perf: Windows AD

pull/15178/head
feng 2025-04-09 18:12:18 +08:00 committed by Bryan
parent 528f9045d0
commit 37a307a9d0
21 changed files with 164 additions and 14 deletions


@ -94,6 +94,7 @@ class BaseChangeSecretPushManager(AccountBasePlaybookManager):
h['account'] = {
'name': account.name,
'username': account.username,
'full_username': account.full_username,
'secret_type': secret_type,
'secret': account.escape_jinja2_syntax(new_secret),
'private_key_path': private_key_path,
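Review bot: The new `'full_username': account.full_username` entry is handed to the playbook templates verbatim while `secret` on the next line goes through `account.escape_jinja2_syntax`; the playbooks in this commit render it with `{{ account.full_username }}` as `ansible_user`, so a value containing Jinja syntax would be re-templated there. The existing `username` entry has the same exposure, so this is not introduced here, but if `full_username` is assembled from editable domain and username fields it is worth giving it the same treatment: `'full_username': account.escape_jinja2_syntax(account.full_username),`. The enclosing method of BaseChangeSecretPushManager starts before and continues after this hunk.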


@ -0,0 +1,27 @@
- hosts: demo
gather_facts: no
tasks:
- name: Test privileged account
ansible.windows.win_ping:
- name: Change password
community.windows.win_domain_user:
name: "{{ account.username }}"
password: "{{ account.secret }}"
update_password: always
password_never_expires: yes
state: present
groups: "{{ params.groups }}"
groups_action: add
ignore_errors: true
when: account.secret_type == "password"
- name: Refresh connection
ansible.builtin.meta: reset_connection
- name: Verify password
ansible.windows.win_ping:
vars:
ansible_user: "{{ account.full_username }}"
ansible_password: "{{ account.secret }}"
when: account.secret_type == "password" and check_conn_after_change
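Review bot: The "Change password" task does more than rotate the secret: `state: present` creates the account if it is missing, `password_never_expires: yes` rewrites that flag on every rotation, and `groups: "{{ params.groups }}"` with `groups_action: add` adds the account to `Users,Remote Desktop Users` by default, so a routine change-secret run can grant RDP logon rights as a side effect. With `ignore_errors: true` and no `register`, a rejected password (domain policy, stale privileged credential) is only noticed when `check_conn_after_change` is on, while the new secret is presumably already recorded on the JumpServer side, leaving vault and AD out of sync. For a change-secret playbook I would drop the `groups`/`groups_action` and `password_never_expires` lines, and replace `ignore_errors: true` with `register: change_result` plus a failure when the change fails and the verify step is skipped or also fails.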


@ -0,0 +1,27 @@
id: change_secret_ad_windows
name: "{{ 'Windows account change secret' | trans }}"
version: 1
method: change_secret
category:
- ds
type:
- windows_ad
params:
- name: groups
type: str
label: '用户组'
default: 'Users,Remote Desktop Users'
help_text: "{{ 'Params groups help text' | trans }}"
i18n:
Windows account change secret:
zh: '使用 Ansible 模块 win_domain_user 执行 Windows 账号改密'
ja: 'Ansible win_domain_user モジュールを使用して Windows アカウントのパスワード変更'
en: 'Using Ansible module win_domain_user to change Windows account secret'
Params groups help text:
zh: '请输入用户组,多个用户组使用逗号分隔(需填写已存在的用户组)'
ja: 'グループを入力してください。複数のグループはコンマで区切ってください(既存のグループを入力してください)'
en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'
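Review bot: `default: 'Users,Remote Desktop Users'` for the `groups` param means every account rotated with this method is added to Remote Desktop Users unless an operator clears the field, which is a privilege grant hidden inside a change-secret manifest; an empty default (`default: ''`) with the help text saying membership is only added when set would be the safer shape, provided the playbook tolerates an empty `groups` value (it passes the string straight to win_domain_user, which I cannot verify here). Also `label: '用户组'` is a hard-coded Chinese string while `name` and `help_text` go through `trans`; a `label: "{{ 'Params groups label' | trans }}"` entry with matching `i18n` keys would keep the three strings consistent.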


@ -2,9 +2,12 @@ id: gather_accounts_windows
name: "{{ 'Windows account gather' | trans }}"
version: 1
method: gather_accounts
category: host
category:
- host
- ds
type:
- windows
- windows_ad
i18n:
Windows account gather:


@ -0,0 +1,27 @@
- hosts: demo
gather_facts: no
tasks:
- name: Test privileged account
ansible.windows.win_ping:
- name: Push user password
community.windows.win_domain_user:
name: "{{ account.username }}"
password: "{{ account.secret }}"
update_password: always
password_never_expires: yes
state: present
groups: "{{ params.groups }}"
groups_action: add
ignore_errors: true
when: account.secret_type == "password"
- name: Refresh connection
ansible.builtin.meta: reset_connection
- name: Verify password
ansible.windows.win_ping:
vars:
ansible_user: "{{ account.full_username }}"
ansible_password: "{{ account.secret }}"
when: account.secret_type == "password" and check_conn_after_change
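Review bot: `ignore_errors: true` on the "Push user password" task (with no `register`) means a failed create or update is reported as success whenever `check_conn_after_change` is false, because the only task that would notice is the conditional "Verify password"; a push that silently does nothing is a bad failure mode for credential provisioning. `password_never_expires: yes` is also applied unconditionally, which exempts every pushed account from the domain's password-age policy with no way to opt out. I would remove `ignore_errors: true` so the module failure fails the host, and expose `password_never_expires` as a manifest param defaulting to `no`, or at minimum state in the manifest help text that pushed accounts are set to never expire.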


@ -0,0 +1,25 @@
id: push_account_ad_windows
name: "{{ 'Windows account push' | trans }}"
version: 1
method: push_account
category:
- ds
type:
- windows_ad
params:
- name: groups
type: str
label: '用户组'
default: 'Users,Remote Desktop Users'
help_text: "{{ 'Params groups help text' | trans }}"
i18n:
Windows account push:
zh: '使用 Ansible 模块 win_domain_user 执行 Windows 账号推送'
ja: 'Ansible win_domain_user モジュールを使用して Windows アカウントをプッシュする'
en: 'Using Ansible module win_domain_user to push account'
Params groups help text:
zh: '请输入用户组,多个用户组使用逗号分隔(需填写已存在的用户组)'
ja: 'グループを入力してください。複数のグループはコンマで区切ってください(既存のグループを入力してください)'
en: 'Please enter the group. Multiple groups are separated by commas (please enter the existing group)'


@ -0,0 +1,9 @@
- hosts: windows
gather_facts: no
tasks:
- name: "Remove account"
ansible.windows.win_domain_user:
name: "{{ account.username }}"
state: absent
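Review bot: `hosts: windows` differs from the `hosts: demo` used by the other new playbooks in this commit (change secret, push); if the manager generates an inventory group named `demo` for all of them, this play matches no host and the removal silently does nothing, so it should read `- hosts: demo` unless the remove manager builds its inventory differently. The module is referenced as `ansible.windows.win_domain_user` here but as `community.windows.win_domain_user` in the other playbooks; only one of those FQCNs is likely to resolve in the installed collections, and they should agree. Since `state: absent` deletes a domain account irreversibly, a guard such as `when: account.username != jms_account.username` would stop the connecting privileged account from deleting itself, keeping in mind that `jms_account.username` now carries the domain-qualified form per the inventory change in this commit.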


@ -0,0 +1,14 @@
id: remove_account_ad_windows
name: "{{ 'Windows account remove' | trans }}"
version: 1
method: remove_account
category:
- ds
type:
- windows_ad
i18n:
Windows account remove:
zh: 使用 Ansible 模块 win_domain_user 删除账号
ja: Ansible モジュール win_domain_user を使用してアカウントを削除する
en: Use the Ansible module win_domain_user to delete an account


@ -10,6 +10,6 @@
rdp_ping:
login_host: "{{ jms_asset.address }}"
login_port: "{{ jms_asset.port }}"
login_user: "{{ account.username }}"
login_user: "{{ account.full_username }}"
login_password: "{{ account.secret }}"
login_secret_type: "{{ account.secret_type }}"
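Review bot: `login_user: "{{ account.full_username }}"` now drives the RDP check for both `windows` and `windows_ad` (this method's manifest gains `windows_ad` in the same commit), so verification of local Windows accounts depends on what `full_username` returns when there is no directory; that property is not visible here, so confirm it degrades to the bare `username`, otherwise local-account verifies will start failing. The logon form it yields (down-level `DOMAIN\user` versus UPN) is not visible either; a one-line comment above `login_user` stating which form `full_username` produces and that it equals `username` for non-directory accounts would help the next person debugging a failed verify. The play header and the remaining tasks lie outside this hunk.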


@ -2,8 +2,10 @@ id: verify_account_by_rdp
name: "{{ 'Windows rdp account verify' | trans }}"
category:
- host
- ds
type:
- windows
- windows_ad
method: verify_account
protocol: rdp
priority: 1


@ -7,5 +7,5 @@
- name: Verify account
ansible.windows.win_ping:
vars:
ansible_user: "{{ account.username }}"
ansible_user: "{{ account.full_username }}"
ansible_password: "{{ account.secret }}"


@ -2,9 +2,12 @@ id: verify_account_windows
name: "{{ 'Windows account verify' | trans }}"
version: 1
method: verify_account
category: host
category:
- host
- ds
type:
- windows
- windows_ad
i18n:
Windows account verify:


@ -64,6 +64,7 @@ class VerifyAccountManager(AccountBasePlaybookManager):
h['account'] = {
'name': account.name,
'username': account.username,
'full_username': account.full_username,
'secret_type': account.secret_type,
'secret': account.escape_jinja2_syntax(secret),
'private_key_path': private_key_path,


@ -2,9 +2,12 @@ id: gather_facts_windows
name: "{{ 'Gather facts windows' | trans }}"
version: 1
method: gather_facts
category: host
category:
- host
- ds
type:
- windows
- windows_ad
i18n:
Gather facts windows:
zh: '使用 Ansible 指令 gather_facts 从 Windows 获取设备信息'


@ -3,8 +3,10 @@ name: "{{ 'Ping by pyfreerdp' | trans }}"
category:
- device
- host
- ds
type:
- windows
- windows_ad
method: ping
protocol: rdp
priority: 1


@ -3,6 +3,7 @@ name: "{{ 'Ping by paramiko' | trans }}"
category:
- device
- host
- ds
type:
- all
method: ping


@ -3,6 +3,7 @@ name: "{{ 'Ping by telnet' | trans }}"
category:
- device
- host
- ds
type:
- all
method: ping


@ -2,9 +2,12 @@ id: win_ping
name: "{{ 'Windows ping' | trans }}"
version: 1
method: ping
category: host
category:
- host
- ds
type:
- windows
- windows_ad
i18n:
Windows ping:
zh: 使用 Ansible 模块 内置模块 win_ping 来测试可连接性


@ -36,6 +36,7 @@ class DirectoryTypes(BaseType):
'change_secret_enabled': True,
'push_account_enabled': True,
'gather_accounts_enabled': True,
'remove_account_enabled': True,
}
}
return constrains


@ -48,7 +48,7 @@ def add_ds_platforms(apps, schema_editor):
},
"gather_accounts_enabled": true,
"gather_accounts_method": "gather_accounts_ad_windows",
"gather_accounts_method": "gather_accounts_windows",
"gather_accounts_params": {
},
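Review bot: Changing `"gather_accounts_method"` inside `add_ds_platforms` of an existing migration only takes effect on databases that have not applied it yet; any deployment that already ran it keeps `gather_accounts_ad_windows` in its platform data, a method id nothing in this commit provides, so gather-accounts on those AD platforms would presumably fail or be skipped. If this migration has already shipped, add a follow-up data migration that rewrites stored `gather_accounts_ad_windows` values to `gather_accounts_windows` rather than editing the applied one. `add_ds_platforms` begins before and continues after this hunk.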


@ -2,7 +2,6 @@
import json
import os
import re
import sys
from collections import defaultdict
from django.utils.translation import gettext as _
@ -79,7 +78,7 @@ class JMSInventory:
@staticmethod
def make_account_ansible_vars(account, path_dir):
var = {
'ansible_user': account.username,
'ansible_user': account.full_username,
}
if not account.secret:
return var
@ -111,7 +110,8 @@ class JMSInventory:
setting = getattr(p, 'setting')
host['old_ssh_version'] = setting.get('old_ssh_version', False)
def make_account_vars(self, host, asset, account, automation, protocol, platform, gateway, path_dir):
def make_account_vars(self, host, asset, account, automation, protocol, platform, gateway, path_dir,
ansible_config):
from accounts.const import AutomationTypes
if not account:
host['error'] = _("No account available")
@ -129,7 +129,8 @@ class JMSInventory:
elif platform.su_enabled and not su_from and \
self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
host.update(self.make_account_ansible_vars(account, path_dir))
host['ansible_become'] = True
if ansible_config.get('ansible_shell_type') != 'powershell':
host['ansible_become'] = True
host['ansible_become_user'] = 'root'
host['ansible_become_password'] = account.escape_jinja2_syntax(account.secret)
else:
@ -192,7 +193,6 @@ class JMSInventory:
secret_info = {k: v for k, v in asset.secret_info.items() if v}
host = {
'name': name,
'local_python_interpreter': sys.executable,
'jms_asset': {
'id': str(asset.id), 'name': asset.name, 'address': asset.address,
'type': tp, 'category': category,
@ -202,7 +202,7 @@ class JMSInventory:
'origin_address': asset.address
},
'jms_account': {
'id': str(account.id), 'username': account.username,
'id': str(account.id), 'username': account.full_username,
'secret': account.escape_jinja2_syntax(account.secret),
'secret_type': account.secret_type, 'private_key_path': account.get_private_key_path(path_dir)
} if account else None
@ -223,7 +223,7 @@ class JMSInventory:
gateway = asset.domain.select_gateway()
self.make_account_vars(
host, asset, account, automation, protocol, platform, gateway, path_dir
host, asset, account, automation, protocol, platform, gateway, path_dir, ansible_config
)
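Review bot: In `make_account_vars` only `host['ansible_become'] = True` moved under the new `if ansible_config.get('ansible_shell_type') != 'powershell':`; as far as the rendered view shows, `host['ansible_become_user'] = 'root'` and `host['ansible_become_password'] = account.escape_jinja2_syntax(account.secret)` still run for PowerShell hosts, placing the account secret in a become var that is never used there — indent those two lines into the `if` as well (indentation is not recoverable from this page, so please confirm). `ansible_config` is also a new required positional parameter dereferenced with `.get`, so any caller other than the one updated at the end of this section fails with a TypeError and a `None` config raises AttributeError; `ansible_config=None` as the default together with `(ansible_config or {}).get('ansible_shell_type')` keeps the old call shape working. Separately, `jms_account['username']` now carries `full_username`; any playbook that used it as a bare sAMAccountName (the new AD playbooks deliberately use `account.username`) will receive the domain-qualified form, which deserves a comment on that dict entry.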
return host