feat(default.py): add ENABLE_MULTI_TENANT_MODE

src/dashboard/apigateway/apigateway/apis/open/urls.py

@@ -16,6 +16,7 @@
 # We undertake not to change the open source license (MIT license) applicable
 # to the current version of the project delivered to anyone in the future.
 #
+from django.conf import settings
 from django.urls import include, path
 
 from apigateway.apis.open.esb.permission import views as esb_permission_views
@@ -87,27 +88,29 @@
     path("", include("apigateway.apis.open.monitor.urls")),
 ]
 
-urlpatterns += [
-    path("esb/systems/", include("apigateway.apis.open.esb.system.urls")),
-    path("esb/systems/<int:system_id>/permissions/", include("apigateway.apis.open.esb.permission.urls")),
-    path(
-        "esb/systems/permissions/renew/",
-        esb_permission_views.AppPermissionRenewAPIView.as_view({"post": "renew"}),
-        name="openapi.esb.permission.renew",
-    ),
-    path(
-        "esb/systems/permissions/app-permissions/",
-        esb_permission_views.AppPermissionViewSet.as_view({"get": "list"}),
-        name="openapi.esb.permission.app-permissions",
-    ),
-    path(
-        "esb/systems/permissions/apply-records/",
-        esb_permission_views.AppPermissionApplyRecordViewSet.as_view({"get": "list"}),
-        name="openapi.esb.permission.app-records",
-    ),
-    path(
-        "esb/systems/permissions/apply-records/<int:record_id>/",
-        esb_permission_views.AppPermissionApplyRecordViewSet.as_view({"get": "retrieve"}),
-        name="openapi.esb.permission.app-record-detail",
-    ),
-]
+# 非多租户模式才会有 esb 相关的接口
+if not settings.ENABLE_MULTI_TENANT_MODE:
+    urlpatterns += [
+        path("esb/systems/", include("apigateway.apis.open.esb.system.urls")),
+        path("esb/systems/<int:system_id>/permissions/", include("apigateway.apis.open.esb.permission.urls")),
+        path(
+            "esb/systems/permissions/renew/",
+            esb_permission_views.AppPermissionRenewAPIView.as_view({"post": "renew"}),
+            name="openapi.esb.permission.renew",
+        ),
+        path(
+            "esb/systems/permissions/app-permissions/",
+            esb_permission_views.AppPermissionViewSet.as_view({"get": "list"}),
+            name="openapi.esb.permission.app-permissions",
+        ),
+        path(
+            "esb/systems/permissions/apply-records/",
+            esb_permission_views.AppPermissionApplyRecordViewSet.as_view({"get": "list"}),
+            name="openapi.esb.permission.app-records",
+        ),
+        path(
+            "esb/systems/permissions/apply-records/<int:record_id>/",
+            esb_permission_views.AppPermissionApplyRecordViewSet.as_view({"get": "retrieve"}),
+            name="openapi.esb.permission.app-record-detail",
+        ),
+    ]

src/dashboard/apigateway/apigateway/apis/web/docs/urls.py

@@ -15,6 +15,7 @@
 # We undertake not to change the open source license (MIT license) applicable
 # to the current version of the project delivered to anyone in the future.
 #
+from django.conf import settings
 from django.urls import include, path
 
 urlpatterns = [
@@ -26,11 +27,17 @@
     path("gateways/<slug:gateway_name>/resources/", include("apigateway.apis.web.docs.gateway.resource.urls")),
     path("gateways/<slug:gateway_name>/stages/", include("apigateway.apis.web.docs.gateway.stage.urls")),
     path("gateways/<slug:gateway_name>/sdks/", include("apigateway.apis.web.docs.gateway.gateway_sdk.urls")),
-    # esb
-    path("esb/boards/<slug:board>/systems/", include("apigateway.apis.web.docs.esb.system.urls")),
-    path(
-        "esb/boards/<slug:board>/systems/<slug:system_name>/components/",
-        include("apigateway.apis.web.docs.esb.component.urls"),
-    ),
-    path("esb/boards/<slug:board>/sdks/", include("apigateway.apis.web.docs.esb.sdk.urls")),
 ]
+
+
+# 非多租户模式才会有 esb 相关的接口
+if not settings.ENABLE_MULTI_TENANT_MODE:
+    urlpatterns += [
+        # esb
+        path("esb/boards/<slug:board>/systems/", include("apigateway.apis.web.docs.esb.system.urls")),
+        path(
+            "esb/boards/<slug:board>/systems/<slug:system_name>/components/",
+            include("apigateway.apis.web.docs.esb.component.urls"),
+        ),
+        path("esb/boards/<slug:board>/sdks/", include("apigateway.apis.web.docs.esb.sdk.urls")),
+    ]

src/dashboard/apigateway/apigateway/apis/web/plugin/serializers.py

@@ -18,13 +18,14 @@
 
 from typing import Any, Dict
 
+from django.conf import settings
 from django.utils.translation import gettext as _
 from rest_framework import serializers
 from rest_framework.exceptions import ValidationError
 from rest_framework.settings import api_settings
 
 from apigateway.apis.web.plugin.convertor import PluginConfigYamlConvertor
-from apigateway.apps.plugin.constants import PluginBindingScopeEnum
+from apigateway.apps.plugin.constants import PluginBindingScopeEnum, PluginTypeCodeEnum
 from apigateway.apps.plugin.models import PluginConfig, PluginForm, PluginType
 from apigateway.common.fields import CurrentGatewayDefault
 from apigateway.common.plugin.validator import PluginConfigYamlValidator
@@ -157,6 +158,12 @@ def create(self, validated_data):
         if not plugin_type.is_public:
             raise ValidationError(_("此插件类型未公开，不能用于绑定插件。"))
 
+        if (
+            settings.ENABLE_MULTI_TENANT_MODE
+            and plugin_type.code == PluginTypeCodeEnum.BK_VERIFIED_USER_EXEMPTED_APPS.value
+        ):
+            raise ValidationError(_("多租户模式，不支持免用户认证应用白名单插件。"))
+
         return self._update_plugin(
             PluginConfig(gateway=validated_data["gateway"], type=validated_data["type_id"]), validated_data
         )

src/dashboard/apigateway/apigateway/biz/access_log/constants.py

@@ -17,6 +17,7 @@
 #
 import re
 
+from django.conf import settings
 from django.utils.translation import gettext_lazy as _
 
 ES_LOG_FIELDS = [
@@ -153,6 +154,17 @@
 ]
 
 
+# insert into the 3rd position of ES_LOG_FIELDS
+if settings.ENABLE_MULTI_TENANT_MODE:
+    ES_LOG_FIELDS.insert(
+        2,
+        {
+            "label": _("请求租户"),
+            "field": "bk_tenant_id",
+            "is_filter": True,
+        },
+    )
+
 # ES_QUERY_FIELDS = [field["field"] for field in ES_LOG_FIELDS if field["is_filter"]]
 
 

src/dashboard/apigateway/apigateway/biz/gateway/gateway.py

@@ -1,7 +1,7 @@
 # -*- coding: utf-8 -*-
 #
 # TencentBlueKing is pleased to support the open source community by making
-# 蓝鲸智云 - API 网关(BlueKing - APIGateway) available.
+# 蓝鲸智云 - API 网关 (BlueKing - APIGateway) available.
 # Copyright (C) 2017 THL A29 Limited, a Tencent company. All rights reserved.
 # Licensed under the MIT License (the "License"); you may not use this file except
 # in compliance with the License. You may obtain a copy of the License at
@@ -18,6 +18,7 @@
 #
 
 import copy
+import logging
 from collections import defaultdict
 from typing import Any, Dict, List, Optional
 
@@ -40,6 +41,8 @@
 from apigateway.core.models import Backend, BackendConfig, Context, Gateway, Release, Resource, Stage
 from apigateway.utils.dict import deep_update
 
+logger = logging.getLogger(__name__)
+
 
 class GatewayHandler:
     @staticmethod
@@ -112,7 +115,7 @@ def save_auth_config(
         :param api_type: 网关类型，只有 ESB 才能被设置为 SUPER_OFFICIAL_API 网关，网关会将所有请求参数透传给其后端服务
         :param allow_update_api_auth: 是否允许编辑网关资源安全设置中的应用认证配置
         :param unfiltered_sensitive_keys: 网关请求后端时，不去除的敏感字段
-        :param allow_auth_from_params: 网关从请求中获取认证信息时，是否允许从请求参数(querystring, body 等)获取认证信息；如果不允许，则只能从请求头获取
+        :param allow_auth_from_params: 网关从请求中获取认证信息时，是否允许从请求参数 (querystring, body 等) 获取认证信息；如果不允许，则只能从请求头获取
         :param allow_delete_sensitive_params: 网关转发请求到后端时，是否需要删除请求参数（querystring, body 等）中的敏感参数
         """
         new_config: Dict[str, Any] = {}
@@ -135,6 +138,14 @@ def save_auth_config(
         if allow_auth_from_params is not None:
             new_config["allow_auth_from_params"] = allow_auth_from_params
 
+            # 多租户版本，只允许从请求头获取认证信息，如果注册方配置 allow_auth_from_params 为 True，则强制设置为 False
+            if allow_auth_from_params and settings.ENABLE_MULTI_TENANT_MODE:
+                logger.warning(
+                    "multi-tenant mode, allow_auth_from_params=True is not supported, force set to False, gateway_id=%s",
+                    gateway_id,
+                )
+                new_config["allow_auth_from_params"] = False
+
         if allow_delete_sensitive_params is not None:
             new_config["allow_delete_sensitive_params"] = allow_delete_sensitive_params
 

src/dashboard/apigateway/apigateway/components/bk_log.py

@@ -23,8 +23,7 @@
 from bkapi_client_core.apigateway.django_helper import get_client_by_username as get_client_by_username_for_apigateway
 from django.conf import settings
 
-from apigateway.components.bkapi_client.log_search import Client as LogSearchClient
-from apigateway.components.esb_components import get_client_by_username as get_client_by_username_for_esb
+from apigateway.components.bkapi_client.log_search import new_client_cls
 from apigateway.components.handler import RequestAPIHandler
 from apigateway.components.utils import inject_accept_language
 
@@ -46,15 +45,15 @@ def esquery_dsl(self, index: str, body: Any) -> Dict[str, Any]:
         return self._request_handler.parse_api_result(api_result, response, {"result": True}, itemgetter("data"))
 
     def _get_api_client(self) -> OperationGroup:
-        # use gateway: log-search
-        if settings.USE_BKAPI_BK_LOG:
-            apigw_client = get_client_by_username_for_apigateway(LogSearchClient, username="admin")
-            apigw_client.session.register_hook("request", inject_accept_language)
-            return apigw_client.api
-
-        esb_client = get_client_by_username_for_esb("admin")
-        esb_client.session.register_hook("request", inject_accept_language)
-        return esb_client.bk_log
+        # use gateway: log-search(te) / bk-log-search(ee)
+        gateway_name = "bk-log-search"
+        if settings.EDITION == "te":
+            gateway_name = "log-search"
+
+        client_cls = new_client_cls(gateway_name)
+        apigw_client = get_client_by_username_for_apigateway(client_cls, username="admin")
+        apigw_client.session.register_hook("request", inject_accept_language)
+        return apigw_client.api
 
 
 bk_log_component = BKLogComponent()

src/dashboard/apigateway/apigateway/components/bkapi_client/bkmonitorv3.py

@@ -34,3 +34,11 @@ class Client(APIGatewayClient):
     _api_name = "bkmonitorv3"
 
     api = bind_property(Group, name="api")
+
+
+def new_client_cls(api_name: str):
+    class Client(APIGatewayClient):
+        _api_name = api_name
+        api = bind_property(Group, name="api")
+
+    return Client

src/dashboard/apigateway/apigateway/components/bkapi_client/log_search.py

@@ -34,3 +34,11 @@ class Client(APIGatewayClient):
     _api_name = "log-search"
 
     api = bind_property(Group, name="api")
+
+
+def new_client_cls(api_name: str):
+    class Client(APIGatewayClient):
+        _api_name = api_name
+        api = bind_property(Group, name="api")
+
+    return Client

src/dashboard/apigateway/apigateway/components/prometheus.py

@@ -21,10 +21,8 @@
 
 from bkapi_client_core.apigateway import OperationGroup
 from bkapi_client_core.apigateway.django_helper import get_client_by_username as get_client_by_username_for_apigateway
-from django.conf import settings
 
-from apigateway.components.bkapi_client.bkmonitorv3 import Client as BkMonitorV3Client
-from apigateway.components.esb_components import get_client_by_username as get_client_by_username_for_esb
+from apigateway.components.bkapi_client.bkmonitorv3 import new_client_cls
 from apigateway.components.handler import RequestAPIHandler
 
 
@@ -85,13 +83,9 @@ def _promql_query(
 
     def _get_api_client(self) -> OperationGroup:
         # use gateway: bkmonitorv3
-        if settings.USE_BKAPI_BKMONITORV3:
-            apigw_client = get_client_by_username_for_apigateway(BkMonitorV3Client, username="admin")
-            return apigw_client.api
-
-        # use esb api
-        esb_client = get_client_by_username_for_esb("admin")
-        return esb_client.monitor_v3
+        client_cls = new_client_cls("bkmonitorv3")
+        apigw_client = get_client_by_username_for_apigateway(client_cls, username="admin")
+        return apigw_client.api
 
 
 prometheus_component = PrometheusComponent()

src/dashboard/apigateway/apigateway/conf/celery_conf.py

@@ -16,6 +16,8 @@
 # We undertake not to change the open source license (MIT license) applicable
 # to the current version of the project delivered to anyone in the future.
 #
+import os
+
 from celery.schedules import crontab
 
 # celery configuration
@@ -28,13 +30,15 @@
 
 CELERY_BEAT_SCHEDULER = "django_celery_beat.schedulers:DatabaseScheduler"
 
-CELERY_IMPORTS = (
+CELERY_IMPORTS = [
     "apigateway.apps.monitor.tasks",
     "apigateway.apps.metrics.tasks",
     "apigateway.apps.permission.tasks",
-    "apigateway.apps.esb.component.tasks",
     "apigateway.controller.tasks",
-)
+]
+
+if os.getenv("ENABLE_MULTI_TENANT_MODE", "False").lower() not in ("true", "on", "ok", "y", "yes", "1"):
+    CELERY_IMPORTS.append("apigateway.apps.esb.component.tasks")
 
 CELERY_BEAT_SCHEDULE = {
     # "add-every-minute": {