v2.3.6

deploy/helm/bk-user/Chart.yaml

@@ -18,13 +18,13 @@ dependencies:
   condition: redis.enabled
 
 - name: api
-  version: "1.0.0"
+  version: "1.0.1"
   condition: api.enabled
 
 - name: login
-  version: "1.0.0"
+  version: "1.0.1"
   condition: login.enabled
 
 - name: saas
-  version: "1.0.0"
+  version: "1.0.1"
   condition: saas.enabled

src/api/bkuser_core/audit/constants.py

@@ -21,6 +21,7 @@ class LogInFailReason(AutoLowerEnum):
     TOO_MANY_FAILURE = auto()
     LOCKED_USER = auto()
     DISABLED_USER = auto()
+    EXPIRED_USER = auto()
     SHOULD_CHANGE_INITIAL_PASSWORD = auto()
 
     _choices_labels = (
@@ -29,6 +30,7 @@ class LogInFailReason(AutoLowerEnum):
         (TOO_MANY_FAILURE, "密码错误次数过多"),
         (LOCKED_USER, "用户已锁定"),
         (DISABLED_USER, "用户已删除"),
+        (EXPIRED_USER, "用户账号已过期"),
         (SHOULD_CHANGE_INITIAL_PASSWORD, "需要修改初始密码"),
     )
 

src/api/bkuser_core/audit/migrations/0005_auto_20220526_1048.py

@@ -0,0 +1,23 @@
+# Generated by Django 3.2.5 on 2022-05-26 02:48
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('audit', '0004_auto_20211021_1852'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='generallog',
+            name='status',
+            field=models.CharField(choices=[('succeed', '成功'), ('failed', '失败')], max_length=16, verbose_name='状态'),
+        ),
+        migrations.AlterField(
+            model_name='login',
+            name='reason',
+            field=models.CharField(blank=True, choices=[('bad_password', '密码错误'), ('expired_password', '密码过期'), ('too_many_failure', '密码错误次数过多'), ('locked_user', '用户已锁定'), ('disabled_user', '用户已删除'), ('expired_user', '用户账号已过期'), ('should_change_initial_password', '需要修改初始密码')], max_length=32, null=True, verbose_name='登陆失败原因'),
+        ),
+    ]

src/api/bkuser_core/bkiam/constants.py

@@ -211,6 +211,8 @@ def get_id_name_pair(cls, resource_type: "ResourceType") -> tuple:
             cls.CATEGORY: ("id", "display_name"),
             cls.FIELD: ("id", "display_name"),
             cls.PROFILE: ("id", "username"),
+            # FIXME: not sure
+            cls.SYNCTASK: ("id", "id"),
         }
         return _map[resource_type]
 

src/api/bkuser_core/categories/management/commands/make_crontab_sync_task_for_category.py

@@ -9,6 +9,7 @@
 specific language governing permissions and limitations under the License.
 """
 import logging
+import traceback
 
 from django.core.management.base import BaseCommand
 
@@ -44,4 +45,5 @@ def handle(self, *args, **options):
         try:
             make_periodic_sync_task(int(category_id), operator, interval)
         except Exception:  # pylint: disable=broad-except
+            self.stdout.write(traceback.format_exc())
             self.stdout.write(f"Failed to add sync task for category {category_id}")

src/api/bkuser_core/categories/management/commands/test_category_sync.py

@@ -9,6 +9,7 @@
 specific language governing permissions and limitations under the License.
 """
 import logging
+import traceback
 import uuid
 
 from django.core.management.base import BaseCommand
@@ -42,10 +43,12 @@ def handle(self, *args, **options):
                     raw_data_file=excel_file,
                 )
             except Exception:  # pylint: disable=broad-except
+                self.stdout.write(traceback.format_exc())
                 logger.exception("can not find category by type<%s>", category_type)
             return
 
         try:
             adapter_sync(ProfileCategory.objects.filter(type=category_type)[0].pk, task_id=task_id)
         except Exception:  # pylint: disable=broad-except
+            self.stdout.write(traceback.format_exc())
             logger.exception("can not find category by type<%s>", category_type)

src/api/bkuser_core/categories/plugins/base.py

@@ -281,7 +281,7 @@ def try_to_add_profile_department_relation(self, profile: Profile, department: D
                 profile=profile, department_id__in=exempt_department_ids
             ).exists()
         ):
-            logger.debug(
+            logger.info(
                 "profile<%s> is in the exempted department<%s>, skip",
                 profile,
                 department,

src/api/bkuser_core/categories/plugins/custom/helpers.py

@@ -51,7 +51,7 @@ def _get_code(self, raw_key: Union[str, int]) -> str:
         # 添加 category_id ，code 可以在多目录中唯一
         code = f"{self.category.pk}-{str(raw_key)}"
         sha = hashlib.sha256(force_bytes(code)).hexdigest()
-        logger.debug("transform code to sha: %s -> %s", code, sha)
+        logger.info("transform code to sha: %s -> %s", code, sha)
         return sha
 
 
@@ -156,7 +156,7 @@ def _load_base_info(self):
                 validate_username(value=info.username)
             except ValidationError as e:
                 self.context.add_record(step=SyncStep.USERS, success=False, username=info.username, error=str(e))
-                logger.warning("username<%s:%s> does not meet format", info.code, info.username)
+                logger.warning("username<%s:%s> does not meet format, will skip", info.code, info.username)
                 continue
 
             # 1. 先更新 profile 本身
@@ -165,6 +165,7 @@ def _load_base_info(self):
             if info.extras:
                 # note: the priority of extras from origin api is higher than `code=info.code`
                 extras.update(info.extras)
+
             profile_params = {
                 "category_id": self.category.pk,
                 "domain": self.category.domain,
@@ -209,7 +210,9 @@ def _load_base_info(self):
                         department=dep_id,
                         error=_("部门不存在"),
                     )
-                    logger.warning("the department<%s> of profile<%s:%s> is missing", dep_id, info.code, info.username)
+                    logger.warning(
+                        "the department<%s> of profile<%s:%s> is missing, will skip", dep_id, info.code, info.username
+                    )
                     continue
 
                 self.try_add_relation(
@@ -231,15 +234,19 @@ def _load_leader_info(self):
                 self.context.add_record(
                     step=SyncStep.USERS_RELATIONSHIP, success=False, username=info.username, error=_("用户信息不存在")
                 )
-                logger.warning("profile<%s:%s> not exists, will not be synced, skip", info.code, info.username)
+                logger.warning(
+                    "profile<%s:%s> not exists, the profile leaders will not be synced, will skip",
+                    info.code,
+                    info.username,
+                )
                 continue
 
             for leader_id in info.leaders:
                 if leader_id == profile.code:
                     self.context.add_record(
                         step=SyncStep.USERS_RELATIONSHIP, success=False, username=info.username, error=_("无法设置自己为上级")
                     )
-                    logger.warning("profile<%s:%s> can not regard self as leader, skip", info.code, info.username)
+                    logger.warning("profile<%s:%s> can not regard self as leader, will skip", info.code, info.username)
                     continue
 
                 leader = self.db_sync_manager.magic_get(self._get_code(leader_id), CustomProfileMeta)
@@ -250,7 +257,9 @@ def _load_leader_info(self):
                         username=info.username,
                         error=_("上级【{username}】不存在").format(username=leader_id),
                     )
-                    logger.warning("the leader<%s> of profile<%s:%s> is missing", leader_id, info.code, info.username)
+                    logger.warning(
+                        "the leader<%s> of profile<%s:%s> is missing, will skip", leader_id, info.code, info.username
+                    )
                     continue
 
                 self.try_add_relation(

src/api/bkuser_core/categories/plugins/ldap/__init__.py

@@ -24,3 +24,5 @@
     category_type="ldap",
     settings_path=os.path.dirname(__file__) / Path("settings.yaml"),
 ).register()
+
+# NOTE: 策略-每一次排查, 都简化复杂度, 加相关的日志等, 为未来的排查降低成本

src/api/bkuser_core/categories/plugins/ldap/adaptor.py

@@ -49,19 +49,19 @@ def get_value(
         if dynamic_field:
             ldap_field_name = field_name
             if ldap_field_name not in self.dynamic_fields_mapping.values():
-                logger.info("no config[%s] in configs of dynamic_fields_mapping", field_name)
+                logger.warning("no config[%s] in configs of dynamic_fields_mapping", field_name)
                 return ""
 
         else:
             # 从目录配置中获取 字段名
             ldap_field_name = self.config_loader.get(field_name)
             if not ldap_field_name:
-                logger.info("no config[%s] in configs of category", field_name)
+                logger.warning("no config[%s] in configs of category", field_name)
                 return ""
 
         # 1. 通过字段名，获取具体值
         if ldap_field_name not in user_meta or not user_meta[ldap_field_name]:
-            logger.info("field[%s] is missing in raw attributes of user data from ldap", field_name)
+            logger.warning("field[%s] is missing in raw attributes of user data from ldap", field_name)
             return ""
 
         # 2. 类似 memberOf 字段，将会返回原始列表

src/api/bkuser_core/categories/plugins/ldap/client.py

@@ -114,6 +114,7 @@ def search(
         )
 
         if not result and not self.con.result["result"] == 0 and not self.con.last_error:
+            logger.error("failed to search %s from %s, last_error: %s", search_filter, start_root, self.con.last_error)
             raise local_exceptions.SearchFailed
 
         return self.con.response

src/api/bkuser_core/categories/plugins/ldap/handlers.py

@@ -71,6 +71,9 @@ def update_or_create_sync_tasks(instance: "Setting", operator: str):
 @receiver(post_category_delete)
 def delete_sync_tasks(sender, instance: "ProfileCategory", **kwargs):
     if instance.type not in [CategoryType.LDAP.value, CategoryType.MAD.value]:
+        logger.warning(
+            "category<%s> is %s, not a ldap or mad category, skip delete sync tasks", instance.id, instance.type
+        )
         return
 
     logger.info("going to delete periodic task for Category<%s>, the category type is %s", instance.id, instance.type)
@@ -81,14 +84,18 @@ def delete_sync_tasks(sender, instance: "ProfileCategory", **kwargs):
 @receiver(post_setting_create)
 def update_sync_tasks(sender, instance: "Setting", operator: str, **kwargs):
     if instance.category.type not in [CategoryType.LDAP.value, CategoryType.MAD.value]:
+        logger.warning(
+            "category<%s> is %s, not a ldap or mad category, skip update sync tasks", instance.id, instance.type
+        )
         return
 
     # 针对 pull_cycle 配置更新同步任务
+    logger.info("going to update periodic task for Category<%s>, the category type is %s", instance.id, instance.type)
     update_or_create_sync_tasks(instance, operator)
 
 
 @receiver(post_dynamic_field_delete)
 def update_dynamic_field_mapping(sender, instance: "DynamicFieldInfo", **kwargs):
     """尝试刷新自定义字段映射配置"""
-    delete_dynamic_filed(dynamic_field=instance.name)
     logger.info("going to delete <%s> from dynamic_field_mapping", instance.name)
+    delete_dynamic_filed(dynamic_field=instance.name)

src/api/bkuser_core/categories/plugins/ldap/helper.py

@@ -152,7 +152,7 @@ def _load_base_info(self):
                     username=info.username,
                     error=str(e),
                 )
-                logger.warning("username<%s> does not meet format", info.username)
+                logger.warning("username<%s> does not meet format, will skip", info.username)
                 continue
 
             # 1. 先更新 profile 本身
@@ -201,7 +201,7 @@ def _load_base_info(self):
                         error=_("部门不存在"),
                     )
                     logger.warning(
-                        "the department<%s> of profile<%s> is missing",
+                        "the department<%s> of profile<%s> is missing, will skip",
                         department_key,
                         info.username,
                     )

src/api/bkuser_core/categories/plugins/ldap/login.py

@@ -8,13 +8,17 @@
 an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
 specific language governing permissions and limitations under the License.
 """
+import logging
+
 from django.utils.encoding import force_str
 
 from bkuser_core.categories.plugins.ldap.adaptor import ProfileFieldMapper
 from bkuser_core.categories.plugins.ldap.client import LDAPClient
 from bkuser_core.categories.plugins.ldap.exceptions import FetchUserMetaInfoFailed
 from bkuser_core.user_settings.loader import ConfigProvider
 
+logger = logging.getLogger(__name__)
+
 
 class LoginHandler:
     @staticmethod
@@ -31,13 +35,22 @@ def check(self, profile, password):
         client = LDAPClient(config_loader)
         field_fetcher = ProfileFieldMapper(config_loader)
 
+        logger.debug(
+            "going to search users, object_class: %s, attributes: %s",
+            config_loader["user_class"],
+            field_fetcher.get_user_attributes(),
+        )
         users = client.search(
             object_class=config_loader["user_class"],
             attributes=field_fetcher.get_user_attributes(),
         )
+        logger.debug("search results users: %s", users)
+
+        # NOTE: 1. 如果用户反馈登录一直不成功, 怎么排查? 2.target_dn可能被后面命中的覆盖?
         target_dn = None
         for user in users:
             if not user.get("raw_attributes"):
+                logger.debug("user %s has no raw_attributes, skip", user)
                 continue
 
             if self.fetch_username(field_fetcher, user) == profile.username:
@@ -47,4 +60,5 @@ def check(self, profile, password):
             raise FetchUserMetaInfoFailed("获取用户基本信息失败")
 
         # 检验
+        logger.debug("going to check user, dn: %s", target_dn)
         client.check(username=target_dn, password=password)

src/api/bkuser_core/categories/plugins/ldap/syncer.py

@@ -79,14 +79,22 @@ def _fetch_data(
             else:
                 groups = []
         except Exception as e:
-            logger.exception("failed to get groups from remote server")
+            logger.exception(
+                "failed to get groups from remote server. basic_pull_node: %s, user_group_filter: %s",
+                basic_pull_node,
+                user_group_filter,
+            )
             error_detail = f" ({type(e).__module__}.{type(e).__name__}: {str(e)})"
             raise FetchDataFromRemoteFailed(_("无法获取用户组，请检查配置") + error_detail)
 
         try:
             departments = self.client.search(start_root=basic_pull_node, object_class=organization_class)
         except Exception as e:
-            logger.exception("failed to get departments from remote server")
+            logger.exception(
+                "failed to get departments from remote server. basic_pull_node: %s, organization_class: %s",
+                basic_pull_node,
+                organization_class,
+            )
             error_detail = f" ({type(e).__module__}.{type(e).__name__}: {str(e)})"
             raise FetchDataFromRemoteFailed(_("无法获取组织部门，请检查配置") + error_detail)
 
@@ -97,7 +105,12 @@ def _fetch_data(
                 attributes=attributes or [],
             )
         except Exception as e:
-            logger.exception("failed to get users from remote server")
+            logger.exception(
+                "failed to get users from remote server. basic_pull_node: %s, user_filter: %s, attributes: %s",
+                basic_pull_node,
+                user_filter,
+                attributes,
+            )
             error_detail = f" ({type(e).__module__}.{type(e).__name__}: {str(e)})"
             raise FetchDataFromRemoteFailed(_("无法获取用户数据, 请检查配置") + error_detail)
 
@@ -122,7 +135,7 @@ def fetch_profiles(self, restrict_types: List[str]):
         profiles = []
         for user in users:
             if not user.get("dn"):
-                logger.info("no dn field, skipping for %s", user)
+                logger.warning("no dn field, skipping for profile: %s", user)
                 continue
 
             profiles.append(
@@ -141,7 +154,7 @@ def fetch_departments(self, restrict_types: List[str]):
         results = []
         for is_group, dept_meta in chain.from_iterable(iter([product([False], departments), product([True], groups)])):
             if not dept_meta.get("dn"):
-                logger.info("no dn field, skipping for %s", dept_meta)
+                logger.warning("no dn field, skipping for %s:%s", ("group" if is_group else "department"), dept_meta)
                 continue
             results.append(
                 department_adapter(

src/api/bkuser_core/categories/plugins/local/handlers.py

@@ -25,6 +25,7 @@
 @receiver(post_category_create)
 def make_local_default_settings(sender, instance: "ProfileCategory", **kwargs):
     if instance.type not in [CategoryType.LOCAL.value]:
+        logger.info("category<%s> is not local, skip make_local_default_settings", instance.id)
         return
 
     logger.info("going to make default settings for Category<%s>", instance.id)