fix: Authbook 取认证信息bug

pull/7589/head
xinwen 2022-01-26 16:45:41 +08:00 committed by Jiangjie.Bai
parent 67a49dc5e9
commit 333bb64b8b
2 changed files with 47 additions and 50 deletions

View File

@ -150,17 +150,37 @@ class AuthMixin:
def load_asset_special_auth(self, asset, username=''): def load_asset_special_auth(self, asset, username=''):
""" """
AuthBook 的数据状态
| asset | systemuser | username |
1 | * | * | x |
2 | * | x | * |
当前 AuthBook 只有以上两种状态systemuser username 不会并存
正常的资产与系统用户关联产生的是第1种状态改密则产生第2种状态改密之后
只有 username 而没有 systemuser
Freq: 关联同一资产的多个系统用户指定同一用户名时修改用户密码会影响所有系统用户
这里有一个不对称的行为同名系统用户密码覆盖
当有相同 username 的多个系统用户时有改密动作之后所有的同名系统用户都使用最后
一次改动但如果没有发生过改密同名系统用户使用的密码还是各自的
""" """
authbooks = list(AuthBook.objects.filter(asset=asset).filter( if username == '':
Q(username=username) | Q(systemuser=self) username = self.username
))
if len(authbooks) == 0: authbook = AuthBook.objects.filter(
asset=asset, username=username, systemuser__isnull=True
).order_by('-date_created').first()
if not authbook:
authbook = AuthBook.objects.filter(
asset=asset, systemuser=self
).order_by('-date_created').first()
if not authbook:
return None return None
elif len(authbooks) == 1:
authbook = authbooks[0]
else:
authbooks.sort(key=lambda x: 1 if x.username == username else 0, reverse=True)
authbook = authbooks[0]
authbook.load_auth() authbook.load_auth()
self.password = authbook.password self.password = authbook.password
self.private_key = authbook.private_key self.private_key = authbook.private_key

View File

@ -4,10 +4,10 @@ from itertools import groupby
from celery import shared_task from celery import shared_task
from common.db.utils import get_object_if_need, get_objects from common.db.utils import get_object_if_need, get_objects
from django.utils.translation import ugettext as _, gettext_noop from django.utils.translation import ugettext as _, gettext_noop
from django.db.models import Empty, Q from django.db.models import Empty
from common.utils import encrypt_password, get_logger from common.utils import encrypt_password, get_logger
from assets.models import SystemUser, Asset, AuthBook from assets.models import SystemUser, Asset
from orgs.utils import org_aware_func, tmp_to_root_org from orgs.utils import org_aware_func, tmp_to_root_org
from . import const from . import const
from .utils import clean_ansible_task_hosts, group_asset_by_platform from .utils import clean_ansible_task_hosts, group_asset_by_platform
@ -178,6 +178,7 @@ def get_push_windows_system_user_tasks(system_user: SystemUser, username=None):
def get_push_system_user_tasks(system_user, platform="unixlike", username=None): def get_push_system_user_tasks(system_user, platform="unixlike", username=None):
""" """
获取推送系统用户的 ansible 命令跟资产无关
:param system_user: :param system_user:
:param platform: :param platform:
:param username: 当动态时近推送某个 :param username: 当动态时近推送某个
@ -209,18 +210,10 @@ def push_system_user_util(system_user, assets, task_name, username=None):
if not assets: if not assets:
return {} return {}
# 资产按平台分类
assets_sorted = sorted(assets, key=group_asset_by_platform) assets_sorted = sorted(assets, key=group_asset_by_platform)
platform_hosts = groupby(assets_sorted, key=group_asset_by_platform) platform_hosts = groupby(assets_sorted, key=group_asset_by_platform)
def run_task(_tasks, _hosts):
if not _tasks:
return
task, created = update_or_create_ansible_task(
task_name=task_name, hosts=_hosts, tasks=_tasks, pattern='all',
options=const.TASK_OPTIONS, run_as_admin=True,
)
task.run()
if system_user.username_same_with_user: if system_user.username_same_with_user:
if username is None: if username is None:
# 动态系统用户,但是没有指定 username # 动态系统用户,但是没有指定 username
@ -232,6 +225,15 @@ def push_system_user_util(system_user, assets, task_name, username=None):
assert username is None, 'Only Dynamic user can assign `username`' assert username is None, 'Only Dynamic user can assign `username`'
usernames = [system_user.username] usernames = [system_user.username]
def run_task(_tasks, _hosts):
if not _tasks:
return
task, created = update_or_create_ansible_task(
task_name=task_name, hosts=_hosts, tasks=_tasks, pattern='all',
options=const.TASK_OPTIONS, run_as_admin=True,
)
task.run()
for platform, _assets in platform_hosts: for platform, _assets in platform_hosts:
_assets = list(_assets) _assets = list(_assets)
if not _assets: if not _assets:
@ -239,36 +241,11 @@ def push_system_user_util(system_user, assets, task_name, username=None):
print(_("Start push system user for platform: [{}]").format(platform)) print(_("Start push system user for platform: [{}]").format(platform))
print(_("Hosts count: {}").format(len(_assets))) print(_("Hosts count: {}").format(len(_assets)))
id_asset_map = {_asset.id: _asset for _asset in _assets} for u in usernames:
asset_ids = id_asset_map.keys() for a in _assets:
no_special_auth = [] system_user.load_asset_special_auth(a, u)
special_auth_set = set() tasks = get_push_system_user_tasks(system_user, platform, username=u)
run_task(tasks, [a])
auth_books = AuthBook.objects.filter(asset_id__in=asset_ids).filter(
Q(username__in=usernames) | Q(systemuser=system_user)
).prefetch_related('systemuser')
for auth_book in auth_books:
auth_book.load_auth()
special_auth_set.add((auth_book.username, auth_book.asset_id))
for _username in usernames:
no_special_assets = []
for asset_id in asset_ids:
if (_username, asset_id) not in special_auth_set:
no_special_assets.append(id_asset_map[asset_id])
if no_special_assets:
no_special_auth.append((_username, no_special_assets))
for _username, no_special_assets in no_special_auth:
tasks = get_push_system_user_tasks(system_user, platform, username=_username)
run_task(tasks, no_special_assets)
for auth_book in auth_books:
system_user._merge_auth(auth_book)
tasks = get_push_system_user_tasks(system_user, platform, username=auth_book.username)
asset = id_asset_map[auth_book.asset_id]
run_task(tasks, [asset])
@shared_task(queue="ansible") @shared_task(queue="ansible")