def perm_role_edit(request, res, *args): """ edit role page """ # 渲染数据 header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户编辑" res['operator'] = path2 # 渲染数据 role_id = request.GET.get("id") role = PermRole.objects.get(id=role_id) role_pass = CRYPTOR.decrypt(role.password) sudo_all = PermSudo.objects.all() role_sudos = role.sudo.all() sudo_all = PermSudo.objects.all() if request.method == "GET": return my_render('permManage/perm_role_edit.html', locals(), request) if request.method == "POST": # 获取 POST 数据 role_name = request.POST.get("role_name") role_password = request.POST.get("role_password") role_comment = request.POST.get("role_comment") role_sudo_names = request.POST.getlist("sudo_name") role_sudos = [PermSudo.objects.get(id=sudo_id) for sudo_id in role_sudo_names] key_content = request.POST.get("role_key", "") try: if not role: raise ServerError('该系统用户不能存在') if role_name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if role_password: encrypt_pass = CRYPTOR.encrypt(role_password) role.password = encrypt_pass # 生成随机密码,生成秘钥对 if key_content: try: key_path = gen_keys(key=key_content, key_path_dir=role.key_path) except SSHException: raise ServerError('输入的密钥不合法') logger.debug('Recreate role key: %s' % role.key_path) # 写入数据库 role.name = role_name role.comment = role_comment role.sudo = role_sudos role.save() msg = u"更新系统用户: %s" % role.name res['content'] = msg return HttpResponseRedirect(reverse('role_list')) except ServerError, e: error = e res['flag'] = 'false' res['content'] = e
def query_event(task_name, username, proxy): data = {'task_name': task_name, 'username': username} data = json.dumps(data) api = APIRequest('{0}/v1.0/permission/event'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, codes = api.req_post(data) logger.info('推送用户事件查询结果result:%s'%result) return result
def add_user(self, username, proxy, groups, web_username): """ add a host user. username: 系统用户名 web_username: 网站用户名 """ self.run_action = 'async' self.run_type = 'ad-hoc' if groups.strip(): module_args = 'name=%s shell=/bin/bash groups=%s' % (username, groups) else: module_args = 'name=%s shell=/bin/bash' % username data = { 'mod_name': 'user', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': username, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, # 标记, 执行ansible ad-hoc命令还是执行playbook 'isTemplate': self.isTemplate } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def add_user(self, username, proxy, groups, web_username): """ add a host user. username: 系统用户名 web_username: 网站用户名 """ self.run_action = 'async' self.run_type = 'ad-hoc' if groups.strip(): module_args = 'name=%s shell=/bin/bash groups=%s' % (username, groups) else: module_args = 'name=%s shell=/bin/bash' % username data = {'mod_name': 'user', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': username, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, # 标记, 执行ansible ad-hoc命令还是执行playbook 'isTemplate': self.isTemplate } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def send_email(email_config, email_title, email_to, email_msg): """ 发送邮件 """ rest = {'msgCode': 0, 'msgError': ''} # msgCode: 0:成功 1:失败 message = MIMEText(email_msg, 'plain', 'utf-8') message['Subject'] = Header(email_title) message['From'] = email_config.email_username emali_list = ','.join(email_to) message['To'] = emali_list server = smtplib.SMTP() if email_config.email_use_ssl: server = smtplib.SMTP_SSL() try: server.connect(email_config.smtp_server, email_config.smtp_server_port) if email_config.email_use_tls and email_config.email_use_ssl is not True: server.starttls() logger.info(u'%s: password %s'%(email_config.name, email_config.email_password)) server.login(email_config.email_username, CRYPTOR.decrypt(email_config.email_password)) server.sendmail(email_config.email_username, email_to, message.as_string()) except Exception as e: rest['msgCode'] = 1 rest['msgError'] = e logger.error(e) finally: server.quit() return rest
def send_email(email_config, email_title, email_to, email_msg): """ 发送邮件 """ rest = {'msgCode': 0, 'msgError': ''} # msgCode: 0:成功 1:失败 message = MIMEText(email_msg, 'plain', 'utf-8') message['Subject'] = Header(email_title) message['From'] = email_config.email_username emali_list = ','.join(email_to) message['To'] = emali_list server = smtplib.SMTP() if email_config.email_use_ssl: server = smtplib.SMTP_SSL() try: server.connect(email_config.smtp_server, email_config.smtp_server_port) if email_config.email_use_tls and email_config.email_use_ssl is not True: server.starttls() logger.info(u'%s: password %s' % (email_config.name, email_config.email_password)) server.login(email_config.email_username, CRYPTOR.decrypt(email_config.email_password)) server.sendmail(email_config.email_username, email_to, message.as_string()) except Exception as e: rest['msgCode'] = 1 rest['msgError'] = e logger.error(e) finally: server.quit() return rest
def query_event(task_name, username, proxy): data = {'task_name': task_name, 'username': username} data = json.dumps(data) api = APIRequest('{0}/v1.0/permission/event'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, codes = api.req_post(data) logger.info('推送用户事件查询结果result:%s' % result) return result
def role_proxy_operator(user_name, obj_name, data, proxy=None, obj_uuid='all', action='add'): """ 保存,更新, 删除数据,并把操作结果保存到Task表中 obj_name: PermRole, PermSudo """ result = res_info = msg_name = '' g_lock = threading.Lock() # 线程锁 if obj_name == 'PermRole': msg_name = u'系统用户' elif obj_name == 'PermSudo': msg_name = u'SUDO别名' g_url = '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid) try: g_lock.acquire() # 在每个proxy上(add/update/delete) role/sudo,并返回结果 api = APIRequest(g_url, proxy.username, CRYPTOR.decrypt(proxy.password)) if action == 'add': result, codes = api.req_post(data) pdata = json.loads(data) res_info = u'添加{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) elif action == 'update': result, codes = api.req_put(data) pdata = json.loads(data) res_info = u'编辑{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) elif action == 'delete': result, codes = api.req_del(data) pdata = json.loads(data) res_info = u'删除{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) logger.info('role_proxy_%s:%s'%(action, result['messege'])) # 生成唯一的事件名称,用于从数据库中查询执行结果 if 'name' not in json.dumps(data): raise ValueError('role_proxy_operator: data["name"]不存在') task_name = json.loads(data)['name'] + '_' + uuid.uuid4().hex # 将事件添加到消息队列中 task_queue.put({'server': task_name, 'username': user_name}) # 将执行结果保存到数据库中 role_task = Task() role_task.task_name = task_name role_task.proxy_name = proxy.proxy_name role_task.role_name = json.loads(data)['name'] role_task.username = user_name role_task.status = 'complete' role_task.content = res_info role_task.url = g_url role_task.start_time = datetime.datetime.now() role_task.action = action role_task.role_uuid = obj_uuid role_task.role_data = data role_task.result = result['messege'] role_task.save() except Exception as e: logger.error("[role_proxy_operator] %s"%e) finally: g_lock.release() return result
def perm_role_add(request, res, *args): """ add role page """ header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户" res['operator'] = path2 sudos = PermSudo.objects.all() if request.method == "POST": name = request.POST.get("role_name", "").strip() comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') try: if get_object(PermRole, name=name): raise ServerError(u'已经存在该用户 %s' % name) if name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') default = get_object(Setting, name='default') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids] if key_content: try: key_path = gen_keys(key=key_content) except SSHException, e: raise ServerError(e) else: key_path = gen_keys() logger.debug('generate role key: %s' % key_path) role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) role.save() role.sudo = sudos_obj msg = u"添加系统用户: %s" % name res['content'] = msg return HttpResponseRedirect(reverse('role_list'))
def get_connect_info(self): """ 获取需要登陆的主机的信息和映射用户的账号密码 """ asset_info = get_asset_info(self.asset) role_key = get_role_key(self.user, self.role) # 获取角色的key,因为ansible需要权限是600,所以统一生成用户_角色key role_pass = CRYPTOR.decrypt(self.role.password) connect_info = {'user': self.user, 'asset': self.asset, 'ip': asset_info.get('ip'), 'port': int(asset_info.get('port')), 'role_name': self.role.name, 'role_pass': role_pass, 'role_key': role_key} logger.debug(connect_info) return connect_info
def media_add(request, res, *args): response = {'success': False, 'error': ''} res['operator'] = u'添加告警媒介' if request.method == 'POST': try: media_name = request.POST.get('media_name', '') if EmergencyType.objects.filter(name=media_name): raise ServerError(u'名称[%s]已存在'%media_name) media_type = request.POST.get('media_type', '') if media_type == '0': smtp_host = request.POST.get('smtp_host', '') smtp_host_port = request.POST.get('smtp_host_port', 587) email_user = request.POST.get('email_user', '') email_user_password = request.POST.get('email_user_password', '') encrypt_password = CRYPTOR.encrypt(email_user_password) connect_security = request.POST.getlist('connection', []) status = request.POST.get('extra', '0') comment = request.POST.get('comment', '') is_use_tls = True if '1' in connect_security else 0 is_use_ssl = True if '0' in connect_security else 0 media_detail = u"SMTP服务器:{0} SMTP电邮:{1}".format(smtp_host, email_user) if '' in [media_name, smtp_host, smtp_host_port, email_user, email_user_password]: raise ServerError(u'必要参数不能为空,请从新填写') EmergencyType.objects.create(name=media_name, type=media_type, smtp_server=smtp_host, smtp_server_port=int(smtp_host_port), status=status, email_username=email_user, email_password=encrypt_password, email_use_ssl=is_use_ssl, email_use_tls=is_use_tls,detail=media_detail, comment=comment) res['content'] = u'添加告警媒介[%s]成功' % media_name response['success'] = True response['error'] = u'添加告警媒介[%s]成功' % media_name elif media_type == '1': corpid = request.POST.get('corpid', '') corpsecret = request.POST.get('corpsecret', '') status = request.POST.get('extra', '0') comment = request.POST.get('comment', '') if '' in [media_name, corpid, corpsecret]: raise ServerError(u'必要参数为空,请从新填写!') media_detail = u'CorpID:%s '%corpid EmergencyType.objects.create(name=media_name, type=media_type, corpid=corpid, corpsecret=corpsecret, detail=media_detail, status=status, comment=comment) res['content'] = u'添加成功' response['success'] = True response['error'] = u'添加成功' except Exception as e: res['flag'] = False res['content'] = e.message response['error'] = u'添加media失败:%s'%e.message return HttpResponse(json.dumps(response), content_type='application/json')
def get_one_or_all(obj_name, proxy, obj_uuid='all'): """ 获取所有的对象或者一个id对应的对象 """ obj_list = [] try: api = APIRequest( '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password)) result, codes = api.req_get() obj_list = result['messege'] except Exception as e: logger.error(e) return obj_list
def del_user(self, username, proxy, web_username): """ delete a host user. """ module_args = 'name=%s groups='' state=absent remove=yes move_home=yes force=yes' % username data = {'mod_name': 'user', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': username, 'web_username': web_username, 'run_action': 'sync', # run_action参数表示同步还是异步执行 'run_type': 'ad-hoc' } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def del_user_sudo(self, role_uuid, proxy, web_username): """ delete a role sudo item """ filename = 'role-%s'%role_uuid module_args = "name=/etc/sudoers.d/%s state=absent" %filename data = {'mod_name': 'file', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'web_username': web_username, 'run_action': 'sync', 'run_type': 'ad-hoc' } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def del_key(self, user, key_path, proxy): """ push the ssh authorized key to target. """ module_args = 'user="******" key="{{ lookup("file", "%s") }}" state="absent"' % ( user, key_path) data = { 'mod_name': 'authorized_key', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': user } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR(proxy.password)) result, code = api.req_post(data) return result
def del_user(self, username, proxy, web_username): """ delete a host user. """ module_args = 'name=%s groups=' ' state=absent remove=yes move_home=yes force=yes' % username data = { 'mod_name': 'user', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': username, 'web_username': web_username, 'run_action': 'sync', # run_action参数表示同步还是异步执行 'run_type': 'ad-hoc' } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def del_user_sudo(self, role_uuid, proxy, web_username): """ delete a role sudo item """ filename = 'role-%s' % role_uuid module_args = "name=/etc/sudoers.d/%s state=absent" % filename data = { 'mod_name': 'file', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'web_username': web_username, 'run_action': 'sync', 'run_type': 'ad-hoc' } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def push_sudo(self, role, sudo_uuids, proxy, web_username): """ use template to render pushed sudoers file """ self.run_action = 'async' self.run_type = 'playbook' data = {'resource': self.resource, 'hosts': self.host_list, 'sudo_uuids': sudo_uuids, 'role_name': role.name, 'role_uuid': role.uuid_id, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, 'isTemplate': True } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def push_key(self, user, key_path, proxy, web_username): """ push the ssh authorized key to target. """ self.run_action = 'async' self.run_type = 'ad-hoc' module_args = 'user="******" key="{{ lookup("file", "%s") }}" state=present' % (user, key_path) data = {'mod_name': 'authorized_key', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': user, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, 'isTemplate': self.isTemplate } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def push_sudo(self, role, sudo_uuids, proxy, web_username): """ use template to render pushed sudoers file """ self.run_action = 'async' self.run_type = 'playbook' data = { 'resource': self.resource, 'hosts': self.host_list, 'sudo_uuids': sudo_uuids, 'role_name': role.name, 'role_uuid': role.uuid_id, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, 'isTemplate': True } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def push_key(self, user, key_path, proxy, web_username): """ push the ssh authorized key to target. """ self.run_action = 'async' self.run_type = 'ad-hoc' module_args = 'user="******" key="{{ lookup("file", "%s") }}" state=present' % ( user, key_path) data = { 'mod_name': 'authorized_key', 'resource': self.resource, 'hosts': self.host_list, 'mod_args': module_args, 'role_name': user, 'web_username': web_username, 'run_action': self.run_action, 'run_type': self.run_type, 'isTemplate': self.isTemplate } data = json.dumps(data) api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password)) result, code = api.req_post(data) return result
def save_or_delete(obj_name, data, proxy, obj_uuid=None, action='add'): """ 保存,更新, 删除数据 obj_name: 'PermRole' obj_uuid: role.uuid_id """ info = '' try: api = APIRequest( '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password)) if action == 'add': result, codes = api.req_post(data) elif action == 'update': result, codes = api.req_put(data) elif action == 'delete': result, codes = api.req_del(data) if result is not None: info = result['messege'] except Exception as e: info = 'error' logger.error("[save_or_delete] %s" % e) return info
def perm_role_add(request, res, *args): """ 添加系统用户 server和proxy上都添加 """ response = {'success': False, 'error': ''} res['operator'] = u"添加系统用户" res['emer_content'] = 6 if request.method == "POST": name = request.POST.get("role_name", "").strip() comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') uuid_id = str(uuid.uuid1()) sys_groups = request.POST.get('sys_groups', '').strip() try: if get_object(PermRole, name=name): raise ServerError(u'用户 %s已经存在' % name) if name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if name == "": raise ServerError(u'系统用户名为空') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [ get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids ] sudo_uuids = [item.uuid_id for item in sudos_obj] try: keys_content = json.dumps(gen_keys(key_content)) except Exception, e: raise ServerError(e) # # TODO 将数据保存到magicstack上 role = PermRole.objects.create(uuid_id=uuid_id, name=name, comment=comment, password=encrypt_pass, key_content=keys_content, system_groups=sys_groups) role.sudo = sudos_obj role.save() # TODO 将数据同时保存到proxy上 proxy_list = Proxy.objects.all() data = { 'uuid_id': uuid_id, 'id': role.id, 'name': name, 'password': encrypt_pass, 'comment': comment, 'key_content': keys_content, 'sudo_uuids': sudo_uuids, 'sys_groups': sys_groups } data = json.dumps(data) execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data, obj_uuid=role.uuid_id, action='add') response['success'] = True res['content'] = u'添加系统用户[%s]成功' % role.name res['emer_status'] = u'添加系统用户[%s]成功' % role.name except ServerError, e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"添加系统用户失败:%s" (e.message) response['error'] = u"添加系统用户失败:%s" % (e.message)
def media_edit(request, res): res['operator'] = u'编辑告警媒介' if request.method == 'GET': try: media_id = request.GET.get('id', '') media_info = EmergencyType.objects.get(id=int(media_id)) rest = {} rest['Id'] = media_info.id rest['name'] = media_info.name rest['type'] = media_info.type rest['status'] = media_info.status rest['smtp_server'] = media_info.smtp_server rest['smtp_server_port'] = media_info.smtp_server_port rest['email_username'] = media_info.email_username email_psswd = CRYPTOR.decrypt(media_info.email_password) if media_info.email_password else '' # 将密码解密后在传到前端 rest['email_password'] = email_psswd rest['email_use_tls'] = media_info.email_use_tls rest['email_use_ssl'] = media_info.email_use_ssl rest['corpid'] = media_info.corpid rest['corpsecret'] = media_info.corpsecret rest['comment'] = media_info.comment return HttpResponse(json.dumps(rest), content_type='application/json') except Exception as e: logger.error(e.message) return HttpResponse(e.message) else: response = {'success': False, 'error': ''} m_id = request.GET.get('id', '') media = EmergencyType.objects.get(id=int(m_id)) media_name = request.POST.get('media_name', '') media_type = request.POST.get('media_type', '') try: old_name=media.name if old_name==media_name: if EmergencyType.objects.filter(name=media_name).count()>1: raise ServerError(u'名称[%s]已存在'% media_name) else: if EmergencyType.objects.filter(name=media_name).count()>0: raise ServerError(u"名称[%s]已存在"% media_name) if media_type == '0': smtp_host = request.POST.get('smtp_host', '') smtp_host_port = int(request.POST.get('smtp_host_port', 587)) email_user = request.POST.get('email_user', '') email_user_password = request.POST.get('email_user_password', '') encrypt_password = CRYPTOR.encrypt(email_user_password) connect_security = request.POST.getlist('connection', []) status = request.POST.get('extra', '0') comment = request.POST.get('comment', '') is_use_tls = True if '1' in connect_security else 0 is_use_ssl = True if '0' in connect_security else 0 media_detail = u"SMTP服务器:{0} SMTP电邮:{1}".format(smtp_host, email_user) if '' in [media_name, smtp_host, smtp_host_port, email_user, email_user_password]: raise ServerError(u'名称不能为空') media.name = media_name media.type = media_type media.smtp_server = smtp_host media.smtp_server_port = smtp_host_port media.status = status media.email_username = email_user media.email_password = encrypt_password media.email_use_ssl = is_use_ssl media.email_use_tls = is_use_tls media.detail = media_detail media.comment = comment media.save() res['content'] = u'修改告警媒介[%s]成功' % media_name response['success'] = True elif media_type == '1': corpid = request.POST.get('corpid', '') corpsecret = request.POST.get('corpsecret', '') status = request.POST.get('extra', '0') comment = request.POST.get('comment', '') media_detail = u'CorpID:%s'%corpid if '' in [media_name, corpid, corpsecret]: raise ServerError(u'必要参数为空,请从新填写!') media.name = media_name media.type = media_type media.status = status media.corpid = corpid media.detail = media_detail media.corpsecret = corpsecret media.comment = comment media.save() res['content'] = u'修改告警媒介[%s]成功'%media.name response['success'] = True except Exception as e: logger.error(e) res['flag'] = 'false' response['error'] =res['content'] = u'修改告警媒介失败:%s'%e.message return HttpResponse(json.dumps(response), content_type='application/json')
def role_proxy_operator(user_name, obj_name, data, proxy=None, obj_uuid='all', action='add'): """ 保存,更新, 删除数据,并把操作结果保存到Task表中 obj_name: PermRole, PermSudo """ result = res_info = msg_name = '' g_lock = threading.Lock() # 线程锁 if obj_name == 'PermRole': msg_name = u'系统用户' elif obj_name == 'PermSudo': msg_name = u'SUDO别名' g_url = '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid) try: g_lock.acquire() # 在每个proxy上(add/update/delete) role/sudo,并返回结果 api = APIRequest(g_url, proxy.username, CRYPTOR.decrypt(proxy.password)) if action == 'add': result, codes = api.req_post(data) pdata = json.loads(data) res_info = u'添加{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) elif action == 'update': result, codes = api.req_put(data) pdata = json.loads(data) res_info = u'编辑{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) elif action == 'delete': result, codes = api.req_del(data) pdata = json.loads(data) res_info = u'删除{0}{1} {2}'.format(msg_name, pdata['name'], result['messege']) logger.info('role_proxy_%s:%s' % (action, result['messege'])) # 生成唯一的事件名称,用于从数据库中查询执行结果 if 'name' not in json.dumps(data): raise ValueError('role_proxy_operator: data["name"]不存在') task_name = json.loads(data)['name'] + '_' + uuid.uuid4().hex # 将事件添加到消息队列中 task_queue.put({'server': task_name, 'username': user_name}) # 将执行结果保存到数据库中 role_task = Task() role_task.task_name = task_name role_task.proxy_name = proxy.proxy_name role_task.role_name = json.loads(data)['name'] role_task.username = user_name role_task.status = 'complete' role_task.content = res_info role_task.url = g_url role_task.start_time = datetime.datetime.now() role_task.action = action role_task.role_uuid = obj_uuid role_task.role_data = data role_task.result = result['messege'] role_task.save() except Exception as e: logger.error("[role_proxy_operator] %s" % e) finally: g_lock.release() return result
def gen_resource(ob, perm=None): """ ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息 生成MyInventory需要的 resource文件 """ res = [] if isinstance(ob, dict): role = ob.get('role') asset_r = ob.get('asset') user = ob.get('user') if not perm: perm = get_group_user_perm(user) if role: roles = perm.get('role', {}).keys() # 获取用户所有授权角色 if role not in roles: return {} role_assets_all = perm.get('role').get(role).get('asset') # 获取用户该角色所有授权主机 assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机 for asset in assets: asset_info = get_asset_info(asset) role_key = get_role_key(user, role) info = {'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22), 'ansible_ssh_private_key_file': role_key, 'username': role.name, } if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) else: for asset, asset_info in perm.get('asset').items(): if asset not in asset_r: continue asset_info = get_asset_info(asset) try: role = sorted(list(perm.get('asset').get(asset).get('role')))[0] except IndexError: continue role_key = get_role_key(user, role) info = {'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22), 'username': role.name, 'password': CRYPTOR.decrypt(role.password), } if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) elif isinstance(ob, User): if not perm: perm = get_group_user_perm(ob) for asset, asset_info in perm.get('asset').items(): asset_info = get_asset_info(asset) info = {'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22)} try: role = sorted(list(perm.get('asset').get(asset).get('role')))[0] except IndexError: continue info['username'] = role.name info['password'] = CRYPTOR.decrypt(role.password) role_key = get_role_key(ob, role) if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) elif isinstance(ob, (list, QuerySet)): for asset in ob: info = get_asset_info(asset) res.append(info) return res
def save_or_delete(obj_name, data, proxy, obj_uuid=None, action='add'): """ 保存,更新, 删除数据 obj_name: 'PermRole' obj_uuid: role.uuid_id """ info = '' try: api = APIRequest('{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password)) if action == 'add': result, codes = api.req_post(data) elif action == 'update': result, codes = api.req_put(data) elif action == 'delete': result, codes = api.req_del(data) if result is not None: info = result['messege'] except Exception as e: info = 'error' logger.error("[save_or_delete] %s"%e) return info
def gen_resource(ob, perm=None): """ ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息 生成MyInventory需要的 resource文件 """ res = [] if isinstance(ob, dict): role = ob.get('role') asset_r = ob.get('asset') user = ob.get('user') if not perm: perm = get_group_user_perm(user) if role: roles = perm.get('role', {}).keys() # 获取用户所有授权角色 if role not in roles: return {} role_assets_all = perm.get('role').get(role).get( 'asset') # 获取用户该角色所有授权主机 assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机 for asset in assets: asset_info = get_asset_info(asset) role_key = get_role_key(user, role) info = { 'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22), 'ansible_ssh_private_key_file': role_key, 'username': role.name, } if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) else: for asset, asset_info in perm.get('asset').items(): if asset not in asset_r: continue asset_info = get_asset_info(asset) try: role = sorted( list(perm.get('asset').get(asset).get('role')))[0] except IndexError: continue role_key = get_role_key(user, role) info = { 'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22), 'username': role.name, 'password': CRYPTOR.decrypt(role.password), } if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) elif isinstance(ob, User): if not perm: perm = get_group_user_perm(ob) for asset, asset_info in perm.get('asset').items(): asset_info = get_asset_info(asset) info = { 'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22) } try: role = sorted(list( perm.get('asset').get(asset).get('role')))[0] except IndexError: continue info['username'] = role.name info['password'] = CRYPTOR.decrypt(role.password) role_key = get_role_key(ob, role) if os.path.isfile(role_key): info['ssh_key'] = role_key res.append(info) elif isinstance(ob, (list, QuerySet)): for asset in ob: info = get_asset_info(asset) res.append(info) return res
def perm_role_edit(request, res, *args): """ 编辑系统用户 """ # 渲染数据 res['operator'] = u"编辑系统用户" res['emer_content'] = 6 if request.method == "GET": role_id = request.GET.get("id") role = PermRole.objects.get(id=int(role_id)) if not role: return HttpResponse(u'系统用户不存在') rest = {} rest['Id'] = role.id rest['role_name'] = role.name rest['role_password'] = role.password rest['role_comment'] = role.comment rest['system_groups'] = role.system_groups rest['sudos'] = ','.join([str(item.id) for item in role.sudo.all()]) return HttpResponse(json.dumps(rest), content_type='application/json') else: response = {'success': False, 'error': ''} role_id = request.GET.get("id", '') role = PermRole.objects.get(id=int(role_id)) role_name = request.POST.get("role_name") role_password = request.POST.get("role_password") role_comment = request.POST.get("role_comment") role_sudo_names = request.POST.getlist("sudo_name") role_sudos = [ PermSudo.objects.get(id=int(sudo_id)) for sudo_id in role_sudo_names ] key_content = request.POST.get("role_key", "") sudo_uuids = [item.uuid_id for item in role_sudos] sys_groups = request.POST.get("sys_groups", '').strip() try: if not role: raise ServerError('该系统用户不能存在') if role_name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if role_password: encrypt_pass = CRYPTOR.encrypt(role_password) role.password = encrypt_pass role_key_content = "" # key_content为空表示用户秘钥不变,不为空就根据私钥生成公钥 # TODO 生成随机密码,生成秘钥对 if key_content: try: key_contents = json.dumps(gen_keys(key=key_content)) role.key_content = key_contents role_key_content = key_contents except SSHException: raise ServerError(u'输入的密钥不合法') # 跟新server上的permrole role.name = role_name role.comment = role_comment role.system_groups = sys_groups role.sudo = role_sudos role.save() # 更新proxy上的permrole data = { 'name': role_name, 'password': role_password, 'comment': role_comment, 'sudo_uuids': sudo_uuids, 'key_content': role_key_content, 'sys_groups': sys_groups } data = json.dumps(data) proxy_list = Proxy.objects.all() execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data, obj_uuid=role.uuid_id, action='update') # TODO 用户操作记录 res['content'] = u"编辑系统用户[%s]成功" % role.name # TODO 告警事件记录 res['emer_status'] = u"编辑系统用户[%s]成功" % role.name # TODO 页面返回信息 response['success'] = True except ServerError, e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"编辑系统用户失败:%s" % (e.message) response['error'] = u"编辑系统用户失败:%s" % (e.message) return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_edit(request, res, *args): """ 编辑系统用户 """ # 渲染数据 res['operator'] = u"编辑系统用户" res['emer_content'] = 6 if request.method == "GET": role_id = request.GET.get("id") role = PermRole.objects.get(id=int(role_id)) if not role: return HttpResponse(u'系统用户不存在') rest = {} rest['Id'] = role.id rest['role_name'] = role.name rest['role_password'] = role.password rest['role_comment'] = role.comment rest['system_groups'] = role.system_groups rest['sudos'] = ','.join([str(item.id) for item in role.sudo.all()]) return HttpResponse(json.dumps(rest), content_type='application/json') else: response = {'success': False, 'error': ''} role_id = request.GET.get("id", '') role = PermRole.objects.get(id=int(role_id)) role_name = request.POST.get("role_name") role_password = request.POST.get("role_password") role_comment = request.POST.get("role_comment") role_sudo_names = request.POST.getlist("sudo_name") role_sudos = [PermSudo.objects.get(id=int(sudo_id)) for sudo_id in role_sudo_names] key_content = request.POST.get("role_key", "") sudo_uuids = [item.uuid_id for item in role_sudos] sys_groups = request.POST.get("sys_groups",'').strip() try: if not role: raise ServerError('该系统用户不能存在') if role_name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if role_password: encrypt_pass = CRYPTOR.encrypt(role_password) role.password = encrypt_pass role_key_content = "" # key_content为空表示用户秘钥不变,不为空就根据私钥生成公钥 # TODO 生成随机密码,生成秘钥对 if key_content: try: key_contents = json.dumps(gen_keys(key=key_content)) role.key_content = key_contents role_key_content = key_contents except SSHException: raise ServerError(u'输入的密钥不合法') # 跟新server上的permrole role.name = role_name role.comment = role_comment role.system_groups = sys_groups role.sudo = role_sudos role.save() # 更新proxy上的permrole data = {'name': role_name, 'password': role_password, 'comment': role_comment, 'sudo_uuids': sudo_uuids, 'key_content': role_key_content, 'sys_groups': sys_groups} data = json.dumps(data) proxy_list = Proxy.objects.all() execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data, obj_uuid=role.uuid_id, action='update') # TODO 用户操作记录 res['content'] = u"编辑系统用户[%s]成功" % role.name # TODO 告警事件记录 res['emer_status'] = u"编辑系统用户[%s]成功" % role.name # TODO 页面返回信息 response['success'] = True except ServerError, e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"编辑系统用户失败:%s"%(e.message) response['error'] = u"编辑系统用户失败:%s"%(e.message) return HttpResponse(json.dumps(response), content_type='application/json')
def get_one_or_all(obj_name, proxy, obj_uuid='all'): """ 获取所有的对象或者一个id对应的对象 """ obj_list = [] try: api = APIRequest('{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password)) result, codes = api.req_get() obj_list = result['messege'] except Exception as e: logger.error(e) return obj_list
def get_rand_pass(): """ get a reandom password. """ CRYPTOR.gen_rand_pass(20)
def perm_role_add(request, res, *args): """ 添加系统用户 server和proxy上都添加 """ response = {'success': False, 'error': ''} res['operator'] = u"添加系统用户" res['emer_content'] = 6 if request.method == "POST": name = request.POST.get("role_name", "").strip() comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') uuid_id = str(uuid.uuid1()) sys_groups = request.POST.get('sys_groups', '').strip() try: if get_object(PermRole, name=name): raise ServerError(u'用户 %s已经存在' % name) if name == "root": raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!') if name == "": raise ServerError(u'系统用户名为空') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids] sudo_uuids = [item.uuid_id for item in sudos_obj] try: keys_content = json.dumps(gen_keys(key_content)) except Exception, e: raise ServerError(e) # # TODO 将数据保存到magicstack上 role = PermRole.objects.create(uuid_id=uuid_id, name=name, comment=comment, password=encrypt_pass, key_content=keys_content, system_groups=sys_groups) role.sudo = sudos_obj role.save() # TODO 将数据同时保存到proxy上 proxy_list = Proxy.objects.all() data = {'uuid_id': uuid_id, 'id': role.id, 'name': name, 'password': encrypt_pass, 'comment': comment, 'key_content': keys_content, 'sudo_uuids': sudo_uuids, 'sys_groups': sys_groups} data = json.dumps(data) execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data, obj_uuid=role.uuid_id, action='add') response['success'] = True res['content'] = u'添加系统用户[%s]成功'% role.name res['emer_status'] = u'添加系统用户[%s]成功'% role.name except ServerError, e: res['flag'] = 'false' res['content'] = e.message res['emer_status'] = u"添加系统用户失败:%s"(e.message) response['error'] = u"添加系统用户失败:%s"%(e.message)