perf: Regularly delete useless password change push records (#14026)

* perf: If the user Home page does not exist, push will fail * perf: Change secret add uid parameter * perf: Regularly delete useless password change push records --------- Co-authored-by: feng <1304903146@qq.com>
2024-08-30 15:01:40 +08:00 · 2024-08-30 15:01:40 +08:00 · 160293365a
parent 7a19007aba
commit 160293365a
17 changed files with 276 additions and 91 deletions
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@ -14,27 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@ -54,14 +42,40 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: remove jumpserver ssh key
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
--- a/apps/accounts/automations/change_secret/host/aix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/aix/manifest.yml
@ -34,6 +34,12 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  AIX account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (DES)'
@ -60,6 +66,11 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
@ -75,3 +86,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@ -14,27 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@ -54,14 +42,40 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: remove jumpserver ssh key
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
--- a/apps/accounts/automations/change_secret/host/posix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/posix/manifest.yml
@ -36,6 +36,12 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Posix account change secret:
    zh: '使用 Ansible 模块 user 执行账号改密 (SHA512)'
@ -62,6 +68,11 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
@ -77,3 +88,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@ -50,9 +50,6 @@ class ChangeSecretManager(AccountBasePlaybookManager):
        kwargs['exclusive'] = 'yes' if kwargs['strategy'] == SSHKeyStrategy.set else 'no'

        if kwargs['strategy'] == SSHKeyStrategy.set_jms:
-            username = account.username
-            path = f'/{username}' if username == "root" else f'/home/{username}'
-            kwargs['dest'] = f'{path}/.ssh/authorized_keys'
            kwargs['regexp'] = '.*{}$'.format(secret.split()[2].strip())
        return kwargs

@ -130,6 +127,7 @@ class ChangeSecretManager(AccountBasePlaybookManager):
                recorder = ChangeSecretRecord(
                    asset=asset, account=account, execution=self.execution,
                    old_secret=account.secret, new_secret=new_secret,
+                    comment=f'{account.username}@{asset.address}'
                )
                records.append(recorder)
            else:
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@ -14,27 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@ -54,14 +42,40 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: remove jumpserver ssh key
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
--- a/apps/accounts/automations/push_account/host/aix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/aix/manifest.yml
@ -34,6 +34,12 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Aix account push:
    zh: '使用 Ansible 模块 user 执行 Aix 账号推送 (DES)'
@ -60,6 +66,11 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
@ -75,3 +86,7 @@ i18n:
    ja: 'グループ'
    en: 'Groups'

+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@ -14,27 +14,15 @@
    - name: "Add {{ account.username }} user"
      ansible.builtin.user:
        name: "{{ account.username }}"
-        shell: "{{ params.shell }}"
-        home: "{{ params.home | default('/home/' + account.username, true) }}"
-        groups: "{{ params.groups }}"
+        uid: "{{ params.uid | int if params.uid | length > 0 else omit }}"
+        shell: "{{ params.shell if params.shell | length > 0 else omit }}"
+        home: "{{ params.home if params.home | length > 0 else '/home/' + account.username }}"
+        groups: "{{ params.groups if params.groups | length > 0 else omit }}"
+        append: yes
        expires: -1
        state: present
      when: user_info.failed

-    - name: "Add {{ account.username }} group"
-      ansible.builtin.group:
-        name: "{{ account.username }}"
-        state: present
-      when: user_info.failed
-
-    - name: "Add {{ account.username }} user to group"
-      ansible.builtin.user:
-        name: "{{ account.username }}"
-        groups: "{{ params.groups }}"
-      when:
-        - user_info.failed
-        - params.groups
-
    - name: "Set {{ account.username }} sudo setting"
      ansible.builtin.lineinfile:
        dest: /etc/sudoers
@ -54,14 +42,40 @@
      ignore_errors: true
      when: account.secret_type == "password"

-    - name: remove jumpserver ssh key
+    - name: "Get home directory for {{ account.username }}"
+      ansible.builtin.shell: "getent passwd {{ account.username }} | cut -d: -f6"
+      register: home_dir
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Check if home directory exists for {{ account.username }}"
+      ansible.builtin.stat:
+        path: "{{ home_dir.stdout.strip() }}"
+      register: home_dir_stat
+      when: account.secret_type == "ssh_key"
+      ignore_errors: yes
+
+    - name: "Ensure {{ account.username }} home directory exists"
+      ansible.builtin.file:
+        path: "{{ home_dir.stdout.strip() }}"
+        state: directory
+        owner: "{{ account.username }}"
+        group: "{{ account.username }}"
+        mode: '0750'
+      when:
+        - account.secret_type == "ssh_key"
+        - home_dir_stat.stat.exists == false
+      ignore_errors: yes
+
+    - name: Remove jumpserver ssh key
      ansible.builtin.lineinfile:
-        dest: "{{ ssh_params.dest }}"
+        dest: "{{ home_dir.stdout.strip() }}/.ssh/authorized_keys"
        regexp: "{{ ssh_params.regexp }}"
        state: absent
      when:
        - account.secret_type == "ssh_key"
        - ssh_params.strategy == "set_jms"
+      ignore_errors: yes

    - name: "Change {{ account.username }} SSH key"
      ansible.builtin.authorized_key:
--- a/apps/accounts/automations/push_account/host/posix/manifest.yml
+++ b/apps/accounts/automations/push_account/host/posix/manifest.yml
@ -36,6 +36,12 @@ params:
    default: ''
    help_text: "{{ 'Params groups help text' | trans }}"

+  - name: uid
+    type: str
+    label: "{{ 'Params uid label' | trans }}"
+    default: ''
+    help_text: "{{ 'Params uid help text' | trans }}"
+
 i18n:
  Posix account push:
    zh: '使用 Ansible 模块 user 执行账号推送 (sha512)'
@ -62,6 +68,11 @@ i18n:
    ja: 'グループを入力してください。複数のグループはコンマで区切ってください（既存のグループを入力してください）'
    en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'

+  Params uid help text:
+    zh: '请输入用户ID'
+    ja: 'ユーザーIDを入力してください'
+    en: 'Please enter the user ID'
+
  Modify sudo label:
    zh: '修改 sudo 权限'
    ja: 'sudo 権限を変更'
@ -75,4 +86,9 @@ i18n:
  Params groups label:
    zh: '用户组'
    ja: 'グループ'
-    en: 'Groups'
+    en: 'Groups'
+
+  Params uid label:
+    zh: '用户ID'
+    ja: 'ユーザーID'
+    en: 'User ID'
--- a/apps/accounts/migrations/0004_alter_changesecretrecord_account_and_more.py
+++ b/apps/accounts/migrations/0004_alter_changesecretrecord_account_and_more.py
@ -0,0 +1,30 @@
+# Generated by Django 4.1.13 on 2024-08-26 09:05
+
+from django.db import migrations, models
+import django.db.models.deletion
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('assets', '0005_myasset'),
+        ('accounts', '0003_automation'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='account',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='accounts.account'),
+        ),
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='asset',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='assets.asset'),
+        ),
+        migrations.AlterField(
+            model_name='changesecretrecord',
+            name='execution',
+            field=models.ForeignKey(null=True, on_delete=django.db.models.deletion.SET_NULL, to='accounts.automationexecution'),
+        ),
+    ]
--- a/apps/accounts/models/automations/change_secret.py
+++ b/apps/accounts/models/automations/change_secret.py
@ -33,16 +33,15 @@ class ChangeSecretAutomation(ChangeSecretMixin, AccountBaseAutomation):


 class ChangeSecretRecord(JMSBaseModel):
-    execution = models.ForeignKey('accounts.AutomationExecution', on_delete=models.CASCADE)
-    asset = models.ForeignKey('assets.Asset', on_delete=models.CASCADE, null=True)
-    account = models.ForeignKey('accounts.Account', on_delete=models.CASCADE, null=True)
+    execution = models.ForeignKey('accounts.AutomationExecution', on_delete=models.SET_NULL, null=True)
+    asset = models.ForeignKey('assets.Asset', on_delete=models.SET_NULL, null=True)
+    account = models.ForeignKey('accounts.Account', on_delete=models.SET_NULL, null=True)
    old_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('Old secret'))
    new_secret = fields.EncryptTextField(blank=True, null=True, verbose_name=_('New secret'))
    date_started = models.DateTimeField(blank=True, null=True, verbose_name=_('Date started'))
    date_finished = models.DateTimeField(blank=True, null=True, verbose_name=_('Date finished'))
    status = models.CharField(
-        max_length=16, verbose_name=_('Status'),
-        default=ChangeSecretRecordStatusChoice.pending.value
+        max_length=16, verbose_name=_('Status'), default=ChangeSecretRecordStatusChoice.pending.value
    )
    error = models.TextField(blank=True, null=True, verbose_name=_('Error'))

@ -51,4 +50,4 @@ class ChangeSecretRecord(JMSBaseModel):
        verbose_name = _("Change secret record")

    def __str__(self):
-        return self.account.__str__()
+        return f'{self.account.username}@{self.asset}'
--- a/apps/accounts/tasks/automation.py
+++ b/apps/accounts/tasks/automation.py
@ -1,9 +1,15 @@
+import datetime
+
 from celery import shared_task
+from django.db.models import Q
+from django.utils import timezone
 from django.utils.translation import gettext_lazy as _, gettext_noop

 from accounts.const import AutomationTypes
 from accounts.tasks.common import quickstart_automation_by_snapshot
-from common.utils import get_logger, get_object_or_none
+from common.const.crontab import CRONTAB_AT_AM_THREE
+from common.utils import get_logger, get_object_or_none, get_log_keep_day
+from ops.celery.decorator import register_as_period_task
 from orgs.utils import tmp_to_org, tmp_to_root_org

 logger = get_logger(__file__)
@ -74,3 +80,24 @@ def execute_automation_record_task(record_ids, tp):
    }
    with tmp_to_org(record.execution.org_id):
        quickstart_automation_by_snapshot(task_name, tp, task_snapshot)
+
+
+@shared_task(
+    verbose_name=_('Clean change secret and push record period'),
+    description=_('Clean change secret and push record period')
+)
+@register_as_period_task(crontab=CRONTAB_AT_AM_THREE)
+def clean_change_secret_and_push_record_period():
+    from accounts.models import ChangeSecretRecord
+    print('Start clean change secret and push record period')
+    with tmp_to_root_org():
+        now = timezone.now()
+        days = get_log_keep_day('ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS')
+        expired_day = now - datetime.timedelta(days=days)
+        records = ChangeSecretRecord.objects.filter(
+            date_updated__lt=expired_day
+        ).filter(
+            Q(execution__isnull=True) | Q(asset__isnull=True) | Q(account__isnull=True)
+        )
+
+        records.delete()
--- a/apps/assets/models/asset/common.py
+++ b/apps/assets/models/asset/common.py
@ -158,10 +158,16 @@ class Asset(NodesRelationMixin, LabeledMixin, AbsConnectivity, JSONFilterMixin,

    name = models.CharField(max_length=128, verbose_name=_('Name'))
    address = models.CharField(max_length=767, verbose_name=_('Address'), db_index=True)
-    platform = models.ForeignKey(Platform, on_delete=models.PROTECT, verbose_name=_("Platform"), related_name='assets')
-    domain = models.ForeignKey("assets.Domain", null=True, blank=True, related_name='assets',
-                               verbose_name=_("Zone"), on_delete=models.SET_NULL)
-    nodes = models.ManyToManyField('assets.Node', default=default_node, related_name='assets', verbose_name=_("Nodes"))
+    platform = models.ForeignKey(
+        Platform, on_delete=models.PROTECT, verbose_name=_("Platform"), related_name='assets'
+    )
+    domain = models.ForeignKey(
+        "assets.Domain", null=True, blank=True, related_name='assets',
+        verbose_name=_("Zone"), on_delete=models.SET_NULL
+    )
+    nodes = models.ManyToManyField(
+        'assets.Node', default=default_node, related_name='assets', verbose_name=_("Nodes")
+    )
    is_active = models.BooleanField(default=True, verbose_name=_('Active'))
    gathered_info = models.JSONField(verbose_name=_('Gathered info'), default=dict, blank=True)  # 资产的一些信息，如 硬件信息
    custom_info = models.JSONField(verbose_name=_('Custom info'), default=dict)
--- a/apps/common/const/crontab.py
+++ b/apps/common/const/crontab.py
@ -1,5 +1,6 @@

 CRONTAB_AT_AM_TWO = '0 2 * * *'
+CRONTAB_AT_AM_THREE = '0 3 * * *'
 CRONTAB_AT_AM_TEN = '0 10 * * *'
 CRONTAB_AT_PM_TWO = '0 14 * * *'

--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@ -607,6 +607,7 @@ class Config(dict):
        'CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS': 180,
        'JOB_EXECUTION_KEEP_DAYS': 180,
        'PASSWORD_CHANGE_LOG_KEEP_DAYS': 999,
+        'ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS': 180,

        'TICKETS_ENABLED': True,
        'TICKETS_DIRECT_APPROVE': False,
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@ -128,6 +128,7 @@ ACTIVITY_LOG_KEEP_DAYS = CONFIG.ACTIVITY_LOG_KEEP_DAYS
 FTP_LOG_KEEP_DAYS = CONFIG.FTP_LOG_KEEP_DAYS
 CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS = CONFIG.CLOUD_SYNC_TASK_EXECUTION_KEEP_DAYS
 JOB_EXECUTION_KEEP_DAYS = CONFIG.JOB_EXECUTION_KEEP_DAYS
+ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS = CONFIG.ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS
 ORG_CHANGE_TO_URL = CONFIG.ORG_CHANGE_TO_URL
 WINDOWS_SKIP_ALL_MANUAL_PASSWORD = CONFIG.WINDOWS_SKIP_ALL_MANUAL_PASSWORD

--- a/apps/settings/serializers/cleaning.py
+++ b/apps/settings/serializers/cleaning.py
@ -47,3 +47,8 @@ class CleaningSerializer(serializers.Serializer):
        help_text=_(
            'Session, record, command will be delete if more than duration, only in database, OSS will not be affected.')
    )
+
+    ACCOUNT_CHANGE_SECRET_RECORD_KEEP_DAYS = serializers.IntegerField(
+        min_value=MIN_VALUE, max_value=9999,
+        label=_("Change secret and push record retention days (day)"),
+    )