perf: 改密 推送 可以对自己操作 同时设置su_enabled 可提权 (#10349)

Co-authored-by: feng <1304903146@qq.com>
pull/10354/head
fit2bot 2 years ago committed by GitHub
parent 9eec2909ed
commit 58d055f114
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -72,14 +72,14 @@ class ChangeSecretManager(AccountBasePlaybookManager):
return []
asset = privilege_account.asset
accounts = asset.accounts.exclude(username=privilege_account.username)
accounts = asset.accounts.all()
accounts = accounts.filter(id__in=self.account_ids)
if self.secret_type:
accounts = accounts.filter(secret_type=self.secret_type)
if settings.CHANGE_AUTH_PLAN_SECURE_MODE_ENABLED:
accounts = accounts.filter(privileged=False).exclude(
username__in=['root', 'administrator']
username__in=['root', 'administrator', privilege_account.username]
)
return accounts

@ -166,6 +166,7 @@ class BasePlaybookManager:
account_prefer=self.ansible_account_prefer,
account_policy=self.ansible_account_policy,
host_callback=self.host_callback,
task_type=self.__class__.method_type(),
)
inventory.write_to_file(inventory_path)

@ -5,12 +5,17 @@ from collections import defaultdict
from django.utils.translation import gettext as _
from accounts.const import AutomationTypes
__all__ = ['JMSInventory']
class JMSInventory:
def __init__(self, assets, account_policy='privileged_first',
account_prefer='root,Administrator', host_callback=None, exclude_localhost=False):
def __init__(
self, assets, account_policy='privileged_first',
account_prefer='root,Administrator', host_callback=None,
exclude_localhost=False, task_type=None
):
"""
:param assets:
:param account_prefer: account username name if not set use account_policy
@ -22,6 +27,7 @@ class JMSInventory:
self.host_callback = host_callback
self.exclude_hosts = {}
self.exclude_localhost = exclude_localhost
self.task_type = task_type
@staticmethod
def clean_assets(assets):
@ -92,6 +98,12 @@ class JMSInventory:
host['ansible_become_password'] = su_from.secret
else:
host['ansible_become_password'] = account.secret
elif platform.su_enabled and not su_from and \
self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
host.update(self.make_account_ansible_vars(account))
host['ansible_become'] = True
host['ansible_become_user'] = 'root'
host['ansible_become_password'] = account.secret
else:
host.update(self.make_account_ansible_vars(account))

Loading…
Cancel
Save