TencentBlueKing · IMBlues · Nov 3, 2021 · Nov 3, 2021
diff --git a/deploy/helm/bk-user-stack/values.yaml b/deploy/helm/bk-user-stack/values.yaml
@@ -14,6 +14,8 @@ global:
     BK_PAAS_URL: "http://paas.example.com"
     # ESB Api 访问地址
     BK_COMPONENT_API_URL: "http://bkapi.example.com"
+    # 由于用户管理先于权限中心拉起，所以默认禁用，后期所有产品就绪后，可手动开启
+    ENABLE_IAM: false
 
 bkuserapi:
   enabeld: true

diff --git a/deploy/helm/saas/values.yaml b/deploy/helm/saas/values.yaml
@@ -81,8 +81,6 @@ env:
   BK_LOGIN_API_URL: "http://bk-login-web"
   # 容器化版本默认采用子域名形式暴露服务
   SITE_URL: "/"
-  # 由于用户管理先于权限中心拉起，所以默认禁用，后期所有产品就绪后，可手动开启
-  DISABLE_IAM: true
 
 envFrom: []
 

diff --git a/src/api/bkuser_core/categories/handlers.py b/src/api/bkuser_core/categories/handlers.py
@@ -13,6 +13,7 @@
 from bkuser_core.bkiam.constants import IAMAction, ResourceType
 from bkuser_core.bkiam.helper import IAMHelper
 from bkuser_core.categories.signals import post_category_create
+from django.conf import settings
 from django.dispatch import receiver
 
 from .plugins.ldap.handlers import create_sync_tasks, delete_sync_tasks, update_sync_tasks  # noqa
@@ -24,6 +25,10 @@
 @receiver(post_category_create)
 def create_creator_actions(sender, instance, **kwargs):
     """请求权限中心，创建新建关联权限记录"""
+    if not settings.ENABLE_IAM:
+        logger.info("skip creation of resource_creator_action (category related) due to ENABLE_IAM is false")
+        return
+
     logger.info("going to create resource_creator_action for Category<%s>", instance.id)
     helper = IAMHelper()
     try:

diff --git a/src/api/bkuser_core/config/common/platform.py b/src/api/bkuser_core/config/common/platform.py
@@ -60,7 +60,7 @@
 # 权限中心相关配置
 # ==============================================================================
 # 默认启用，禁用时会跳过权限校验步骤
-ENABLE_IAM = True
+ENABLE_IAM = env.bool("ENABLE_IAM", default=True)
 
 
 def get_iam_config(app_id: str, app_token: str) -> dict:

diff --git a/src/saas/bkuser_shell/common/viewset.py b/src/saas/bkuser_shell/common/viewset.py
@@ -82,7 +82,7 @@ def get_api_client_by_request(self, request, force_action_id: str = "", no_auth:
             headers.update({settings.CLIENT_IP_FROM_SAAS_HEADER: ip})
 
         action_id = force_action_id or self.ACTION_ID
-        if not no_auth and action_id and not settings.DISABLE_IAM:
+        if not no_auth and action_id and settings.ENABLE_IAM:
             # 需要走 iam 主动标记
             headers.update(
                 {

diff --git a/src/saas/bkuser_shell/config/common/platform.py b/src/saas/bkuser_shell/config/common/platform.py
@@ -54,7 +54,7 @@
 API_IAM_ACTION_ID_HEADER_NAME = "Action-Id"
 
 # 默认开启 IAM，但是可以通过部署的环境变量关闭
-DISABLE_IAM = env.bool("DISABLE_IAM", default=False)
+ENABLE_IAM = env.bool("ENABLE_IAM", default=True)
 
 # 特殊标记从 SaaS 请求到 Api 的 IP
 CLIENT_IP_FROM_SAAS_HEADER = "Client-IP-From-SaaS"