClusters []Cluster
 	var clusters []Cluster
@@ -104,7 +107,7 @@ func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) er
 			}
 		}
 		if len(notExists) > 0 {
-			return errno.DomainNotExists.AddBefore(strings.Join(notExists, ","))
+			return nil, errno.DomainNotExists.AddBefore(strings.Join(notExists, ","))
 		}
 	} else {
 		clusters = make([]Cluster, len(tempClusters))
@@ -113,7 +116,7 @@ func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) er
 
 	errMsg.errs = validateIP(m.SourceIp, m.TargetIp, m.BkCloudId)
 	if len(errMsg.errs) > 0 {
-		return errno.ClonePrivilegesFail.Add("\n" + strings.Join(errMsg.errs, "\n"))
+		return nil, errno.ClonePrivilegesFail.Add("\n" + strings.Join(errMsg.errs, "\n"))
 	}
 	// 获取业务下所有的集群，并行获取对旧的client授权的语句，替换旧client的ip为新client，执行导入
 	// 一个协程失败，其报错信息添加到errMsg.errs。主协程wg.Wait()，等待所有协程执行完成才会返回。
@@ -125,39 +128,68 @@ func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) er
 			defer func() {
 				wg.Done()
 			}()
-
-			err := limiter.Wait(context.Background())
-			if err != nil {
-				AddError(&errMsg, item.ImmuteDomain, err)
+			errOuter = limiter.Wait(context.Background())
+			if errOuter != nil {
+				AddError(&errMsg, item.ImmuteDomain, errOuter)
 				return
 			}
-
+			clusterGrant := ClusterGrantSql{ImmuteDomain: item.ImmuteDomain}
 			if item.ClusterType == tendbha || item.ClusterType == tendbsingle {
 				for _, storage := range item.Storages {
 					address := fmt.Sprintf("%s:%d", storage.IP, storage.Port)
-					userGrants, err := GetRemotePrivilege(address, m.SourceIp, item.BkCloudId,
-						machineTypeBackend, m.User, false)
+					// 在后端mysql中获取匹配的user@host列表
+					_, _, matchHosts, err := MysqlUserList(address, item.BkCloudId, []string{m.SourceIp}, nil, "")
+					if err != nil {
+						AddError(&errMsg, address, err)
+						continue
+					}
+					slog.Info("msg", "matchHosts", matchHosts)
+					userGrants, err := GetRemotePrivilege(address, matchHosts, item.BkCloudId,
+						machineTypeBackend, m.User, true)
 					if err != nil {
 						AddError(&errMsg, address, err)
 						continue
 					}
-					userGrants = ReplaceHostInMysqlGrants(userGrants, m.SourceIp, m.TargetIp)
-					err = ImportMysqlPrivileges(userGrants, address, item.BkCloudId)
+					if len(userGrants) == 0 {
+						continue
+					}
+					userGrants = ReplaceHostInMysqlGrants(userGrants, m.TargetIp)
+					var grants []string
+					for _, sql := range userGrants {
+						grants = append(grants, sql.Grants...)
+					}
+					clusterGrant.Sqls = append(clusterGrant.Sqls, InstanceGrantSql{address,
+						mysqlcomm.ClearIdentifyByInSQLs(grants)})
+					err = ImportMysqlPrivileges(grants, address, item.BkCloudId)
 					if err != nil {
 						AddError(&errMsg, address, err)
 					}
 				}
 			} else {
 				for _, spider := range item.Proxies {
 					address := fmt.Sprintf("%s:%d", spider.IP, spider.Port)
-					userGrants, err := GetRemotePrivilege(address, m.SourceIp, item.BkCloudId,
-						machineTypeSpider, m.User, false)
+					_, _, matchHosts, err := MysqlUserList(address, item.BkCloudId, []string{m.SourceIp}, nil, "")
+					if err != nil {
+						AddError(&errMsg, address, err)
+						continue
+					}
+					userGrants, err := GetRemotePrivilege(address, matchHosts, item.BkCloudId,
+						machineTypeSpider, m.User, true)
 					if err != nil {
 						AddError(&errMsg, address, err)
 						continue
 					}
-					userGrants = ReplaceHostInMysqlGrants(userGrants, m.SourceIp, m.TargetIp)
-					err = ImportMysqlPrivileges(userGrants, address, item.BkCloudId)
+					if len(userGrants) == 0 {
+						continue
+					}
+					userGrants = ReplaceHostInMysqlGrants(userGrants, m.TargetIp)
+					var grants []string
+					for _, sql := range userGrants {
+						grants = append(grants, sql.Grants...)
+					}
+					clusterGrant.Sqls = append(clusterGrant.Sqls, InstanceGrantSql{address,
+						mysqlcomm.ClearIdentifyByInSQLs(grants)})
+					err = ImportMysqlPrivileges(grants, address, item.BkCloudId)
 					if err != nil {
 						AddError(&errMsg, address, err)
 					}
@@ -166,22 +198,39 @@ func (m *CloneClientPrivPara) CloneClientPriv(jsonPara string, ticket string) er
 			if item.ClusterType == tendbha {
 				for _, proxy := range item.Proxies {
 					address := fmt.Sprintf("%s:%d", proxy.IP, proxy.AdminPort)
-					proxyGrants, err := GetProxyPrivilege(address, m.SourceIp, item.BkCloudId, m.User)
+					_, _, matchHosts, err := ProxyWhiteList(address, item.BkCloudId, []string{m.SourceIp}, nil, "")
+					if err != nil {
+						slog.Error("msg", "ProxyWhiteList", err)
+						AddError(&errMsg, address, err)
+					}
+					slog.Info("msg", "matchHosts", matchHosts)
+					proxyGrants, err := GetProxyPrivilege(address, matchHosts, item.BkCloudId, m.User)
 					if err != nil {
+						slog.Error("msg", "GetProxyPrivilege", err)
 						AddError(&errMsg, address, err)
 					}
-					proxyGrants = ReplaceHostInProxyGrants(proxyGrants, m.SourceIp, m.TargetIp)
+					if len(proxyGrants) == 0 {
+						continue
+					}
+					proxyGrants = ReplaceHostInProxyGrants(proxyGrants, m.TargetIp)
+					clusterGrant.Sqls = append(clusterGrant.Sqls, InstanceGrantSql{address, proxyGrants})
 					err = ImportProxyPrivileges(proxyGrants, address, item.BkCloudId)
 					if err != nil {
 						AddError(&errMsg, address, err)
 					}
 				}
 			}
+			if len(clusterGrant.Sqls) > 0 {
+				sqls.mu.Lock()
+				sqls.resources = append(sqls.resources, clusterGrant)
+				sqls.mu.Unlock()
+			}
 		}(item)
 	}
 	wg.Wait()
+	slog.Info("msg", "clusterGrant", sqls.resources)
 	if len(errMsg.errs) > 0 {
-		return errno.ClonePrivilegesFail.Add("\n" + strings.Join(errMsg.errs, "\n"))
+		return nil, errno.ClonePrivilegesFail.Add("\n" + strings.Join(errMsg.errs, "\n"))
 	}
-	return nil
+	return sqls.resources, nil
 }