diff --git a/jperm/ansible_api.py b/jperm/ansible_api.py
index 5ce5fe35f..1de8ef609 100644
--- a/jperm/ansible_api.py
+++ b/jperm/ansible_api.py
@@ -284,10 +284,10 @@ class Tasks(Command):
 """ push the ssh authorized key to target. """
- module_args = 'user="%s" key="{{ lookup("file", "%s") }}"' % (user, key_path)
+ module_args = 'user="%s" key="{{ lookup("file", "%s") }}" state=present' % (user, key_path)
 self.__run(module_args, "authorized_key")
- return {"status": "failed","msg": self.msg} if self.msg else {"status": "ok"}
+ return {"status": "failed", "msg": self.msg} if self.msg else {"status": "ok"}
 def push_multi_key(self, **user_info): """
@@ -318,12 +318,15 @@ class Tasks(Command):
 return {"status": "failed", "msg": self.msg} if self.msg else {"status": "ok"}
- def add_user(self, username, password):
+ def add_user(self, username, password=''):
 """ add a host user. """
- encrypt_pass = sha512_crypt.encrypt(password)
- module_args = 'name=%s shell=/bin/bash password=%s' % (username, encrypt_pass)
+ if password:
+ encrypt_pass = sha512_crypt.encrypt(password)
+ module_args = 'name=%s shell=/bin/bash password=%s' % (username, encrypt_pass)
+ else:
+ module_args = 'name=%s shell=/bin/bash' % username
 self.__run(module_args, "user")
 return {"status": "failed", "msg": self.msg} if self.msg else {"status": "ok"}
diff --git a/jperm/models.py b/jperm/models.py
index d8c0052fd..e153f554c 100644
--- a/jperm/models.py
+++ b/jperm/models.py
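Review bot: The rewritten `module_args` line splices `user` and `key_path` into the Ansible argument string with `%s` and no quoting, so a role name containing a double quote, a space or `}}` changes how `user="%s"` and the `lookup("file", …)` template are parsed on the managed host. Since this line is being touched anyway, either validate the name before building the string (a POSIX-style check such as `re.match(r'^[a-z_][a-z0-9_-]*$', user)`, if role names are not already validated on input) or, if `__run` (outside the hunk) accepts a dict of module arguments, pass them as a dict instead of a formatted string. `state=present` is the module's default, so the added token changes nothing by itself. The `def push_key` line is above the hunk.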
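Review bot: The new default `password=''` changes add_user's contract — a missing or empty password now creates the account without setting any password instead of failing — but the docstring `add a host user.` does not say so, and callers that previously had to supply a password will not notice. Suggest `"""Add a host user. When *password* is empty the account is created without a password being set; otherwise it is stored as a sha512-crypt hash."""`. As in push_key, `name=%s` is interpolated unquoted, so the same name validation applies here.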
@@ -59,7 +59,9 @@ class PermPush(models.Model):
 date_added = models.DateTimeField(auto_now=True)
 asset = models.ManyToManyField(Asset, related_name='perm_push')
 asset_group = models.ManyToManyField(AssetGroup, related_name='perm_push')
- role = models.ManyToManyField(PermRole, related_name='perm_push')
+ role = models.ForeignKey(PermRole, related_name='perm_push')
 is_public_key = models.BooleanField(default=False)
 is_password = models.BooleanField(default=False)
+ success = models.BooleanField(default=False)
+ result = models.TextField()
diff --git a/jperm/urls.py b/jperm/urls.py
index 4d84ed325..1e2ccf4cd 100644
--- a/jperm/urls.py
+++ b/jperm/urls.py
@@ -12,7 +12,7 @@ urlpatterns = patterns('jperm.views',
 (r'^role/perm_role_delete/$', perm_role_delete),
 (r'^role/perm_role_detail/$', perm_role_detail),
 (r'^role/perm_role_edit/$', perm_role_edit),
- (r'^role/perm_role_push/$', perm_role_push),
+ (r'^role/push/$', perm_role_push),
 (r'^sudo/$', perm_sudo_list),
 (r'^sudo/perm_sudo_add/$', perm_sudo_add),
 (r'^sudo/perm_sudo_delete/$', perm_sudo_delete),
diff --git a/jperm/views.py b/jperm/views.py
index ba4f993f2..86c8a5de4 100644
--- a/jperm/views.py
+++ b/jperm/views.py
@@ -263,6 +263,11 @@ def perm_role_add(request):
 try:
 if get_object(PermRole, name=name):
 raise ServerError('已经存在该用户 %s' % name)
+ default = get_object(Setting, name='default')
+ if default and name == default.field1:
+ raise ServerError('与默认管理账号同名')
+ if name == 'root':
+ raise ServerError('不能为root')
 if password:
 encrypt_pass = CRYPTOR.encrypt(password)
 else:
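Review bot: `role = models.ForeignKey(PermRole, related_name='perm_push')` relies on the implicit cascade delete, so deleting a PermRole now also deletes every PermPush record that documents where that account was pushed; for a record that is effectively an audit trail, `on_delete=models.PROTECT` (or `SET_NULL` with `null=True`) is the safer choice. `result = models.TextField()` lacks `blank=True`, so any model form will reject a push record whose result is empty. The `get_push_info` filter later in this diff still calls `push.role.all()`, which no longer exists on a ForeignKey. Changing a ManyToMany to a ForeignKey also needs a schema migration or table change that this diff does not show.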
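Review bot: The reserved-name checks are applied only on creation and only as exact matches against `'root'` and the default admin account, so if perm_role_edit (outside this diff) allows renaming, a role can still be renamed to `root` afterwards and later pushed through `task.add_user`, which would reset root's password on every target. Put the names in one place and use it from both views, e.g. `RESERVED_ROLE_NAMES = ('root',)` and `if name in RESERVED_ROLE_NAMES or (default and name == default.field1):`. What `default.field1` holds is not visible here; a comment such as `# field1 of the 'default' Setting is the default admin username — confirm` would help the next reader. The rest of perm_role_add lies outside the hunk.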
@@ -398,15 +403,13 @@ def perm_role_push(request): """ # 渲染数据
 header_title, path1, path2 = "系统角色", "角色管理", "角色推送"
-
- roles = PermRole.objects.all()
+ role_id = request.GET.get('id')
+ role = get_object(PermRole, id=role_id)
 assets = Asset.objects.all()
 asset_groups = AssetGroup.objects.all()
 if request.method == "POST": # 获取推荐角色的名称列表
- role_ids = request.POST.getlist("roles")
- # 计算出需要推送的资产列表
 asset_ids = request.POST.getlist("assets")
 asset_group_ids = request.POST.getlist("asset_groups")
@@ -434,13 +437,7 @@ def perm_role_push(request): # "password": password})
 push_resource = gen_resource(calc_assets)
- # 获取角色的推送方式,以及推送需要的信息
- roles_obj = [PermRole.objects.get(id=role_id) for role_id in role_ids]
- role_pass = {}
- role_key = {}
- for role in roles_obj:
- role_pass[role.name] = role.password
- role_key[role.name] = os.path.join(role.key_path, 'id_rsa.pub')
+ logger.debug('推送role res: %s' % push_resource)
 # 调用Ansible API 进行推送
 password_push = request.POST.get("use_password")
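Review bot: `role = get_object(PermRole, id=role_id)` is never checked for `None`, yet the POST branch in the later hunks dereferences `role.name`, `role.password` and `role.sudo`, so a request to `/role/push/` without a valid `?id=` fails with AttributeError after the asset lists have already been computed. Add a guard directly after the lookup, e.g. `if not role: return HttpResponse(u"不支持该操作")`, mirroring the response the file already uses. Because the role id is now read from the query string even on POST, the push form must submit back to the same URL with `?id=` preserved; worth a comment on the `role_id` line. perm_role_push continues outside this hunk.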
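Review bot: `logger.debug('推送role res: %s' % push_resource)` writes the entire inventory returned by gen_resource to the log; the commented-out `# "password": password})` just above suggests that structure carries per-host login credentials, in which case a debug log level puts asset passwords in plaintext on disk. Log only what troubleshooting needs, such as the number of hosts or their names, and never the resource dict itself. If gen_resource strips credentials before returning, a comment stating that would settle the question.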
@@ -452,34 +449,31 @@ def perm_role_push(request): # 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项 # 1. 以password 方式推送角色
 if password_push:
- ret["password_push"] = task.add_multi_user(**role_pass)
+ ret["password_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
 if ret["password_push"].get("status") != "success":
 ret_failed["step1"] == "failed" # 2. 以秘钥 方式推送角色
 if key_push:
- ret["password_push"] = task.add_multi_user(**role_pass)
- if ret["password_push"].get("status") != "success":
+ ret["password_push"] = task.add_user(role.name)
+ if ret["password_push"].get("status") != "ok":
 ret_failed["step2-1"] = "failed"
- ret["key_push"] = task.push_multi_key(**role_key)
- if ret["key_push"].get("status") != "success":
+ ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
+ if ret["key_push"].get("status") != "ok":
 ret_failed["step2-2"] = "failed" # 3. 推送sudo配置文件
- role_chosen_aliase = {} # {'dev': 'NETWORKING, SHUTDOWN', 'sa': 'NETWORKING, SHUTDOWN'}
- sudo_alias = set() # set(sudo1, sudo2, sudo3)
- for role in roles_obj:
- sudos = set([sudo for sudo in role.sudo.all()])
- sudo_alias.update(sudos)
- role_chosen_aliase[role.name] = ','.join(sudo.name for sudo in sudos)
+ role_chosen_aliase = {} # {'dev': 'NETWORKING, SHUTDOWN'}
+ sudo_alias = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3)
+ role_chosen_aliase[role.name] = ','.join(sudo.name for sudo in sudo_alias)
 add_sudo_script = get_add_sudo_script(role_chosen_aliase, sudo_alias)
- ret_sudo = task.push_sudo_file(add_sudo_script)
+ ret['sudo'] = task.push_sudo_file(add_sudo_script)
- if ret_sudo["step1"] != "ok" or ret_sudo["step2"] != "ok":
+ if ret['sudo']["step1"] != "ok" or ret['sudo']["step2"] != "ok":
 ret_failed["step3"] = "failed"
 os.remove(add_sudo_script)
- print ret
+ logger.debug('推送role结果: %s' % ret)
 # 结果汇总统计
 if ret_failed: # 推送失败
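Review bot: The status check right after the new `task.add_user(role.name, CRYPTOR.decrypt(role.password))` still compares against `"success"`, while add_user returns `"ok"` or `"failed"` (ansible_api.py hunk), so the password push is always judged failed; the line under it uses `==` where `=` is meant, so `ret_failed["step1"] == "failed"` either raises KeyError or does nothing, depending on what `ret_failed` is (constructed outside the hunk). Change them to `if ret["password_push"].get("status") != "ok":` and `ret_failed["step1"] = "failed"`, matching the key-push branch that this commit did correct. Separately, the key-push branch stores its add_user result under the same `ret["password_push"]` key, so when both options are selected the password-push result is overwritten before it is reported.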
@@ -491,7 +485,7 @@ def perm_role_push(request):
 push.save()
 push.asset_group = asset_groups_obj
 push.asset = calc_assets
- push.role = roles_obj
+ push.role = role
 push.save()
 return my_render('jperm/perm_role_push.html', locals(), request)
@@ -592,5 +586,7 @@ def perm_sudo_delete(request):
 return HttpResponse(u"不支持该操作")
-
+def role_push_list(request):
+ push_all = PermPush.objects.all()
+ return my_render('jperm/role_push_list.html', locals(), request)
diff --git a/jumpserver/templatetags/mytags.py b/jumpserver/templatetags/mytags.py
index 8adfb724a..2adb62deb 100644
--- a/jumpserver/templatetags/mytags.py
+++ b/jumpserver/templatetags/mytags.py
@@ -5,7 +5,7 @@ import ast
 import time
 from django import template
-# from jperm.models import CmdGroup
+from jperm.models import PermPush
 from jumpserver.api import *
 from jasset.models import AssetAlias
@@ -259,3 +259,16 @@ def role_contain_which_sudos(role):
 sudo_names = [sudo.name for sudo in role.sudo.all()]
 return ','.join(sudo_names)
+
+@register.filter(name='get_push_info')
+def get_push_info(push_id, arg):
+ push = get_object(PermPush, id=push_id)
+ if push and arg:
+ if arg == 'asset':
+ return [asset.hostname for asset in push.asset.all()]
+ if arg == 'asset_group':
+ return [asset_group.name for asset_group in push.asset_group.all()]
+ if arg == 'role':
+ return [role.name for role in push.role.all()]
+ else:
+ return []
diff --git a/juser/views.py b/juser/views.py
index dc02487a7..f204a53c5 100644
--- a/juser/views.py
+++ b/juser/views.py
@@ -146,7 +146,7 @@ def user_add(request):
 error = ''
 msg = ''
 header_title, path1, path2 = '添加用户', '用户管理', '添加用户'
- user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'}
+ user_role = {'SU': u'超级管理员', 'CU': u'普通用户'}
 group_all = UserGroup.objects.all()
 if request.method == 'POST':
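Review bot: `push.role = role` records the role, but nothing in this hunk sets the `success` and `result` fields that this commit adds to PermPush; unless they are assigned where `push` is constructed (above the hunk), every record is saved with `success=False` and an empty `result`, which makes the new role_push_list view report every push as failed. The outcome is already in scope here, so something like `push.success = not ret_failed` and `push.result = str(ret)` before the second `push.save()` would fill them in. The start of perm_role_push is outside the hunk.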
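Review bot: `role_push_list` carries no access-control decorator while it exposes every PermPush record, including the new free-text `result` field that will hold Ansible output for each target; if the other jperm views are guarded by a permission decorator defined outside this diff, the same one belongs here. The view is also not registered in jperm/urls.py in this commit (that hunk only renames the push route), so it is unreachable until a route is added. A one-line docstring, `"""List every recorded role push."""`, would match the surrounding views.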
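Review bot: `return [role.name for role in push.role.all()]` is broken by the model change in this same commit — `PermPush.role` is now a ForeignKey, so `push.role` is a single PermRole with no `.all()`; it should read `return [push.role.name]`. The filter also returns `None` rather than `[]` when `arg` is any value other than the three handled, because the trailing `else` belongs to the outer `if`; moving `return []` to the end of the function gives every path a list. Each call is a database lookup, so a template calling the filter three times per row issues three queries per push; passing the PermPush object from the view instead of its id avoids that.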
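Review bot: The `user_role` choices dict is now duplicated verbatim in user_add and in user_edit (next hunk), which is how the two drifted apart in the first place; a module-level `USER_ROLE = {'SU': u'超级管理员', 'CU': u'普通用户'}` referenced from both views keeps them in step. Dropping `'GA'` from the display dict does not touch existing users whose role is `'GA'` or the model's choices (outside this diff); if the edit form validates the submitted role against `user_role`, those users cannot be edited until their role is migrated.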
@@ -349,7 +349,7 @@ def user_edit(request):
 if not user_id: return HttpResponseRedirect('/')
- user_role = {'SU': u'超级管理员', 'GA': u'组管理员', 'CU': u'普通用户'}
+ user_role = {'SU': u'超级管理员', 'CU': u'普通用户'}
 user = get_object(User, id=user_id)
 group_all = UserGroup.objects.all()
 if user:
diff --git a/templates/jasset/asset_add.html b/templates/jasset/asset_add.html
index 210d583d4..d2761a3b0 100644
--- a/templates/jasset/asset_add.html
+++ b/templates/jasset/asset_add.html
@@ -48,7 +48,6 @@ {{ af.ip|bootstrap_horizontal }}
Tips: 如果IP地址不填写, IP默认会设置与主机名一致
-Tips: 管理用户为root或用户拥有NOPASSWD:ALL sudo权限的用户
-详情 编辑 + 推送 |