def perm_role_detail(request):
"""
the role detail page
the role_info data like:
{'asset_groups': [],
'assets': [<Asset: 192.168.10.148>],
'rules': [<PermRule: PermRule object>],
'': [],
'': [<User: user1>]}
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
try:
if request.method == "GET":
role_id = request.GET.get("id")
if not role_id:
raise ServerError("not role id")
role = get_object(PermRole, id=role_id)
role_info = get_role_info(role_id)
# 渲染数据
rules = role_info.get("rules")
assets = role_info.get("assets")
asset_groups = role_info.get("asset_groups")
users = role_info.get("users")
user_groups = role_info.get("user_groups")
pushed_asset, need_push_asset = get_role_push_host(
get_object(PermRole, id=role_id))
except ServerError, e:
logger.warning(e)
def perm_role_detail(request):
"""
the role detail page
the role_info data like:
{'asset_groups': [],
'assets': [<Asset: 192.168.10.148>],
'rules': [<PermRule: PermRule object>],
'': [],
'': [<User: user1>]}
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
try:
if request.method == "GET":
role_id = request.GET.get("id")
if not role_id:
raise ServerError("not role id")
role = get_object(PermRole, id=role_id)
role_info = get_role_info(role_id)
# 渲染数据
rules = role_info.get("rules")
assets = role_info.get("assets")
asset_groups = role_info.get("asset_groups")
users = role_info.get("users")
user_groups = role_info.get("user_groups")
pushed_asset, need_push_asset = get_role_push_host(get_object(PermRole, id=role_id))
except ServerError, e:
logger.warning(e)
def perm_sudo_add(request):
"""
list sudo commands alias
:param request:
:return:
"""
# 渲染数据
header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment").strip()
commands = request.POST.get("sudo_commands").strip()
pattern = re.compile(r'[ \n,\r]')
commands = ', '.join(list_drop_str(pattern.split(commands), u''))
logger.debug(u'添加sudo %s: %s' % (name, commands))
if get_object(PermSudo, name=name):
error = 'Sudo别名 %s已经存在' % name
else:
sudo = PermSudo(name=name.strip(), comment=comment, commands=commands)
sudo.save()
msg = u"添加Sudo命令别名: %s" % name
# 渲染数据
return my_render('upperm/perm_sudo_add.html', locals(), request)
def perm_sudo_add(request):
"""
list sudo commands alias
:param request:
:return:
"""
# 渲染数据
header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment").strip()
commands = request.POST.get("sudo_commands").strip()
pattern = re.compile(r'[ \n,\r]')
commands = ', '.join(list_drop_str(pattern.split(commands), u''))
logger.debug(u'添加sudo %s: %s' % (name, commands))
if get_object(PermSudo, name=name):
error = 'Sudo别名 %s已经存在' % name
else:
sudo = PermSudo(name=name.strip(),
comment=comment,
commands=commands)
sudo.save()
msg = u"添加Sudo命令别名: %s" % name
# 渲染数据
return my_render('upperm/perm_sudo_add.html', locals(), request)
def search(self, str_r=''):
gid_pattern = re.compile(r'^g\d+$')
# 获取用户授权的所有主机信息
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
user_asset_all = self.user_perm.get('asset').keys()
# 搜索结果保存
user_asset_search = []
if str_r:
# 资产组组id匹配
if gid_pattern.match(str_r):
gid = int(str_r.lstrip('g'))
# 获取资产组包含的资产
user_asset_search = get_object(AssetGroup, id=gid).asset_set.all()
else:
# 匹配 ip, hostname, 备注
for asset in user_asset_all:
if str_r in asset.ip or str_r in str(asset.hostname) or str_r in str(asset.comment):
user_asset_search.append(asset)
else:
# 如果没有输入就展现所有
user_asset_search = user_asset_all
self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
color_print('[%-3s] %-12s %-15s %-5s %-10s %s' % ('ID', u'主机名', 'IP', u'端口', u'系统用户', u'备注'), 'title')
for index, asset in self.search_result.items():
# 获取该资产信息
asset_info = get_asset_info(asset)
# 获取该资产包含的角色
role = [str(role.name) for role in self.user_perm.get('asset').get(asset).get('role')]
print '[%-3s] %-15s %-15s %-5s %-10s %s' % (index, asset.hostname, asset.ip, asset_info.get('port'),
role, asset.comment)
print
def _create_admin(self):
user = get_object(User, username=self.admin_user)
if user:
user.delete()
db_add_user(username=self.admin_user, password=self.admin_pass, role='SU', name='admin', groups='',
admin_groups='', email='*****@*****.**', uuid='MayBeYouAreTheFirstUser', is_active=True)
os.system('id %s &> /dev/null || useradd %s' % (self.admin_user, self.admin_user))
def perm_role_add(request):
"""
add role page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
sudos = PermSudo.objects.all()
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("role_name", "")
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
try:
if get_object(PermRole, name=name):
raise ServerError(u'已经存在该用户 %s' % name)
default = get_object(Setting, name='default')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [
get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids
]
if key_content:
try:
key_path = gen_keys(key=key_content)
except SSHException, e:
raise ServerError(e)
else:
key_path = gen_keys()
logger.debug('generate role key: %s' % key_path)
role = PermRole(name=name,
comment=comment,
password=encrypt_pass,
key_path=key_path)
role.save()
role.sudo = sudos_obj
msg = u"添加系统用户: %s" % name
return HttpResponseRedirect(reverse('role_list'))
def perm_role_delete(request):
"""
delete role page
"""
if request.method == "POST":
try:
# 获取参数删除的role对象
role_id = request.POST.get("id")
role = get_object(PermRole, id=role_id)
if not role:
logger.warning(u"Delete Role: %s not exist" % role.name)
raise ServerError(u"%s 无数据记录" % role.name)
role_key = role.key_path
# 删除推送到主机上的role
recycle_assets = [
push.asset for push in role.perm_push.all() if push.success
]
logger.debug(u"delete role %s - delete_assets: %s" %
(role.name, recycle_assets))
if recycle_assets:
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg = task.del_user(get_object(PermRole, id=role_id).name)
except Exception, e:
logger.warning(u"Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
logger.info(u"delete role %s - execute delete user: %s" %
(role.name, msg))
# TODO: 判断返回结果,处理异常
# 删除存储的秘钥,以及目录
try:
key_files = os.listdir(role_key)
for key_file in key_files:
os.remove(os.path.join(role_key, key_file))
os.rmdir(role_key)
except OSError, e:
logger.warning(u"Delete Role: delete key error, %s" % e)
raise ServerError(u"删除系统用户key失败: %s" % e)
logger.info(u"delete role %s - delete role key directory: %s" %
(role.name, role_key))
# 数据库里删除记录
role.delete()
return HttpResponse(u"删除系统用户: %s" % role.name)
def perm_role_add(request):
"""
add role page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
sudos = PermSudo.objects.all()
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("role_name", "")
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
try:
if get_object(PermRole, name=name):
raise ServerError(u'已经存在该用户 %s' % name)
default = get_object(Setting, name='default')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids]
if key_content:
try:
key_path = gen_keys(key=key_content)
except SSHException, e:
raise ServerError(e)
else:
key_path = gen_keys()
logger.debug('generate role key: %s' % key_path)
role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
role.save()
role.sudo = sudos_obj
msg = u"添加系统用户: %s" % name
return HttpResponseRedirect(reverse('role_list'))
def perm_role_get(request):
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
return HttpResponse(','.join([i.name for i in role]))
else:
roles = get_group_user_perm(request.user).get('role').keys()
return HttpResponse(','.join(i.name for i in roles))
return HttpResponse('error')
def perm_role_delete(request):
"""
delete role page
"""
if request.method == "POST":
try:
# 获取参数删除的role对象
role_id = request.POST.get("id")
role = get_object(PermRole, id=role_id)
if not role:
logger.warning(u"Delete Role: %s not exist" % role.name)
raise ServerError(u"%s 无数据记录" % role.name)
role_key = role.key_path
# 删除推送到主机上的role
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets))
if recycle_assets:
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg = task.del_user(get_object(PermRole, id=role_id).name)
except Exception, e:
logger.warning(u"Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg))
# TODO: 判断返回结果,处理异常
# 删除存储的秘钥,以及目录
try:
key_files = os.listdir(role_key)
for key_file in key_files:
os.remove(os.path.join(role_key, key_file))
os.rmdir(role_key)
except OSError, e:
logger.warning(u"Delete Role: delete key error, %s" % e)
raise ServerError(u"删除系统用户key失败: %s" % e)
logger.info(u"delete role %s - delete role key directory: %s" % (role.name, role_key))
# 数据库里删除记录
role.delete()
return HttpResponse(u"删除系统用户: %s" % role.name)
def perm_role_recycle(request):
role_id = request.GET.get('role_id')
asset_ids = request.GET.get('asset_id').split(',')
# 仅有推送的角色才回收
assets = [get_object(Asset, id=asset_id) for asset_id in asset_ids]
recycle_assets = []
for asset in assets:
if True in [push.success for push in asset.perm_push.all()]:
recycle_assets.append(asset)
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
# TODO: 判断返回结果,处理异常
msg = task.del_user(get_object(PermRole, id=role_id).name)
for asset_id in asset_ids:
asset = get_object(Asset, id=asset_id)
assets.append(asset)
role = get_object(PermRole, id=role_id)
PermPush.objects.filter(asset=asset, role=role).delete()
return HttpResponse('删除成功')
def perm_role_recycle(request):
role_id = request.GET.get('role_id')
asset_ids = request.GET.get('asset_id').split(',')
# 仅有推送的角色才回收
assets = [get_object(Asset, id=asset_id) for asset_id in asset_ids]
recycle_assets = []
for asset in assets:
if True in [push.success for push in asset.perm_push.all()]:
recycle_assets.append(asset)
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
# TODO: 判断返回结果,处理异常
msg = task.del_user(get_object(PermRole, id=role_id).name)
for asset_id in asset_ids:
asset = get_object(Asset, id=asset_id)
assets.append(asset)
role = get_object(PermRole, id=role_id)
PermPush.objects.filter(asset=asset, role=role).delete()
return HttpResponse('删除成功')
def perm_role_get(request):
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
return HttpResponse(','.join([i.name for i in role]))
else:
roles = get_group_user_perm(request.user).get('role').keys()
return HttpResponse(','.join(i.name for i in roles))
return HttpResponse('error')
def _create_admin(self):
user = get_object(User, username=self.admin_user)
if user:
user.delete()
db_add_user(username=self.admin_user,
password=self.admin_pass,
role='SU',
name='admin',
groups='',
admin_groups='',
email='*****@*****.**',
uuid='MayBeYouAreTheFirstUser',
is_active=True)
os.system('id %s &> /dev/null || useradd %s' %
(self.admin_user, self.admin_user))
def search(self, str_r=""):
gid_pattern = re.compile(r"^g\d+$")
# 获取用户授权的所有主机信息
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
user_asset_all = self.user_perm.get("asset").keys()
# 搜索结果保存
user_asset_search = []
if str_r:
# 资产组组id匹配
if gid_pattern.match(str_r):
gid = int(str_r.lstrip("g"))
# 获取资产组包含的资产
user_asset_search = get_object(AssetGroup, id=gid).asset_set.all()
else:
# 匹配 ip, hostname, 备注
for asset in user_asset_all:
if str_r in asset.ip or str_r in str(asset.hostname) or str_r in str(asset.comment):
user_asset_search.append(asset)
else:
# 如果没有输入就展现所有
user_asset_search = user_asset_all
self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
color_print("[%-3s] %-12s %-15s %-5s %-10s %s" % ("ID", u"主机名", "IP", u"端口", u"系统用户", u"备注"), "title")
for index, asset in self.search_result.items():
# 获取该资产信息
asset_info = get_asset_info(asset)
# 获取该资产包含的角色
role = [str(role.name) for role in self.user_perm.get("asset").get(asset).get("role")]
print "[%-3s] %-15s %-15s %-5s %-10s %s" % (
index,
asset.hostname,
asset.ip,
asset_info.get("port"),
role,
asset.comment,
)
print
import errno
import struct, fcntl, signal, socket, select
os.environ['DJANGO_SETTINGS_MODULE'] = 'utopia.settings'
if django.get_version() != '1.6':
setup = django.setup()
from utopia.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info
from utopia.api import logger, Log, TtyLog, get_role_key, CRYPTOR, bash, get_tmp_dir
from upperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm, PermRole
from utopia.settings import LOG_DIR
from upperm.ansible_api import MyRunner
from uplog.models import ExecLog, FileLog
login_user = get_object(User, username=getpass.getuser())
remote_ip = os.popen("who -m | awk '{ print $NF }'").read().strip('()\n')
try:
import termios
import tty
except ImportError:
print '\033[1;31m仅支持类Unix系统 Only unix like supported.\033[0m'
time.sleep(3)
sys.exit()
def color_print(msg, color='red', exits=False):
"""
Print colorful string.
颜色打印字符或者退出
import errno
import struct, fcntl, signal, socket, select
os.environ["DJANGO_SETTINGS_MODULE"] = "utopia.settings"
if django.get_version() != "1.6":
setup = django.setup()
from utopia.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info
from utopia.api import logger, Log, TtyLog, get_role_key, CRYPTOR, bash, get_tmp_dir
from upperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm, PermRole
from utopia.settings import LOG_DIR
from upperm.ansible_api import MyRunner
from uplog.models import ExecLog, FileLog
login_user = get_object(User, username=getpass.getuser())
remote_ip = os.popen("who -m | awk '{ print $NF }'").read().strip("()\n")
try:
import termios
import tty
except ImportError:
print "\033[1;31m仅支持类Unix系统 Only unix like supported.\033[0m"
time.sleep(3)
sys.exit()
def color_print(msg, color="red", exits=False):
"""
Print colorful string.
颜色打印字符或者退出
def perm_rule_add(request):
"""
add rule page
添加授权
"""
# 渲染数据
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
# 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST':
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
users_select = request.POST.getlist('user', []) # 需要授权用户
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
assets_select = request.POST.getlist('asset', []) # 需要授权资产
asset_groups_select = request.POST.getlist('asset_group',
[]) # 需要授权资产组
roles_select = request.POST.getlist('role', []) # 需要授权角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get('comment')
try:
rule = get_object(PermRule, name=rule_name)
if rule:
raise ServerError(u'授权规则 %s 已存在' % rule_name)
if not rule_name or not roles_select:
raise ServerError(u'系统用户名称和规则名称不能为空')
# 获取需要授权的主机列表
assets_obj = [
Asset.objects.get(id=asset_id) for asset_id in assets_select
]
asset_groups_obj = [
AssetGroup.objects.get(id=group_id)
for group_id in asset_groups_select
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(
assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [
User.objects.get(id=user_id) for user_id in users_select
]
user_groups_obj = [
UserGroup.objects.get(id=group_id)
for group_id in user_groups_select
]
# 获取授予的角色列表
roles_obj = [
PermRole.objects.get(id=role_id) for role_id in roles_select
]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(
role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(
u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join(
[asset.hostname for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule = PermRule(name=rule_name, comment=rule_comment)
rule.save()
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.save()
msg = u"添加授权规则:%s" % rule.name
return HttpResponseRedirect(reverse('rule_list'))
except ServerError, e:
error = e
def perm_role_push(request):
"""
the role push page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"
role_id = request.GET.get('id')
asset_ids = request.GET.get('asset_id')
role = get_object(PermRole, id=role_id)
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
if asset_ids:
need_push_asset = [
get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')
]
if request.method == "POST":
# 获取推荐角色的名称列表
# 计算出需要推送的资产列表
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
asset_groups_obj = [
AssetGroup.objects.get(id=asset_group_id)
for asset_group_id in asset_group_ids
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
push_resource = gen_resource(calc_assets)
# 调用Ansible API 进行推送
password_push = True if request.POST.get("use_password") else False
key_push = True if request.POST.get("use_publicKey") else False
task = MyTask(push_resource)
ret = {}
# 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项
# 1. 以秘钥 方式推送角色
if key_push:
ret["pass_push"] = task.add_user(role.name,
CRYPTOR.decrypt(role.password))
ret["key_push"] = task.push_key(
role.name, os.path.join(role.key_path, 'id_rsa.pub'))
# 2. 推送账号密码
elif password_push:
ret["pass_push"] = task.add_user(role.name,
CRYPTOR.decrypt(role.password))
# 3. 推送sudo配置文件
if password_push or key_push:
sudo_list = set([sudo for sudo in role.sudo.all()
]) # set(sudo1, sudo2, sudo3)
if sudo_list:
ret['sudo'] = task.push_sudo_file([role], sudo_list)
logger.debug('推送role结果: %s' % ret)
success_asset = {}
failed_asset = {}
logger.debug(ret)
for push_type, result in ret.items():
if result.get('failed'):
for hostname, info in result.get('failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
for push_type, result in ret.items():
if result.get('ok'):
for hostname, info in result.get('ok').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(hostname, ''):
success_asset[hostname] += str(info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role, asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(asset.hostname):
func(is_password=password_push,
is_public_key=key_push,
role=role,
asset=asset,
success=False,
result=failed_asset.get(asset.hostname))
else:
func(is_password=password_push,
is_public_key=key_push,
role=role,
asset=asset,
success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(
success_asset.keys()))
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ]' % (role.name, ','.join(
failed_asset.keys()), ','.join(success_asset.keys()))
return my_render('upperm/perm_role_push.html', locals(), request)
def perm_role_push(request):
"""
the role push page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"
role_id = request.GET.get('id')
asset_ids = request.GET.get('asset_id')
role = get_object(PermRole, id=role_id)
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
if asset_ids:
need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]
if request.method == "POST":
# 获取推荐角色的名称列表
# 计算出需要推送的资产列表
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
push_resource = gen_resource(calc_assets)
# 调用Ansible API 进行推送
password_push = True if request.POST.get("use_password") else False
key_push = True if request.POST.get("use_publicKey") else False
task = MyTask(push_resource)
ret = {}
# 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项
# 1. 以秘钥 方式推送角色
if key_push:
ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
# 2. 推送账号密码
elif password_push:
ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
# 3. 推送sudo配置文件
if password_push or key_push:
sudo_list = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3)
if sudo_list:
ret['sudo'] = task.push_sudo_file([role], sudo_list)
logger.debug('推送role结果: %s' % ret)
success_asset = {}
failed_asset = {}
logger.debug(ret)
for push_type, result in ret.items():
if result.get('failed'):
for hostname, info in result.get('failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
for push_type, result in ret.items():
if result.get('ok'):
for hostname, info in result.get('ok').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(hostname, ''):
success_asset[hostname] += str(info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role, asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(asset.hostname):
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False,
result=failed_asset.get(asset.hostname))
else:
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ]' % (role.name,
','.join(failed_asset.keys()),
','.join(success_asset.keys()))
return my_render('upperm/perm_role_push.html', locals(), request)
def perm_rule_edit(request):
"""
edit rule page
"""
# 渲染数据
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
# 根据rule_id 取得rule对象
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=rule_id)
# 渲染数据, 获取所选的rule对象
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST' and rule_id:
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get("comment")
users_select = request.POST.getlist('user', [])
user_groups_select = request.POST.getlist('user_group', [])
assets_select = request.POST.getlist('asset', [])
asset_groups_select = request.POST.getlist('asset_group', [])
roles_select = request.POST.getlist('role', [])
try:
if not rule_name or not roles_select:
raise ServerError(u'系统用户和关联系统用户不能为空')
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.hostname for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.name = rule_name
rule.comment = rule_comment
rule.save()
msg = u"更新授权规则:%s成功" % rule.name
except ServerError, e:
error = e
def perm_rule_edit(request):
"""
edit rule page
"""
# 渲染数据
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
# 根据rule_id 取得rule对象
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=rule_id)
# 渲染数据, 获取所选的rule对象
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST' and rule_id:
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get("comment")
users_select = request.POST.getlist('user', [])
user_groups_select = request.POST.getlist('user_group', [])
assets_select = request.POST.getlist('asset', [])
asset_groups_select = request.POST.getlist('asset_group', [])
roles_select = request.POST.getlist('role', [])
try:
if not rule_name or not roles_select:
raise ServerError(u'系统用户和关联系统用户不能为空')
assets_obj = [
Asset.objects.get(id=asset_id) for asset_id in assets_select
]
asset_groups_obj = [
AssetGroup.objects.get(id=group_id)
for group_id in asset_groups_select
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(
assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [
User.objects.get(id=user_id) for user_id in users_select
]
user_groups_obj = [
UserGroup.objects.get(id=group_id)
for group_id in user_groups_select
]
# 获取授予的角色列表
roles_obj = [
PermRole.objects.get(id=role_id) for role_id in roles_select
]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(
role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(
u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join(
[asset.hostname for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.name = rule_name
rule.comment = rule_comment
rule.save()
msg = u"更新授权规则:%s成功" % rule.name
except ServerError, e:
error = e
def perm_rule_add(request):
"""
add rule page
添加授权
"""
# 渲染数据
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
# 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST':
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
users_select = request.POST.getlist('user', []) # 需要授权用户
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
assets_select = request.POST.getlist('asset', []) # 需要授权资产
asset_groups_select = request.POST.getlist('asset_group', []) # 需要授权资产组
roles_select = request.POST.getlist('role', []) # 需要授权角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get('comment')
try:
rule = get_object(PermRule, name=rule_name)
if rule:
raise ServerError(u'授权规则 %s 已存在' % rule_name)
if not rule_name or not roles_select:
raise ServerError(u'系统用户名称和规则名称不能为空')
# 获取需要授权的主机列表
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.hostname for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule = PermRule(name=rule_name, comment=rule_comment)
rule.save()
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.save()
msg = u"添加授权规则:%s" % rule.name
return HttpResponseRedirect(reverse('rule_list'))
except ServerError, e:
error = e
