def perm_role_edit(request, res, *args):
"""
edit role page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户编辑"
res['operator'] = path2
# 渲染数据
role_id = request.GET.get("id")
role = PermRole.objects.get(id=role_id)
role_pass = CRYPTOR.decrypt(role.password)
sudo_all = PermSudo.objects.all()
role_sudos = role.sudo.all()
sudo_all = PermSudo.objects.all()
if request.method == "GET":
return my_render('permManage/perm_role_edit.html', locals(), request)
if request.method == "POST":
# 获取 POST 数据
role_name = request.POST.get("role_name")
role_password = request.POST.get("role_password")
role_comment = request.POST.get("role_comment")
role_sudo_names = request.POST.getlist("sudo_name")
role_sudos = [PermSudo.objects.get(id=sudo_id) for sudo_id in role_sudo_names]
key_content = request.POST.get("role_key", "")
try:
if not role:
raise ServerError('该系统用户不能存在')
if role_name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if role_password:
encrypt_pass = CRYPTOR.encrypt(role_password)
role.password = encrypt_pass
# 生成随机密码,生成秘钥对
if key_content:
try:
key_path = gen_keys(key=key_content, key_path_dir=role.key_path)
except SSHException:
raise ServerError('输入的密钥不合法')
logger.debug('Recreate role key: %s' % role.key_path)
# 写入数据库
role.name = role_name
role.comment = role_comment
role.sudo = role_sudos
role.save()
msg = u"更新系统用户: %s" % role.name
res['content'] = msg
return HttpResponseRedirect(reverse('role_list'))
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
def query_event(task_name, username, proxy):
data = {'task_name': task_name, 'username': username}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/permission/event'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, codes = api.req_post(data)
logger.info('推送用户事件查询结果result:%s'%result)
return result
def add_user(self, username, proxy, groups, web_username):
"""
add a host user.
username: 系统用户名
web_username: 网站用户名
"""
self.run_action = 'async'
self.run_type = 'ad-hoc'
if groups.strip():
module_args = 'name=%s shell=/bin/bash groups=%s' % (username,
groups)
else:
module_args = 'name=%s shell=/bin/bash' % username
data = {
'mod_name': 'user',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': username,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type, # 标记, 执行ansible ad-hoc命令还是执行playbook
'isTemplate': self.isTemplate
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def add_user(self, username, proxy, groups, web_username):
"""
add a host user.
username: 系统用户名
web_username: 网站用户名
"""
self.run_action = 'async'
self.run_type = 'ad-hoc'
if groups.strip():
module_args = 'name=%s shell=/bin/bash groups=%s' % (username, groups)
else:
module_args = 'name=%s shell=/bin/bash' % username
data = {'mod_name': 'user',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': username,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type, # 标记, 执行ansible ad-hoc命令还是执行playbook
'isTemplate': self.isTemplate
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def send_email(email_config, email_title, email_to, email_msg):
"""
发送邮件
"""
rest = {'msgCode': 0, 'msgError': ''} # msgCode: 0:成功 1:失败
message = MIMEText(email_msg, 'plain', 'utf-8')
message['Subject'] = Header(email_title)
message['From'] = email_config.email_username
emali_list = ','.join(email_to)
message['To'] = emali_list
server = smtplib.SMTP()
if email_config.email_use_ssl:
server = smtplib.SMTP_SSL()
try:
server.connect(email_config.smtp_server, email_config.smtp_server_port)
if email_config.email_use_tls and email_config.email_use_ssl is not True:
server.starttls()
logger.info(u'%s: password %s'%(email_config.name, email_config.email_password))
server.login(email_config.email_username, CRYPTOR.decrypt(email_config.email_password))
server.sendmail(email_config.email_username, email_to, message.as_string())
except Exception as e:
rest['msgCode'] = 1
rest['msgError'] = e
logger.error(e)
finally:
server.quit()
return rest
def send_email(email_config, email_title, email_to, email_msg):
"""
发送邮件
"""
rest = {'msgCode': 0, 'msgError': ''} # msgCode: 0:成功 1:失败
message = MIMEText(email_msg, 'plain', 'utf-8')
message['Subject'] = Header(email_title)
message['From'] = email_config.email_username
emali_list = ','.join(email_to)
message['To'] = emali_list
server = smtplib.SMTP()
if email_config.email_use_ssl:
server = smtplib.SMTP_SSL()
try:
server.connect(email_config.smtp_server, email_config.smtp_server_port)
if email_config.email_use_tls and email_config.email_use_ssl is not True:
server.starttls()
logger.info(u'%s: password %s' %
(email_config.name, email_config.email_password))
server.login(email_config.email_username,
CRYPTOR.decrypt(email_config.email_password))
server.sendmail(email_config.email_username, email_to,
message.as_string())
except Exception as e:
rest['msgCode'] = 1
rest['msgError'] = e
logger.error(e)
finally:
server.quit()
return rest
def query_event(task_name, username, proxy):
data = {'task_name': task_name, 'username': username}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/permission/event'.format(proxy.url),
proxy.username, CRYPTOR.decrypt(proxy.password))
result, codes = api.req_post(data)
logger.info('推送用户事件查询结果result:%s' % result)
return result
def role_proxy_operator(user_name, obj_name, data, proxy=None, obj_uuid='all', action='add'):
"""
保存,更新, 删除数据,并把操作结果保存到Task表中
obj_name: PermRole, PermSudo
"""
result = res_info = msg_name = ''
g_lock = threading.Lock() # 线程锁
if obj_name == 'PermRole':
msg_name = u'系统用户'
elif obj_name == 'PermSudo':
msg_name = u'SUDO别名'
g_url = '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid)
try:
g_lock.acquire()
# 在每个proxy上(add/update/delete) role/sudo,并返回结果
api = APIRequest(g_url, proxy.username, CRYPTOR.decrypt(proxy.password))
if action == 'add':
result, codes = api.req_post(data)
pdata = json.loads(data)
res_info = u'添加{0}{1} {2}'.format(msg_name, pdata['name'], result['messege'])
elif action == 'update':
result, codes = api.req_put(data)
pdata = json.loads(data)
res_info = u'编辑{0}{1} {2}'.format(msg_name, pdata['name'], result['messege'])
elif action == 'delete':
result, codes = api.req_del(data)
pdata = json.loads(data)
res_info = u'删除{0}{1} {2}'.format(msg_name, pdata['name'], result['messege'])
logger.info('role_proxy_%s:%s'%(action, result['messege']))
# 生成唯一的事件名称,用于从数据库中查询执行结果
if 'name' not in json.dumps(data):
raise ValueError('role_proxy_operator: data["name"]不存在')
task_name = json.loads(data)['name'] + '_' + uuid.uuid4().hex
# 将事件添加到消息队列中
task_queue.put({'server': task_name, 'username': user_name})
# 将执行结果保存到数据库中
role_task = Task()
role_task.task_name = task_name
role_task.proxy_name = proxy.proxy_name
role_task.role_name = json.loads(data)['name']
role_task.username = user_name
role_task.status = 'complete'
role_task.content = res_info
role_task.url = g_url
role_task.start_time = datetime.datetime.now()
role_task.action = action
role_task.role_uuid = obj_uuid
role_task.role_data = data
role_task.result = result['messege']
role_task.save()
except Exception as e:
logger.error("[role_proxy_operator] %s"%e)
finally:
g_lock.release()
return result
def perm_role_add(request, res, *args):
"""
add role page
"""
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
res['operator'] = path2
sudos = PermSudo.objects.all()
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
try:
if get_object(PermRole, name=name):
raise ServerError(u'已经存在该用户 %s' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
default = get_object(Setting, name='default')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids]
if key_content:
try:
key_path = gen_keys(key=key_content)
except SSHException, e:
raise ServerError(e)
else:
key_path = gen_keys()
logger.debug('generate role key: %s' % key_path)
role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
role.save()
role.sudo = sudos_obj
msg = u"添加系统用户: %s" % name
res['content'] = msg
return HttpResponseRedirect(reverse('role_list'))
def get_connect_info(self):
"""
获取需要登陆的主机的信息和映射用户的账号密码
"""
asset_info = get_asset_info(self.asset)
role_key = get_role_key(self.user, self.role) # 获取角色的key,因为ansible需要权限是600,所以统一生成用户_角色key
role_pass = CRYPTOR.decrypt(self.role.password)
connect_info = {'user': self.user, 'asset': self.asset, 'ip': asset_info.get('ip'),
'port': int(asset_info.get('port')), 'role_name': self.role.name,
'role_pass': role_pass, 'role_key': role_key}
logger.debug(connect_info)
return connect_info
def media_add(request, res, *args):
response = {'success': False, 'error': ''}
res['operator'] = u'添加告警媒介'
if request.method == 'POST':
try:
media_name = request.POST.get('media_name', '')
if EmergencyType.objects.filter(name=media_name):
raise ServerError(u'名称[%s]已存在'%media_name)
media_type = request.POST.get('media_type', '')
if media_type == '0':
smtp_host = request.POST.get('smtp_host', '')
smtp_host_port = request.POST.get('smtp_host_port', 587)
email_user = request.POST.get('email_user', '')
email_user_password = request.POST.get('email_user_password', '')
encrypt_password = CRYPTOR.encrypt(email_user_password)
connect_security = request.POST.getlist('connection', [])
status = request.POST.get('extra', '0')
comment = request.POST.get('comment', '')
is_use_tls = True if '1' in connect_security else 0
is_use_ssl = True if '0' in connect_security else 0
media_detail = u"SMTP服务器:{0} SMTP电邮:{1}".format(smtp_host, email_user)
if '' in [media_name, smtp_host, smtp_host_port, email_user, email_user_password]:
raise ServerError(u'必要参数不能为空,请从新填写')
EmergencyType.objects.create(name=media_name, type=media_type, smtp_server=smtp_host, smtp_server_port=int(smtp_host_port),
status=status, email_username=email_user, email_password=encrypt_password,
email_use_ssl=is_use_ssl, email_use_tls=is_use_tls,detail=media_detail, comment=comment)
res['content'] = u'添加告警媒介[%s]成功' % media_name
response['success'] = True
response['error'] = u'添加告警媒介[%s]成功' % media_name
elif media_type == '1':
corpid = request.POST.get('corpid', '')
corpsecret = request.POST.get('corpsecret', '')
status = request.POST.get('extra', '0')
comment = request.POST.get('comment', '')
if '' in [media_name, corpid, corpsecret]:
raise ServerError(u'必要参数为空,请从新填写!')
media_detail = u'CorpID:%s '%corpid
EmergencyType.objects.create(name=media_name, type=media_type, corpid=corpid, corpsecret=corpsecret,
detail=media_detail, status=status, comment=comment)
res['content'] = u'添加成功'
response['success'] = True
response['error'] = u'添加成功'
except Exception as e:
res['flag'] = False
res['content'] = e.message
response['error'] = u'添加media失败:%s'%e.message
return HttpResponse(json.dumps(response), content_type='application/json')
def get_one_or_all(obj_name, proxy, obj_uuid='all'):
"""
获取所有的对象或者一个id对应的对象
"""
obj_list = []
try:
api = APIRequest(
'{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name,
obj_uuid), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, codes = api.req_get()
obj_list = result['messege']
except Exception as e:
logger.error(e)
return obj_list
def del_user(self, username, proxy, web_username):
"""
delete a host user.
"""
module_args = 'name=%s groups='' state=absent remove=yes move_home=yes force=yes' % username
data = {'mod_name': 'user',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': username,
'web_username': web_username,
'run_action': 'sync', # run_action参数表示同步还是异步执行
'run_type': 'ad-hoc'
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def del_user_sudo(self, role_uuid, proxy, web_username):
"""
delete a role sudo item
"""
filename = 'role-%s'%role_uuid
module_args = "name=/etc/sudoers.d/%s state=absent" %filename
data = {'mod_name': 'file',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'web_username': web_username,
'run_action': 'sync',
'run_type': 'ad-hoc'
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def del_key(self, user, key_path, proxy):
"""
push the ssh authorized key to target.
"""
module_args = 'user="******" key="{{ lookup("file", "%s") }}" state="absent"' % (
user, key_path)
data = {
'mod_name': 'authorized_key',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': user
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR(proxy.password))
result, code = api.req_post(data)
return result
def del_user(self, username, proxy, web_username):
"""
delete a host user.
"""
module_args = 'name=%s groups=' ' state=absent remove=yes move_home=yes force=yes' % username
data = {
'mod_name': 'user',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': username,
'web_username': web_username,
'run_action': 'sync', # run_action参数表示同步还是异步执行
'run_type': 'ad-hoc'
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def del_user_sudo(self, role_uuid, proxy, web_username):
"""
delete a role sudo item
"""
filename = 'role-%s' % role_uuid
module_args = "name=/etc/sudoers.d/%s state=absent" % filename
data = {
'mod_name': 'file',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'web_username': web_username,
'run_action': 'sync',
'run_type': 'ad-hoc'
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def push_sudo(self, role, sudo_uuids, proxy, web_username):
"""
use template to render pushed sudoers file
"""
self.run_action = 'async'
self.run_type = 'playbook'
data = {'resource': self.resource,
'hosts': self.host_list,
'sudo_uuids': sudo_uuids,
'role_name': role.name,
'role_uuid': role.uuid_id,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type,
'isTemplate': True
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def push_key(self, user, key_path, proxy, web_username):
"""
push the ssh authorized key to target.
"""
self.run_action = 'async'
self.run_type = 'ad-hoc'
module_args = 'user="******" key="{{ lookup("file", "%s") }}" state=present' % (user, key_path)
data = {'mod_name': 'authorized_key',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': user,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type,
'isTemplate': self.isTemplate
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username, CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def push_sudo(self, role, sudo_uuids, proxy, web_username):
"""
use template to render pushed sudoers file
"""
self.run_action = 'async'
self.run_type = 'playbook'
data = {
'resource': self.resource,
'hosts': self.host_list,
'sudo_uuids': sudo_uuids,
'role_name': role.name,
'role_uuid': role.uuid_id,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type,
'isTemplate': True
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def push_key(self, user, key_path, proxy, web_username):
"""
push the ssh authorized key to target.
"""
self.run_action = 'async'
self.run_type = 'ad-hoc'
module_args = 'user="******" key="{{ lookup("file", "%s") }}" state=present' % (
user, key_path)
data = {
'mod_name': 'authorized_key',
'resource': self.resource,
'hosts': self.host_list,
'mod_args': module_args,
'role_name': user,
'web_username': web_username,
'run_action': self.run_action,
'run_type': self.run_type,
'isTemplate': self.isTemplate
}
data = json.dumps(data)
api = APIRequest('{0}/v1.0/module'.format(proxy.url), proxy.username,
CRYPTOR.decrypt(proxy.password))
result, code = api.req_post(data)
return result
def save_or_delete(obj_name, data, proxy, obj_uuid=None, action='add'):
"""
保存,更新, 删除数据
obj_name: 'PermRole'
obj_uuid: role.uuid_id
"""
info = ''
try:
api = APIRequest(
'{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name,
obj_uuid), proxy.username,
CRYPTOR.decrypt(proxy.password))
if action == 'add':
result, codes = api.req_post(data)
elif action == 'update':
result, codes = api.req_put(data)
elif action == 'delete':
result, codes = api.req_del(data)
if result is not None:
info = result['messege']
except Exception as e:
info = 'error'
logger.error("[save_or_delete] %s" % e)
return info
def perm_role_add(request, res, *args):
"""
添加系统用户 server和proxy上都添加
"""
response = {'success': False, 'error': ''}
res['operator'] = u"添加系统用户"
res['emer_content'] = 6
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
uuid_id = str(uuid.uuid1())
sys_groups = request.POST.get('sys_groups', '').strip()
try:
if get_object(PermRole, name=name):
raise ServerError(u'用户 %s已经存在' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if name == "":
raise ServerError(u'系统用户名为空')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [
get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids
]
sudo_uuids = [item.uuid_id for item in sudos_obj]
try:
keys_content = json.dumps(gen_keys(key_content))
except Exception, e:
raise ServerError(e)
# # TODO 将数据保存到magicstack上
role = PermRole.objects.create(uuid_id=uuid_id,
name=name,
comment=comment,
password=encrypt_pass,
key_content=keys_content,
system_groups=sys_groups)
role.sudo = sudos_obj
role.save()
# TODO 将数据同时保存到proxy上
proxy_list = Proxy.objects.all()
data = {
'uuid_id': uuid_id,
'id': role.id,
'name': name,
'password': encrypt_pass,
'comment': comment,
'key_content': keys_content,
'sudo_uuids': sudo_uuids,
'sys_groups': sys_groups
}
data = json.dumps(data)
execute_thread_tasks(proxy_list,
THREAD_NUMBERS,
role_proxy_operator,
request.user.username,
'PermRole',
data,
obj_uuid=role.uuid_id,
action='add')
response['success'] = True
res['content'] = u'添加系统用户[%s]成功' % role.name
res['emer_status'] = u'添加系统用户[%s]成功' % role.name
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加系统用户失败:%s" (e.message)
response['error'] = u"添加系统用户失败:%s" % (e.message)
def media_edit(request, res):
res['operator'] = u'编辑告警媒介'
if request.method == 'GET':
try:
media_id = request.GET.get('id', '')
media_info = EmergencyType.objects.get(id=int(media_id))
rest = {}
rest['Id'] = media_info.id
rest['name'] = media_info.name
rest['type'] = media_info.type
rest['status'] = media_info.status
rest['smtp_server'] = media_info.smtp_server
rest['smtp_server_port'] = media_info.smtp_server_port
rest['email_username'] = media_info.email_username
email_psswd = CRYPTOR.decrypt(media_info.email_password) if media_info.email_password else '' # 将密码解密后在传到前端
rest['email_password'] = email_psswd
rest['email_use_tls'] = media_info.email_use_tls
rest['email_use_ssl'] = media_info.email_use_ssl
rest['corpid'] = media_info.corpid
rest['corpsecret'] = media_info.corpsecret
rest['comment'] = media_info.comment
return HttpResponse(json.dumps(rest), content_type='application/json')
except Exception as e:
logger.error(e.message)
return HttpResponse(e.message)
else:
response = {'success': False, 'error': ''}
m_id = request.GET.get('id', '')
media = EmergencyType.objects.get(id=int(m_id))
media_name = request.POST.get('media_name', '')
media_type = request.POST.get('media_type', '')
try:
old_name=media.name
if old_name==media_name:
if EmergencyType.objects.filter(name=media_name).count()>1:
raise ServerError(u'名称[%s]已存在'% media_name)
else:
if EmergencyType.objects.filter(name=media_name).count()>0:
raise ServerError(u"名称[%s]已存在"% media_name)
if media_type == '0':
smtp_host = request.POST.get('smtp_host', '')
smtp_host_port = int(request.POST.get('smtp_host_port', 587))
email_user = request.POST.get('email_user', '')
email_user_password = request.POST.get('email_user_password', '')
encrypt_password = CRYPTOR.encrypt(email_user_password)
connect_security = request.POST.getlist('connection', [])
status = request.POST.get('extra', '0')
comment = request.POST.get('comment', '')
is_use_tls = True if '1' in connect_security else 0
is_use_ssl = True if '0' in connect_security else 0
media_detail = u"SMTP服务器:{0} SMTP电邮:{1}".format(smtp_host, email_user)
if '' in [media_name, smtp_host, smtp_host_port, email_user, email_user_password]:
raise ServerError(u'名称不能为空')
media.name = media_name
media.type = media_type
media.smtp_server = smtp_host
media.smtp_server_port = smtp_host_port
media.status = status
media.email_username = email_user
media.email_password = encrypt_password
media.email_use_ssl = is_use_ssl
media.email_use_tls = is_use_tls
media.detail = media_detail
media.comment = comment
media.save()
res['content'] = u'修改告警媒介[%s]成功' % media_name
response['success'] = True
elif media_type == '1':
corpid = request.POST.get('corpid', '')
corpsecret = request.POST.get('corpsecret', '')
status = request.POST.get('extra', '0')
comment = request.POST.get('comment', '')
media_detail = u'CorpID:%s'%corpid
if '' in [media_name, corpid, corpsecret]:
raise ServerError(u'必要参数为空,请从新填写!')
media.name = media_name
media.type = media_type
media.status = status
media.corpid = corpid
media.detail = media_detail
media.corpsecret = corpsecret
media.comment = comment
media.save()
res['content'] = u'修改告警媒介[%s]成功'%media.name
response['success'] = True
except Exception as e:
logger.error(e)
res['flag'] = 'false'
response['error'] =res['content'] = u'修改告警媒介失败:%s'%e.message
return HttpResponse(json.dumps(response), content_type='application/json')
def role_proxy_operator(user_name,
obj_name,
data,
proxy=None,
obj_uuid='all',
action='add'):
"""
保存,更新, 删除数据,并把操作结果保存到Task表中
obj_name: PermRole, PermSudo
"""
result = res_info = msg_name = ''
g_lock = threading.Lock() # 线程锁
if obj_name == 'PermRole':
msg_name = u'系统用户'
elif obj_name == 'PermSudo':
msg_name = u'SUDO别名'
g_url = '{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid)
try:
g_lock.acquire()
# 在每个proxy上(add/update/delete) role/sudo,并返回结果
api = APIRequest(g_url, proxy.username,
CRYPTOR.decrypt(proxy.password))
if action == 'add':
result, codes = api.req_post(data)
pdata = json.loads(data)
res_info = u'添加{0}{1} {2}'.format(msg_name, pdata['name'],
result['messege'])
elif action == 'update':
result, codes = api.req_put(data)
pdata = json.loads(data)
res_info = u'编辑{0}{1} {2}'.format(msg_name, pdata['name'],
result['messege'])
elif action == 'delete':
result, codes = api.req_del(data)
pdata = json.loads(data)
res_info = u'删除{0}{1} {2}'.format(msg_name, pdata['name'],
result['messege'])
logger.info('role_proxy_%s:%s' % (action, result['messege']))
# 生成唯一的事件名称,用于从数据库中查询执行结果
if 'name' not in json.dumps(data):
raise ValueError('role_proxy_operator: data["name"]不存在')
task_name = json.loads(data)['name'] + '_' + uuid.uuid4().hex
# 将事件添加到消息队列中
task_queue.put({'server': task_name, 'username': user_name})
# 将执行结果保存到数据库中
role_task = Task()
role_task.task_name = task_name
role_task.proxy_name = proxy.proxy_name
role_task.role_name = json.loads(data)['name']
role_task.username = user_name
role_task.status = 'complete'
role_task.content = res_info
role_task.url = g_url
role_task.start_time = datetime.datetime.now()
role_task.action = action
role_task.role_uuid = obj_uuid
role_task.role_data = data
role_task.result = result['messege']
role_task.save()
except Exception as e:
logger.error("[role_proxy_operator] %s" % e)
finally:
g_lock.release()
return result
def gen_resource(ob, perm=None):
"""
ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息
生成MyInventory需要的 resource文件
"""
res = []
if isinstance(ob, dict):
role = ob.get('role')
asset_r = ob.get('asset')
user = ob.get('user')
if not perm:
perm = get_group_user_perm(user)
if role:
roles = perm.get('role', {}).keys() # 获取用户所有授权角色
if role not in roles:
return {}
role_assets_all = perm.get('role').get(role).get('asset') # 获取用户该角色所有授权主机
assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机
for asset in assets:
asset_info = get_asset_info(asset)
role_key = get_role_key(user, role)
info = {'hostname': asset.name,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'ansible_ssh_private_key_file': role_key,
'username': role.name,
}
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
else:
for asset, asset_info in perm.get('asset').items():
if asset not in asset_r:
continue
asset_info = get_asset_info(asset)
try:
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
role_key = get_role_key(user, role)
info = {'hostname': asset.name,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'username': role.name,
'password': CRYPTOR.decrypt(role.password),
}
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
elif isinstance(ob, User):
if not perm:
perm = get_group_user_perm(ob)
for asset, asset_info in perm.get('asset').items():
asset_info = get_asset_info(asset)
info = {'hostname': asset.name, 'ip': asset.ip, 'port': asset_info.get('port', 22)}
try:
role = sorted(list(perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
info['username'] = role.name
info['password'] = CRYPTOR.decrypt(role.password)
role_key = get_role_key(ob, role)
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
elif isinstance(ob, (list, QuerySet)):
for asset in ob:
info = get_asset_info(asset)
res.append(info)
return res
def save_or_delete(obj_name, data, proxy, obj_uuid=None, action='add'):
"""
保存,更新, 删除数据
obj_name: 'PermRole'
obj_uuid: role.uuid_id
"""
info = ''
try:
api = APIRequest('{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password))
if action == 'add':
result, codes = api.req_post(data)
elif action == 'update':
result, codes = api.req_put(data)
elif action == 'delete':
result, codes = api.req_del(data)
if result is not None:
info = result['messege']
except Exception as e:
info = 'error'
logger.error("[save_or_delete] %s"%e)
return info
def gen_resource(ob, perm=None):
"""
ob为用户或资产列表或资产queryset, 如果同时输入用户和{'role': role1, 'asset': []},则获取用户在这些资产上的信息
生成MyInventory需要的 resource文件
"""
res = []
if isinstance(ob, dict):
role = ob.get('role')
asset_r = ob.get('asset')
user = ob.get('user')
if not perm:
perm = get_group_user_perm(user)
if role:
roles = perm.get('role', {}).keys() # 获取用户所有授权角色
if role not in roles:
return {}
role_assets_all = perm.get('role').get(role).get(
'asset') # 获取用户该角色所有授权主机
assets = set(role_assets_all) & set(asset_r) # 获取用户提交中合法的主机
for asset in assets:
asset_info = get_asset_info(asset)
role_key = get_role_key(user, role)
info = {
'hostname': asset.name,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'ansible_ssh_private_key_file': role_key,
'username': role.name,
}
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
else:
for asset, asset_info in perm.get('asset').items():
if asset not in asset_r:
continue
asset_info = get_asset_info(asset)
try:
role = sorted(
list(perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
role_key = get_role_key(user, role)
info = {
'hostname': asset.name,
'ip': asset.ip,
'port': asset_info.get('port', 22),
'username': role.name,
'password': CRYPTOR.decrypt(role.password),
}
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
elif isinstance(ob, User):
if not perm:
perm = get_group_user_perm(ob)
for asset, asset_info in perm.get('asset').items():
asset_info = get_asset_info(asset)
info = {
'hostname': asset.name,
'ip': asset.ip,
'port': asset_info.get('port', 22)
}
try:
role = sorted(list(
perm.get('asset').get(asset).get('role')))[0]
except IndexError:
continue
info['username'] = role.name
info['password'] = CRYPTOR.decrypt(role.password)
role_key = get_role_key(ob, role)
if os.path.isfile(role_key):
info['ssh_key'] = role_key
res.append(info)
elif isinstance(ob, (list, QuerySet)):
for asset in ob:
info = get_asset_info(asset)
res.append(info)
return res
def perm_role_edit(request, res, *args):
"""
编辑系统用户
"""
# 渲染数据
res['operator'] = u"编辑系统用户"
res['emer_content'] = 6
if request.method == "GET":
role_id = request.GET.get("id")
role = PermRole.objects.get(id=int(role_id))
if not role:
return HttpResponse(u'系统用户不存在')
rest = {}
rest['Id'] = role.id
rest['role_name'] = role.name
rest['role_password'] = role.password
rest['role_comment'] = role.comment
rest['system_groups'] = role.system_groups
rest['sudos'] = ','.join([str(item.id) for item in role.sudo.all()])
return HttpResponse(json.dumps(rest), content_type='application/json')
else:
response = {'success': False, 'error': ''}
role_id = request.GET.get("id", '')
role = PermRole.objects.get(id=int(role_id))
role_name = request.POST.get("role_name")
role_password = request.POST.get("role_password")
role_comment = request.POST.get("role_comment")
role_sudo_names = request.POST.getlist("sudo_name")
role_sudos = [
PermSudo.objects.get(id=int(sudo_id))
for sudo_id in role_sudo_names
]
key_content = request.POST.get("role_key", "")
sudo_uuids = [item.uuid_id for item in role_sudos]
sys_groups = request.POST.get("sys_groups", '').strip()
try:
if not role:
raise ServerError('该系统用户不能存在')
if role_name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if role_password:
encrypt_pass = CRYPTOR.encrypt(role_password)
role.password = encrypt_pass
role_key_content = "" # key_content为空表示用户秘钥不变,不为空就根据私钥生成公钥
# TODO 生成随机密码,生成秘钥对
if key_content:
try:
key_contents = json.dumps(gen_keys(key=key_content))
role.key_content = key_contents
role_key_content = key_contents
except SSHException:
raise ServerError(u'输入的密钥不合法')
# 跟新server上的permrole
role.name = role_name
role.comment = role_comment
role.system_groups = sys_groups
role.sudo = role_sudos
role.save()
# 更新proxy上的permrole
data = {
'name': role_name,
'password': role_password,
'comment': role_comment,
'sudo_uuids': sudo_uuids,
'key_content': role_key_content,
'sys_groups': sys_groups
}
data = json.dumps(data)
proxy_list = Proxy.objects.all()
execute_thread_tasks(proxy_list,
THREAD_NUMBERS,
role_proxy_operator,
request.user.username,
'PermRole',
data,
obj_uuid=role.uuid_id,
action='update')
# TODO 用户操作记录
res['content'] = u"编辑系统用户[%s]成功" % role.name
# TODO 告警事件记录
res['emer_status'] = u"编辑系统用户[%s]成功" % role.name
# TODO 页面返回信息
response['success'] = True
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"编辑系统用户失败:%s" % (e.message)
response['error'] = u"编辑系统用户失败:%s" % (e.message)
return HttpResponse(json.dumps(response),
content_type='application/json')
def perm_role_edit(request, res, *args):
"""
编辑系统用户
"""
# 渲染数据
res['operator'] = u"编辑系统用户"
res['emer_content'] = 6
if request.method == "GET":
role_id = request.GET.get("id")
role = PermRole.objects.get(id=int(role_id))
if not role:
return HttpResponse(u'系统用户不存在')
rest = {}
rest['Id'] = role.id
rest['role_name'] = role.name
rest['role_password'] = role.password
rest['role_comment'] = role.comment
rest['system_groups'] = role.system_groups
rest['sudos'] = ','.join([str(item.id) for item in role.sudo.all()])
return HttpResponse(json.dumps(rest), content_type='application/json')
else:
response = {'success': False, 'error': ''}
role_id = request.GET.get("id", '')
role = PermRole.objects.get(id=int(role_id))
role_name = request.POST.get("role_name")
role_password = request.POST.get("role_password")
role_comment = request.POST.get("role_comment")
role_sudo_names = request.POST.getlist("sudo_name")
role_sudos = [PermSudo.objects.get(id=int(sudo_id)) for sudo_id in role_sudo_names]
key_content = request.POST.get("role_key", "")
sudo_uuids = [item.uuid_id for item in role_sudos]
sys_groups = request.POST.get("sys_groups",'').strip()
try:
if not role:
raise ServerError('该系统用户不能存在')
if role_name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if role_password:
encrypt_pass = CRYPTOR.encrypt(role_password)
role.password = encrypt_pass
role_key_content = "" # key_content为空表示用户秘钥不变,不为空就根据私钥生成公钥
# TODO 生成随机密码,生成秘钥对
if key_content:
try:
key_contents = json.dumps(gen_keys(key=key_content))
role.key_content = key_contents
role_key_content = key_contents
except SSHException:
raise ServerError(u'输入的密钥不合法')
# 跟新server上的permrole
role.name = role_name
role.comment = role_comment
role.system_groups = sys_groups
role.sudo = role_sudos
role.save()
# 更新proxy上的permrole
data = {'name': role_name,
'password': role_password,
'comment': role_comment,
'sudo_uuids': sudo_uuids,
'key_content': role_key_content,
'sys_groups': sys_groups}
data = json.dumps(data)
proxy_list = Proxy.objects.all()
execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data, obj_uuid=role.uuid_id, action='update')
# TODO 用户操作记录
res['content'] = u"编辑系统用户[%s]成功" % role.name
# TODO 告警事件记录
res['emer_status'] = u"编辑系统用户[%s]成功" % role.name
# TODO 页面返回信息
response['success'] = True
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"编辑系统用户失败:%s"%(e.message)
response['error'] = u"编辑系统用户失败:%s"%(e.message)
return HttpResponse(json.dumps(response), content_type='application/json')
def get_one_or_all(obj_name, proxy, obj_uuid='all'):
"""
获取所有的对象或者一个id对应的对象
"""
obj_list = []
try:
api = APIRequest('{0}/v1.0/permission/{1}/{2}'.format(proxy.url, obj_name, obj_uuid), proxy.username, CRYPTOR.decrypt(proxy.password))
result, codes = api.req_get()
obj_list = result['messege']
except Exception as e:
logger.error(e)
return obj_list
def get_rand_pass():
"""
get a reandom password.
"""
CRYPTOR.gen_rand_pass(20)
def perm_role_add(request, res, *args):
"""
添加系统用户 server和proxy上都添加
"""
response = {'success': False, 'error': ''}
res['operator'] = u"添加系统用户"
res['emer_content'] = 6
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
uuid_id = str(uuid.uuid1())
sys_groups = request.POST.get('sys_groups', '').strip()
try:
if get_object(PermRole, name=name):
raise ServerError(u'用户 %s已经存在' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if name == "":
raise ServerError(u'系统用户名为空')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids]
sudo_uuids = [item.uuid_id for item in sudos_obj]
try:
keys_content = json.dumps(gen_keys(key_content))
except Exception, e:
raise ServerError(e)
# # TODO 将数据保存到magicstack上
role = PermRole.objects.create(uuid_id=uuid_id, name=name, comment=comment, password=encrypt_pass,
key_content=keys_content, system_groups=sys_groups)
role.sudo = sudos_obj
role.save()
# TODO 将数据同时保存到proxy上
proxy_list = Proxy.objects.all()
data = {'uuid_id': uuid_id,
'id': role.id,
'name': name,
'password': encrypt_pass,
'comment': comment,
'key_content': keys_content,
'sudo_uuids': sudo_uuids,
'sys_groups': sys_groups}
data = json.dumps(data)
execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data,
obj_uuid=role.uuid_id, action='add')
response['success'] = True
res['content'] = u'添加系统用户[%s]成功'% role.name
res['emer_status'] = u'添加系统用户[%s]成功'% role.name
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加系统用户失败:%s"(e.message)
response['error'] = u"添加系统用户失败:%s"%(e.message)
