diff --git a/jperm/perm_api.py b/jperm/perm_api.py
index 185fe969d..21a69ac09 100644
--- a/jperm/perm_api.py
+++ b/jperm/perm_api.py
@@ -54,19 +54,18 @@ def get_playbook(template, var):
 return path
 
-def playbook_run(inventory, playbook, default_user=None, default_port=None, default_pri_key_path=None):
+def playbook_run(inventory, playbook, settings):
 stats = callbacks.AggregateStats()
 playbook_cb = callbacks.PlaybookCallbacks(verbose=utils.VERBOSITY)
 runner_cb = callbacks.PlaybookRunnerCallbacks(stats, verbose=utils.VERBOSITY)
 
 # run the playbook
- print default_user, default_port, default_pri_key_path, inventory, playbook
- if default_user and default_port and default_pri_key_path:
+ if settings:
 playbook = PlayBook(host_list=inventory,
 playbook=playbook,
 forks=5,
- remote_user=default_user,
- remote_port=default_port,
- private_key_file=default_pri_key_path,
+ remote_user=settings.default_user,
+ remote_port=settings.default_port,
+ private_key_file=settings.default_pri_key_path,
 callbacks=playbook_cb,
 runner_callbacks=runner_cb,
 stats=stats,
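Review bot: The new guard `if settings:` only tests that a Setting row was found, whereas the condition it replaces required `default_user`, `default_port` and `default_pri_key_path` to all be non-empty; a row with blank fields now reaches PlayBook with an empty remote_user, an empty port and an empty private_key_file, which fails later and less clearly than the old skip. Keep the per-field check on the object: `if settings and settings.default_user and settings.default_port and settings.default_pri_key_path:`. playbook_run's body continues past the end of the hunk, so whatever runs when the check fails is not visible here.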
@@ -98,43 +97,67 @@ def playbook_run(inventory, playbook, default_user=None, default_port=None, defa
 return results_r
 
 
-def perm_user_api(asset_new, asset_del, asset_group_new, asset_group_del, user=None, user_group=None):
- """用户授权api,通过调用ansible API完成用户新建等"""
- asset_new_ip = [] # 新授权的ip列表
- asset_del_ip = [] # 回收授权的ip列表
-
- asset_new_ip.extend([asset.ip for asset in asset_new]) # 查库,获取新授权ip
- for asset_group in asset_group_new:
- asset_new_ip.extend([asset.ip for asset in asset_group.asset_set.all()]) # 同理
- asset_del_ip.extend([asset.ip for asset in asset_del]) # 查库,获取回收授权的ip
- for asset_group in asset_group_del:
- asset_del_ip.extend([asset.ip for asset in asset_group.asset_set.all()]) # 同理
-
- if asset_new_ip or asset_del_ip:
- host_group = {'new': asset_new_ip, 'del': asset_del_ip}
- inventory = get_inventory(host_group)
- if user:
- the_items = user.username,
- elif user_group:
- users = user_group.user_set.all()
- the_items = ','.join([user.username for user in users])
+def perm_user_api(perm_info):
+ """
+ 用户授权api,通过调用ansible API完成用户新建等,传入参数必须如下,列表中可以是对象,也可以是用户名和ip
+ perm_info = {'del': {'users': [],
+ 'assets': [],
+ },
+ 'new': {'users': [],
+ 'assets': []}}
+ """
+ try:
+ new_users = perm_info['new']['users']
+ new_assets = perm_info['new']['assets']
+ del_users = perm_info['del']['users']
+ del_assets = perm_info['del']['assets']
+ except IndexError:
+ raise ServerError("Error: function perm_user_api传入参数错误")
+
+ # 检查传入的是字符串还是对象
+ check_users = new_users + del_users
+ try:
+ if isinstance(check_users[0], str):
+ var_type = 'str'
 else:
- return HttpResponse('Argument error.')
+ var_type = 'obj'
+
+ except IndexError:
+ raise ServerError("Error: function perm_user_api传入参数错误")
+
+ print new_assets, del_assets
+ print new_users, del_users
+ try:
+ if var_type == 'str':
+ new_ip = new_assets
+ del_ip = del_assets
+ new_username = new_users
+ del_username = del_users
+ else:
+ new_ip = [asset.ip for asset in new_assets if isinstance(asset, Asset)]
+ del_ip = [asset.ip for asset in del_assets if isinstance(asset, Asset)]
+ new_username = [user.username for user in new_users if isinstance(user, User)]
+ del_username = [user.username for user in del_users if isinstance(user, User)]
+ except IndexError:
+ raise ServerError("Error: function perm_user_api传入参数类型错误")
 
- playbook = get_playbook(os.path.join(BASE_DIR, 'playbook', 'user_perm.yaml'),
- {'the_new_group': 'new', 'the_del_group': 'del',
- 'the_items': the_items, 'the_pub_key': '/tmp/id_rsa.pub'})
+ print new_ip, del_ip
+ print new_username, del_username
 
- settings = get_object(Setting, id=1)
- if settings:
- default_user = settings.default_user
- default_port = settings.default_port
- default_pri_key_path = settings.default_pri_key_path
- else:
- default_user = default_port = default_pri_key_path = ''
+ host_group = {'new': new_ip, 'del': del_ip}
+ inventory = get_inventory(host_group)
+
+ the_new_users = ','.join(new_username)
+ the_del_users = ','.join(del_username)
 
- results_r = playbook_run(inventory, playbook, default_user, default_port, default_pri_key_path)
- return results_r
+ playbook = get_playbook(os.path.join(BASE_DIR, 'playbook', 'user_perm.yaml'),
+ {'the_new_group': 'new', 'the_del_group': 'del',
+ 'the_new_users': the_new_users, 'the_del_users': the_del_users,
+ 'the_pub_key': '/tmp/id_rsa.pub'})
+
+ settings = get_object(Setting, name='default')
+ results_r = playbook_run(inventory, playbook, settings)
+ return results_r
 
 
 def refresh_group_api(user_group=None, asset_group=None):
diff --git a/jperm/views.py b/jperm/views.py
index 15f375d79..98c1b3bb7 100644
--- a/jperm/views.py
+++ b/jperm/views.py
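Review bot: The first two `except IndexError:` clauses cannot catch what their ServerError messages describe — a missing `new`/`del`/`users`/`assets` key in `perm_info[...]` raises KeyError (TypeError if the payload is not a dict), so a malformed call escapes as an unhandled exception instead of the ServerError the view is written to catch; change both to `except (KeyError, TypeError):`. The probe `isinstance(check_users[0], str)` is also fragile in this Python 2 file: if usernames arrive as unicode the call is routed to the object branch, where the `isinstance(user, User)` filters silently produce empty lists and an empty run, so `isinstance(check_users[0], basestring)` is the safer test. The four `print` statements are debug output that writes every username and IP of every authorization call to stdout and should not be merged. Separately, `'the_pub_key': '/tmp/id_rsa.pub'` is carried over from the old code: a key that is installed into authorized_keys on every managed host is read from a world-writable directory, so it belongs alongside the private key path that Setting already holds, or at least in a directory only the service account can write.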
@@ -1 +1 @@ -# # coding: utf-8 # import sys # # reload(sys) # sys.setdefaultencoding('utf8') # # from django.shortcuts import render_to_response # from django.template import RequestContext # from jperm.models import Perm, SudoPerm, CmdGroup, Apply import json from django.db.models import Q from jperm.models import * from jumpserver.api import * from jperm.perm_api import * @require_role('admin') def perm_user_list(request): header_title, path1, path2 = '用户授权', '授权管理', '用户授权' keyword = request.GET.get('search', '') users_list = User.objects.all() # 获取所有用户 if keyword: users_list = users_list.filter(Q(name=keyword) | Q(username=keyword)) # 搜索 users_list, p, users, page_range, current_page, show_first, show_end = pages(users_list, request) # 分页 return my_render('jperm/perm_user_list.html', locals(), request) @require_role('admin') def perm_user_edit(request): header_title, path1, path2 = '用户授权', '授权管理', '授权更改' user_id = request.GET.get('id', '') user = get_object(User, id=user_id) asset_all = Asset.objects.all() # 获取所有资产 asset_group_all = AssetGroup.objects.all() # 获取所有资产组 asset_permed = user.asset.all() # 获取授权的资产对象列表 asset_group_permed = user.asset_group.all() # 获取授权的资产组对象列表 if request.method == 'GET' and user: assets = [asset for asset in asset_all if asset not in asset_permed] # 获取没有授权的资产对象列表 asset_groups = [asset_group for asset_group in asset_group_all if asset_group not in asset_group_permed] # 同理 return my_render('jperm/perm_user_edit.html', locals(), request) elif request.method == 'POST' and user: asset_id_select = request.POST.getlist('asset_select', []) # 获取选择的资产id列表 asset_group_id_select = request.POST.getlist('asset_groups_select', []) # 获取选择的资产组id列表 asset_select = get_object_list(Asset, asset_id_select) asset_group_select = get_object_list(AssetGroup, asset_group_id_select) asset_new = list(set(asset_select) - set(asset_permed)) # 计算的得到新授权的资产对象列表 asset_del = list(set(asset_permed) - set(asset_select)) # 计算得到回收权限的资产对象列表 asset_group_new = 
list(set(asset_group_select) - set(asset_group_permed)) # 新授权的资产组对象列表 asset_group_del = list(set(asset_group_permed) - set(asset_group_select)) # 回收的资产组对象列表 results = perm_user_api(asset_new, asset_del, asset_group_new, asset_group_del, user=user) # 通过API授权或回收 unreachable_asset = [] failures_asset = [] for ip in results.get('unreachable'): unreachable_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) for ip in results.get('failures'): failures_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) failures_asset.extend(unreachable_asset) # 失败的授权要统计 for asset in failures_asset: if asset in asset_select: asset_select.remove(asset) else: asset_select.append(asset) user.asset = asset_select user.asset_group = asset_group_select user.save() # 保存到数据库 return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") else: return HttpResponse('输入错误') @require_role('admin') def perm_group_list(request): header_title, path1, path2 = '用户组授权', '授权管理', '用户组授权' keyword = request.GET.get('search', '') user_groups_list = UserGroup.objects.all() if keyword: request = user_groups_list.filter(Q(name=keyword) | Q(comment=keyword)) user_groups_list, p, user_groups, page_range, current_page, show_first, show_end = pages(user_groups_list, request) return my_render('jperm/perm_group_list.html', locals(), request) @require_role('admin') def perm_group_edit(request): header_title, path1, path2 = '用户组授权', '授权管理', '授权更改' user_group_id = request.GET.get('id', '') user_group = get_object(UserGroup, id=user_group_id) asset_all = Asset.objects.all() asset_group_all = AssetGroup.objects.all() asset_permed = user_group.asset.all() # 获取授权的资产对象列表 asset_group_permed = user_group.asset_group.all() # 获取授权的资产组对象列表 if request.method == 'GET' and user_group: assets = [asset for asset in asset_all if asset not in asset_permed] asset_groups = [asset_group for asset_group in asset_group_all if asset_group not in asset_group_permed] return 
my_render('jperm/perm_group_edit.html', locals(), request) elif request.method == 'POST' and user_group: asset_id_select = request.POST.getlist('asset_select', []) asset_group_id_select = request.POST.getlist('asset_groups_select', []) asset_select = get_object_list(Asset, asset_id_select) asset_group_select = get_object_list(AssetGroup, asset_group_id_select) asset_new = list(set(asset_select) - set(asset_permed)) # 计算的得到新授权的资产对象列表 asset_del = list(set(asset_permed) - set(asset_select)) # 计算得到回收权限的资产对象列表 asset_group_new = list(set(asset_group_select) - set(asset_group_permed)) # 新授权的资产组对象列表 asset_group_del = list(set(asset_group_permed) - set(asset_group_select)) # 回收的资产组对象列表 results = perm_user_api(asset_new, asset_del, asset_group_new, asset_group_del, user_group=user_group) # 通过API授权或回收 unreachable_asset = [] failures_asset = [] for ip in results.get('unreachable'): unreachable_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) for ip in results.get('failures'): failures_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) failures_asset.extend(unreachable_asset) # 失败的授权要统计 for asset in failures_asset: if asset in asset_select: asset_select.remove(asset) else: asset_select.append(asset) user_group.asset = asset_select user_group.asset_group = asset_group_select user_group.save() # 保存到数据库 return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") else: return HttpResponse('输入错误') \ No newline at end of file +# # coding: utf-8 # import sys # # reload(sys) # sys.setdefaultencoding('utf8') # # from django.shortcuts import render_to_response # from django.template import RequestContext # from jperm.models import Perm, SudoPerm, CmdGroup, Apply from django.db.models import Q from jperm.models import * from jumpserver.api import * from jperm.perm_api import * @require_role('admin') def perm_user_list(request): header_title, path1, path2 = '用户授权', '授权管理', '用户授权' keyword = request.GET.get('search', '') 
users_list = User.objects.all() # 获取所有用户 if keyword: users_list = users_list.filter(Q(name=keyword) | Q(username=keyword)) # 搜索 users_list, p, users, page_range, current_page, show_first, show_end = pages(users_list, request) # 分页 return my_render('jperm/perm_user_list.html', locals(), request) @require_role('admin') def perm_user_edit(request): header_title, path1, path2 = '用户授权', '授权管理', '授权更改' user_id = request.GET.get('id', '') user = get_object(User, id=user_id) asset_all = Asset.objects.all() # 获取所有资产 asset_group_all = AssetGroup.objects.all() # 获取所有资产组 asset_permed = user.asset.all() # 获取授权的资产对象列表 asset_group_permed = user.asset_group.all() # 获取授权的资产组对象列表 if request.method == 'GET' and user: assets = [asset for asset in asset_all if asset not in asset_permed] # 获取没有授权的资产对象列表 asset_groups = [asset_group for asset_group in asset_group_all if asset_group not in asset_group_permed] # 同理 return my_render('jperm/perm_user_edit.html', locals(), request) elif request.method == 'POST' and user: asset_id_select = request.POST.getlist('asset_select', []) # 获取选择的资产id列表 asset_group_id_select = request.POST.getlist('asset_groups_select', []) # 获取选择的资产组id列表 asset_select = get_object_list(Asset, asset_id_select) asset_group_select = get_object_list(AssetGroup, asset_group_id_select) asset_new = list(set(asset_select) - set(asset_permed)) # 计算的得到新授权的资产对象列表 asset_del = list(set(asset_permed) - set(asset_select)) # 计算得到回收权限的资产对象列表 asset_group_new = list(set(asset_group_select) - set(asset_group_permed)) # 新授权的资产组对象列表 asset_group_del = list(set(asset_group_permed) - set(asset_group_select)) # 回收的资产组对象列表 perm_info = { 'del': {'users': [user], 'assets': asset_del}, 'new': {'users': [user], 'assets': asset_new} } try: results = perm_user_api(perm_info) # 通过API授权或回收 except ServerError, e: return HttpResponse(e) unreachable_asset = [] failures_asset = [] for ip in results.get('unreachable'): unreachable_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) for ip in 
results.get('failures'): failures_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) failures_asset.extend(unreachable_asset) # 失败的授权要统计 for asset in failures_asset: if asset in asset_select: asset_select.remove(asset) else: asset_select.append(asset) user.asset = asset_select user.asset_group = asset_group_select user.save() # 保存到数据库 return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") else: return HttpResponse('输入错误') @require_role('admin') def perm_group_list(request): header_title, path1, path2 = '用户组授权', '授权管理', '用户组授权' keyword = request.GET.get('search', '') user_groups_list = UserGroup.objects.all() if keyword: request = user_groups_list.filter(Q(name=keyword) | Q(comment=keyword)) user_groups_list, p, user_groups, page_range, current_page, show_first, show_end = pages(user_groups_list, request) return my_render('jperm/perm_group_list.html', locals(), request) @require_role('admin') def perm_group_edit(request): header_title, path1, path2 = '用户组授权', '授权管理', '授权更改' user_group_id = request.GET.get('id', '') user_group = get_object(UserGroup, id=user_group_id) asset_all = Asset.objects.all() asset_group_all = AssetGroup.objects.all() asset_permed = user_group.asset.all() # 获取授权的资产对象列表 asset_group_permed = user_group.asset_group.all() # 获取授权的资产组对象列表 if request.method == 'GET' and user_group: assets = [asset for asset in asset_all if asset not in asset_permed] asset_groups = [asset_group for asset_group in asset_group_all if asset_group not in asset_group_permed] return my_render('jperm/perm_group_edit.html', locals(), request) elif request.method == 'POST' and user_group: asset_id_select = request.POST.getlist('asset_select', []) asset_group_id_select = request.POST.getlist('asset_groups_select', []) asset_select = get_object_list(Asset, asset_id_select) asset_group_select = get_object_list(AssetGroup, asset_group_id_select) asset_new = list(set(asset_select) - set(asset_permed)) # 计算的得到新授权的资产对象列表 
asset_del = list(set(asset_permed) - set(asset_select)) # 计算得到回收权限的资产对象列表 asset_group_new = list(set(asset_group_select) - set(asset_group_permed)) # 新授权的资产组对象列表 asset_group_del = list(set(asset_group_permed) - set(asset_group_select)) # 回收的资产组对象列表 results = perm_user_api(asset_new, asset_del, asset_group_new, asset_group_del, user_group=user_group) # 通过API授权或回收 unreachable_asset = [] failures_asset = [] for ip in results.get('unreachable'): unreachable_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) for ip in results.get('failures'): failures_asset.extend(filter(lambda x: x, Asset.objects.filter(ip=ip))) failures_asset.extend(unreachable_asset) # 失败的授权要统计 for asset in failures_asset: if asset in asset_select: asset_select.remove(asset) else: asset_select.append(asset) user_group.asset = asset_select user_group.asset_group = asset_group_select user_group.save() # 保存到数据库 return HttpResponse(json.dumps(results, sort_keys=True, indent=4), content_type="application/json") else: return HttpResponse('输入错误')
\ No newline at end of file
diff --git a/playbook/user_perm.yaml b/playbook/user_perm.yaml
index d57ff1964..6310249d4 100644
--- a/playbook/user_perm.yaml
+++ b/playbook/user_perm.yaml
@@ -2,18 +2,16 @@
 tasks:
 - name: del user
 user: name={{ item }} state=absent remove=yes
- with_items: [ the_items ]
+ with_items: [ the_del_users ]
 
 - hosts: the_new_group
 tasks:
 - name: add user
 user: name={{ item }} state=present
- with_items: [ the_items ]
+ with_items: [ the_new_users ]
 - name: .ssh direcotory
 file: name=/home/{{ item }}/.ssh mode=700 owner={{ item }} group={{ item }} state=directory
- with_items: [ the_items ]
+ with_items: [ the_new_users ]
 - name: set authorizied_file
 copy: src=the_pub_key dest=/home/{{ item }}/.ssh/authorizied_keys owner={{ item }} group={{ item }} mode=600
- with_items: [ the_items ]
-
-
+ with_items: [ the_new_users ]
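Review bot: `perm_group_edit` still calls `perm_user_api(asset_new, asset_del, asset_group_new, asset_group_del, user_group=user_group)`, but this same commit changes that function to take a single `perm_info` dict, so every POST on the group-edit page now fails with a TypeError before the group is saved; it needs the same `perm_info` construction that `perm_user_edit` received, with the group's members as the user list (the removed perm_api code obtained them via `user_group.user_set.all()`). In `perm_user_edit` the new `perm_info` carries only `asset_new` and `asset_del`; `asset_group_new` and `asset_group_del` are still computed and written to the database but no longer reach the playbook, so assets granted through a group get no account pushed and the old expansion over `asset_group.asset_set.all()` has no replacement. The header also drops `import json` while both views still call `json.dumps(...)`; unless one of the star imports re-exports it, that line raises NameError. The whole file is a single diff line here, so these points cannot be tied to individual hunk lines.
```python
        # … unchanged: perm_group_edit up to the asset_group_del computation …
        perm_info = {
            'del': {'users': list(user_group.user_set.all()), 'assets': asset_del},
            'new': {'users': list(user_group.user_set.all()), 'assets': asset_new}
        }
        try:
            results = perm_user_api(perm_info)  # 通过API授权或回收
        except ServerError, e:
            return HttpResponse(e)
        # … unchanged: unreachable/failures bookkeeping and save …
```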
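Review bot: The copy task driven by the last renamed `with_items: [ the_new_users ]` writes to `dest=/home/{{ item }}/.ssh/authorizied_keys` (unchanged line just above it); sshd reads `authorized_keys`, so the key pushed for each newly authorized user is never consulted and the account is created without working key access — the line should read `copy: src=the_pub_key dest=/home/{{ item }}/.ssh/authorized_keys owner={{ item }} group={{ item }} mode=600`. The task names `set authorizied_file` and `.ssh direcotory` carry the same typos. Each `with_items: [ the_new_users ]` presumably relies on get_playbook substituting a comma-joined username string into the flow sequence rather than on an Ansible variable; a one-line comment in the playbook saying so would spare the next reader from looking for a variable definition.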
diff --git a/templates/jperm/perm_user_edit.html b/templates/jperm/perm_user_edit.html
index e7db76b0d..5d06997f5 100644
--- a/templates/jperm/perm_user_edit.html
+++ b/templates/jperm/perm_user_edit.html
@@ -107,7 +107,7 @@