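def perm_role_detail(request):
    """
    the role detail page
        the role_info data like:
            {'asset_groups': [],
            'assets': [<Asset: 192.168.10.148>],
            'rules': [<PermRule: PermRule object>],
            '': [],
            '': [<User: user1>]}

    The role id is read from ``request.GET['id']``.  A missing id or an
    unknown role is raised as ``ServerError`` and only logged, so the
    role-related names are simply left unset in that case.
    """
    # 渲染数据 (template context)
    header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"

    try:
        if request.method == "GET":
            role_id = request.GET.get("id")
            if not role_id:
                raise ServerError("not role id")
            role = get_object(PermRole, id=role_id)
            # Report an unknown role here instead of letting a None role
            # surface later as an AttributeError inside get_role_push_host().
            if not role:
                raise ServerError("role %s not exist" % role_id)
            role_info = get_role_info(role_id)

            # 渲染数据 (template context)
            rules = role_info.get("rules")
            assets = role_info.get("assets")
            asset_groups = role_info.get("asset_groups")
            users = role_info.get("users")
            user_groups = role_info.get("user_groups")
            # Reuse the role fetched above rather than querying it a second time.
            pushed_asset, need_push_asset = get_role_push_host(role)
    except ServerError as e:
        logger.warning(e)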
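def perm_role_detail(request):
    """
    the role detail page
        the role_info data like:
            {'asset_groups': [],
            'assets': [<Asset: 192.168.10.148>],
            'rules': [<PermRule: PermRule object>],
            '': [],
            '': [<User: user1>]}

    The role id is read from ``request.GET['id']``.  A missing id or an
    unknown role is raised as ``ServerError`` and only logged, so the
    role-related names are simply left unset in that case.
    """
    # 渲染数据 (template context)
    header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户详情"

    try:
        if request.method == "GET":
            role_id = request.GET.get("id")
            if not role_id:
                raise ServerError("not role id")
            role = get_object(PermRole, id=role_id)
            # Report an unknown role here instead of letting a None role
            # surface later as an AttributeError inside get_role_push_host().
            if not role:
                raise ServerError("role %s not exist" % role_id)
            role_info = get_role_info(role_id)

            # 渲染数据 (template context)
            rules = role_info.get("rules")
            assets = role_info.get("assets")
            asset_groups = role_info.get("asset_groups")
            users = role_info.get("users")
            user_groups = role_info.get("user_groups")
            # Reuse the role fetched above rather than querying it a second time.
            pushed_asset, need_push_asset = get_role_push_host(role)
    except ServerError as e:
        logger.warning(e)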
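def perm_sudo_add(request):
    """
    add sudo command alias page

    On POST, reads ``sudo_name`` (upper-cased), ``sudo_comment`` and
    ``sudo_commands`` (split on blanks, commas and newlines and re-joined
    with ', '), then creates the PermSudo unless the name is empty or an
    alias with that name already exists.  ``error`` / ``msg`` reach the
    template through ``locals()``.
    :param request:
    :return: the rendered ``perm_sudo_add.html`` page
    """
    # 渲染数据
    header_title, path1, path2 = "Sudo命令", "别名管理", "添加别名"

    if request.method == "POST":
        # 获取参数: name, comment -- default to '' so a missing form field
        # does not raise AttributeError on .strip()
        name = request.POST.get("sudo_name", "").strip().upper()
        comment = request.POST.get("sudo_comment", "").strip()
        commands = request.POST.get("sudo_commands", "").strip()
        pattern = re.compile(r'[ \n,\r]')
        commands = ', '.join(list_drop_str(pattern.split(commands), u''))
        logger.debug(u'添加sudo %s: %s' % (name, commands))
        if not name:
            # Refuse an empty alias name instead of persisting a nameless row.
            error = u'Sudo别名不能为空'
        elif get_object(PermSudo, name=name):
            error = 'Sudo别名 %s已经存在' % name
        else:
            sudo = PermSudo(name=name, comment=comment, commands=commands)
            sudo.save()
            msg = u"添加Sudo命令别名: %s" % name

    # 渲染数据
    return my_render('upperm/perm_sudo_add.html', locals(), request)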
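def search(self, str_r=''):
    """
    Search the assets the current user is authorized for and print them.

    ``str_r`` is either ``g<id>`` (an asset-group id) or a free-text term
    matched against ip, hostname and comment; an empty string lists every
    authorized asset.  The hits are also stored in ``self.search_result``
    as ``{index: asset}`` for later selection.
    """
    gid_pattern = re.compile(r'^g\d+$')
    # 获取用户授权的所有主机信息 (every host the user is authorized for)
    if not self.user_perm:
        self.user_perm = get_group_user_perm(self.user)
    authorized = self.user_perm.get('asset')
    user_asset_all = authorized.keys()

    # 搜索结果保存
    user_asset_search = []
    if str_r:
        # 资产组组id匹配
        if gid_pattern.match(str_r):
            gid = int(str_r.lstrip('g'))
            # 获取资产组包含的资产 -- restricted to the user's own authorized
            # assets: the raw asset_set of an arbitrary group id would expose
            # hosts the user has no permission for (and the role lookup below
            # would then fail with AttributeError on a None entry).
            group = get_object(AssetGroup, id=gid)
            group_assets = group.asset_set.all() if group else []
            user_asset_search = [asset for asset in group_assets if asset in authorized]
        else:
            # 匹配 ip, hostname, 备注
            for asset in user_asset_all:
                if str_r in asset.ip or str_r in str(asset.hostname) or str_r in str(asset.comment):
                    user_asset_search.append(asset)
    else:
        # 如果没有输入就展现所有
        user_asset_search = user_asset_all

    self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
    color_print('[%-3s] %-12s %-15s %-5s %-10s %s' % ('ID', u'主机名', 'IP', u'端口', u'系统用户', u'备注'), 'title')
    for index, asset in self.search_result.items():
        # 获取该资产信息
        asset_info = get_asset_info(asset)
        # 获取该资产包含的角色
        role = [str(role.name) for role in authorized.get(asset).get('role')]
        print('[%-3s] %-15s %-15s %-5s %-10s %s' % (index, asset.hostname, asset.ip, asset_info.get('port'), role, asset.comment))
    print('')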
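def _create_admin(self):
    """
    Create the admin account in the database and as a local system user.

    An existing database user named ``self.admin_user`` is deleted first
    and recreated with ``self.admin_pass`` and role ``SU``.  The system
    account is created with ``useradd`` only when ``id <user>`` reports
    that it does not exist yet.
    """
    import subprocess

    user = get_object(User, username=self.admin_user)
    if user:
        user.delete()
    db_add_user(username=self.admin_user, password=self.admin_pass, role='SU', name='admin',
                groups='', admin_groups='', email='*****@*****.**',
                uuid='MayBeYouAreTheFirstUser', is_active=True)
    # Argument lists instead of a shell string: the username is passed as a
    # single argv entry and is never interpolated into a command line.  This
    # also drops the bash-only '&>' redirection, which a POSIX /bin/sh parses
    # differently.
    with open(os.devnull, 'w') as devnull:
        exists = subprocess.call(['id', self.admin_user], stdout=devnull, stderr=devnull) == 0
    if not exists:
        subprocess.call(['useradd', self.admin_user])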
def perm_role_add(request): """ add role page """ # 渲染数据 header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户" sudos = PermSudo.objects.all() if request.method == "POST": # 获取参数: name, comment name = request.POST.get("role_name", "") comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') try: if get_object(PermRole, name=name): raise ServerError(u'已经存在该用户 %s' % name) default = get_object(Setting, name='default') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [ get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids ] if key_content: try: key_path = gen_keys(key=key_content) except SSHException, e: raise ServerError(e) else: key_path = gen_keys() logger.debug('generate role key: %s' % key_path) role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) role.save() role.sudo = sudos_obj msg = u"添加系统用户: %s" % name return HttpResponseRedirect(reverse('role_list'))
def perm_role_delete(request): """ delete role page """ if request.method == "POST": try: # 获取参数删除的role对象 role_id = request.POST.get("id") role = get_object(PermRole, id=role_id) if not role: logger.warning(u"Delete Role: %s not exist" % role.name) raise ServerError(u"%s 无数据记录" % role.name) role_key = role.key_path # 删除推送到主机上的role recycle_assets = [ push.asset for push in role.perm_push.all() if push.success ] logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets)) if recycle_assets: recycle_resource = gen_resource(recycle_assets) task = MyTask(recycle_resource) try: msg = task.del_user(get_object(PermRole, id=role_id).name) except Exception, e: logger.warning(u"Recycle Role failed: %s" % e) raise ServerError(u"回收已推送的系统用户失败: %s" % e) logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg)) # TODO: 判断返回结果,处理异常 # 删除存储的秘钥,以及目录 try: key_files = os.listdir(role_key) for key_file in key_files: os.remove(os.path.join(role_key, key_file)) os.rmdir(role_key) except OSError, e: logger.warning(u"Delete Role: delete key error, %s" % e) raise ServerError(u"删除系统用户key失败: %s" % e) logger.info(u"delete role %s - delete role key directory: %s" % (role.name, role_key)) # 数据库里删除记录 role.delete() return HttpResponse(u"删除系统用户: %s" % role.name)
def perm_role_add(request): """ add role page """ # 渲染数据 header_title, path1, path2 = "系统用户", "系统用户管理", "添加系统用户" sudos = PermSudo.objects.all() if request.method == "POST": # 获取参数: name, comment name = request.POST.get("role_name", "") comment = request.POST.get("role_comment", "") password = request.POST.get("role_password", "") key_content = request.POST.get("role_key", "") sudo_ids = request.POST.getlist('sudo_name') try: if get_object(PermRole, name=name): raise ServerError(u'已经存在该用户 %s' % name) default = get_object(Setting, name='default') if password: encrypt_pass = CRYPTOR.encrypt(password) else: encrypt_pass = CRYPTOR.encrypt(CRYPTOR.gen_rand_pass(20)) # 生成随机密码,生成秘钥对 sudos_obj = [get_object(PermSudo, id=sudo_id) for sudo_id in sudo_ids] if key_content: try: key_path = gen_keys(key=key_content) except SSHException, e: raise ServerError(e) else: key_path = gen_keys() logger.debug('generate role key: %s' % key_path) role = PermRole(name=name, comment=comment, password=encrypt_pass, key_path=key_path) role.save() role.sudo = sudos_obj msg = u"添加系统用户: %s" % name return HttpResponseRedirect(reverse('role_list'))
def perm_role_get(request):
    """
    Return the names of the system users (roles) granted to the requester.

    With ``?id=<asset id>`` only the roles authorized on that asset are
    returned; without it every role of the user is returned.  The body is
    a comma-separated list, or ``error`` when the id does not resolve to
    an asset.
    """
    asset_id = request.GET.get('id', 0)
    if not asset_id:
        all_roles = get_group_user_perm(request.user).get('role').keys()
        return HttpResponse(','.join(i.name for i in all_roles))

    asset = get_object(Asset, id=asset_id)
    if not asset:
        return HttpResponse('error')

    granted = user_have_perm(request.user, asset=asset)
    names = ','.join([i.name for i in granted])
    logger.debug(u'获取授权系统用户: ' + names)
    return HttpResponse(names)
def perm_role_delete(request): """ delete role page """ if request.method == "POST": try: # 获取参数删除的role对象 role_id = request.POST.get("id") role = get_object(PermRole, id=role_id) if not role: logger.warning(u"Delete Role: %s not exist" % role.name) raise ServerError(u"%s 无数据记录" % role.name) role_key = role.key_path # 删除推送到主机上的role recycle_assets = [push.asset for push in role.perm_push.all() if push.success] logger.debug(u"delete role %s - delete_assets: %s" % (role.name, recycle_assets)) if recycle_assets: recycle_resource = gen_resource(recycle_assets) task = MyTask(recycle_resource) try: msg = task.del_user(get_object(PermRole, id=role_id).name) except Exception, e: logger.warning(u"Recycle Role failed: %s" % e) raise ServerError(u"回收已推送的系统用户失败: %s" % e) logger.info(u"delete role %s - execute delete user: %s" % (role.name, msg)) # TODO: 判断返回结果,处理异常 # 删除存储的秘钥,以及目录 try: key_files = os.listdir(role_key) for key_file in key_files: os.remove(os.path.join(role_key, key_file)) os.rmdir(role_key) except OSError, e: logger.warning(u"Delete Role: delete key error, %s" % e) raise ServerError(u"删除系统用户key失败: %s" % e) logger.info(u"delete role %s - delete role key directory: %s" % (role.name, role_key)) # 数据库里删除记录 role.delete() return HttpResponse(u"删除系统用户: %s" % role.name)
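def perm_role_recycle(request):
    """
    Recycle (remove) a pushed system user from the given assets.

    Query parameters: ``role_id`` (a PermRole id) and ``asset_id`` (comma
    separated Asset ids).  The account is deleted from every asset that
    holds a successful push record of this role, then the PermPush rows for
    the role/asset pairs are removed.  Returns ``'删除成功'`` on success and
    ``'error'`` when the role or the asset list is missing.

    NOTE(review): this is a state-changing operation driven by GET; callers
    link to it that way, so the method is not changed here.
    """
    role_id = request.GET.get('role_id')
    raw_asset_ids = request.GET.get('asset_id', '')
    asset_ids = [i for i in raw_asset_ids.split(',') if i]
    role = get_object(PermRole, id=role_id)
    # Validate up front: a missing asset_id or an unknown role previously
    # failed with AttributeError part-way through the view.
    if not role or not asset_ids:
        return HttpResponse('error')

    assets = [asset for asset in (get_object(Asset, id=asset_id) for asset_id in asset_ids) if asset]

    # 仅有推送的角色才回收: only assets with a successful push *of this role*
    # need the remote account removed; a push of some other role does not.
    recycle_assets = [
        asset for asset in assets
        if PermPush.objects.filter(asset=asset, role=role, success=True).exists()
    ]

    if recycle_assets:
        task = MyTask(gen_resource(recycle_assets))
        # TODO: 判断返回结果,处理异常 (inspect the task result and report failures)
        result = task.del_user(role.name)
        logger.debug(u'recycle role %s result: %s' % (role.name, result))

    # Drop the push records for every requested asset, as before.
    for asset in assets:
        PermPush.objects.filter(asset=asset, role=role).delete()

    return HttpResponse('删除成功')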
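def search(self, str_r=""):
    """
    Search the assets the current user is authorized for and print them.

    ``str_r`` is either ``g<id>`` (an asset-group id) or a free-text term
    matched against ip, hostname and comment; an empty string lists every
    authorized asset.  The hits are also stored in ``self.search_result``
    as ``{index: asset}`` for later selection.
    """
    gid_pattern = re.compile(r"^g\d+$")
    # 获取用户授权的所有主机信息 (every host the user is authorized for)
    if not self.user_perm:
        self.user_perm = get_group_user_perm(self.user)
    authorized = self.user_perm.get("asset")
    user_asset_all = authorized.keys()

    # 搜索结果保存
    user_asset_search = []
    if str_r:
        # 资产组组id匹配
        if gid_pattern.match(str_r):
            gid = int(str_r.lstrip("g"))
            # 获取资产组包含的资产 -- restricted to the user's own authorized
            # assets: the raw asset_set of an arbitrary group id would expose
            # hosts the user has no permission for (and the role lookup below
            # would then fail with AttributeError on a None entry).
            group = get_object(AssetGroup, id=gid)
            group_assets = group.asset_set.all() if group else []
            user_asset_search = [asset for asset in group_assets if asset in authorized]
        else:
            # 匹配 ip, hostname, 备注
            for asset in user_asset_all:
                if str_r in asset.ip or str_r in str(asset.hostname) or str_r in str(asset.comment):
                    user_asset_search.append(asset)
    else:
        # 如果没有输入就展现所有
        user_asset_search = user_asset_all

    self.search_result = dict(zip(range(len(user_asset_search)), user_asset_search))
    color_print("[%-3s] %-12s %-15s %-5s %-10s %s" % ("ID", u"主机名", "IP", u"端口", u"系统用户", u"备注"), "title")
    for index, asset in self.search_result.items():
        # 获取该资产信息
        asset_info = get_asset_info(asset)
        # 获取该资产包含的角色
        role = [str(role.name) for role in authorized.get(asset).get("role")]
        print("[%-3s] %-15s %-15s %-5s %-10s %s" % (index, asset.hostname, asset.ip, asset_info.get("port"), role, asset.comment))
    print("")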
import errno import struct, fcntl, signal, socket, select os.environ['DJANGO_SETTINGS_MODULE'] = 'utopia.settings' if django.get_version() != '1.6': setup = django.setup() from utopia.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info from utopia.api import logger, Log, TtyLog, get_role_key, CRYPTOR, bash, get_tmp_dir from upperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm, PermRole from utopia.settings import LOG_DIR from upperm.ansible_api import MyRunner from uplog.models import ExecLog, FileLog login_user = get_object(User, username=getpass.getuser()) remote_ip = os.popen("who -m | awk '{ print $NF }'").read().strip('()\n') try: import termios import tty except ImportError: print '\033[1;31m仅支持类Unix系统 Only unix like supported.\033[0m' time.sleep(3) sys.exit() def color_print(msg, color='red', exits=False): """ Print colorful string. 颜色打印字符或者退出
import errno import struct, fcntl, signal, socket, select os.environ["DJANGO_SETTINGS_MODULE"] = "utopia.settings" if django.get_version() != "1.6": setup = django.setup() from utopia.api import ServerError, User, Asset, PermRole, AssetGroup, get_object, mkdir, get_asset_info from utopia.api import logger, Log, TtyLog, get_role_key, CRYPTOR, bash, get_tmp_dir from upperm.perm_api import gen_resource, get_group_asset_perm, get_group_user_perm, user_have_perm, PermRole from utopia.settings import LOG_DIR from upperm.ansible_api import MyRunner from uplog.models import ExecLog, FileLog login_user = get_object(User, username=getpass.getuser()) remote_ip = os.popen("who -m | awk '{ print $NF }'").read().strip("()\n") try: import termios import tty except ImportError: print "\033[1;31m仅支持类Unix系统 Only unix like supported.\033[0m" time.sleep(3) sys.exit() def color_print(msg, color="red", exits=False): """ Print colorful string. 颜色打印字符或者退出
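def perm_rule_add(request):
    """
    add rule page 添加授权

    On POST, reads the selected users / user groups / assets / asset groups
    / roles and creates a PermRule named ``name``.  Validation failures are
    raised as ``ServerError`` inside the try block and stored in ``error``;
    a successful save redirects to ``rule_list``.
    """
    # 渲染数据
    header_title, path1, path2 = "授权规则", "规则管理", "添加规则"

    # 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
    users = User.objects.all()
    user_groups = UserGroup.objects.all()
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()
    roles = PermRole.objects.all()

    if request.method == 'POST':
        # 获取用户选择的 用户,用户组,资产,资产组,用户角色
        users_select = request.POST.getlist('user', [])  # 需要授权用户
        user_groups_select = request.POST.getlist('user_group', [])  # 需要授权用户组
        assets_select = request.POST.getlist('asset', [])  # 需要授权资产
        asset_groups_select = request.POST.getlist('asset_group', [])  # 需要授权资产组
        roles_select = request.POST.getlist('role', [])  # 需要授权角色
        rule_name = request.POST.get('name')
        rule_comment = request.POST.get('comment')

        try:
            # Check the required fields before the duplicate-name lookup so an
            # empty name is reported as such rather than looked up.
            if not rule_name or not roles_select:
                raise ServerError(u'系统用户名称和规则名称不能为空')
            rule = get_object(PermRule, name=rule_name)
            if rule:
                raise ServerError(u'授权规则 %s 已存在' % rule_name)

            # 获取需要授权的主机列表 / 用户列表 / 角色列表 -- get_object()
            # yields None for an unknown id instead of raising DoesNotExist,
            # so a bad id becomes a ServerError rather than a 500.
            assets_obj = [get_object(Asset, id=asset_id) for asset_id in assets_select]
            asset_groups_obj = [get_object(AssetGroup, id=group_id) for group_id in asset_groups_select]
            users_obj = [get_object(User, id=user_id) for user_id in users_select]
            user_groups_obj = [get_object(UserGroup, id=group_id) for group_id in user_groups_select]
            roles_obj = [get_object(PermRole, id=role_id) for role_id in roles_select]
            if None in assets_obj + asset_groups_obj + users_obj + user_groups_obj + roles_obj:
                raise ServerError(u'提交的用户/资产/系统用户中包含不存在的记录')

            group_assets_obj = []
            for asset_group in asset_groups_obj:
                group_assets_obj.extend(list(asset_group.asset_set.all()))
            calc_assets = set(group_assets_obj) | set(assets_obj)  # 授权资产和资产组包含的资产

            # 每个系统用户都必须已经推送到所有授权资产: get_role_push_host()[1]
            # is the list of assets the role has NOT been pushed to.
            for role in roles_obj:
                asset_no_push = get_role_push_host(role=role)[1]
                need_push_asset = calc_assets & set(asset_no_push)
                if need_push_asset:
                    raise ServerError(u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join([asset.hostname for asset in need_push_asset])))

            # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
            rule = PermRule(name=rule_name, comment=rule_comment)
            rule.save()
            rule.user = users_obj
            rule.user_group = user_groups_obj
            rule.asset = assets_obj
            rule.asset_group = asset_groups_obj
            rule.role = roles_obj
            rule.save()
            msg = u"添加授权规则:%s" % rule.name
            return HttpResponseRedirect(reverse('rule_list'))
        except ServerError as e:
            error = e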
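def perm_role_push(request):
    """
    the role push page

    GET renders the form for role ``?id=`` (``asset_id`` preselects assets).
    POST pushes the role's account (password and/or public key) and its sudo
    aliases to the selected assets / asset groups through MyTask, then
    writes one PermPush row per asset recording success or the failure
    detail, and sets ``msg`` / ``error`` for the template.
    """
    # 渲染数据
    header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"

    role_id = request.GET.get('id')
    asset_ids = request.GET.get('asset_id')
    role = get_object(PermRole, id=role_id)
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()

    if asset_ids:
        need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]

    if request.method == "POST":
        if not role:
            # Nothing to push without a role; previously this surfaced as an
            # AttributeError on role.name further down.
            error = u'系统用户 %s 不存在' % role_id
            return my_render('upperm/perm_role_push.html', locals(), request)

        # 计算出需要推送的资产列表 -- ids that do not resolve are skipped
        # instead of raising DoesNotExist.
        asset_ids = request.POST.getlist("assets")
        asset_group_ids = request.POST.getlist("asset_groups")
        assets_obj = [asset for asset in (get_object(Asset, id=asset_id) for asset_id in asset_ids) if asset]
        asset_groups_obj = [group for group in (get_object(AssetGroup, id=group_id) for group_id in asset_group_ids) if group]
        group_assets_obj = []
        for asset_group in asset_groups_obj:
            group_assets_obj.extend(asset_group.asset_set.all())
        calc_assets = list(set(assets_obj) | set(group_assets_obj))
        push_resource = gen_resource(calc_assets)

        # 调用Ansible API 进行推送
        password_push = bool(request.POST.get("use_password"))
        key_push = bool(request.POST.get("use_publicKey"))
        task = MyTask(push_resource)
        ret = {}

        # 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项
        # 1. 以秘钥 方式推送角色
        if key_push:
            ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
            ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
        # 2. 推送账号密码
        elif password_push:
            ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))

        # 3. 推送sudo配置文件
        if password_push or key_push:
            sudo_list = set(role.sudo.all())  # set(sudo1, sudo2, sudo3)
            if sudo_list:
                ret['sudo'] = task.push_sudo_file([role], sudo_list)

        logger.debug('推送role结果: %s' % ret)
        success_asset = {}
        failed_asset = {}
        # Merge the per-push-type results host by host.  A host that failed
        # any step counts as failed even if the other steps succeeded.
        for push_type, result in ret.items():
            for hostname, info in (result.get('failed') or {}).items():
                if hostname not in failed_asset:
                    failed_asset[hostname] = info
                elif info not in failed_asset[hostname]:
                    # The original appended only when the detail was already
                    # present, so a second distinct failure was dropped.
                    # Assumes info is a str, as the success path's str(info)
                    # suggests -- TODO confirm against MyTask's return value.
                    failed_asset[hostname] += info

        for push_type, result in ret.items():
            for hostname, info in (result.get('ok') or {}).items():
                if hostname in failed_asset:
                    continue
                if hostname not in success_asset:
                    success_asset[hostname] = str(info)
                elif str(info) not in success_asset[hostname]:
                    success_asset[hostname] += str(info)

        # 推送成功 回写push表: update the existing PermPush row or create one.
        for asset in calc_assets:
            fields = dict(is_password=password_push, is_public_key=key_push, role=role, asset=asset)
            failure = failed_asset.get(asset.hostname)
            if failure:
                fields.update(success=False, result=failure)
            else:
                fields['success'] = True
            push_check = PermPush.objects.filter(role=role, asset=asset)
            if push_check:
                push_check.update(**fields)
            else:
                PermPush(**fields).save()

        if not failed_asset:
            msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
        else:
            error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ]' % (role.name, ','.join(failed_asset.keys()), ','.join(success_asset.keys()))

    return my_render('upperm/perm_role_push.html', locals(), request)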
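def perm_role_push(request):
    """
    the role push page

    GET renders the form for role ``?id=`` (``asset_id`` preselects assets).
    POST pushes the role's account (password and/or public key) and its sudo
    aliases to the selected assets / asset groups through MyTask, then
    writes one PermPush row per asset recording success or the failure
    detail, and sets ``msg`` / ``error`` for the template.
    """
    # 渲染数据
    header_title, path1, path2 = "系统用户", "系统用户管理", "系统用户推送"

    role_id = request.GET.get('id')
    asset_ids = request.GET.get('asset_id')
    role = get_object(PermRole, id=role_id)
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()

    if asset_ids:
        need_push_asset = [get_object(Asset, id=asset_id) for asset_id in asset_ids.split(',')]

    if request.method == "POST":
        if not role:
            # Nothing to push without a role; previously this surfaced as an
            # AttributeError on role.name further down.
            error = u'系统用户 %s 不存在' % role_id
            return my_render('upperm/perm_role_push.html', locals(), request)

        # 计算出需要推送的资产列表 -- ids that do not resolve are skipped
        # instead of raising DoesNotExist.
        asset_ids = request.POST.getlist("assets")
        asset_group_ids = request.POST.getlist("asset_groups")
        assets_obj = [asset for asset in (get_object(Asset, id=asset_id) for asset_id in asset_ids) if asset]
        asset_groups_obj = [group for group in (get_object(AssetGroup, id=group_id) for group_id in asset_group_ids) if group]
        group_assets_obj = []
        for asset_group in asset_groups_obj:
            group_assets_obj.extend(asset_group.asset_set.all())
        calc_assets = list(set(assets_obj) | set(group_assets_obj))
        push_resource = gen_resource(calc_assets)

        # 调用Ansible API 进行推送
        password_push = bool(request.POST.get("use_password"))
        key_push = bool(request.POST.get("use_publicKey"))
        task = MyTask(push_resource)
        ret = {}

        # 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项
        # 1. 以秘钥 方式推送角色
        if key_push:
            ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))
            ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub'))
        # 2. 推送账号密码
        elif password_push:
            ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password))

        # 3. 推送sudo配置文件
        if password_push or key_push:
            sudo_list = set(role.sudo.all())  # set(sudo1, sudo2, sudo3)
            if sudo_list:
                ret['sudo'] = task.push_sudo_file([role], sudo_list)

        logger.debug('推送role结果: %s' % ret)
        success_asset = {}
        failed_asset = {}
        # Merge the per-push-type results host by host.  A host that failed
        # any step counts as failed even if the other steps succeeded.
        for push_type, result in ret.items():
            for hostname, info in (result.get('failed') or {}).items():
                if hostname not in failed_asset:
                    failed_asset[hostname] = info
                elif info not in failed_asset[hostname]:
                    # The original appended only when the detail was already
                    # present, so a second distinct failure was dropped.
                    # Assumes info is a str, as the success path's str(info)
                    # suggests -- TODO confirm against MyTask's return value.
                    failed_asset[hostname] += info

        for push_type, result in ret.items():
            for hostname, info in (result.get('ok') or {}).items():
                if hostname in failed_asset:
                    continue
                if hostname not in success_asset:
                    success_asset[hostname] = str(info)
                elif str(info) not in success_asset[hostname]:
                    success_asset[hostname] += str(info)

        # 推送成功 回写push表: update the existing PermPush row or create one.
        for asset in calc_assets:
            fields = dict(is_password=password_push, is_public_key=key_push, role=role, asset=asset)
            failure = failed_asset.get(asset.hostname)
            if failure:
                fields.update(success=False, result=failure)
            else:
                fields['success'] = True
            push_check = PermPush.objects.filter(role=role, asset=asset)
            if push_check:
                push_check.update(**fields)
            else:
                PermPush(**fields).save()

        if not failed_asset:
            msg = u'系统用户 %s 推送成功[ %s ]' % (role.name, ','.join(success_asset.keys()))
        else:
            error = u'系统用户 %s 推送失败 [ %s ], 推送成功 [ %s ]' % (role.name, ','.join(failed_asset.keys()), ','.join(success_asset.keys()))

    return my_render('upperm/perm_role_push.html', locals(), request)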
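def perm_rule_edit(request):
    """
    edit rule page

    Loads the PermRule given by ``?id=`` and, on POST, replaces its name,
    comment and the selected users / user groups / assets / asset groups /
    roles.  Validation failures are raised as ``ServerError`` inside the try
    block and stored in ``error``.
    """
    # 渲染数据
    header_title, path1, path2 = "授权规则", "规则管理", "添加规则"

    # 根据rule_id 取得rule对象
    rule_id = request.GET.get("id")
    rule = get_object(PermRule, id=rule_id)

    # 渲染数据, 获取所选的rule对象
    users = User.objects.all()
    user_groups = UserGroup.objects.all()
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()
    roles = PermRole.objects.all()

    if request.method == 'POST' and rule_id:
        # 获取用户选择的 用户,用户组,资产,资产组,用户角色
        rule_name = request.POST.get('name')
        rule_comment = request.POST.get("comment")
        users_select = request.POST.getlist('user', [])
        user_groups_select = request.POST.getlist('user_group', [])
        assets_select = request.POST.getlist('asset', [])
        asset_groups_select = request.POST.getlist('asset_group', [])
        roles_select = request.POST.getlist('role', [])

        try:
            # An unknown rule id would otherwise fail with AttributeError on
            # rule.user below.
            if not rule:
                raise ServerError(u'授权规则 %s 不存在' % rule_id)
            if not rule_name or not roles_select:
                raise ServerError(u'系统用户和关联系统用户不能为空')

            # Resolve the selected ids; get_object() yields None for an
            # unknown id instead of raising DoesNotExist, so a bad id becomes
            # a ServerError rather than a 500.
            assets_obj = [get_object(Asset, id=asset_id) for asset_id in assets_select]
            asset_groups_obj = [get_object(AssetGroup, id=group_id) for group_id in asset_groups_select]
            # 获取需要授权的用户列表
            users_obj = [get_object(User, id=user_id) for user_id in users_select]
            user_groups_obj = [get_object(UserGroup, id=group_id) for group_id in user_groups_select]
            # 获取授予的角色列表
            roles_obj = [get_object(PermRole, id=role_id) for role_id in roles_select]
            if None in assets_obj + asset_groups_obj + users_obj + user_groups_obj + roles_obj:
                raise ServerError(u'提交的用户/资产/系统用户中包含不存在的记录')

            group_assets_obj = []
            for asset_group in asset_groups_obj:
                group_assets_obj.extend(list(asset_group.asset_set.all()))
            calc_assets = set(group_assets_obj) | set(assets_obj)  # 授权资产和资产组包含的资产

            # 每个系统用户都必须已经推送到所有授权资产: get_role_push_host()[1]
            # is the list of assets the role has NOT been pushed to.
            for role in roles_obj:
                asset_no_push = get_role_push_host(role=role)[1]
                need_push_asset = calc_assets & set(asset_no_push)
                if need_push_asset:
                    raise ServerError(u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join([asset.hostname for asset in need_push_asset])))

            # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
            rule.user = users_obj
            rule.user_group = user_groups_obj
            rule.asset = assets_obj
            rule.asset_group = asset_groups_obj
            rule.role = roles_obj
            rule.name = rule_name
            rule.comment = rule_comment
            rule.save()
            msg = u"更新授权规则:%s成功" % rule.name
        except ServerError as e:
            error = e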
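def perm_rule_edit(request):
    """
    edit rule page

    Loads the PermRule given by ``?id=`` and, on POST, replaces its name,
    comment and the selected users / user groups / assets / asset groups /
    roles.  Validation failures are raised as ``ServerError`` inside the try
    block and stored in ``error``.
    """
    # 渲染数据
    header_title, path1, path2 = "授权规则", "规则管理", "添加规则"

    # 根据rule_id 取得rule对象
    rule_id = request.GET.get("id")
    rule = get_object(PermRule, id=rule_id)

    # 渲染数据, 获取所选的rule对象
    users = User.objects.all()
    user_groups = UserGroup.objects.all()
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()
    roles = PermRole.objects.all()

    if request.method == 'POST' and rule_id:
        # 获取用户选择的 用户,用户组,资产,资产组,用户角色
        rule_name = request.POST.get('name')
        rule_comment = request.POST.get("comment")
        users_select = request.POST.getlist('user', [])
        user_groups_select = request.POST.getlist('user_group', [])
        assets_select = request.POST.getlist('asset', [])
        asset_groups_select = request.POST.getlist('asset_group', [])
        roles_select = request.POST.getlist('role', [])

        try:
            # An unknown rule id would otherwise fail with AttributeError on
            # rule.user below.
            if not rule:
                raise ServerError(u'授权规则 %s 不存在' % rule_id)
            if not rule_name or not roles_select:
                raise ServerError(u'系统用户和关联系统用户不能为空')

            # Resolve the selected ids; get_object() yields None for an
            # unknown id instead of raising DoesNotExist, so a bad id becomes
            # a ServerError rather than a 500.
            assets_obj = [get_object(Asset, id=asset_id) for asset_id in assets_select]
            asset_groups_obj = [get_object(AssetGroup, id=group_id) for group_id in asset_groups_select]
            # 获取需要授权的用户列表
            users_obj = [get_object(User, id=user_id) for user_id in users_select]
            user_groups_obj = [get_object(UserGroup, id=group_id) for group_id in user_groups_select]
            # 获取授予的角色列表
            roles_obj = [get_object(PermRole, id=role_id) for role_id in roles_select]
            if None in assets_obj + asset_groups_obj + users_obj + user_groups_obj + roles_obj:
                raise ServerError(u'提交的用户/资产/系统用户中包含不存在的记录')

            group_assets_obj = []
            for asset_group in asset_groups_obj:
                group_assets_obj.extend(list(asset_group.asset_set.all()))
            calc_assets = set(group_assets_obj) | set(assets_obj)  # 授权资产和资产组包含的资产

            # 每个系统用户都必须已经推送到所有授权资产: get_role_push_host()[1]
            # is the list of assets the role has NOT been pushed to.
            for role in roles_obj:
                asset_no_push = get_role_push_host(role=role)[1]
                need_push_asset = calc_assets & set(asset_no_push)
                if need_push_asset:
                    raise ServerError(u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join([asset.hostname for asset in need_push_asset])))

            # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
            rule.user = users_obj
            rule.user_group = user_groups_obj
            rule.asset = assets_obj
            rule.asset_group = asset_groups_obj
            rule.role = roles_obj
            rule.name = rule_name
            rule.comment = rule_comment
            rule.save()
            msg = u"更新授权规则:%s成功" % rule.name
        except ServerError as e:
            error = e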
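def perm_rule_add(request):
    """
    add rule page 添加授权

    On POST, reads the selected users / user groups / assets / asset groups
    / roles and creates a PermRule named ``name``.  Validation failures are
    raised as ``ServerError`` inside the try block and stored in ``error``;
    a successful save redirects to ``rule_list``.
    """
    # 渲染数据
    header_title, path1, path2 = "授权规则", "规则管理", "添加规则"

    # 渲染数据, 获取所有 用户,用户组,资产,资产组,用户角色, 用于添加授权规则
    users = User.objects.all()
    user_groups = UserGroup.objects.all()
    assets = Asset.objects.all()
    asset_groups = AssetGroup.objects.all()
    roles = PermRole.objects.all()

    if request.method == 'POST':
        # 获取用户选择的 用户,用户组,资产,资产组,用户角色
        users_select = request.POST.getlist('user', [])  # 需要授权用户
        user_groups_select = request.POST.getlist('user_group', [])  # 需要授权用户组
        assets_select = request.POST.getlist('asset', [])  # 需要授权资产
        asset_groups_select = request.POST.getlist('asset_group', [])  # 需要授权资产组
        roles_select = request.POST.getlist('role', [])  # 需要授权角色
        rule_name = request.POST.get('name')
        rule_comment = request.POST.get('comment')

        try:
            # Check the required fields before the duplicate-name lookup so an
            # empty name is reported as such rather than looked up.
            if not rule_name or not roles_select:
                raise ServerError(u'系统用户名称和规则名称不能为空')
            rule = get_object(PermRule, name=rule_name)
            if rule:
                raise ServerError(u'授权规则 %s 已存在' % rule_name)

            # 获取需要授权的主机列表 / 用户列表 / 角色列表 -- get_object()
            # yields None for an unknown id instead of raising DoesNotExist,
            # so a bad id becomes a ServerError rather than a 500.
            assets_obj = [get_object(Asset, id=asset_id) for asset_id in assets_select]
            asset_groups_obj = [get_object(AssetGroup, id=group_id) for group_id in asset_groups_select]
            users_obj = [get_object(User, id=user_id) for user_id in users_select]
            user_groups_obj = [get_object(UserGroup, id=group_id) for group_id in user_groups_select]
            roles_obj = [get_object(PermRole, id=role_id) for role_id in roles_select]
            if None in assets_obj + asset_groups_obj + users_obj + user_groups_obj + roles_obj:
                raise ServerError(u'提交的用户/资产/系统用户中包含不存在的记录')

            group_assets_obj = []
            for asset_group in asset_groups_obj:
                group_assets_obj.extend(list(asset_group.asset_set.all()))
            calc_assets = set(group_assets_obj) | set(assets_obj)  # 授权资产和资产组包含的资产

            # 每个系统用户都必须已经推送到所有授权资产: get_role_push_host()[1]
            # is the list of assets the role has NOT been pushed to.
            for role in roles_obj:
                asset_no_push = get_role_push_host(role=role)[1]
                need_push_asset = calc_assets & set(asset_no_push)
                if need_push_asset:
                    raise ServerError(u'没有推送系统用户 %s 的主机 %s' % (role.name, ','.join([asset.hostname for asset in need_push_asset])))

            # 仅授权成功的,写回数据库(授权规则,用户,用户组,资产,资产组,用户角色)
            rule = PermRule(name=rule_name, comment=rule_comment)
            rule.save()
            rule.user = users_obj
            rule.user_group = user_groups_obj
            rule.asset = assets_obj
            rule.asset_group = asset_groups_obj
            rule.role = roles_obj
            rule.save()
            msg = u"添加授权规则:%s" % rule.name
            return HttpResponseRedirect(reverse('rule_list'))
        except ServerError as e:
            error = e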