def perm_role_detail(request):
"""
the role detail page
the role_info data like:
{'asset_groups': [],
'assets': [<Asset: 192.168.10.148>],
'rules': [<PermRule: PermRule object>],
'': [],
'': [<User: user1>]}
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
try:
if request.method == "GET":
role_id = request.GET.get("id")
if not role_id:
raise ServerError("not role id")
role = get_object(PermRole, id=int(role_id))
role_info = get_role_info(role_id)
# 系统用户推送记录
rules = role_info.get("rules")
assets = role_info.get("assets")
asset_groups = role_info.get("asset_groups")
users = role_info.get("users")
user_groups = role_info.get("user_groups")
pushed_asset, need_push_asset = get_role_push_host(get_object(PermRole, id=role_id))
# 系统用户在proxy上的操作记录
role_operator_record = Task.objects.filter(role_name=role.name).filter(role_uuid=role.uuid_id)
except ServerError, e:
logger.error(e)
def proxy_edit(request, res, *args):
error = ''
msg = ''
header_title, path1, path2 = '编辑代理', '代理管理', '编辑代理'
res['operator'] = path2
if request.method == 'GET':
id = request.GET.get('id', '')
proxy = get_object(Proxy, id=id)
else:
id = int(request.POST.get('proxy_id'))
proxy_name = request.POST.get('proxy_name', '')
user_name = request.POST.get('user_name', '')
password = request.POST.get('user_password', '')
proxy_url = request.POST.get('proxy_url', '')
comment = request.POST.get('comment', '')
try:
if not proxy_name:
raise ServerError('Proxy名不能为空')
if Proxy.objects.filter(proxy_name=proxy_name):
raise ServerError('Proxy名已存在')
proxy = get_object(Proxy, id=id)
proxy.update(proxy_name=proxy_name, username=user_name, password=password,
url=proxy_url, comment=comment)
msg = '编辑Proxy[%s]成功' % proxy_name
res['content'] = msg
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
def perm_role_detail(request):
"""
the role detail page
the role_info data like:
{'asset_groups': [],
'assets': [<Asset: 192.168.10.148>],
'rules': [<PermRule: PermRule object>],
'': [],
'': [<User: user1>]}
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
try:
if request.method == "GET":
role_id = request.GET.get("id")
if not role_id:
raise ServerError("not role id")
role = get_object(PermRole, id=int(role_id))
role_info = get_role_info(role_id)
# 系统用户推送记录
rules = role_info.get("rules")
assets = role_info.get("assets")
asset_groups = role_info.get("asset_groups")
users = role_info.get("users")
user_groups = role_info.get("user_groups")
pushed_asset, need_push_asset = get_role_push_host(
get_object(PermRole, id=role_id))
# 系统用户在proxy上的操作记录
role_operator_record = Task.objects.filter(
role_name=role.name).filter(role_uuid=role.uuid_id)
except ServerError, e:
logger.error(e)
def perm_role_detail(request):
"""
the role detail page
the role_info data like:
{'asset_groups': [],
'assets': [<Asset: 192.168.10.148>],
'rules': [<PermRule: PermRule object>],
'': [],
'': [<User: user1>]}
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"
try:
if request.method == "GET":
role_id = request.GET.get("id")
if not role_id:
raise ServerError("not role id")
role = get_object(PermRole, id=role_id)
role_info = get_role_info(role_id)
# 渲染数据
rules = role_info.get("rules")
assets = role_info.get("assets")
asset_groups = role_info.get("asset_groups")
users = role_info.get("users")
user_groups = role_info.get("user_groups")
pushed_asset, need_push_asset = get_role_push_host(get_object(PermRole, id=role_id))
except ServerError, e:
logger.warning(e)
def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
"""
res['operator'] = u"添加别名"
response = {'success': False, 'error': ''}
res['emer_content'] = 6
if request.method == "POST":
try:
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment")
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
sudo_name_test = get_object(PermSudo, name=name)
if sudo_name_test:
raise ServerError(u"别名[%s]已存在" % name)
sudo_uuid = str(uuid.uuid1())
# TODO 保存数据到magicstack
sudo = PermSudo.objects.create(uuid_id=sudo_uuid,
name=name.strip(),
comment=comment,
commands=commands)
# TODO 保存数据到proxy上的数据库
proxy_list = Proxy.objects.all()
data = {
'uuid_id': sudo_uuid,
'id': sudo.id,
'name': name,
'comment': comment,
'commands': commands
}
data = json.dumps(data)
execute_thread_tasks(proxy_list,
THREAD_NUMBERS,
role_proxy_operator,
request.user.username,
'PermSudo',
data,
obj_uuid=sudo.uuid_id,
action='add')
res['content'] = u"添加Sudo命令别名[%s]成功" % name
res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name
response['success'] = True
except ServerError as e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message)
response['error'] = res['emer_status']
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_delete(request, res, *args):
"""
delete role page
"""
res['operator'] = '删除系统用户'
if request.method == "GET":
try:
# 获取参数删除的role对象
role_id = request.GET.get("id")
role = get_object(PermRole, id=role_id)
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
filter_type = request.GET.get("filter_type")
if filter_type:
if filter_type == "recycle_assets":
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
print recycle_assets
recycle_assets_ip = ','.join([asset.ip for asset in recycle_assets])
return HttpResponse(recycle_assets_ip)
else:
return HttpResponse("no such filter_type: %s" % filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
res['flag'] = 'false'
res['content'] = e
return HttpResponse(e)
def perm_role_delete(request, res, *args):
"""
删除系统用户
"""
res['operator'] = '删除系统用户'
res['emer_content'] = 6
if request.method == "GET":
try:
# 获取参数删除的role对象
role_id = request.GET.get("id")
role = get_object(PermRole, id=int(role_id))
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
filter_type = request.GET.get("filter_type")
if filter_type:
if filter_type == "recycle_assets":
recycle_assets = [
push.asset for push in role.perm_push.all()
if push.success
]
recycle_assets_ip = ','.join(
[asset.name for asset in recycle_assets])
return HttpResponse(recycle_assets_ip)
else:
return HttpResponse("no such filter_type: %s" %
filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
return HttpResponse(e)
def get_result(self, url, request):
req = APIRequest(url, self.username, self.password)
res = req.req_get()
tk = get_object(Task, name=res['task_name'])
tk.status = res['status']
tk.username = request.user.username
tk.save()
return res
def perm_role_push(request, *args):
"""
推送系统用户
"""
if request.method == 'GET':
try:
rest = {}
role_id = request.GET.get('id')
role = get_object(PermRole, id=int(role_id))
rest['Id'] = role.id
rest['role_name'] = role.name
return HttpResponse(json.dumps(rest),
content_type='application/json')
except Exception as e:
logger.error(e)
else:
response = {'success': False, 'error': ''}
try:
role_id = request.GET.get('id')
role = get_object(PermRole, id=int(role_id))
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [
Asset.objects.get(id=asset_id) for asset_id in asset_ids
]
asset_groups_obj = [
AssetGroup.objects.get(id=asset_group_id)
for asset_group_id in asset_group_ids
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
proxy_list = Proxy.objects.all()
execute_thread_tasks(proxy_list, THREAD_NUMBERS,
push_role_to_asset, calc_assets, role,
request.user.username)
response['success'] = True
response['error'] = 'running ...'
except Exception as e:
response['error'] = e.message
logger.error(e.message)
return HttpResponse(json.dumps(response),
content_type='application/json')
def perm_role_add(request, res, *args):
"""
add role page
"""
header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户"
res['operator'] = path2
sudos = PermSudo.objects.all()
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
try:
if get_object(PermRole, name=name):
raise ServerError(u'已经存在该用户 %s' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
default = get_object(Setting, name='default')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids]
if key_content:
try:
key_path = gen_keys(key=key_content)
except SSHException, e:
raise ServerError(e)
else:
key_path = gen_keys()
logger.debug('generate role key: %s' % key_path)
role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path)
role.save()
role.sudo = sudos_obj
msg = u"添加系统用户: %s" % name
res['content'] = msg
return HttpResponseRedirect(reverse('role_list'))
def exec_jobs(username, password):
if queue_jobs.qsize() > 0:
job = queue_jobs.get()
schedu = TaskScheduler(username, password)
res = schedu.get_result(job['url'])
tk = get_object(Task, name=res['task_name'],uuid=job['uuid'])
tk.status = res['status']
if 'content' in res.keys():
tk.content = res['content']
tk.save()
return res
def perm_role_recycle(request):
role_id = request.GET.get('role_id')
asset_ids = request.GET.get('asset_id').split(',')
# 仅有推送的角色才回收
assets = [get_object(Asset, id=asset_id) for asset_id in asset_ids]
recycle_assets = []
for asset in assets:
if True in [push.success for push in asset.perm_push.all()]:
recycle_assets.append(asset)
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name)
logger.info("recycle user msg: %s" % msg_del_user)
logger.info("recycle sudo msg: %s" % msg_del_sudo)
except Exception, e:
logger.warning("Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
def perm_role_get(request):
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
return HttpResponse(','.join([i.name for i in role]))
else:
roles = get_group_user_perm(request.user).get('role').keys()
return HttpResponse(','.join([i.name for i in roles]))
return HttpResponse('error')
def perm_role_recycle(request):
role_id = request.GET.get('role_id')
asset_ids = request.GET.get('asset_id').split(',')
# 仅有推送的角色才回收
assets = [get_object(Asset, id=asset_id) for asset_id in asset_ids]
recycle_assets = []
for asset in assets:
if True in [push.success for push in asset.perm_push.all()]:
recycle_assets.append(asset)
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
msg_del_sudo = task.del_user_sudo(
get_object(PermRole, id=role_id).name)
logger.info("recycle user msg: %s" % msg_del_user)
logger.info("recycle sudo msg: %s" % msg_del_sudo)
except Exception, e:
logger.warning("Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
def proxy_del(request, res, *args):
msg = ''
res['operator'] = '删除代理'
res['content'] = '删除代理'
proxy_id = request.GET.get('id')
id_list = proxy_id.split(',')
for pid in id_list:
proxy = get_object(Proxy, id=int(pid))
msg += ' %s ' % proxy.proxy_name
res['content'] += ' [%s] ' % proxy.proxy_name
proxy.delete()
return HttpResponse('删除[%s]成功' % msg)
def perm_role_get(request):
response = {'role_id': '', 'proxy_url': '', 'user_id': request.user.id, 'role_name': '', 'id_unique': '', 'role_id_name':[]}
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
response['role_name'] = ','.join([i.name for i in role])
response['role_id'] = ','.join([str(i.id) for i in role])
response['proxy_url'] = asset.proxy.url
response['id_unique'] = asset.id_unique
return HttpResponse(json.dumps(response))
return HttpResponse('error')
def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
"""
res['operator'] = u"添加别名"
response ={'success': False, 'error': ''}
res['emer_content'] = 6
if request.method == "POST":
try:
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment")
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
sudo_name_test = get_object(PermSudo, name=name)
if sudo_name_test:
raise ServerError(u"别名[%s]已存在" %name)
sudo_uuid = str(uuid.uuid1())
# TODO 保存数据到magicstack
sudo = PermSudo.objects.create(uuid_id=sudo_uuid, name=name.strip(), comment=comment, commands=commands)
# TODO 保存数据到proxy上的数据库
proxy_list = Proxy.objects.all()
data = {'uuid_id': sudo_uuid,
'id': sudo.id,
'name': name,
'comment': comment,
'commands': commands}
data = json.dumps(data)
execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermSudo', data,
obj_uuid=sudo.uuid_id, action='add')
res['content'] = u"添加Sudo命令别名[%s]成功" % name
res['emer_status'] = u"添加Sudo命令别名[%s]成功" % name
response['success'] = True
except ServerError as e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加Sudo命令别名失败:%s" % (e.message)
response['error'] = res['emer_status']
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_push(request, *args):
"""
推送系统用户
"""
if request.method == 'GET':
try:
rest = {}
role_id = request.GET.get('id')
role = get_object(PermRole, id=int(role_id))
rest['Id'] = role.id
rest['role_name'] = role.name
return HttpResponse(json.dumps(rest), content_type='application/json')
except Exception as e:
logger.error(e)
else:
response = {'success': False, 'error': ''}
try:
role_id = request.GET.get('id')
role = get_object(PermRole, id=int(role_id))
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
proxy_list = Proxy.objects.all()
execute_thread_tasks(proxy_list, THREAD_NUMBERS, push_role_to_asset, calc_assets, role, request.user.username)
response['success'] = True
response['error'] = 'running ...'
except Exception as e:
response['error'] = e.message
logger.error(e.message)
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_get(request):
response = {
'role_id': '',
'proxy_url': '',
'user_id': request.user.id,
'role_name': '',
'id_unique': '',
'role_id_name': []
}
asset_id = request.GET.get('id', 0)
if asset_id:
asset = get_object(Asset, id=asset_id)
if asset:
role = user_have_perm(request.user, asset=asset)
logger.debug(u'获取授权系统用户: ' + ','.join([i.name for i in role]))
response['role_name'] = ','.join([i.name for i in role])
response['role_id'] = ','.join([str(i.id) for i in role])
response['proxy_url'] = asset.proxy.url
response['id_unique'] = asset.id_unique
return HttpResponse(json.dumps(response))
return HttpResponse('error')
def search(self, str_r=''):
gid_pattern = re.compile(r'^g\d+$')
# 获取用户授权的所有主机信息
if not self.user_perm:
self.user_perm = get_group_user_perm(self.user)
user_asset_all = self.user_perm.get('asset').keys()
# 搜索结果保存
user_asset_search = []
if str_r:
# 资产组组id匹配
if gid_pattern.match(str_r):
gid = int(str_r.lstrip('g'))
# 获取资产组包含的资产
asset_group = get_object(AssetGroup, id=gid)
if asset_group:
user_asset_search = asset_group.asset_set.all()
else:
color_print('没有该资产组或没有权限')
return
else:
# 匹配 ip, hostname, 备注
for asset in user_asset_all:
if str_r in asset.ip or str_r in str(asset.name) or str_r in str(asset.comment):
user_asset_search.append(asset)
else:
# 如果没有输入就展现所有
user_asset_search = user_asset_all
self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
color_print('[%-3s] %-12s %-15s %-5s %-10s %s' % ('ID', '主机名', 'IP', '端口', '系统用户', '备注'), 'title')
for index, asset in self.search_result.items():
# 获取该资产信息
asset_info = get_asset_info(asset)
# 获取该资产包含的角色
role = [str(role.name) for role in self.user_perm.get('asset').get(asset).get('role')]
print '[%-3s] %-15s %-15s %-5s %-10s %s' % (index, asset.hostname, asset.ip, asset_info.get('port'),
role, asset.comment)
print
def perm_sudo_add(request, res, *args):
"""
list sudo commands alias
:param request:
:return:
"""
# 渲染数据
header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"
res['operator'] = path2
try:
if request.method == "POST":
# 获取参数: name, comment
name = request.POST.get("sudo_name").strip().upper()
comment = request.POST.get("sudo_comment").strip()
commands = request.POST.get("sudo_commands").strip()
if not name or not commands:
raise ServerError(u"sudo name 和 commands是必填项!")
pattern = re.compile(r'[\n,\r]')
deal_space_commands = list_drop_str(pattern.split(commands), u'')
deal_all_commands = map(trans_all, deal_space_commands)
commands = ', '.join(deal_all_commands)
logger.debug(u'添加sudo %s: %s' % (name, commands))
if get_object(PermSudo, name=name):
error = 'Sudo别名 %s已经存在' % name
res['flag'] = 'false'
res['content'] = error
else:
sudo = PermSudo(name=name.strip(), comment=comment, commands=commands)
sudo.save()
msg = u"添加Sudo命令别名: %s" % name
res['content'] = msg
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = error
def perm_rule_add(request, res, *args):
"""
add rule page
添加授权
"""
response = {'success': False, 'error': ''}
res['operator'] = "添加授权规则"
res['emer_content'] = 6
if request.method == 'POST':
users_select = request.POST.getlist('user', []) # 需要授权用户
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
assets_select = request.POST.getlist('asset', []) # 需要授权资产
asset_groups_select = request.POST.getlist('asset_group',
[]) # 需要授权资产组
roles_select = request.POST.getlist('role', []) # 需要授权角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get('comment')
try:
rule = get_object(PermRule, name=rule_name)
if rule:
raise ServerError(u'授权规则名称已存在')
if not rule_name or not roles_select:
raise ServerError(u'系统用户名称和规则名称不能为空')
# 获取需要授权的主机列表
assets_obj = [
Asset.objects.get(id=asset_id) for asset_id in assets_select
]
asset_groups_obj = [
AssetGroup.objects.get(id=group_id)
for group_id in asset_groups_select
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(
assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [
User.objects.get(id=user_id) for user_id in users_select
]
user_groups_obj = [
UserGroup.objects.get(id=group_id)
for group_id in user_groups_select
]
# 获取授予的角色列表
roles_obj = [
PermRole.objects.get(id=role_id) for role_id in roles_select
]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(
role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(
u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join(
[asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule = PermRule.objects.create(name=rule_name,
comment=rule_comment)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.save()
res['content'] = u"添加授权规则:[%s]" % rule.name
res['emer_status'] = u"添加授权规则:[%s]成功" % rule.name
response['success'] = True
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = response[
'error'] = u"添加授权规则[{0}]失败:{1}".format(rule_name, e.message)
return HttpResponse(json.dumps(response),
content_type='application/json')
def push_role_event(request):
"""
系统用户推送结果查询
"""
response = {'error': '', 'message':''}
if request.method == 'GET':
if task_queue.qsize() > 0:
logger.info(u'任务队列:%s'%task_queue.qsize())
try:
tk_event = task_queue.get()
if 'server' in tk_event:
event_name = tk_event['server']
web_username = tk_event['username']
tk_obj = Task.objects.get(task_name=event_name, username=web_username)
if not tk_obj:
task_queue.put(tk_event)
else:
response['message'] = tk_obj.proxy_name + tk_obj.content
else:
host_names = tk_event.pop('push_assets')
calc_assets = [Asset.objects.get(name=name) for name in host_names]
role = PermRole.objects.get(name=tk_event['role_name'])
password_push = tk_event['password_push']
key_push = tk_event['key_push']
proxy = Proxy.objects.get(proxy_name=tk_event['task_proxy'])
success_asset = {}
failed_asset = {}
for task_name in tk_event['tasks']:
time.sleep(2) # 暂停3s,否则可能会查不出结果
result = query_event(task_name, tk_event['username'], proxy)
if not result:
task_queue.put(tk_event)
else:
# 更新task的status, result
tk = get_object(Task, task_name=task_name)
tk.status = 'complete'
tk.content = result['messege']
tk.save()
res = json.loads(result['messege'])
if res.get('failed'):
for hostname, info in res.get('failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
if res.get('unreachable'):
for hostname, info in res.get('unreachable').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
if res.get('success'):
for hostname, info in res.get('success').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(hostname, ''):
success_asset[hostname] += str(info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role, asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(asset.networking.all()[0].ip_address):
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False,
result=failed_asset.get(asset.networking.all()[0].ip_address))
else:
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
response['message'] = msg
else:
intersection = set(success_asset.keys())&set(failed_asset.keys())
if intersection:
for item in intersection:
success_asset.pop(item)
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name,
','.join(failed_asset.keys()),
','.join(success_asset.keys()))
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name,
','.join(failed_asset.keys()),
','.join(success_asset.keys()))
response['message'] = error
except Exception as e:
response['message'] = e
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_rule_add(request, res, *args):
"""
add rule page
添加授权
"""
response = {'success': False, 'error': ''}
res['operator'] = "添加授权规则"
res['emer_content'] = 6
if request.method == 'POST':
users_select = request.POST.getlist('user', []) # 需要授权用户
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
assets_select = request.POST.getlist('asset', []) # 需要授权资产
asset_groups_select = request.POST.getlist('asset_group', []) # 需要授权资产组
roles_select = request.POST.getlist('role', []) # 需要授权角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get('comment')
try:
rule = get_object(PermRule, name=rule_name)
if rule:
raise ServerError(u'授权规则名称已存在')
if not rule_name or not roles_select:
raise ServerError(u'系统用户名称和规则名称不能为空')
# 获取需要授权的主机列表
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule = PermRule.objects.create(name=rule_name, comment=rule_comment)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.save()
res['content'] = u"添加授权规则:[%s]" % rule.name
res['emer_status'] = u"添加授权规则:[%s]成功" % rule.name
response['success'] = True
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = response['error'] = u"添加授权规则[{0}]失败:{1}".format(rule_name,e.message)
return HttpResponse(json.dumps(response), content_type='application/json')
def push_role_event(request):
"""
系统用户推送结果查询
"""
response = {'error': '', 'message': ''}
if request.method == 'GET':
if task_queue.qsize() > 0:
logger.info(u'任务队列:%s' % task_queue.qsize())
try:
tk_event = task_queue.get()
if 'server' in tk_event:
event_name = tk_event['server']
web_username = tk_event['username']
tk_obj = Task.objects.get(task_name=event_name,
username=web_username)
if not tk_obj:
task_queue.put(tk_event)
else:
response[
'message'] = tk_obj.proxy_name + tk_obj.content
else:
host_names = tk_event.pop('push_assets')
calc_assets = [
Asset.objects.get(name=name) for name in host_names
]
role = PermRole.objects.get(name=tk_event['role_name'])
password_push = tk_event['password_push']
key_push = tk_event['key_push']
proxy = Proxy.objects.get(
proxy_name=tk_event['task_proxy'])
success_asset = {}
failed_asset = {}
for task_name in tk_event['tasks']:
time.sleep(2) # 暂停3s,否则可能会查不出结果
result = query_event(task_name, tk_event['username'],
proxy)
if not result:
task_queue.put(tk_event)
else:
# 更新task的status, result
tk = get_object(Task, task_name=task_name)
tk.status = 'complete'
tk.content = result['messege']
tk.save()
res = json.loads(result['messege'])
if res.get('failed'):
for hostname, info in res.get(
'failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
if res.get('unreachable'):
for hostname, info in res.get(
'unreachable').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
if res.get('success'):
for hostname, info in res.get(
'success').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(
hostname, ''):
success_asset[hostname] += str(
info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role,
asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(
asset.networking.all()[0].ip_address):
func(is_password=password_push,
is_public_key=key_push,
role=role,
asset=asset,
success=False,
result=failed_asset.get(
asset.networking.all()[0].ip_address))
else:
func(is_password=password_push,
is_public_key=key_push,
role=role,
asset=asset,
success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(
success_asset.keys()))
response['message'] = msg
else:
intersection = set(success_asset.keys()) & set(
failed_asset.keys())
if intersection:
for item in intersection:
success_asset.pop(item)
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (
role.name, ','.join(failed_asset.keys()),
','.join(success_asset.keys()))
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (
role.name, ','.join(failed_asset.keys()),
','.join(success_asset.keys()))
response['message'] = error
except Exception as e:
response['message'] = e
return HttpResponse(json.dumps(response),
content_type='application/json')
from io import open as copen
import uuid
os.environ['DJANGO_SETTINGS_MODULE'] = 'MagicStack.settings'
if not django.get_version().startswith('1.6'):
setup = django.setup()
from django.contrib.sessions.models import Session
from MagicStack.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info
from MagicStack.api import logger, Log, TtyLog, get_role_key, CRYPTOR, bash, get_tmp_dir
from permManage.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm, PermRole
from MagicStack.settings import LOG_DIR
from permManage.ansible_api import MyRunner
from logManage.models import ExecLog, FileLog
from logManage.views import TermLogRecorder
login_user = get_object(User, username=getpass.getuser())
try:
remote_ip = os.environ.get('SSH_CLIENT').split()[0]
except (IndexError, AttributeError):
remote_ip = os.popen("who -m | awk '{ print $NF }'").read().strip('()\n')
try:
import termios
import tty
except ImportError:
print '\033[1;31m仅支持类Unix系统 Only unix like supported.\033[0m'
time.sleep(3)
sys.exit()
def color_print(msg, color='red', exits=False):
def perm_role_add(request, res, *args):
"""
添加系统用户 server和proxy上都添加
"""
response = {'success': False, 'error': ''}
res['operator'] = u"添加系统用户"
res['emer_content'] = 6
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
uuid_id = str(uuid.uuid1())
sys_groups = request.POST.get('sys_groups', '').strip()
try:
if get_object(PermRole, name=name):
raise ServerError(u'用户 %s已经存在' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if name == "":
raise ServerError(u'系统用户名为空')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids]
sudo_uuids = [item.uuid_id for item in sudos_obj]
try:
keys_content = json.dumps(gen_keys(key_content))
except Exception, e:
raise ServerError(e)
# # TODO 将数据保存到magicstack上
role = PermRole.objects.create(uuid_id=uuid_id, name=name, comment=comment, password=encrypt_pass,
key_content=keys_content, system_groups=sys_groups)
role.sudo = sudos_obj
role.save()
# TODO 将数据同时保存到proxy上
proxy_list = Proxy.objects.all()
data = {'uuid_id': uuid_id,
'id': role.id,
'name': name,
'password': encrypt_pass,
'comment': comment,
'key_content': keys_content,
'sudo_uuids': sudo_uuids,
'sys_groups': sys_groups}
data = json.dumps(data)
execute_thread_tasks(proxy_list, THREAD_NUMBERS, role_proxy_operator, request.user.username, 'PermRole', data,
obj_uuid=role.uuid_id, action='add')
response['success'] = True
res['content'] = u'添加系统用户[%s]成功'% role.name
res['emer_status'] = u'添加系统用户[%s]成功'% role.name
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加系统用户失败:%s"(e.message)
response['error'] = u"添加系统用户失败:%s"%(e.message)
def perm_rule_edit(request, res, *args):
"""
edit rule page
"""
res['operator'] = "编辑授权规则"
res['emer_content'] = 6
if request.method == 'GET':
try:
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=int(rule_id))
if rule:
rest = {}
rest['Id'] = rule.id
rest['name'] = rule.name
rest['comment'] = rule.comment
rest['asset'] = ','.join(
[str(item.id) for item in rule.asset.all()])
rest['asset_group'] = ','.join(
str(item.id) for item in rule.asset_group.all())
rest['user'] = '******'.join(
str(item.id) for item in rule.user.all())
rest['user_group'] = ','.join(
str(item.id) for item in rule.user_group.all())
rest['role'] = ','.join(
str(item.id) for item in rule.role.all())
return HttpResponse(json.dumps(rest),
content_type='application/json')
else:
return HttpResponse(u'授权规则不存在')
except Exception as e:
logger.error(e)
else:
response = {'success': False, 'error': ''}
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=int(rule_id))
rule_name_old = rule.name
rule_name = request.POST.get('name')
rule_comment = request.POST.get("comment")
users_select = request.POST.getlist('user', [])
user_groups_select = request.POST.getlist('user_group', [])
assets_select = request.POST.getlist('asset', [])
asset_groups_select = request.POST.getlist('asset_group', [])
roles_select = request.POST.getlist('role', [])
try:
if not rule_name or not roles_select:
raise ServerError(u'系统用户和关联系统用户不能为空')
if rule_name_old == rule_name:
if len(PermRule.objects.filter(name=rule_name)) > 1:
raise ServerError(u'授权规则名称[%s]已存在' % rule_name)
else:
if len(PermRule.objects.filter(name=rule_name)) > 0:
raise ServerError(u'授权规则名称[%s]已存在' % rule_name)
assets_obj = [
Asset.objects.get(id=asset_id) for asset_id in assets_select
]
asset_groups_obj = [
AssetGroup.objects.get(id=group_id)
for group_id in asset_groups_select
]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(
assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [
User.objects.get(id=user_id) for user_id in users_select
]
user_groups_obj = [
UserGroup.objects.get(id=group_id)
for group_id in user_groups_select
]
# 获取授予的角色列表
roles_obj = [
PermRole.objects.get(id=role_id) for role_id in roles_select
]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(
role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(
u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join(
[asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.name = rule_name
rule.comment = rule_comment
rule.save()
res['content'] = u"编辑授权规则[%s]成功" % rule_name_old
res['emer_status'] = u"编辑授权规则[%s]成功" % rule_name_old
response['success'] = True
except Exception, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = response['error'] = u"编辑授权规则失败:%s" % e.message
return HttpResponse(json.dumps(response),
content_type='application/json')
def perm_role_add(request, res, *args):
"""
添加系统用户 server和proxy上都添加
"""
response = {'success': False, 'error': ''}
res['operator'] = u"添加系统用户"
res['emer_content'] = 6
if request.method == "POST":
name = request.POST.get("role_name", "").strip()
comment = request.POST.get("role_comment", "")
password = request.POST.get("role_password", "")
key_content = request.POST.get("role_key", "")
sudo_ids = request.POST.getlist('sudo_name')
uuid_id = str(uuid.uuid1())
sys_groups = request.POST.get('sys_groups', '').strip()
try:
if get_object(PermRole, name=name):
raise ServerError(u'用户 %s已经存在' % name)
if name == "root":
raise ServerError(u'禁止使用root用户作为系统用户,这样非常危险!')
if name == "":
raise ServerError(u'系统用户名为空')
if password:
encrypt_pass = CRYPTOR.encrypt(password)
else:
encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20))
# 生成随机密码,生成秘钥对
sudos_obj = [
get_object(PermSudo, id=int(sudo_id)) for sudo_id in sudo_ids
]
sudo_uuids = [item.uuid_id for item in sudos_obj]
try:
keys_content = json.dumps(gen_keys(key_content))
except Exception, e:
raise ServerError(e)
# # TODO 将数据保存到magicstack上
role = PermRole.objects.create(uuid_id=uuid_id,
name=name,
comment=comment,
password=encrypt_pass,
key_content=keys_content,
system_groups=sys_groups)
role.sudo = sudos_obj
role.save()
# TODO 将数据同时保存到proxy上
proxy_list = Proxy.objects.all()
data = {
'uuid_id': uuid_id,
'id': role.id,
'name': name,
'password': encrypt_pass,
'comment': comment,
'key_content': keys_content,
'sudo_uuids': sudo_uuids,
'sys_groups': sys_groups
}
data = json.dumps(data)
execute_thread_tasks(proxy_list,
THREAD_NUMBERS,
role_proxy_operator,
request.user.username,
'PermRole',
data,
obj_uuid=role.uuid_id,
action='add')
response['success'] = True
res['content'] = u'添加系统用户[%s]成功' % role.name
res['emer_status'] = u'添加系统用户[%s]成功' % role.name
except ServerError, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = u"添加系统用户失败:%s" (e.message)
response['error'] = u"添加系统用户失败:%s" % (e.message)
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
print recycle_assets
recycle_assets_ip = ','.join([asset.ip for asset in recycle_assets])
return HttpResponse(recycle_assets_ip)
else:
return HttpResponse("no such filter_type: %s" % filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
res['flag'] = 'false'
res['content'] = e
return HttpResponse(e)
if request.method == "POST":
try:
role_id = request.POST.get("id")
role = get_object(PermRole, id=role_id)
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
role_key = role.key_path
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets))
if recycle_assets:
recycle_resource = gen_resource(recycle_assets)
task = MyTask(recycle_resource)
try:
msg_del_user = task.del_user(get_object(PermRole, id=role_id).name)
msg_del_sudo = task.del_user_sudo(get_object(PermRole, id=role_id).name)
except Exception, e:
logger.warning(u"Recycle Role failed: %s" % e)
raise ServerError(u"回收已推送的系统用户失败: %s" % e)
def perm_rule_edit(request, res, *args):
"""
edit rule page
"""
# 渲染数据
header_title, path1, path2 = "授权规则", "规则管理", "编辑授权规则"
res['operator'] = path2
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=rule_id)
# 渲染数据, 获取所选的rule对象
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST' and rule_id:
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get("comment")
users_select = request.POST.getlist('user', [])
user_groups_select = request.POST.getlist('user_group', [])
assets_select = request.POST.getlist('asset', [])
asset_groups_select = request.POST.getlist('asset_group', [])
roles_select = request.POST.getlist('role', [])
try:
if not rule_name or not roles_select:
raise ServerError(u'系统用户和关联系统用户不能为空')
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.name = rule_name
rule.comment = rule_comment
rule.save()
msg = u"更新授权规则:%s成功" % rule.name
res['content'] = msg
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
if push.success
]
recycle_assets_ip = ','.join(
[asset.name for asset in recycle_assets])
return HttpResponse(recycle_assets_ip)
else:
return HttpResponse("no such filter_type: %s" %
filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
return HttpResponse(e)
if request.method == "POST":
try:
role_id = request.POST.get("id")
role = get_object(PermRole, id=int(role_id))
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
recycle_assets = [
push.asset for push in role.perm_push.all() if push.success
]
logger.debug(u"delete role %s - delete_assets: %s" %
(role.name, recycle_assets))
if recycle_assets:
asset_proxys = gen_asset_proxy(recycle_assets)
for key, value in asset_proxys.items():
proxy = Proxy.objects.filter(proxy_name=key)[0]
recycle_resource = gen_resource(value)
host_list = [
asset.networking.all()[0].ip_address for asset in value
def perm_rule_add(request, res, *args):
"""
add rule page
添加授权
"""
header_title, path1, path2 = "授权规则", "规则管理", "添加规则"
res['operator'] = path2
# 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
users = User.objects.all()
user_groups = UserGroup.objects.all()
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
roles = PermRole.objects.all()
if request.method == 'POST':
# 获取用户选择的 用户,用户组,资产,资产组,用户角色
users_select = request.POST.getlist('user', []) # 需要授权用户
user_groups_select = request.POST.getlist('user_group', []) # 需要授权用户组
assets_select = request.POST.getlist('asset', []) # 需要授权资产
asset_groups_select = request.POST.getlist('asset_group', []) # 需要授权资产组
roles_select = request.POST.getlist('role', []) # 需要授权角色
rule_name = request.POST.get('name')
rule_comment = request.POST.get('comment')
try:
rule = get_object(PermRule, name=rule_name)
if rule:
raise ServerError(u'授权规则 %s 已存在' % rule_name)
if not rule_name or not roles_select:
raise ServerError(u'系统用户名称和规则名称不能为空')
# 获取需要授权的主机列表
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule = PermRule(name=rule_name, comment=rule_comment)
rule.save()
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.save()
msg = u"添加授权规则:%s" % rule.name
res['content'] = msg
return HttpResponseRedirect(reverse('rule_list'))
except ServerError, e:
error = e
res['flag'] = 'false'
res['content'] = e
def perm_rule_edit(request, res, *args):
"""
edit rule page
"""
res['operator'] = "编辑授权规则"
res['emer_content'] = 6
if request.method == 'GET':
try:
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=int(rule_id))
if rule:
rest = {}
rest['Id'] = rule.id
rest['name'] = rule.name
rest['comment'] = rule.comment
rest['asset'] = ','.join([str(item.id) for item in rule.asset.all()])
rest['asset_group'] = ','.join(str(item.id) for item in rule.asset_group.all())
rest['user'] = '******'.join(str(item.id) for item in rule.user.all())
rest['user_group'] = ','.join(str(item.id) for item in rule.user_group.all())
rest['role'] = ','.join(str(item.id) for item in rule.role.all())
return HttpResponse(json.dumps(rest), content_type='application/json')
else:
return HttpResponse(u'授权规则不存在')
except Exception as e:
logger.error(e)
else:
response = {'success': False, 'error': ''}
rule_id = request.GET.get("id")
rule = get_object(PermRule, id=int(rule_id))
rule_name_old = rule.name
rule_name = request.POST.get('name')
rule_comment = request.POST.get("comment")
users_select = request.POST.getlist('user', [])
user_groups_select = request.POST.getlist('user_group', [])
assets_select = request.POST.getlist('asset', [])
asset_groups_select = request.POST.getlist('asset_group', [])
roles_select = request.POST.getlist('role', [])
try:
if not rule_name or not roles_select:
raise ServerError(u'系统用户和关联系统用户不能为空')
if rule_name_old == rule_name:
if len(PermRule.objects.filter(name=rule_name)) > 1:
raise ServerError(u'授权规则名称[%s]已存在'%rule_name)
else:
if len(PermRule.objects.filter(name=rule_name)) > 0:
raise ServerError(u'授权规则名称[%s]已存在'%rule_name)
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in assets_select]
asset_groups_obj = [AssetGroup.objects.get(id=group_id) for group_id in asset_groups_select]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(list(asset_group.asset_set.all()))
calc_assets = set(group_assets_obj) | set(assets_obj) # 授权资产和资产组包含的资产
# 获取需要授权的用户列表
users_obj = [User.objects.get(id=user_id) for user_id in users_select]
user_groups_obj = [UserGroup.objects.get(id=group_id) for group_id in user_groups_select]
# 获取授予的角色列表
roles_obj = [PermRole.objects.get(id=role_id) for role_id in roles_select]
need_push_asset = set()
for role in roles_obj:
asset_no_push = get_role_push_host(role=role)[1] # 获取某角色已经推送的资产
need_push_asset.update(set(calc_assets) & set(asset_no_push))
if need_push_asset:
raise ServerError(u'没有推送系统用户 %s 的主机 %s'
% (role.name, ','.join([asset.name for asset in need_push_asset])))
# 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
rule.user = users_obj
rule.user_group = user_groups_obj
rule.asset = assets_obj
rule.asset_group = asset_groups_obj
rule.role = roles_obj
rule.name = rule_name
rule.comment = rule_comment
rule.save()
res['content'] = u"编辑授权规则[%s]成功" % rule_name_old
res['emer_status'] = u"编辑授权规则[%s]成功" % rule_name_old
response['success'] = True
except Exception, e:
res['flag'] = 'false'
res['content'] = e.message
res['emer_status'] = response['error'] = u"编辑授权规则失败:%s"%e.message
return HttpResponse(json.dumps(response), content_type='application/json')
def perm_role_push(request, res, *args):
"""
the role push page
"""
# 渲染数据
header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"
res['operator'] = path2
role_id = request.GET.get('id')
asset_ids = request.GET.get('asset_id')
role = get_object(PermRole, id=role_id)
assets = Asset.objects.all()
asset_groups = AssetGroup.objects.all()
if asset_ids:
need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]
if request.method == "POST":
# 获取推荐角色的名称列表
# 计算出需要推送的资产列表
asset_ids = request.POST.getlist("assets")
asset_group_ids = request.POST.getlist("asset_groups")
assets_obj = [Asset.objects.get(id=asset_id) for asset_id in asset_ids]
asset_groups_obj = [AssetGroup.objects.get(id=asset_group_id) for asset_group_id in asset_group_ids]
group_assets_obj = []
for asset_group in asset_groups_obj:
group_assets_obj.extend(asset_group.asset_set.all())
calc_assets = list(set(assets_obj) | set(group_assets_obj))
push_resource = gen_resource(calc_assets)
# 调用Ansible API 进行推送
password_push = True if request.POST.get("use_password") else False
key_push = True if request.POST.get("use_publicKey") else False
task = MyTask(push_resource)
ret = {}
# 因为要先建立用户,而push key是在 password也完成的情况下的 可选项
# 1. 以秘钥 方式推送角色
if key_push:
ret["pass_push"] = task.add_user(role.name)
ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
# 2. 推送账号密码 <为了安全 系统用户统一使用秘钥进行通信, 不再提供密码方式的推送>
# elif password_push:
# ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
# 3. 推送sudo配置文件
if key_push:
sudo_list = set([sudo for sudo in role.sudo.all()]) # set(sudo1, sudo2, sudo3)
if sudo_list:
ret['sudo'] = task.push_sudo_file([role], sudo_list)
logger.debug('推送role结果: %s' % ret)
success_asset = {}
failed_asset = {}
logger.debug(ret)
for push_type, result in ret.items():
if result.get('failed'):
for hostname, info in result.get('failed').items():
if hostname in failed_asset.keys():
if info in failed_asset.get(hostname):
failed_asset[hostname] += info
else:
failed_asset[hostname] = info
for push_type, result in ret.items():
if result.get('ok'):
for hostname, info in result.get('ok').items():
if hostname in failed_asset.keys():
continue
elif hostname in success_asset.keys():
if str(info) in success_asset.get(hostname, ''):
success_asset[hostname] += str(info)
else:
success_asset[hostname] = str(info)
# 推送成功 回写push表
for asset in calc_assets:
push_check = PermPush.objects.filter(role=role, asset=asset)
if push_check:
func = push_check.update
else:
def func(**kwargs):
PermPush(**kwargs).save()
if failed_asset.get(asset.name):
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=False,
result=failed_asset.get(asset.name))
else:
func(is_password=password_push, is_public_key=key_push, role=role, asset=asset, success=True)
if not failed_asset:
msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
res['content'] = msg
else:
error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ] 进入系统用户详情,查看失败原因' % (role.name,
','.join(failed_asset.keys()),
','.join(success_asset.keys()))
res['flag'] = 'false'
res['content'] = error
return my_render('permManage/perm_role_push.html', locals(), request)
filter_type = request.GET.get("filter_type")
if filter_type:
if filter_type == "recycle_assets":
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
recycle_assets_ip = ','.join([asset.name for asset in recycle_assets])
return HttpResponse(recycle_assets_ip)
else:
return HttpResponse("no such filter_type: %s" % filter_type)
else:
return HttpResponse("filter_type: ?")
except ServerError, e:
return HttpResponse(e)
if request.method == "POST":
try:
role_id = request.POST.get("id")
role = get_object(PermRole, id=int(role_id))
if not role:
logger.warning(u"Delete Role: role_id %s not exist" % role_id)
raise ServerError(u"role_id %s 无数据记录" % role_id)
recycle_assets = [push.asset for push in role.perm_push.all() if push.success]
logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets))
if recycle_assets:
asset_proxys = gen_asset_proxy(recycle_assets)
for key, value in asset_proxys.items():
proxy = Proxy.objects.filter(proxy_name=key)[0]
recycle_resource = gen_resource(value)
host_list = [asset.networking.all()[0].ip_address for asset in value]
task = MyTask(recycle_resource, host_list)
try:
msg_del_user = task.del_user(role.name, proxy, request.user.username)
msg_del_sudo = task.del_user_sudo(role.uuid_id, proxy, request.user.username)
