核心模块设计: CI管理、关系管理、自动发现、权限控制、操作审计
2025/9/7大约 16 分钟
配置管理数据库(CMDB)作为企业IT运维的核心基础设施,其核心模块的设计直接决定了系统的功能完整性、性能表现和用户体验。一个优秀的CMDB系统需要具备完善的CI管理、关系管理、自动发现、权限控制和操作审计等核心模块。本文将深入探讨这些核心模块的设计原理、实现方法和最佳实践。
核心模块设计的重要性
为什么核心模块设计至关重要?
核心模块是CMDB系统的功能基石,其设计质量直接影响系统的整体表现:
- 功能完整性:核心模块决定了系统能够提供哪些功能
- 性能表现:模块设计影响系统的响应速度和处理能力
- 可维护性:良好的模块设计便于系统维护和升级
- 扩展能力:模块化设计支持未来的功能扩展
- 用户体验:核心模块的易用性直接影响用户满意度
核心模块设计原则
1. 高内聚低耦合
每个模块应该具有高度的内聚性,专注于特定的功能领域,同时模块之间保持低耦合:
# 高内聚的CI管理模块
class CIManager:
def __init__(self, storage_engine):
self.storage_engine = storage_engine
self.validator = CIValidator()
self.lifecycle_manager = CILifecycleManager()
def create_ci(self, ci_data):
"""创建CI"""
# 数据验证
if not self.validator.validate(ci_data):
raise ValidationError("CI数据验证失败")
# 生命周期管理
ci_id = self.lifecycle_manager.create(ci_data)
# 存储
self.storage_engine.save_ci(ci_id, ci_data)
return ci_id
def update_ci(self, ci_id, update_data):
"""更新CI"""
# 权限检查
if not self._check_permission(ci_id, 'update'):
raise PermissionError("权限不足")
# 更新操作
self.storage_engine.update_ci(ci_id, update_data)
# 触发事件
self._trigger_event('ci_updated', ci_id, update_data)2. 可扩展性设计
模块设计应该支持未来的功能扩展:
# 插件化的关系管理模块
class RelationshipManager:
def __init__(self):
self.relationship_types = {}
self.calculators = {}
def register_relationship_type(self, type_name, calculator):
"""注册关系类型和计算器"""
self.relationship_types[type_name] = calculator
self.calculators[type_name] = calculator
def calculate_relationships(self, ci_data):
"""计算所有类型的关系"""
relationships = []
for type_name, calculator in self.calculators.items():
try:
type_relationships = calculator.calculate(ci_data)
relationships.extend(type_relationships)
except Exception as e:
logger.error(f"关系计算失败 {type_name}: {str(e)}")
return relationships3. 容错性设计
模块应该具备良好的容错能力:
class FaultTolerantModule:
def __init__(self):
self.retry_policy = RetryPolicy(max_attempts=3)
self.circuit_breaker = CircuitBreaker()
def execute_with_fault_tolerance(self, operation):
"""带容错机制的操作执行"""
if not self.circuit_breaker.is_closed():
raise ServiceUnavailable("服务暂时不可用")
try:
return self.retry_policy.execute(operation)
except Exception as e:
self.circuit_breaker.record_failure()
raise eCI管理模块设计
核心功能
CI管理模块是CMDB系统的核心,负责配置项的全生命周期管理:
- CI创建:支持手动创建和自动发现创建
- CI查询:提供多种查询方式和过滤条件
- CI更新:支持属性更新和状态变更
- CI删除:安全的删除机制
- CI生命周期管理:管理CI的状态转换
架构设计
1. CI模型设计
class CIModel:
def __init__(self):
self.attributes = {}
self.relationships = []
self.metadata = {}
def set_attribute(self, name, value):
"""设置属性"""
self.attributes[name] = value
def get_attribute(self, name, default=None):
"""获取属性"""
return self.attributes.get(name, default)
def add_relationship(self, relationship):
"""添加关系"""
self.relationships.append(relationship)
def get_relationships(self, relationship_type=None):
"""获取关系"""
if relationship_type:
return [r for r in self.relationships
if r.type == relationship_type]
return self.relationships
class CISchema:
def __init__(self, ci_type):
self.ci_type = ci_type
self.required_attributes = set()
self.optional_attributes = set()
self.attribute_validators = {}
def validate(self, ci_data):
"""验证CI数据"""
# 检查必需属性
missing_attrs = self.required_attributes - set(ci_data.keys())
if missing_attrs:
raise ValidationError(f"缺少必需属性: {missing_attrs}")
# 验证属性值
for attr_name, value in ci_data.items():
validator = self.attribute_validators.get(attr_name)
if validator and not validator.validate(value):
raise ValidationError(f"属性 {attr_name} 验证失败")
return True2. CI操作管理
class CIOperations:
def __init__(self, storage_engine, event_bus):
self.storage_engine = storage_engine
self.event_bus = event_bus
self.lock_manager = LockManager()
def create_ci(self, ci_type, ci_data):
"""创建CI"""
# 获取类型schema
schema = self._get_schema(ci_type)
# 验证数据
if not schema.validate(ci_data):
raise ValidationError("CI数据验证失败")
# 生成CI ID
ci_id = self._generate_ci_id(ci_type)
# 设置元数据
ci_data['_id'] = ci_id
ci_data['_type'] = ci_type
ci_data['_created_time'] = datetime.now()
ci_data['_status'] = 'active'
# 保存到存储引擎
self.storage_engine.save_ci(ci_id, ci_data)
# 发布事件
self.event_bus.publish('ci_created', {
'ci_id': ci_id,
'ci_type': ci_type,
'data': ci_data
})
return ci_id
def update_ci(self, ci_id, update_data):
"""更新CI"""
# 获取锁
with self.lock_manager.acquire_lock(f"ci:{ci_id}"):
# 获取当前数据
current_data = self.storage_engine.get_ci(ci_id)
if not current_data:
raise CIError(f"CI {ci_id} 不存在")
# 合并更新数据
updated_data = {**current_data, **update_data}
updated_data['_updated_time'] = datetime.now()
# 验证更新数据
ci_type = current_data['_type']
schema = self._get_schema(ci_type)
if not schema.validate(updated_data):
raise ValidationError("更新数据验证失败")
# 保存更新
self.storage_engine.update_ci(ci_id, updated_data)
# 发布事件
self.event_bus.publish('ci_updated', {
'ci_id': ci_id,
'ci_type': ci_type,
'old_data': current_data,
'new_data': updated_data
})
def delete_ci(self, ci_id):
"""删除CI"""
# 检查依赖关系
dependencies = self._check_dependencies(ci_id)
if dependencies:
raise CIError(f"CI {ci_id} 存在依赖关系,无法删除")
# 获取当前数据
current_data = self.storage_engine.get_ci(ci_id)
if not current_data:
raise CIError(f"CI {ci_id} 不存在")
# 标记为已删除
current_data['_status'] = 'deleted'
current_data['_deleted_time'] = datetime.now()
# 保存更新
self.storage_engine.update_ci(ci_id, current_data)
# 发布事件
self.event_bus.publish('ci_deleted', {
'ci_id': ci_id,
'ci_type': current_data['_type'],
'data': current_data
})查询优化
1. 索引设计
class CIIndexManager:
def __init__(self, storage_engine):
self.storage_engine = storage_engine
self.indexes = {}
def create_index(self, ci_type, attribute_name):
"""创建索引"""
index_key = f"{ci_type}:{attribute_name}"
# 在存储引擎中创建索引
self.storage_engine.create_index(ci_type, attribute_name)
# 缓存索引信息
self.indexes[index_key] = {
'ci_type': ci_type,
'attribute': attribute_name,
'created_time': datetime.now()
}
def query_by_index(self, ci_type, attribute_name, attribute_value):
"""基于索引查询"""
index_key = f"{ci_type}:{attribute_name}"
if index_key not in self.indexes:
raise IndexError(f"索引 {index_key} 不存在")
return self.storage_engine.query_by_index(
ci_type, attribute_name, attribute_value)2. 缓存策略
class CICacheManager:
def __init__(self):
self.l1_cache = LRUCache(maxsize=10000) # 内存缓存
self.l2_cache = RedisCache() # 分布式缓存
def get_ci(self, ci_id):
"""获取CI,带缓存"""
# 先查L1缓存
ci_data = self.l1_cache.get(ci_id)
if ci_data:
return ci_data
# 再查L2缓存
ci_data = self.l2_cache.get(ci_id)
if ci_data:
# 回填L1缓存
self.l1_cache.set(ci_id, ci_data)
return ci_data
# 缓存未命中,从存储引擎获取
return None
def update_cache(self, ci_id, ci_data):
"""更新缓存"""
self.l1_cache.set(ci_id, ci_data)
self.l2_cache.set(ci_id, ci_data, ttl=3600) # 1小时过期关系管理模块设计
核心功能
关系管理模块负责维护配置项之间的各种关系:
- 关系定义:支持多种关系类型的定义
- 关系创建:支持手动和自动创建关系
- 关系查询:提供灵活的关系查询能力
- 关系计算:自动计算和推导关系
- 关系可视化:支持关系的图形化展示
架构设计
1. 关系模型
class Relationship:
def __init__(self, source_ci_id, target_ci_id, relationship_type):
self.source_ci_id = source_ci_id
self.target_ci_id = target_ci_id
self.type = relationship_type
self.attributes = {}
self.metadata = {
'created_time': datetime.now(),
'created_by': None,
'confidence': 1.0
}
def set_attribute(self, name, value):
"""设置关系属性"""
self.attributes[name] = value
def get_attribute(self, name, default=None):
"""获取关系属性"""
return self.attributes.get(name, default)
class RelationshipType:
def __init__(self, name, description, direction='bidirectional'):
self.name = name
self.description = description
self.direction = direction # 'unidirectional', 'bidirectional'
self.attributes = []
self.rules = []
def add_rule(self, rule):
"""添加关系规则"""
self.rules.append(rule)
def validate(self, relationship):
"""验证关系"""
for rule in self.rules:
if not rule.validate(relationship):
return False
return True2. 关系操作
class RelationshipOperations:
def __init__(self, storage_engine, ci_manager):
self.storage_engine = storage_engine
self.ci_manager = ci_manager
self.relationship_types = {}
def register_relationship_type(self, rel_type):
"""注册关系类型"""
self.relationship_types[rel_type.name] = rel_type
def create_relationship(self, source_ci_id, target_ci_id,
relationship_type, attributes=None):
"""创建关系"""
# 验证CI存在性
if not self.ci_manager.exists(source_ci_id):
raise CIError(f"源CI {source_ci_id} 不存在")
if not self.ci_manager.exists(target_ci_id):
raise CIError(f"目标CI {target_ci_id} 不存在")
# 获取关系类型
rel_type = self.relationship_types.get(relationship_type)
if not rel_type:
raise RelationshipError(f"关系类型 {relationship_type} 未注册")
# 创建关系对象
relationship = Relationship(source_ci_id, target_ci_id, relationship_type)
# 设置属性
if attributes:
for name, value in attributes.items():
relationship.set_attribute(name, value)
# 验证关系
if not rel_type.validate(relationship):
raise RelationshipError("关系验证失败")
# 保存关系
self.storage_engine.save_relationship(relationship)
return relationship
def delete_relationship(self, source_ci_id, target_ci_id, relationship_type):
"""删除关系"""
self.storage_engine.delete_relationship(
source_ci_id, target_ci_id, relationship_type)
def get_relationships(self, ci_id, relationship_type=None):
"""获取CI的关系"""
return self.storage_engine.get_relationships(ci_id, relationship_type)3. 关系计算引擎
class RelationshipCalculator:
def __init__(self):
self.calculators = {}
def register_calculator(self, relationship_type, calculator):
"""注册关系计算器"""
self.calculators[relationship_type] = calculator
def calculate_relationships(self, ci_data):
"""计算CI的关系"""
relationships = []
for rel_type, calculator in self.calculators.items():
try:
rels = calculator.calculate(ci_data)
relationships.extend(rels)
except Exception as e:
logger.error(f"关系计算失败 {rel_type}: {str(e)}")
return relationships
# 网络连接关系计算器示例
class NetworkConnectionCalculator:
def calculate(self, ci_data):
"""计算网络连接关系"""
relationships = []
# 如果是服务器CI
if ci_data.get('_type') == 'server':
# 获取网络接口信息
network_interfaces = ci_data.get('network_interfaces', [])
for interface in network_interfaces:
ip_address = interface.get('ip_address')
if ip_address:
# 查找连接到同一网段的其他设备
connected_devices = self._find_connected_devices(ip_address)
for device in connected_devices:
relationship = Relationship(
ci_data['_id'], device['_id'], 'connected_to')
relationship.set_attribute('interface', interface['name'])
relationship.set_attribute('ip_address', ip_address)
relationships.append(relationship)
return relationships自动发现模块设计
核心功能
自动发现模块负责自动识别和采集IT环境中的配置项:
- 设备发现:自动发现网络中的设备
- 服务发现:自动发现运行的服务和应用
- 关系发现:自动发现配置项之间的关系
- 变更检测:检测配置项的变更
- 发现调度:管理发现任务的执行计划
架构设计
1. 发现器设计
class Discoverer:
def __init__(self, name, discovery_type):
self.name = name
self.type = discovery_type
self.config = {}
def configure(self, config):
"""配置发现器"""
self.config = config
def discover(self, target):
"""执行发现"""
raise NotImplementedError("子类必须实现discover方法")
class NetworkDiscoverer(Discoverer):
def __init__(self):
super().__init__('network_discoverer', 'network')
def discover(self, network_range):
"""发现网络设备"""
discovered_devices = []
# 执行ping扫描
active_hosts = self._ping_scan(network_range)
# 对每个活跃主机执行详细扫描
for host in active_hosts:
try:
device_info = self._detailed_scan(host)
if device_info:
discovered_devices.append(device_info)
except Exception as e:
logger.error(f"扫描主机 {host} 失败: {str(e)}")
return discovered_devices
def _ping_scan(self, network_range):
"""Ping扫描"""
# 实现ping扫描逻辑
pass
def _detailed_scan(self, host):
"""详细扫描"""
# 实现详细扫描逻辑
pass
class ApplicationDiscoverer(Discoverer):
def __init__(self):
super().__init__('application_discoverer', 'application')
def discover(self, server_info):
"""发现应用"""
applications = []
# 通过SSH连接到服务器
ssh_client = SSHClient()
try:
ssh_client.connect(server_info['ip_address'])
# 发现运行的进程
processes = self._discover_processes(ssh_client)
# 发现安装的软件
software = self._discover_software(ssh_client)
# 发现运行的服务
services = self._discover_services(ssh_client)
# 组装应用信息
for process in processes:
app_info = {
'type': 'application',
'name': process['name'],
'version': process.get('version'),
'pid': process['pid'],
'server_id': server_info['_id']
}
applications.append(app_info)
finally:
ssh_client.close()
return applications2. 发现调度器
class DiscoveryScheduler:
def __init__(self):
self.discoverers = {}
self.schedules = {}
self.task_queue = TaskQueue()
def register_discoverer(self, discoverer):
"""注册发现器"""
self.discoverers[discoverer.name] = discoverer
def schedule_discovery(self, discoverer_name, target, schedule):
"""调度发现任务"""
if discoverer_name not in self.discoverers:
raise DiscoveryError(f"发现器 {discoverer_name} 未注册")
schedule_id = self._generate_schedule_id()
self.schedules[schedule_id] = {
'discoverer_name': discoverer_name,
'target': target,
'schedule': schedule,
'next_run_time': self._calculate_next_run(schedule)
}
return schedule_id
def run_discovery_task(self, schedule_id):
"""执行发现任务"""
schedule = self.schedules.get(schedule_id)
if not schedule:
raise DiscoveryError(f"调度任务 {schedule_id} 不存在")
discoverer = self.discoverers.get(schedule['discoverer_name'])
if not discoverer:
raise DiscoveryError(f"发现器 {schedule['discoverer_name']} 不存在")
# 执行发现
try:
discovered_items = discoverer.discover(schedule['target'])
# 处理发现结果
self._process_discovery_results(discovered_items)
# 更新下次执行时间
schedule['next_run_time'] = self._calculate_next_run(
schedule['schedule'])
except Exception as e:
logger.error(f"发现任务执行失败: {str(e)}")
raise3. 变更检测
class ChangeDetector:
def __init__(self, storage_engine):
self.storage_engine = storage_engine
self.detectors = {}
def register_detector(self, ci_type, detector):
"""注册变更检测器"""
self.detectors[ci_type] = detector
def detect_changes(self, ci_id, new_data):
"""检测CI变更"""
# 获取当前数据
current_data = self.storage_engine.get_ci(ci_id)
if not current_data:
# 新CI,不是变更
return None
# 获取变更检测器
ci_type = current_data.get('_type')
detector = self.detectors.get(ci_type)
if detector:
# 使用专门的检测器
changes = detector.detect(current_data, new_data)
else:
# 使用通用检测器
changes = self._generic_change_detection(current_data, new_data)
if changes:
return {
'ci_id': ci_id,
'ci_type': ci_type,
'changes': changes,
'timestamp': datetime.now()
}
return None
def _generic_change_detection(self, old_data, new_data):
"""通用变更检测"""
changes = []
# 检查所有属性
all_keys = set(old_data.keys()) | set(new_data.keys())
for key in all_keys:
old_value = old_data.get(key)
new_value = new_data.get(key)
if old_value != new_value:
changes.append({
'attribute': key,
'old_value': old_value,
'new_value': new_value
})
return changes权限控制模块设计
核心功能
权限控制模块确保系统的安全访问:
- 身份认证:验证用户身份
- 权限授权:控制用户访问权限
- 角色管理:管理用户角色和权限映射
- 资源访问控制:控制对具体资源的访问
- 会话管理:管理用户会话状态
架构设计
1. RBAC模型实现
class RBACManager:
def __init__(self):
self.roles = {}
self.users = {}
self.permissions = set()
def create_role(self, role_name, description=None):
"""创建角色"""
self.roles[role_name] = {
'name': role_name,
'description': description,
'permissions': set(),
'users': set()
}
def assign_permission_to_role(self, role_name, permission):
"""为角色分配权限"""
if role_name not in self.roles:
raise RBACError(f"角色 {role_name} 不存在")
self.roles[role_name]['permissions'].add(permission)
self.permissions.add(permission)
def assign_user_to_role(self, username, role_name):
"""为用户分配角色"""
if role_name not in self.roles:
raise RBACError(f"角色 {role_name} 不存在")
if username not in self.users:
self.users[username] = {
'roles': set(),
'permissions': set()
}
self.users[username]['roles'].add(role_name)
self.roles[role_name]['users'].add(username)
def check_permission(self, username, permission):
"""检查用户是否有权限"""
if username not in self.users:
return False
user = self.users[username]
# 直接权限
if permission in user['permissions']:
return True
# 角色权限
for role_name in user['roles']:
role = self.roles.get(role_name)
if role and permission in role['permissions']:
return True
return False
# 权限定义
class Permission:
CI_READ = 'ci:read'
CI_WRITE = 'ci:write'
CI_DELETE = 'ci:delete'
RELATIONSHIP_READ = 'relationship:read'
RELATIONSHIP_WRITE = 'relationship:write'
REPORT_READ = 'report:read'
ADMIN = 'admin:*'2. 资源级权限控制
class ResourceAccessController:
def __init__(self, rbac_manager):
self.rbac_manager = rbac_manager
self.resource_policies = {}
def set_resource_policy(self, resource_type, resource_id, policy):
"""设置资源访问策略"""
policy_key = f"{resource_type}:{resource_id}"
self.resource_policies[policy_key] = policy
def check_resource_access(self, username, resource_type,
resource_id, action):
"""检查资源访问权限"""
# 先检查全局权限
global_permission = f"{resource_type}:{action}"
if self.rbac_manager.check_permission(username, global_permission):
return True
# 再检查资源级策略
policy_key = f"{resource_type}:{resource_id}"
policy = self.resource_policies.get(policy_key)
if policy:
return policy.check_access(username, action)
# 默认拒绝
return False
class ResourcePolicy:
def __init__(self, resource_type, resource_id):
self.resource_type = resource_type
self.resource_id = resource_id
self.allowed_users = set()
self.allowed_roles = set()
self.denied_users = set()
def allow_user(self, username):
"""允许用户访问"""
self.allowed_users.add(username)
def allow_role(self, role_name):
"""允许角色访问"""
self.allowed_roles.add(role_name)
def deny_user(self, username):
"""拒绝用户访问"""
self.denied_users.add(username)
def check_access(self, username, action):
"""检查访问权限"""
# 检查是否被明确拒绝
if username in self.denied_users:
return False
# 检查是否被明确允许
if username in self.allowed_users:
return True
# 检查角色
user_roles = self._get_user_roles(username)
if any(role in self.allowed_roles for role in user_roles):
return True
return False3. 会话管理
class SessionManager:
def __init__(self, config):
self.config = config
self.sessions = {}
self.session_store = SessionStore()
def create_session(self, user_info):
"""创建会话"""
session_id = self._generate_session_id()
session_data = {
'session_id': session_id,
'user_info': user_info,
'created_time': datetime.now(),
'last_access_time': datetime.now(),
'expires_at': datetime.now() + timedelta(
seconds=self.config.session_timeout)
}
# 存储会话
self.session_store.save(session_id, session_data)
self.sessions[session_id] = session_data
return session_id
def validate_session(self, session_id):
"""验证会话"""
session_data = self.sessions.get(session_id)
if not session_data:
# 从存储中加载
session_data = self.session_store.get(session_id)
if not session_data:
return None
self.sessions[session_id] = session_data
# 检查是否过期
if datetime.now() > session_data['expires_at']:
self.destroy_session(session_id)
return None
# 更新最后访问时间
session_data['last_access_time'] = datetime.now()
self.session_store.update(session_id, session_data)
return session_data
def destroy_session(self, session_id):
"""销毁会话"""
if session_id in self.sessions:
del self.sessions[session_id]
self.session_store.delete(session_id)操作审计模块设计
核心功能
操作审计模块记录所有关键操作,确保系统的可追溯性:
- 操作日志:记录用户操作日志
- 变更审计:记录配置项变更历史
- 安全审计:记录安全相关事件
- 报表生成:生成审计报表
- 告警机制:对异常操作进行告警
架构设计
1. 审计日志管理
class AuditLogger:
def __init__(self, config):
self.config = config
self.log_store = LogStore()
self.log_queue = LogQueue()
def log_operation(self, operation_type, user, resource, details=None):
"""记录操作日志"""
log_entry = {
'timestamp': datetime.now(),
'operation_type': operation_type,
'user': user,
'resource': resource,
'details': details or {},
'ip_address': self._get_client_ip(),
'user_agent': self._get_user_agent()
}
# 异步记录日志
self.log_queue.enqueue(log_entry)
def log_change(self, ci_id, change_type, old_value, new_value, user):
"""记录变更日志"""
change_log = {
'timestamp': datetime.now(),
'change_type': change_type,
'ci_id': ci_id,
'old_value': old_value,
'new_value': new_value,
'user': user,
'reason': self._get_change_reason()
}
self.log_store.save_change_log(change_log)
def log_security_event(self, event_type, severity, details):
"""记录安全事件"""
security_log = {
'timestamp': datetime.now(),
'event_type': event_type,
'severity': severity,
'details': details,
'source_ip': self._get_source_ip()
}
self.log_store.save_security_log(security_log)
# 检查是否需要告警
if severity >= self.config.security_alert_threshold:
self._trigger_security_alert(security_log)
class LogStore:
def __init__(self):
self.operation_logs = []
self.change_logs = []
self.security_logs = []
def save_operation_log(self, log_entry):
"""保存操作日志"""
self.operation_logs.append(log_entry)
# 同时保存到持久化存储
self._persist_operation_log(log_entry)
def save_change_log(self, change_log):
"""保存变更日志"""
self.change_logs.append(change_log)
# 同时保存到持久化存储
self._persist_change_log(change_log)
def save_security_log(self, security_log):
"""保存安全日志"""
self.security_logs.append(security_log)
# 同时保存到持久化存储
self._persist_security_log(security_log)2. 审计查询和分析
class AuditAnalyzer:
def __init__(self, log_store):
self.log_store = log_store
def query_operation_logs(self, filters=None, limit=100):
"""查询操作日志"""
return self.log_store.query_operation_logs(filters, limit)
def query_change_history(self, ci_id, date_range=None):
"""查询变更历史"""
return self.log_store.query_change_logs(ci_id, date_range)
def generate_audit_report(self, report_type, date_range):
"""生成审计报表"""
if report_type == 'operation_summary':
return self._generate_operation_summary(date_range)
elif report_type == 'change_analysis':
return self._generate_change_analysis(date_range)
elif report_type == 'security_events':
return self._generate_security_report(date_range)
else:
raise AuditError(f"不支持的报表类型: {report_type}")
def _generate_operation_summary(self, date_range):
"""生成操作摘要报表"""
logs = self.log_store.query_operation_logs_by_date(date_range)
# 统计各类操作数量
operation_counts = {}
user_activities = {}
for log in logs:
op_type = log['operation_type']
user = log['user']
operation_counts[op_type] = operation_counts.get(op_type, 0) + 1
user_activities[user] = user_activities.get(user, 0) + 1
return {
'period': date_range,
'total_operations': len(logs),
'operation_distribution': operation_counts,
'active_users': user_activities,
'generated_time': datetime.now()
}3. 异常检测和告警
class AnomalyDetector:
def __init__(self, audit_analyzer, alert_manager):
self.audit_analyzer = audit_analyzer
self.alert_manager = alert_manager
self.baseline_profiles = {}
def build_baseline_profile(self, user, days=30):
"""构建用户行为基线"""
date_range = (datetime.now() - timedelta(days=days), datetime.now())
logs = self.audit_analyzer.query_operation_logs(
{'user': user}, limit=10000)
# 分析用户行为模式
profile = {
'user': user,
'normal_operations': self._analyze_normal_operations(logs),
'typical_access_times': self._analyze_access_times(logs),
'common_resources': self._analyze_common_resources(logs),
'created_time': datetime.now()
}
self.baseline_profiles[user] = profile
return profile
def detect_anomalies(self, recent_logs):
"""检测异常行为"""
anomalies = []
for log in recent_logs:
user = log['user']
profile = self.baseline_profiles.get(user)
if not profile:
continue
# 检查操作是否异常
if self._is_anomalous_operation(log, profile):
anomaly = {
'type': 'unusual_operation',
'log': log,
'severity': 'medium',
'details': '执行了不常见的操作'
}
anomalies.append(anomaly)
# 检查访问时间是否异常
if self._is_anomalous_time(log, profile):
anomaly = {
'type': 'unusual_time',
'log': log,
'severity': 'low',
'details': '在不常见的时间访问系统'
}
anomalies.append(anomaly)
# 发送告警
for anomaly in anomalies:
self.alert_manager.send_alert(anomaly)
return anomalies
def _is_anomalous_operation(self, log, profile):
"""判断操作是否异常"""
operation_type = log['operation_type']
normal_operations = profile['normal_operations']
# 如果操作类型不在正常范围内,认为是异常
return operation_type not in normal_operations模块间协作机制
事件驱动架构
class EventBus:
def __init__(self):
self.subscribers = {}
def subscribe(self, event_type, handler):
"""订阅事件"""
if event_type not in self.subscribers:
self.subscribers[event_type] = []
self.subscribers[event_type].append(handler)
def publish(self, event_type, data):
"""发布事件"""
handlers = self.subscribers.get(event_type, [])
for handler in handlers:
try:
handler(data)
except Exception as e:
logger.error(f"事件处理失败 {event_type}: {str(e)}")
# 模块间事件处理示例
def on_ci_created(event_data):
"""CI创建事件处理"""
ci_id = event_data['ci_id']
# 触发关系计算
relationship_manager.calculate_and_save_relationships(ci_id)
# 记录审计日志
audit_logger.log_operation('ci_create',
event_data['user'],
ci_id,
event_data['data'])
def on_ci_updated(event_data):
"""CI更新事件处理"""
ci_id = event_data['ci_id']
# 检查是否需要重新计算关系
if _needs_relationship_recalculation(event_data):
relationship_manager.calculate_and_save_relationships(ci_id)
# 记录变更日志
audit_logger.log_change(ci_id,
'attribute_update',
event_data['old_data'],
event_data['new_data'],
event_data['user'])
# 注册事件处理器
event_bus.subscribe('ci_created', on_ci_created)
event_bus.subscribe('ci_updated', on_ci_updated)性能优化策略
1. 缓存优化
class MultiLevelCache:
def __init__(self):
self.l1_cache = {} # 内存缓存
self.l2_cache = RedisClient() # Redis缓存
def get(self, key):
"""多级缓存获取"""
# 先查内存缓存
if key in self.l1_cache:
return self.l1_cache[key]
# 再查Redis缓存
value = self.l2_cache.get(key)
if value:
# 回填内存缓存
self.l1_cache[key] = value
return value
return None
def set(self, key, value, ttl=3600):
"""多级缓存设置"""
# 同时设置到两级缓存
self.l1_cache[key] = value
self.l2_cache.set(key, value, ex=ttl)2. 数据库优化
class OptimizedStorage:
def __init__(self):
self.db_pool = DatabasePool()
self.read_replicas = []
def query_with_replica(self, query):
"""使用读副本查询"""
# 负载均衡选择读副本
replica = self._select_replica()
return replica.execute(query)
def batch_operations(self, operations):
"""批量操作"""
with self.db_pool.get_connection() as conn:
with conn.transaction():
for op in operations:
op.execute(conn)安全设计
1. 数据加密
class DataEncryption:
def __init__(self, config):
self.config = config
self.key_manager = KeyManager()
def encrypt_sensitive_data(self, data):
"""加密敏感数据"""
if isinstance(data, dict):
encrypted_data = {}
for key, value in data.items():
if key in self.config.sensitive_fields:
encrypted_data[key] = self._encrypt_value(value)
else:
encrypted_data[key] = value
return encrypted_data
else:
return self._encrypt_value(data)
def decrypt_sensitive_data(self, data):
"""解密敏感数据"""
if isinstance(data, dict):
decrypted_data = {}
for key, value in data.items():
if key in self.config.sensitive_fields:
decrypted_data[key] = self._decrypt_value(value)
else:
decrypted_data[key] = value
return decrypted_data
else:
return self._decrypt_value(data)2. 输入验证
class InputValidator:
def __init__(self):
self.validators = {}
def register_validator(self, field_name, validator):
"""注册验证器"""
self.validators[field_name] = validator
def validate_input(self, data):
"""验证输入数据"""
errors = []
for field_name, value in data.items():
validator = self.validators.get(field_name)
if validator:
try:
validator.validate(value)
except ValidationError as e:
errors.append({
'field': field_name,
'error': str(e)
})
if errors:
raise ValidationError("输入验证失败", errors)
return True总结
CMDB系统的核心模块设计是确保系统功能完整性、性能表现和用户体验的关键。通过深入理解CI管理、关系管理、自动发现、权限控制和操作审计等核心模块的设计原理和实现方法,可以构建出高质量的CMDB系统。
在实际实施过程中,需要注意:
- 模块化设计:每个模块应该具有清晰的职责边界
- 松耦合:模块间通过定义良好的接口进行协作
- 可扩展性:设计应该支持未来的功能扩展
- 性能优化:在关键路径上实施性能优化措施
- 安全防护:在每个模块中都要考虑安全防护措施
只有深入理解核心模块的设计原则和实现方法,才能构建出真正满足企业需求的CMDB系统,为企业的数字化转型提供有力支撑。