perf: 改密推送可以对自己操作同时设置su_enabled 可提权 (#10349)

Co-authored-by: feng <1304903146@qq.com>
2023-04-26 18:50:30 +08:00 · 2023-04-26 18:50:30 +08:00 · 58d055f114
parent 9eec2909ed
commit 58d055f114
3 changed files with 17 additions and 4 deletions
--- a/apps/accounts/automations/change_secret/manager.py
+++ b/apps/accounts/automations/change_secret/manager.py
@ -72,14 +72,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
            return []

        asset = privilege_account.asset
-        accounts = asset.accounts.exclude(username=privilege_account.username)
+        accounts = asset.accounts.all()
        accounts = accounts.filter(id__in=self.account_ids)
        if self.secret_type:
            accounts = accounts.filter(secret_type=self.secret_type)

        if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
            accounts = accounts.filter(privileged=False).exclude(
-                username__in=['root', 'administrator']
+                username__in=['root', 'administrator', privilege_account.username]
            )
        return accounts

--- a/apps/assets/automations/base/manager.py
+++ b/apps/assets/automations/base/manager.py
@ -166,6 +166,7 @@ class BasePlaybookManager:
            account_prefer=self.ansible_account_prefer,
            account_policy=self.ansible_account_policy,
            host_callback=self.host_callback,
+            task_type=self.__class__.method_type(),
        )
        inventory.write_to_file(inventory_path)

--- a/apps/ops/ansible/inventory.py
+++ b/apps/ops/ansible/inventory.py
@ -5,12 +5,17 @@ from collections import defaultdict

 from django.utils.translation import gettext as _

+from accounts.const import AutomationTypes
+
 __all__ = ['JMSInventory']


 class JMSInventory:
-    def __init__(self, assets, account_policy='privileged_first',
-                 account_prefer='root,Administrator', host_callback=None, exclude_localhost=False):
+    def __init__(
+            self, assets, account_policy='privileged_first',
+            account_prefer='root,Administrator', host_callback=None,
+            exclude_localhost=False, task_type=None
+    ):
        """
        :param assets:
        :param account_prefer: account username name if not set use account_policy
@ -22,6 +27,7 @@ class JMSInventory:
        self.host_callback = host_callback
        self.exclude_hosts = {}
        self.exclude_localhost = exclude_localhost
+        self.task_type = task_type

    @staticmethod
    def clean_assets(assets):
@ -92,6 +98,12 @@ class JMSInventory:
                host['ansible_become_password'] = su_from.secret
            else:
                host['ansible_become_password'] = account.secret
+        elif platform.su_enabled and not su_from and \
+                self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
+            host.update(self.make_account_ansible_vars(account))
+            host['ansible_become'] = True
+            host['ansible_become_user'] = 'root'
+            host['ansible_become_password'] = account.secret
        else:
            host.update(self.make_account_ansible_vars(account))