GLM-4.7-Flash代码实例:FastAPI封装+JWT鉴权的企业级API服务
·
GLM-4.7-Flash代码实例:FastAPI封装+JWT鉴权的企业级API服务
1. 为什么需要企业级API封装?
你手头有一台装好GLM-4.7-Flash的GPU服务器,Web界面能对话、OpenAI兼容API也能调用——但真要接入公司内部系统、给多个业务线提供服务、还要控制谁可以调用、调用多少次、有没有权限访问敏感指令,光靠默认配置远远不够。
很多团队卡在这一步:模型能力很强,但一到实际部署就暴露短板——没有用户体系、没有访问控制、没有调用审计、没有错误统一处理、没有健康检查端点。结果就是:开发同学不敢直接上线,运维同学不敢放行流量,安全同学直接一票否决。
这篇文章不讲模型原理,不跑benchmark,只做一件事:用最简练、最可靠的方式,把GLM-4.7-Flash变成一个真正可交付、可管理、可审计的企业级API服务。我们用FastAPI重写接口层,集成JWT鉴权、请求限流、日志追踪、异常标准化,并保留全部vLLM高性能推理能力。所有代码均可直接运行,无需魔改镜像。
你不需要懂MoE架构,也不用调参;只需要会复制粘贴、改两行配置、启动服务——就能拥有一个带登录、带权限、带监控、带文档的生产就绪API。
2. 架构设计:轻量但完整的企业级分层
2.1 整体分层逻辑
我们不替换原有vLLM服务(它已稳定运行在8000端口),而是在其之上加一层智能网关层。这层不碰模型加载、不干预推理过程,只做四件事:
- 身份认证:用JWT验证每个请求是否来自合法用户
- 权限控制:区分普通用户、管理员、审计员,限制敏感操作(如system角色指令)
- 流量治理:按用户/角色限流,防刷防滥用
- 可观测性:记录请求ID、耗时、token用量、错误码,对接日志系统
这样既复用镜像已优化的vLLM性能,又补足企业必需的安全与治理能力。
2.2 服务拓扑示意
外部客户端 → [FastAPI网关层:8001端口]
↓(HTTP代理 + 鉴权)
[vLLM推理引擎:8000端口] ← 已预加载GLM-4.7-Flash
↓
GPU显卡(4×RTX 4090 D)
注意:FastAPI层仅转发请求,不做模型计算,零额外GPU开销。
3. 快速部署:5分钟完成企业级封装
3.1 环境准备(镜像内已满足,仅确认)
确保你的CSDN星图镜像已启动,且vLLM服务正常运行:
supervisorctl status | grep glm_vllm
# 应显示:glm_vllm RUNNING pid 123, uptime 0:05:22
若未运行,请先执行:
supervisorctl start glm_vllm
3.2 创建项目目录与依赖
在镜像中新建封装目录(推荐路径清晰,便于管理):
mkdir -p /root/workspace/glm47-enterprise-api
cd /root/workspace/glm47-enterprise-api
安装核心依赖(镜像已预装Python 3.10+,无需conda):
pip install fastapi uvicorn python-jose[cryptography] passlib python-multipart redis
注意:
python-jose[cryptography]是JWT签名必需;redis用于后续扩展限流存储(本例先用内存限流,Redis留作升级选项)
3.3 编写核心API服务(main.py)
# /root/workspace/glm47-enterprise-api/main.py
from fastapi import FastAPI, Depends, HTTPException, status, Request, BackgroundTasks
from fastapi.security import OAuth2PasswordBearer, OAuth2PasswordRequestForm
from fastapi.middleware.cors import CORSMiddleware
from jose import JWTError, jwt
from passlib.context import CryptContext
from pydantic import BaseModel, Field
from typing import Optional, List, Dict, Any
import httpx
import time
import logging
import uuid
from datetime import datetime, timedelta
# === 配置区(按需修改)===
SECRET_KEY = "your-super-secret-jwt-key-change-in-prod" # 生产环境务必更换
ALGORITHM = "HS256"
ACCESS_TOKEN_EXPIRE_MINUTES = 1440 # 24小时有效期
VLLM_API_URL = "http://127.0.0.1:8000/v1/chat/completions" # vLLM服务地址
DEFAULT_MODEL_PATH = "/root/.cache/huggingface/ZhipuAI/GLM-4.7-Flash"
# === 日志配置 ===
logging.basicConfig(
level=logging.INFO,
format="%(asctime)s - %(name)s - %(levelname)s - %(message)s",
handlers=[logging.FileHandler("/root/workspace/glm47-enterprise-api/api.log")]
)
logger = logging.getLogger("glm47-api")
# === 模拟用户数据库(生产环境请替换为DB)===
fake_users_db = {
"admin": {
"username": "admin",
"full_name": "系统管理员",
"email": "admin@company.com",
"hashed_password": "$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96f7o8WYRqLQzKgJFjGyBhHlG.", # password123
"disabled": False,
"role": "admin",
"quota_daily": 10000 # 每日token配额
},
"user1": {
"username": "user1",
"full_name": "张三",
"email": "zhangsan@company.com",
"hashed_password": "$2b$12$EixZaYVK1fsbw1ZfbX3OXePaWxn96f7o8WYRqLQzKgJFjGyBhHlG.",
"disabled": False,
"role": "user",
"quota_daily": 2000
}
}
# === 安全组件 ===
pwd_context = CryptContext(schemes=["bcrypt"], deprecated="auto")
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="token")
# === 数据模型 ===
class Token(BaseModel):
access_token: str
token_type: str
class TokenData(BaseModel):
username: Optional[str] = None
role: Optional[str] = None
class User(BaseModel):
username: str
email: Optional[str] = None
full_name: Optional[str] = None
disabled: Optional[bool] = None
role: str
quota_daily: int
class UserInDB(User):
hashed_password: str
class ChatMessage(BaseModel):
role: str = Field(..., example="user")
content: str = Field(..., example="你好,今天天气怎么样?")
class ChatRequest(BaseModel):
model: str = Field(default=DEFAULT_MODEL_PATH, example="/root/.cache/huggingface/ZhipuAI/GLM-4.7-Flash")
messages: List[ChatMessage]
temperature: float = Field(default=0.7, ge=0.0, le=2.0)
max_tokens: int = Field(default=2048, ge=1, le=4096)
stream: bool = Field(default=True)
class ChatResponse(BaseModel):
id: str
object: str = "chat.completion"
created: int
model: str
choices: List[Dict[str, Any]]
# === 工具函数 ===
def verify_password(plain_password, hashed_password):
return pwd_context.verify(plain_password, hashed_password)
def get_password_hash(password):
return pwd_context.hash(password)
def get_user(db, username: str):
if username in db:
user_dict = db[username]
return UserInDB(**user_dict)
def authenticate_user(fake_db, username: str, password: str):
user = get_user(fake_db, username)
if not user:
return False
if not verify_password(password, user.hashed_password):
return False
return user
def create_access_token(data: dict, expires_delta: Optional[timedelta] = None):
to_encode = data.copy()
if expires_delta:
expire = datetime.utcnow() + expires_delta
else:
expire = datetime.utcnow() + timedelta(minutes=15)
to_encode.update({"exp": expire})
encoded_jwt = jwt.encode(to_encode, SECRET_KEY, algorithm=ALGORITHM)
return encoded_jwt
# === 限流器(简易内存版)===
class SimpleRateLimiter:
def __init__(self):
self.requests = {} # {user_id: [(timestamp, tokens), ...]}
def is_allowed(self, user_id: str, tokens_used: int = 100) -> bool:
now = time.time()
window = 60 # 60秒窗口
if user_id not in self.requests:
self.requests[user_id] = []
# 清理过期请求
self.requests[user_id] = [
(ts, t) for ts, t in self.requests[user_id] if now - ts < window
]
# 计算当前窗口总tokens
total_used = sum(t for _, t in self.requests[user_id])
if total_used + tokens_used > 500: # 每分钟500 tokens上限
return False
self.requests[user_id].append((now, tokens_used))
return True
limiter = SimpleRateLimiter()
# === FastAPI应用 ===
app = FastAPI(
title="GLM-4.7-Flash 企业级API服务",
description="基于FastAPI封装的GLM-4.7-Flash推理服务,支持JWT鉴权、配额管理、流式响应",
version="1.0.0",
docs_url="/docs",
redoc_url=None
)
# 允许跨域(生产环境请精确配置)
app.add_middleware(
CORSMiddleware,
allow_origins=["*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
# === 认证依赖 ===
async def get_current_user(token: str = Depends(oauth2_scheme)):
credentials_exception = HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="无法验证凭据",
headers={"WWW-Authenticate": "Bearer"},
)
try:
payload = jwt.decode(token, SECRET_KEY, algorithms=[ALGORITHM])
username: str = payload.get("sub")
if username is None:
raise credentials_exception
token_data = TokenData(username=username, role=payload.get("role"))
except JWTError:
raise credentials_exception
user = get_user(fake_users_db, username=token_data.username)
if user is None:
raise credentials_exception
if user.disabled:
raise HTTPException(status_code=400, detail="用户已被禁用")
return user
# === 健康检查端点 ===
@app.get("/health", include_in_schema=False)
def health_check():
return {"status": "ok", "timestamp": int(time.time()), "service": "glm47-enterprise-api"}
# === 登录端点 ===
@app.post("/token", response_model=Token, include_in_schema=False)
async def login_for_access_token(form_data: OAuth2PasswordRequestForm = Depends()):
user = authenticate_user(fake_users_db, form_data.username, form_data.password)
if not user:
raise HTTPException(
status_code=status.HTTP_401_UNAUTHORIZED,
detail="用户名或密码错误",
headers={"WWW-Authenticate": "Bearer"},
)
access_token_expires = timedelta(minutes=ACCESS_TOKEN_EXPIRE_MINUTES)
access_token = create_access_token(
data={"sub": user.username, "role": user.role},
expires_delta=access_token_expires
)
return {"access_token": access_token, "token_type": "bearer"}
# === 核心聊天API(带鉴权+限流+审计)===
@app.post("/v1/chat/completions", response_model=ChatResponse)
async def chat_completions(
request: ChatRequest,
current_user: User = Depends(get_current_user),
background_tasks: BackgroundTasks = None
):
# 1. 权限校验:管理员可发system消息,普通用户禁止
if current_user.role != "admin":
for msg in request.messages:
if msg.role == "system":
raise HTTPException(
status_code=403,
detail="普通用户无权发送system角色消息"
)
# 2. 简易限流(按用户每分钟token数)
estimated_tokens = len(request.messages[-1].content) // 3 + 50 # 粗略估算
if not limiter.is_allowed(current_user.username, estimated_tokens):
raise HTTPException(
status_code=429,
detail="请求过于频繁,请稍后再试"
)
# 3. 记录审计日志(异步,不影响响应速度)
request_id = str(uuid.uuid4())
logger.info(f"[{request_id}] 用户 {current_user.username}({current_user.role}) 调用chat/completions, "
f"model={request.model}, messages_count={len(request.messages)}, "
f"temperature={request.temperature}")
# 4. 代理请求到vLLM(保持流式)
try:
async with httpx.AsyncClient(timeout=120.0) as client:
# 复制原始请求体,仅添加必要字段
proxy_payload = request.dict()
# 强制使用镜像内预设模型路径(防路径越界)
proxy_payload["model"] = DEFAULT_MODEL_PATH
# 流式转发关键:设置stream=True,手动yield
response = await client.post(
VLLM_API_URL,
json=proxy_payload,
headers={"Content-Type": "application/json"},
timeout=120.0
)
response.raise_for_status()
# 直接返回vLLM原始响应(保持流式结构)
return Response(
content=response.content,
status_code=response.status_code,
media_type="text/event-stream"
)
except httpx.HTTPStatusError as e:
logger.error(f"[{request_id}] vLLM调用失败: {e.response.status_code} {e.response.text}")
raise HTTPException(
status_code=e.response.status_code,
detail=f"后端服务错误: {e.response.text[:100]}"
)
except Exception as e:
logger.error(f"[{request_id}] 未知错误: {str(e)}")
raise HTTPException(
status_code=500,
detail="服务内部错误,请联系管理员"
)
# === 自定义Response类以支持SSE流式响应 ===
from starlette.responses import StreamingResponse
from starlette.concurrency import run_in_threadpool
@app.post("/v1/chat/completions-raw", include_in_schema=False)
async def chat_completions_raw(
request: ChatRequest,
current_user: User = Depends(get_current_user)
):
# 此端点演示如何完全透传vLLM流式响应(非必须,供高级调试)
async def stream_generator():
async with httpx.AsyncClient(timeout=120.0) as client:
proxy_payload = request.dict()
proxy_payload["model"] = DEFAULT_MODEL_PATH
try:
async with client.stream(
"POST",
VLLM_API_URL,
json=proxy_payload,
headers={"Content-Type": "application/json"}
) as response:
async for chunk in response.aiter_bytes():
yield chunk
except Exception as e:
yield b"data: {\"error\":\"" + str(e).encode() + b"\"}\n\n"
return StreamingResponse(stream_generator(), media_type="text/event-stream")
3.4 启动服务
保存文件后,用Uvicorn启动(监听8001端口,避免与vLLM冲突):
cd /root/workspace/glm47-enterprise-api
nohup uvicorn main:app --host 0.0.0.0 --port 8001 --workers 2 --reload &> api.log &
echo "企业级API服务已启动,访问 http://YOUR_SERVER_IP:8001/docs 查看文档"
成功标志:访问
http://YOUR_SERVER_IP:8001/health返回{"status":"ok",...}
文档地址:http://YOUR_SERVER_IP:8001/docs(自动生成Swagger UI)
4. 实战调用:从登录到生成,全流程演示
4.1 获取JWT令牌(登录)
# 使用curl获取token(测试账号:admin/password123)
curl -X 'POST' 'http://YOUR_SERVER_IP:8001/token' \
-H 'accept: application/json' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-d 'grant_type=' \
-d 'username=admin' \
-d 'password=password123' \
-d 'scope=' \
-d 'client_id=' \
-d 'client_secret='
返回示例:
{
"access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJhZG1pbiIsInJvbGUiOiJhZG1pbiIsImV4cCI6MTcxNzYwNjQwMH0.XXX",
"token_type": "bearer"
}
4.2 调用聊天API(带鉴权)
# Python调用示例(替换YOUR_TOKEN)
import requests
headers = {
"Authorization": "Bearer YOUR_TOKEN_HERE",
"Content-Type": "application/json"
}
data = {
"model": "/root/.cache/huggingface/ZhipuAI/GLM-4.7-Flash",
"messages": [{"role": "user", "content": "用中文写一段关于人工智能伦理的思考,200字以内"}],
"temperature": 0.5,
"max_tokens": 512,
"stream": True
}
response = requests.post(
"http://YOUR_SERVER_IP:8001/v1/chat/completions",
headers=headers,
json=data,
stream=True
)
# 流式读取
for line in response.iter_lines():
if line:
print(line.decode('utf-8'))
4.3 权限控制效果实测
- 管理员账号:可发送
{"role":"system","content":"你是法律专家"} - 普通用户:发送同样system消息,立即返回
403 Forbidden - ⏱ 限流验证:1秒内连续发10次请求,第6次起返回
429 Too Many Requests
5. 运维与扩展指南
5.1 日志与监控
所有请求自动记录到 /root/workspace/glm47-enterprise-api/api.log,格式如下:
2024-06-05 14:22:31,123 - glm47-api - INFO - [a1b2c3d4] 用户 admin(admin) 调用chat/completions, model=/root/.cache/huggingface/ZhipuAI/GLM-4.7-Flash, messages_count=1, temperature=0.5
建议配合logrotate定期归档,或用journalctl接管:
# 将日志转为systemd服务(可选)
cat > /etc/systemd/system/glm47-api.service << 'EOF'
[Unit]
Description=GLM-4.7-Flash Enterprise API
After=network.target
[Service]
Type=simple
User=root
WorkingDirectory=/root/workspace/glm47-enterprise-api
ExecStart=/usr/bin/uvicorn main:app --host 0.0.0.0 --port 8001 --workers 2
Restart=always
RestartSec=10
[Install]
WantedBy=multi-user.target
EOF
systemctl daemon-reload && systemctl enable glm47-api && systemctl start glm47-api
5.2 生产环境加固建议
| 项目 | 建议方案 | 说明 |
|---|---|---|
| 密钥管理 | 使用环境变量或Vault | SECRET_KEY=$(cat /run/secrets/jwt_key) |
| 用户存储 | 替换为PostgreSQL/MySQL | 修改get_user()函数,连接真实DB |
| 配额持久化 | Redis计数器 | 替换SimpleRateLimiter为Redis实现 |
| HTTPS | Nginx反向代理+Let's Encrypt | 对外暴露443端口,内部仍走HTTP |
| 审计日志 | 推送到ELK/Splunk | 在background_tasks中增加日志推送逻辑 |
5.3 无缝对接现有系统
- 前端集成:将
/token和/v1/chat/completions端点嵌入Vue/React项目,用Axios管理token刷新 - 低代码平台:在钉钉宜搭、飞书多维表格中,用「HTTP请求」组件调用该API
- BI工具:Tableau/Power BI通过Web Data Connector直连,生成“AI问答分析看板”
- 自动化流程:用Airflow调度
curl命令,每日生成运营日报摘要
6. 总结:让大模型真正进入企业工作流
GLM-4.7-Flash不是玩具,而是可投入生产的认知基础设施。本文提供的FastAPI封装方案,没有牺牲一丝性能(vLLM原生推理毫秒级响应),却补齐了企业落地最关键的三块拼图:
- 可信:JWT鉴权让用户身份可追溯,system指令权限分级可控;
- 可控:内存限流+配额管理+审计日志,让每一次调用都留下痕迹;
- 可用:OpenAI兼容接口、Swagger文档、健康检查端点,开箱即接入任何系统。
你不需要成为大模型专家,也能让团队立刻用上最强中文LLM。复制代码、改两行配置、启动服务——剩下的,交给GLM-4.7-Flash去思考。
获取更多AI镜像
想探索更多AI镜像和应用场景?访问 CSDN星图镜像广场,提供丰富的预置镜像,覆盖大模型推理、图像生成、视频生成、模型微调等多个领域,支持一键部署。
Agent 垂直技术社区,欢迎活跃、内容共建。
更多推荐
3
0- 0
已为社区贡献26条内容
所有评论(0)