diff --git a/jperm/ansible_api.py b/jperm/ansible_api.py index 1de8ef609..0b54ffd58 100644 --- a/jperm/ansible_api.py +++ b/jperm/ansible_api.py @@ -451,12 +451,12 @@ class Tasks(Command): if not ret1["msg"]: result["step1"] = "ok" else: - result["step1"] = "failed" + result["msg"] = ret1["msg"] if not ret2["msg"] and "failed" not in ret2_status: result["step2"] = "ok" else: - result["step2"] = "failed" + result["msg"] = ret1["msg"] return result diff --git a/jperm/models.py b/jperm/models.py index e153f554c..3a280762e 100644 --- a/jperm/models.py +++ b/jperm/models.py @@ -13,12 +13,6 @@ class PermLog(models.Model): is_finish = models.BooleanField(default=False) -class SysUser(models.Model): - username = models.CharField(max_length=100) - password = models.CharField(max_length=100) - comment = models.CharField(max_length=100, null=True, blank=True, default='') - - class PermSudo(models.Model): name = models.CharField(max_length=100, unique=True) date_added = models.DateTimeField(auto_now=True) @@ -56,12 +50,11 @@ class PermRule(models.Model): class PermPush(models.Model): - date_added = models.DateTimeField(auto_now=True) - asset = models.ManyToManyField(Asset, related_name='perm_push') - asset_group = models.ManyToManyField(AssetGroup, related_name='perm_push') + asset = models.ForeignKey(Asset, related_name='perm_push') role = models.ForeignKey(PermRole, related_name='perm_push') is_public_key = models.BooleanField(default=False) is_password = models.BooleanField(default=False) success = models.BooleanField(default=False) result = models.TextField() + date_added = models.DateTimeField(auto_now=True) diff --git a/jperm/perm_api.py b/jperm/perm_api.py index 4ebfc7d3f..080f1cb39 100644 --- a/jperm/perm_api.py +++ b/jperm/perm_api.py @@ -6,8 +6,7 @@ import uuid import re from jumpserver.models import Setting -from jperm.models import PermRole -from jperm.models import PermRule +from jperm.models import PermRole, PermPush, PermRule def get_group_user_perm(ob): 
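Review bot: The step-2 failure branch stores `ret1["msg"]` where it should store `ret2["msg"]`, so a failing second step reports the first step's (possibly empty) message, and because both branches write the same `result["msg"]` key a step-2 failure also overwrites whatever step 1 recorded. Change the second assignment to `result["msg"] = ret2["msg"]`, or merge the two messages rather than replacing. This matters downstream: perm_role_push only tests `ret['sudo'].get('msg')` for truthiness, so an empty `ret1["msg"]` copied here would make a genuine step-2 failure look like success. The enclosing method of `Tasks` starts outside the hunk.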
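Review bot: PermPush is now used as one row per (role, asset) — perm_role_push looks rows up with `PermPush.objects.filter(role=role, asset=asset)` and updates them in place — but nothing in the model enforces that, so a repeated or concurrent push can leave duplicate rows and get_role_push_host will silently keep whichever one it iterates last. Make the invariant explicit with `class Meta:` / `unique_together = ('role', 'asset')`. Replacing the two many-to-many fields with a ForeignKey is a schema change and no migration appears in this diff; presumably one is generated separately, worth confirming.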
@@ -266,41 +265,21 @@ def get_role_info(role_id, type="all"): return u"不支持的查询" -def get_role_push_host(role, raw=False): +def get_role_push_host(role): """ - get the role push host - :return: the asset object + asset_pushed: {'success': push.success, 'key': push.is_public_key, 'password': push.is_password, + 'result': push.result} + asset_no_push: set(asset1, asset2) """ # 计算该role 所有push记录 总共推送的主机 - assets = [] - asset_groups = [] - for push in role.perm_push.all(): - assets.extend(push.asset.all()) - asset_groups.extend(push.asset_group.all()) - group_assets = [] - for asset_group in asset_groups: - group_assets.extend(asset_group.asset_set.all()) - cacl_assets = set(assets) | set(group_assets) - - if raw: - return {'asset': cacl_assets, 'asset_group': set(asset_groups)} - # 计算所有主机 在push记录里面的 使用密码和使用秘钥状况 - result = [] - for asset in cacl_assets: - all_push = asset.perm_push.all() - if True in [push.is_password for push in all_push if role in push.role.all()]: - is_password = u"是" - else: - is_password = u"否" - if True in [push.is_public_key for push in all_push if role in push.role.all()]: - is_public_key = u"是" - else: - is_public_key = u"否" - result.append({"ip": asset.ip, - "group": ','.join([group.name for group in asset.group.all()]), - "password": is_password, - "pubkey": is_public_key}) - return result + pushs = PermPush.objects.filter(role=role) + asset_all = Asset.objects.all() + asset_pushed = {} + for push in pushs: + asset_pushed[push.asset] = {'success': push.success, 'key': push.is_public_key, 'password': push.is_password, + 'result': push.result} + asset_no_push = set(asset_all) - set(asset_pushed.keys()) + return asset_pushed, asset_no_push if __name__ == "__main__": print get_role_info(1) diff --git a/jperm/views.py b/jperm/views.py index 86c8a5de4..38a003859 100644 --- a/jperm/views.py +++ b/jperm/views.py 
@@ -94,8 +94,8 @@ def perm_rule_add(request): # 获取需要授权的主机列表 assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select] asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select] - # group_assets_obj = [asset for asset in [group.asset_set.all() for group in asset_groups_obj]] - # calc_assets = set(group_assets_obj) | set(assets_obj) + group_assets_obj = [asset for asset in [group.asset_set.all() for group in asset_groups_obj]] + calc_assets = set(group_assets_obj) | set(assets_obj) # 获取需要授权的用户列表 users_obj = [User.objects.get(id=user_id) for user_id in users_select] @@ -105,19 +105,13 @@ def perm_rule_add(request): # 获取授予的角色列表 roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select] - + need_push_asset = set() for role in roles_obj: - push_assets_or_group = get_role_push_host(role=role, raw=True) - push_assets = push_assets_or_group.get('asset') - push_asset_groups = push_assets_or_group.get('asset_group') - no_push_assets = set(assets_obj) - set(push_assets) - no_push_asset_groups = set(asset_groups_obj) - set(push_asset_groups) - if no_push_assets: + asset_no_push = get_role_push_host(role=role)[1] + need_push_asset.update(set(calc_assets) - set(asset_no_push)) + if need_push_asset: raise ServerError(u'没有推送角色 %s 的主机 %s' - % (role.name, ','.join([asset.hostname for asset in no_push_assets]))) - elif no_push_asset_groups: - raise ServerError(u'没有推送角色 %s 的主机组 %s' - % (role.name, ','.join(asset_group.name for asset_group in no_push_asset_groups))) + % (role.name, ','.join([asset.hostname for asset in need_push_asset]))) # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色) rule = PermRule(name=rule_name, comment=rule_comment) 
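Review bot: `group_assets_obj = [asset for asset in [group.asset_set.all() for group in asset_groups_obj]]` iterates a list of QuerySets, so it yields one QuerySet per group rather than the group's assets, and `calc_assets` ends up mixing QuerySet objects with Asset objects; the push check further down then leaves those QuerySets in `need_push_asset` and `asset.hostname` in the error message fails on them. Flatten with a two-clause comprehension: `group_assets_obj = [asset for group in asset_groups_obj for asset in group.asset_set.all()]`. perm_rule_add starts outside the hunk.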
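Review bot: The push gate is inverted: `set(calc_assets) - set(asset_no_push)` yields the hosts that HAVE been pushed, so the view raises '没有推送角色' exactly when the role was pushed and creates the rule unchallenged when it was not. Use the intersection instead: `need_push_asset.update(set(calc_assets) & set(asset_no_push))`. The aggregated set also spans every role in the loop while the message names only the last `role`, so either raise inside the loop per role or collect (role, asset) pairs for the message.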
@@ -264,10 +258,7 @@ def perm_role_add(request): if get_object(PermRole, name=name): raise ServerError('已经存在该用户 %s' % name) default = get_object(Setting, name='default') - if default and name == default.field1: - raise ServerError('与默认管理账号同名') - if name == 'root': - raise ServerError('不能为root') + if password: encrypt_pass = CRYPTOR.encrypt(password) else: @@ -336,7 +327,7 @@ def perm_role_detail(request): asset_groups = role_info.get("asset_groups") users = role_info.get("users") user_groups = role_info.get("user_groups") - push_info = get_role_push_host(PermRole.objects.get(id=role_id)) + pushed_asset, need_push_asset = get_role_push_host(get_object(PermRole, id=role_id)) return my_render('jperm/perm_role_detail.html', locals(), request) @@ -440,8 +431,8 @@ def perm_role_push(request): logger.debug('推送role res: %s' % push_resource) # 调用Ansible API 进行推送 - password_push = request.POST.get("use_password") - key_push = request.POST.get("use_publicKey") + password_push = True if request.POST.get("use_password") else False + key_push = True if request.POST.get("use_publicKey") else False task = Tasks(push_resource) ret = {} ret_failed = {} 
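Review bot: Dropping the `root` / default-admin name checks removes the only guard against creating a PermRole whose name collides with a privileged system account; perm_role_push later runs `task.add_user(role.name, CRYPTOR.decrypt(role.password))` and pushes a sudoers entry for that name, so a role called `root` would reset the root password and sudo rights on every selected asset. Unless there is a reason not visible here, keep both checks: `if name == 'root': raise ServerError('不能为root')` and the matching comparison against `default.field1`. If the checks really are meant to go, `default = get_object(Setting, name='default')` becomes an unused lookup and should go with them. perm_role_add continues outside the hunk.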
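Review bot: `get_object(PermRole, id=role_id)` presumably returns None for an unknown id (elsewhere in this file its result is tested for truthiness), whereas `PermRole.objects.get` raised; `get_role_push_host(None)` then runs `PermPush.objects.filter(role=None)` and the page renders an empty push table instead of signalling the bad id. Bind the lookup and guard it before the call: `role = get_object(PermRole, id=role_id)` / `if role is None: raise ServerError(u'角色不存在')` / `pushed_asset, need_push_asset = get_role_push_host(role)`. perm_role_detail starts outside the hunk.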
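Review bot: `True if request.POST.get("use_password") else False` is the long form of a truthiness cast; `password_push = bool(request.POST.get("use_password"))` and `key_push = bool(request.POST.get("use_publicKey"))` read the same and say the same. Nothing in this hunk rejects a request with both unset, which the write-back logic further down in perm_role_push relies on; the function continues past the hunk.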
@@ -451,43 +442,57 @@ def perm_role_push(request): if password_push: ret["password_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password)) if ret["password_push"].get("status") != "success": - ret_failed["step1"] == "failed" + ret_failed = ret["password_push"].get('msg') # 2. 以秘钥 方式推送角色 if key_push: ret["password_push"] = task.add_user(role.name) if ret["password_push"].get("status") != "ok": - ret_failed["step2-1"] = "failed" + ret_failed = ret["password_push"].get('msg') ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub')) if ret["key_push"].get("status") != "ok": - ret_failed["step2-2"] = "failed" + ret_failed = ret["key_push"].get('msg') # 3. 推送sudo配置文件 - role_chosen_aliase = {} # {'dev': 'NETWORKING, SHUTDOWN'} - sudo_alias = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3) - role_chosen_aliase[role.name] = ','.join(sudo.name for sudo in sudo_alias) - add_sudo_script = get_add_sudo_script(role_chosen_aliase, sudo_alias) - ret['sudo'] = task.push_sudo_file(add_sudo_script) + if password_push or key_push: + role_chosen_aliase = {} # {'dev': 'NETWORKING, SHUTDOWN'} + sudo_alias = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3) + role_chosen_aliase[role.name] = ','.join(sudo.name for sudo in sudo_alias) + add_sudo_script = get_add_sudo_script(role_chosen_aliase, sudo_alias) + ret['sudo'] = task.push_sudo_file(add_sudo_script) - if ret['sudo']["step1"] != "ok" or ret['sudo']["step2"] != "ok": - ret_failed["step3"] = "failed" - os.remove(add_sudo_script) + if ret['sudo'].get('msg'): + ret_failed = ret['sudo'].get('msg') + os.remove(add_sudo_script) logger.debug('推送role结果: %s' % ret) - # 结果汇总统计 - if ret_failed: - # 推送失败 - error = u"推送失败, 原因: %s 失败" % ','.join(ret_failed.keys()) - else: - # 推送成功 回写push表 - msg = u"推送系统角色: %s" % ','.join(role_chosen_aliase.keys()) - push = PermPush(is_public_key=bool(key_push), is_password=bool(password_push)) - push.save() - push.asset_group = 
asset_groups_obj - push.asset = calc_assets - push.role = role - push.save() + logger.debug('推送role错误: %s' % ret_failed) + success_asset = [] + failed_asset = [] + # 推送成功 回写push表 + for asset in calc_assets: + push_check = PermPush.objects.filter(role=role, asset=asset) + if push_check: + func = push_check.update + else: + def func(**kwargs): + PermPush(**kwargs).save() + + if ret_failed.get(asset.hostname): + failed_asset.append(asset) + func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False, + result=ret_failed.get(asset.hostname)) + else: + success_asset.append(asset) + func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True) + + if not failed_asset: + msg = u'角色 %s 推送成功[ %s ]' % (role.name, ','.join([asset.hostname for asset in success_asset])) + else: + error = u'角色 %s 推送失败 [ %s ], 推送成功 [ %s ]' % (role.name, + ','.join([asset.hostname for asset in failed_asset]), + ','.join([asset.hostname for asset in success_asset])) return my_render('jperm/perm_role_push.html', locals(), request) @@ -586,7 +591,3 @@ def perm_sudo_delete(request): return HttpResponse(u"不支持该操作") -def role_push_list(request): - push_all = PermPush.objects.all() - return my_render('jperm/role_push_list.html', locals(), request) - diff --git a/templates/index.html b/templates/index.html index 0d8baf9f9..0468ecbde 100644 --- a/templates/index.html +++ b/templates/index.html @@ -104,50 +104,48 @@
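Review bot: A request with neither `use_password` nor `use_publicKey` set runs no push step, yet the write-back loop still records `success=True` for every asset in `calc_assets`, so the role is marked as pushed — and get_role_push_host / perm_rule_add will trust that — although no account was created on any host. Two further problems compound it: each failing step does `ret_failed = ...get('msg')`, replacing the previous step's failures and turning the initial `{}` into whatever `msg` is (the loop's `ret_failed.get(asset.hostname)` assumes a dict keyed by hostname — confirm against Tasks), and `ret["password_push"]` is reused for the key-mode `add_user`, discarding step 1's result. The success branch of the loop also never clears a stale `result` on update, so an earlier failure message survives a later successful push. Reject an empty selection up front, accumulate failures per host across steps, and pass `result=''` on success; the function starts before and ends after this hunk.
```python
    if not (password_push or key_push):
        raise ServerError(u'请选择推送方式')
    # 1. 以密码方式推送角色 — failures are merged, not overwritten
    if password_push:
        ret["password_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
        if ret["password_push"].get("status") != "success":
            # assumes msg is {hostname: error} — confirm against Tasks.add_user
            ret_failed.update(ret["password_push"].get('msg') or {})
    # 2. 以秘钥方式推送角色
    if key_push:
        ret["key_add_user"] = task.add_user(role.name)
        if ret["key_add_user"].get("status") != "ok":
            ret_failed.update(ret["key_add_user"].get('msg') or {})
        ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
        if ret["key_push"].get("status") != "ok":
            ret_failed.update(ret["key_push"].get('msg') or {})
    # … unchanged: sudo push, with ret_failed.update(ret['sudo'].get('msg') or {}) in place of the assignment …
    # … unchanged: write-back loop, with result='' added to the success-branch func(...) call …
```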
-
-
-
权限申请
- -
-
-

权限申请记录

- 最近十条权限申请记录信息. -
-
-
- {% if perm_apply_10 %} - {% for perm in perm_apply_10 %} -
-
- {% ifequal perm.status 0 %} - {{ perm.date_add|naturaltime }} - {% else %} - {{ perm.date_add|naturaltime }} - {% endifequal %} - {{ perm.applyer }} -{#
申请 {{ perm.bisgroup|ast_to_list }} 主机组权限
#} -{#
申请 {{ perm.asset|ast_to_list }} 主机权限
#} - {{ perm.date_add }} -
-
- {% endfor %} - {% else %} -

(暂无)

- {% endif %} -
-
-
+{#
#} +{#
#} +{#
权限申请
#} +{#
#} +{# #} +{# #} +{# #} +{# #} +{# #} +{# #} +{# #} +{# #} +{# #} +{# #} +{#
#} +{#
#} +{#
#} +{#

权限申请记录

#} +{# 最近十条权限申请记录信息.#} +{#
#} +{#
#} +{#
#} +{# {% if perm_apply_10 %}#} +{# {% for perm in perm_apply_10 %}#} +{#
#} +{#
#} +{# {% ifequal perm.status 0 %}#} +{# {{ perm.date_add|naturaltime }}#} +{# {% else %}#} +{# {{ perm.date_add|naturaltime }}#} +{# {% endifequal %}#} +{# {{ perm.applyer }}#} +{# {{ perm.date_add }}#} +{#
#} +{#
#} +{# {% endfor %}#} +{# {% else %}#} +{#

(暂无)

#} +{# {% endif %}#} +{#
#} +{#
#} +{#
#}
@@ -306,7 +304,7 @@
-
+{# #} {% endblock %} diff --git a/templates/jperm/perm_role_detail.html b/templates/jperm/perm_role_detail.html index 51d6ac9b2..a6cb9ad11 100644 --- a/templates/jperm/perm_role_detail.html +++ b/templates/jperm/perm_role_detail.html @@ -6,7 +6,7 @@ {% include 'nav_cat_bar.html' %}
-
+
授权规则 @@ -52,7 +52,7 @@
-
+
授权用户/用户组 @@ -98,7 +98,7 @@
-
+
授权主机/主机组 @@ -146,7 +146,7 @@
-
+
推送主机 @@ -175,18 +175,64 @@ 主机 - 主机组 - 使用密码 - 使用秘钥 + 密钥 + 密码 + 结果 - {% for host in push_info %} + {% for asset, info in pushed_asset.items %} - {{ host.ip }} - {{ host.group }} - {{ host.password }} - {{ host.pubkey }} + {{ asset.hostname }} + {{ info.key | yesno:"是,否,未知" }} + {{ info.password | yesno:"是,否,未知" }} + {% if info.success %} + {{ info.success | yesno:"成功,失败,未知" }} + {% else %} + {{ info.success | yesno:"成功,失败,未知" }} + {% endif %} + + {% endfor %} + + +
+
+
+
+
+ +
+
+
+ 未推送主机 + +
+
+
+
+ + + + + + + + + {% for asset in need_push_asset %} + + + {% endfor %} diff --git a/templates/jperm/perm_role_list.html b/templates/jperm/perm_role_list.html index 0c48fd782..e9305a165 100644 --- a/templates/jperm/perm_role_list.html +++ b/templates/jperm/perm_role_list.html @@ -48,9 +48,9 @@ - - + + @@ -58,9 +58,9 @@ {% for role in roles %} - - + + - +
主机IP
{{ asset.hostname }} {{ asset.ip }}
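Review bot: Both branches of `{% if info.success %}` render the identical `{{ info.success | yesno:"成功,失败,未知" }}`, so the conditional adds nothing, while `info.result` — the failure message perm_role_push stores on the PermPush row and get_role_push_host passes through — is never shown, leaving an operator with "失败" and no reason. Collapse the branches to the single `{{ info.success | yesno:"成功,失败,未知" }}` and add a cell `{{ info.result }}` under the new 结果 column (or put the message in a `title` attribute on the status cell). Template markup around these lines appears to have been stripped from this page, so the surrounding table structure could not be checked.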
名称 备注创建时间 sudo别名创建时间备注 操作
{{ role.name }} {{ role.comment }} {{ role.date_added | date:"Y-m-d H:i:s"}} {{ role | role_contain_which_sudos }} {{ role.date_added | date:"Y-m-d H:i:s"}} {{ role.comment }} 详情 编辑 diff --git a/templates/jperm/perm_role_push.html b/templates/jperm/perm_role_push.html index c308bbe60..dfa4a109c 100644 --- a/templates/jperm/perm_role_push.html +++ b/templates/jperm/perm_role_push.html @@ -45,7 +45,7 @@
@@ -56,7 +56,7 @@
diff --git a/templates/jperm/perm_rule_add.html b/templates/jperm/perm_rule_add.html index cf33cbb97..15eec08e9 100644 --- a/templates/jperm/perm_rule_add.html +++ b/templates/jperm/perm_rule_add.html @@ -68,7 +68,7 @@
资产和资产组必选一个 diff --git a/templates/juser/group_list.html b/templates/juser/group_list.html index 86e4ec3f6..db0f59a96 100644 --- a/templates/juser/group_list.html +++ b/templates/juser/group_list.html @@ -55,11 +55,12 @@ {% for group in user_groups.object_list %}
- + {{ group.name }} {{ group.id | members_count }} + {{ group.id | members_count }} + {{ group.comment }} 编辑 diff --git a/templates/nav.html b/templates/nav.html index b85eba8c7..61bd8fe36 100644 --- a/templates/nav.html +++ b/templates/nav.html @@ -24,7 +24,7 @@
  • 授权管理