def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
"""
res['operator'] = u"添加别名"
response = {'success': False, 'error': ''}
res['emer_content'] = 6
if request.method == "POST":
try:
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment")
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
sudo_name_test = get_object(PermSudo, name=name)
if sudo_name_test:
raise ServerError(u"别名[%s]已存在" % name)
sudo_uuid = str(uuid.uuid1())
# TODO 保存数据到magicstack
sudo = PermSudo.objects.create(uuid_id=sudo_uuid,
name=name.strip(),
comment=comment,
commands=commands)
# TODO 保存数据到proxy上的数据库
proxy_list = Proxy.objects.all()
data = {
'uuid_id': sudo_uuid,
'id': sudo.id,
'name': name,
'comment': comment,
'commands': commands
}
data = json.dumps(data)
execute_thread_tasks(proxy_list,
THREAD_NUMBERS,
role_proxy_operator,
request.user.username,
'PermSudo',
data,
obj_uuid=sudo.uuid_id,
action='add')
res['content'] = u"添加Sudo命令别名[%s]成功" % name
res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name
response['success'] = True
except ServerError as e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message)
response['error'] = res['emer_status']
return HttpResponse(json.dumps(response), content_type='application/json')
def download(self):
while True:
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
try:
print "进入批量下载模式"
print "请输入主机名或ansible支持的pattern, 多个主机:分隔,q退出"
pattern = raw_input("\033[1;32mPattern>:\033[0m ").strip()
if pattern == 'q':
break
else:
assets = self.user_perm.get('asset').keys()
res = gen_resource({'user': self.user, 'asset': assets}, perm=self.user_perm)
runner = MyRunner(res)
asset_name_str = ''
print "匹配主机:\n"
for inv in runner.inventory.get_hosts(pattern=pattern):
asset_name_str += '%s ' % inv.name
print ' %s' % inv.name
if not asset_name_str:
color_print('没有匹配主机')
continue
print
while True:
tmp_dir = get_tmp_dir()
logger.debug('Download tmp dir: %s' % tmp_dir)
print "请输入文件路径(不支持目录)"
file_path = raw_input("\033[1;32mPath>:\033[0m ").strip()
if file_path == 'q':
break
if not file_path:
color_print("文件路径为空")
continue
runner.run('fetch', module_args='src=%s dest=%s' % (file_path, tmp_dir), pattern=pattern)
ret = runner.results
FileLog(user=self.user.name, host=asset_name_str, filename=file_path, type='download',
remote_ip=remote_ip, result=ret).save()
logger.debug('Download file result: %s' % ret)
os.chdir('/tmp')
tmp_dir_name = os.path.basename(tmp_dir)
if not os.listdir(tmp_dir):
color_print('下载全部失败')
continue
bash('tar czf %s.tar.gz %s && sz %s.tar.gz' % (tmp_dir, tmp_dir_name, tmp_dir))
if ret.get('failed'):
error = '文件名称: %s \n下载失败: [ %s ] \n下载成功 [ %s ]' % \
('%s.tar.gz' % tmp_dir_name, ', '.join(ret.get('failed').keys()), ', '.join(ret.get('ok').keys()))
color_print(error)
else:
msg = '文件名称: %s \n下载成功 [ %s ]' % ('%s.tar.gz' % tmp_dir_name, ', '.join(ret.get('ok').keys()))
color_print(msg, 'green')
print
except IndexError:
pass
def perm_role_edit(request, res, *args):
"""
edit role page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户编辑"
res['operator'] = path2
# 渲染数据
role_id = request.GET.get("id")
role = PermRole.objects.get(id=role_id)
role_pass = CRYPTOR.decrypt(role.password)
sudo_all = PermSudo.objects.all()
role_sudos = role.sudo.all()
sudo_all = PermSudo.objects.all()
if request.method == "GET":
return my_render('permManage/perm_role_edit.html', locals(), request)
if request.method == "POST":
# 获取 POST 数据
role_name = request.POST.get("role_name")
role_password = request.POST.get("role_password")
role_comment = request.POST.get("role_comment")
role_sudo_names = request.POST.getlist("sudo_name")
role_sudos = [PermSudo.objects.get(id=sudo_id) for sudo_id in role_sudo_names]
key_content = request.POST.get("role_key", "")
try:
if not role:
raise ServerError('该系统用户不能存在')
if role_name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if role_password:
encrypt_pass = CRYPTOR.encrypt(role_password)
role.password = encrypt_pass
# 生成随机密码,生成秘钥对
if key_content:
try:
key_path = gen_keys(key=key_content, key_path_dir=role.key_path)
except SSHException:
raise ServerError('输入的密钥不合法')
logger.debug('Recreate role key: %s' % role.key_path)
# 写入数据库
role.name = role_name
role.comment = role_comment
role.sudo = role_sudos
role.save()
msg = u"更新系统用户: %s" % role.name
res['content'] = msg
return HttpResponseRedirect(reverse('role_list'))
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
def req_del(self, data):
try:
req = requests.delete(self.url, headers=self.header, data=data)
codes = req.status_code
msg = req.json()
logger.debug("msg:%s status_codes:%s" % (msg, codes))
except Exception as e:
logger.error(e)
codes = 500
msg = e.message
return msg, codes
def get_connect_info(self):
"""
获取需要登陆的主机的信息和映射用户的账号密码
"""
asset_info = get_asset_info(self.asset)
role_key = get_role_key(self.user, self.role) # 获取角色的key,因为ansible需要权限是600,所以统一生成用户_角色key
role_pass = CRYPTOR.decrypt(self.role.password)
connect_info = {'user': self.user, 'asset': self.asset, 'ip': asset_info.get('ip'),
'port': int(asset_info.get('port')), 'role_name': self.role.name,
'role_pass': role_pass, 'role_key': role_key}
logger.debug(connect_info)
return connect_info
def perm_role_get(request):
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
return HttpResponse(','.join([i.name for i in role]))
else:
roles = get_group_user_perm(request.user).get('role').keys()
return HttpResponse(','.join([i.name for i in roles]))
return HttpResponse('error')
def perm_role_get(request):
response = {'role_id': '', 'proxy_url': '', 'user_id': request.user.id, 'role_name': '', 'id_unique': '', 'role_id_name':[]}
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
response['role_name'] = ','.join([i.name for i in role])
response['role_id'] = ','.join([str(i.id) for i in role])
response['proxy_url'] = asset.proxy.url
response['id_unique'] = asset.id_unique
return HttpResponse(json.dumps(response))
return HttpResponse('error')
def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
"""
res['operator'] = u"添加别名"
response ={'success': False, 'error': ''}
res['emer_content'] = 6
if request.method == "POST":
try:
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment")
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
sudo_name_test = get_object(PermSudo, name=name)
if sudo_name_test:
raise ServerError(u"别名[%s]已存在" %name)
sudo_uuid = str(uuid.uuid1())
# TODO 保存数据到magicstack
sudo = PermSudo.objects.create(uuid_id=sudo_uuid, name=name.strip(), comment=comment, commands=commands)
# TODO 保存数据到proxy上的数据库
proxy_list = Proxy.objects.all()
data = {'uuid_id': sudo_uuid,
'id': sudo.id,
'name': name,
'comment': comment,
'commands': commands}
data = json.dumps(data)
execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermSudo', data,
obj_uuid=sudo.uuid_id, action='add')
res['content'] = u"添加Sudo命令别名[%s]成功" % name
res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name
response['success'] = True
except ServerError as e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message)
response['error'] = res['emer_status']
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_add(request, res, *args):
"""
add role page
"""
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
res['operator'] = path2
sudos = PermSudo.objects.all()
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
try:
if get_object(PermRole, name=name):
raise ServerError(u'已经存在该用户 %s' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
default = get_object(Setting, name='default')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids]
if key_content:
try:
key_path = gen_keys(key=key_content)
except SSHException, e:
raise ServerError(e)
else:
key_path = gen_keys()
logger.debug('generate role key: %s' % key_path)
role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
role.save()
role.sudo = sudos_obj
msg = u"添加系统用户: %s" % name
res['content'] = msg
return HttpResponseRedirect(reverse('role_list'))
def get_log(self):
"""
Logging user command and output.
记录用户的日志
"""
tty_log_dir = os.path.join(LOG_DIR, 'tty')
date_today = datetime.datetime.now()
date_start = date_today.strftime('%Y%m%d')
time_start = date_today.strftime('%H%M%S')
today_connect_log_dir = os.path.join(tty_log_dir, date_start)
log_file_path = os.path.join(today_connect_log_dir, '%s_%s_%s' % (self.username, self.asset_name, time_start))
try:
mkdir(os.path.dirname(today_connect_log_dir), mode=0777)
mkdir(today_connect_log_dir, mode=0777)
except OSError:
logger.debug('创建目录 %s 失败,请修改%s目录权限' % (today_connect_log_dir, tty_log_dir))
raise ServerError('创建目录 %s 失败,请修改%s目录权限' % (today_connect_log_dir, tty_log_dir))
try:
log_file_f = open(log_file_path + '.log', 'a')
log_time_f = open(log_file_path + '.time', 'a')
except IOError:
logger.debug('创建tty日志文件失败, 请修改目录%s权限' % today_connect_log_dir)
raise ServerError('创建tty日志文件失败, 请修改目录%s权限' % today_connect_log_dir)
if self.login_type == 'ssh': # 如果是ssh连接过来,记录connect.py的pid,web terminal记录为日志的id
pid = os.getpid()
self.remote_ip = remote_ip # 获取远端IP
else:
pid = 0
log = Log(user=self.username, host=self.asset_name, remote_ip=self.remote_ip, login_type=self.login_type,
log_path=log_file_path, start_time=date_today, pid=pid)
log.save()
if self.login_type == 'web':
log.pid = log.id # 设置log id为websocket的id, 然后kill时干掉websocket
log.save()
log_file_f.write('Start at %s\r\n' % datetime.datetime.now())
return log_file_f, log_time_f, log
def perm_role_get(request):
response = {
'role_id': '',
'proxy_url': '',
'user_id': request.user.id,
'role_name': '',
'id_unique': '',
'role_id_name': []
}
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
response['role_name'] = ','.join([i.name for i in role])
response['role_id'] = ','.join([str(i.id) for i in role])
response['proxy_url'] = asset.proxy.url
response['id_unique'] = asset.id_unique
return HttpResponse(json.dumps(response))
return HttpResponse('error')
def run(self, module_name='shell', module_args='', timeout=10, forks=10, pattern='*',
become=False, become_method='sudo', become_user='******', become_pass='', transport='paramiko'):
"""
run module from andible ad-hoc.
module_name: ansible module_name
module_args: ansible module args
"""
hoc = Runner(module_name=module_name,
module_args=module_args,
timeout=timeout,
inventory=self.inventory,
pattern=pattern,
forks=forks,
become=become,
become_method=become_method,
become_user=become_user,
become_pass=become_pass,
transport=transport
)
self.results_raw = hoc.run()
logger.debug(self.results_raw)
return self.results_raw
def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
:param request:
:return:
"""
# 渲染数据
header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
res['operator'] = path2
try:
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment").strip()
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
if get_object(PermSudo, name=name):
error = 'Sudo别名 %s已经存在' % name
res['flag'] = 'false'
res['content'] = error
else:
sudo = PermSudo(name=name.strip(), comment=comment, commands=commands)
sudo.save()
msg = u"添加Sudo命令别名: %s" % name
res['content'] = msg
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = error
def perm_sudo_edit(request, res, *args):
"""
list sudo commands alias
:param request:
:return:
"""
# 渲染数据
header_title, path1, path2 = "Sudo命令", "别名管理", "编辑别名"
res['operator'] = path2
sudo_id = request.GET.get("id")
sudo = PermSudo.objects.get(id=sudo_id)
try:
if request.method == "POST":
name = request.POST.get("sudo_name").upper()
commands = request.POST.get("sudo_commands")
comment = request.POST.get("sudo_comment")
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands).strip()
logger.debug(u'添加sudo %s: %s' % (name, commands))
sudo.name = name.strip()
sudo.commands = commands
sudo.comment = comment
sudo.save()
msg = u"更新命令别名: %s" % name
res['content'] = msg
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
def upload(self):
while True:
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
try:
print "进入批量上传模式"
print "请输入主机名或ansible支持的pattern, 多个主机:分隔 q退出"
pattern = raw_input("\033[1;32mPattern>:\033[0m ").strip()
if pattern == 'q':
break
else:
assets = self.user_perm.get('asset').keys()
res = gen_resource({'user': self.user, 'asset': assets}, perm=self.user_perm)
runner = MyRunner(res)
asset_name_str = ''
print "匹配主机:"
for inv in runner.inventory.get_hosts(pattern=pattern):
print inv.name
asset_name_str += '%s ' % inv.name
if not asset_name_str:
color_print('没有匹配主机')
continue
tmp_dir = get_tmp_dir()
logger.debug('Upload tmp dir: %s' % tmp_dir)
os.chdir(tmp_dir)
bash('rz')
filename_str = ' '.join(os.listdir(tmp_dir))
if not filename_str:
color_print("上传文件为空")
continue
logger.debug('上传文件: %s' % filename_str)
runner = MyRunner(res)
runner.run('copy', module_args='src=%s dest=%s directory_mode'
% (tmp_dir, '/tmp'), pattern=pattern)
ret = runner.results
FileLog(user=self.user.name, host=asset_name_str, filename=filename_str,
remote_ip=remote_ip, type='upload', result=ret).save()
logger.debug('Upload file: %s' % ret)
if ret.get('failed'):
error = '上传目录: %s \n上传失败: [ %s ] \n上传成功 [ %s ]' % (tmp_dir,
', '.join(ret.get('failed').keys()),
', '.join(ret.get('ok').keys()))
color_print(error)
else:
msg = '上传目录: %s \n传送成功 [ %s ]' % (tmp_dir, ', '.join(ret.get('ok').keys()))
color_print(msg, 'green')
print
except IndexError:
pass
def perm_role_push(request, res, *args):
"""
the role push page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"
res['operator'] = path2
role_id = request.GET.get('id')
asset_ids = request.GET.get('asset_id')
role = get_object(PermRole, id=role_id)
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
if asset_ids:
need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]
if request.method == "POST":
# 获取推荐角色的名称列表
# 计算出需要推送的资产列表
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
push_resource = gen_resource(calc_assets)
# 调用Ansible API 进行推送
password_push = True if request.POST.get("use_password") else False
key_push = True if request.POST.get("use_publicKey") else False
task = MyTask(push_resource)
ret = {}
# 因为要先建立用户,而push key是在 password也完成的情况下的 可选项
# 1. 以秘钥 方式推送角色
if key_push:
ret["pass_push"] = task.add_user(role.name)
ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
# 2. 推送账号密码 <为了安全 系统用户统一使用秘钥进行通信, 不再提供密码方式的推送>
# elif password_push:
# ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
# 3. 推送sudo配置文件
if key_push:
sudo_list = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3)
if sudo_list:
ret['sudo'] = task.push_sudo_file([role], sudo_list)
logger.debug('推送role结果: %s' % ret)
success_asset = {}
failed_asset = {}
logger.debug(ret)
for push_type, result in ret.items():
if result.get('failed'):
for hostname, info in result.get('failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
for push_type, result in ret.items():
if result.get('ok'):
for hostname, info in result.get('ok').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(hostname, ''):
success_asset[hostname] += str(info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role, asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(asset.name):
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False,
result=failed_asset.get(asset.name))
else:
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
res['content'] = msg
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name,
','.join(failed_asset.keys()),
','.join(success_asset.keys()))
res['flag'] = 'false'
res['content'] = error
return my_render('permManage/perm_role_push.html', locals(), request)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
res['flag'] = 'false'
res['content'] = e
return HttpResponse(e)
if request.method == "POST":
try:
role_id = request.POST.get("id")
role = get_object(PermRole, id=role_id)
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
role_key = role.key_path
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets))
if recycle_assets:
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name)
except Exception, e:
logger.warning(u"Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg_del_user))
logger.info(u"delete role %s - execute delete sudo: %s" % (role.name, msg_del_sudo))
# TODO: 判断返回结果,处理异常
# 删除存储的秘钥,以及目录
try:
key_files = os.listdir(role_key)
filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
return HttpResponse(e)
if request.method == "POST":
try:
role_id = request.POST.get("id")
role = get_object(PermRole, id=int(role_id))
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
recycle_assets = [
push.asset for push in role.perm_push.all() if push.success
]
logger.debug(u"delete role %s - delete_assets: %s" %
(role.name, recycle_assets))
if recycle_assets:
asset_proxys = gen_asset_proxy(recycle_assets)
for key, value in asset_proxys.items():
proxy = Proxy.objects.filter(proxy_name=key)[0]
recycle_resource = gen_resource(value)
host_list = [
asset.networking.all()[0].ip_address for asset in value
]
task = MyTask(recycle_resource, host_list)
try:
msg_del_user = task.del_user(role.name, proxy,
request.user.username)
msg_del_sudo = task.del_user_sudo(
role.uuid_id, proxy, request.user.username)
except Exception, e:
