perf: 改密推送可以对自己操作同时设置su_enabled 可提权 (#10349)

Co-authored-by: feng <1304903146@qq.com>
2 years ago · 58d055f114
parent 9eec2909ed
commit 58d055f114
3 changed files with 17 additions and 4 deletions
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@ -72,14 +72,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return []
        asset = privilege_account.asset
-        accounts = asset.accounts.exclude(username=privilege_account.username)
+        accounts = asset.accounts.all()
        accounts = accounts.filter(id__in=self.account_ids)
        if self.secret_type:
            accounts = accounts.filter(secret_type=self.secret_type)
        if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
            accounts = accounts.filter(privileged=False).exclude(
-                username__in=['root', 'administrator']
+                username__in=['root', 'administrator', privilege_account.username]
            )
        return accounts
--- a/apps/assets/automations/base/manager.py
+++ b/apps/assets/automations/base/manager.py
@ -166,6 +166,7 @@ class BasePlaybookManager:
            account_prefer=self.ansible_account_prefer,
            account_policy=self.ansible_account_policy,
            host_callback=self.host_callback,
            task_type=self.__class__.method_type(),
        )
        inventory.write_to_file(inventory_path)
--- a/apps/ops/ansible/inventory.py
+++ b/apps/ops/ansible/inventory.py
@ -5,12 +5,17 @@ from collections import defaultdict
 from django.utils.translation import gettext as _
 from accounts.const import AutomationTypes
 __all__ = ['JMSInventory']
 class JMSInventory:
-    def __init__(self, assets, account_policy='privileged_first',
+    def __init__(
-                 account_prefer='root,Administrator', host_callback=None, exclude_localhost=False):
+            self, assets, account_policy='privileged_first',
            account_prefer='root,Administrator', host_callback=None,
            exclude_localhost=False, task_type=None
    ):
        """
        :param assets:
        :param account_prefer: account username name if not set use account_policy
@ -22,6 +27,7 @@ class JMSInventory:
        self.host_callback = host_callback
        self.exclude_hosts = {}
        self.exclude_localhost = exclude_localhost
        self.task_type = task_type
    @staticmethod
    def clean_assets(assets):
@ -92,6 +98,12 @@ class JMSInventory:
                host['ansible_become_password'] = su_from.secret
            else:
                host['ansible_become_password'] = account.secret
        elif platform.su_enabled and not su_from and \
                self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
            host.update(self.make_account_ansible_vars(account))
            host['ansible_become'] = True
            host['ansible_become_user'] = 'root'
            host['ansible_become_password'] = account.secret
        else:
            host.update(self.make_account_ansible_vars(account))