From 8f59e49099e710951db4b66cd61476b340661e6e Mon Sep 17 00:00:00 2001
From: feng <1304903146@qq.com>
Date: Fri, 28 Jul 2023 17:16:35 +0800
Subject: [PATCH] =?UTF-8?q?perf:=20=E6=A0=B9=E6=8D=AE=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?=E6=98=AF=E5=90=A6=E5=AD=98=E5=9C=A8=E9=85=8D=E7=BD=AE=20?=
 =?UTF-8?q?=E6=94=B9=E5=AF=86=E5=8F=82=E6=95=B0?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../change_secret/host/aix/main.yml | 43 +++++++++++++------
 .../change_secret/host/aix/manifest.yml | 6 +++
 .../change_secret/host/posix/main.yml | 43 +++++++++++++------
 .../change_secret/host/posix/manifest.yml | 6 +++
 4 files changed, 72 insertions(+), 26 deletions(-)

diff --git a/apps/accounts/automations/change_secret/host/aix/main.yml b/apps/accounts/automations/change_secret/host/aix/main.yml
index 831b4f0bf..8593c7534 100644
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -1,10 +1,17 @@
 - hosts: demo
 gather_facts: no
 tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
 ansible.builtin.ping:

- - name: Check user
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
 ansible.builtin.user:
 name: "{{ account.username }}"
 shell: "{{ params.shell }}"
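Review bot: The existence check registers `user_info` from a `getent` task that is allowed to fail for any reason, so `user_info.failed` (which gates the add-user, add-group and sudoers tasks in the later hunks of this file) is also true when the passwd lookup fails for a reason other than a missing entry, for example an unreachable NSS/LDAP backend, and the play would then try to create and grant sudo to an account that may already exist in the directory. If the module version in use supports it, `fail_key: false` on the getent task lets a missing key succeed while a real lookup error still fails, and the later conditions can then test the returned `getent_passwd` fact (presumably `when: getent_passwd[account.username] is none`, to be confirmed against the module docs) instead of `failed`. Separately, `ignore_errors: yes` should be written `ignore_errors: true`, matching the `ignore_errors: true` already used by the password task further down, and the trailing comment would read better in English: `# tolerate a failed lookup: a missing user must not abort the play`. The same applies to the first hunk of posix/main.yml.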
@@ -12,19 +19,23 @@
 groups: "{{ params.groups }}"
 expires: -1
 state: present
+ when: user_info.failed

 - name: "Add {{ account.username }} group"
 ansible.builtin.group:
 name: "{{ account.username }}"
 state: present
+ when: user_info.failed

- - name: Add user groups
+ - name: "Add {{ account.username }} user to group"
 ansible.builtin.user:
 name: "{{ account.username }}"
 groups: "{{ params.groups }}"
- when: params.groups
+ when:
+ - user_info.failed
+ - params.groups

- - name: Change password
+ - name: "Change {{ account.username }} password"
 ansible.builtin.user:
 name: "{{ account.username }}"
 password: "{{ account.secret | password_hash('des') }}"
@@ -32,11 +43,6 @@
 ignore_errors: true
 when: account.secret_type == "password"

- - name: create user If it already exists, no operation will be performed
- ansible.builtin.user:
- name: "{{ account.username }}"
- when: account.secret_type == "ssh_key"
-
 - name: remove jumpserver ssh key
 ansible.builtin.lineinfile:
 dest: "{{ ssh_params.dest }}"
@@ -46,17 +52,28 @@
 - account.secret_type == "ssh_key"
 - ssh_params.strategy == "set_jms"

- - name: Change SSH key
+ - name: "Change {{ account.username }} SSH key"
 ansible.builtin.authorized_key:
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
 when: account.secret_type == "ssh_key"

+ - name: "Set {{ account.username }} sudo setting"
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: "^{{ account.username }} ALL="
+ line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+ validate: visudo -cf %s
+ when:
+ - user_info.failed
+ - params.sudo
+
 - name: Refresh connection
 ansible.builtin.meta: reset_connection

- - name: Verify password
+ - name: "Verify {{ account.username }} password"
 ansible.builtin.ping:
 become: no
 vars:
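Review bot: The new sudoers task interpolates `account.username` unescaped into `regexp: "^{{ account.username }} ALL="`, so a username containing regex metacharacters (a dot is common) can match, and then replace, a different user's line; `regexp: "^{{ account.username | regex_escape }} ALL="` keeps the match literal. `validate: visudo -cf %s` protects the file from a malformed `params.sudo`, but it checks syntax only, so a value such as `ALL` silently grants passwordless root, and writing the entry to a per-account drop-in under `/etc/sudoers.d/` (with `create: true` and `mode: "0440"`) rather than editing `/etc/sudoers` in place would keep the grant isolated and easy to revoke, provided the target's sudo is built to include that directory, which is not guaranteed on AIX. Because the task runs only `when: user_info.failed`, the entry is written once at account creation and is never updated or removed when `params.sudo` changes later; if that is intended, a comment on the task such as `# sudo rights are granted only when the account is first created; later edits to params.sudo are not applied` would make it explicit. The same task is added in the corresponding hunk of posix/main.yml.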
@@ -65,7 +82,7 @@
 ansible_become: no
 when: account.secret_type == "password"

- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
 ansible.builtin.ping:
 become: no
 vars:
diff --git a/apps/accounts/automations/change_secret/host/aix/manifest.yml b/apps/accounts/automations/change_secret/host/aix/manifest.yml
index 04a332027..47d41c85a 100644
--- a/apps/accounts/automations/change_secret/host/aix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/aix/manifest.yml
@@ -5,6 +5,12 @@ type:
 - AIX
 method: change_secret
 params:
+ - name: sudo
+ type: str
+ label: 'Sudo'
+ default: '/bin/whoami'
+ help_text: '使用逗号分隔多个命令,如: /bin/whoami,/sbin/ifconfig'
+
 - name: shell
 type: str
 label: 'Shell'
diff --git a/apps/accounts/automations/change_secret/host/posix/main.yml b/apps/accounts/automations/change_secret/host/posix/main.yml
index 3462cabf8..5ed6a10b4 100644
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -1,10 +1,17 @@
 - hosts: demo
 gather_facts: no
 tasks:
- - name: Test privileged account
+ - name: "Test privileged {{ jms_account.username }} account"
 ansible.builtin.ping:

- - name: Check user
+ - name: "Check if {{ account.username }} user exists"
+ getent:
+ database: passwd
+ key: "{{ account.username }}"
+ register: user_info
+ ignore_errors: yes # 忽略错误,如果用户不存在时不会导致playbook失败
+
+ - name: "Add {{ account.username }} user"
 ansible.builtin.user:
 name: "{{ account.username }}"
 shell: "{{ params.shell }}"
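Review bot: The new `sudo` parameter in aix/manifest.yml defaults to `/bin/whoami`, and because the playbook task is gated on `when: params.sudo`, every account this automation creates now receives a `NOPASSWD` sudoers entry unless the operator clears the field; `default: ''` would leave sudoers untouched unless sudo rights are explicitly requested, which is the safer default for a privilege-granting option. The help text should also state that the value is written verbatim as the sudoers command list (so `ALL` means unrestricted passwordless root) and that it takes effect only when the account is newly created, since the playbook skips the task for existing users. The same parameter with the same default is added in the posix/manifest.yml hunk.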
@@ -12,19 +19,23 @@
 groups: "{{ params.groups }}"
 expires: -1
 state: present
+ when: user_info.failed

 - name: "Add {{ account.username }} group"
 ansible.builtin.group:
 name: "{{ account.username }}"
 state: present
+ when: user_info.failed

- - name: Add user groups
+ - name: "Add {{ account.username }} user to group"
 ansible.builtin.user:
 name: "{{ account.username }}"
 groups: "{{ params.groups }}"
- when: params.groups
+ when:
+ - user_info.failed
+ - params.groups

- - name: Change password
+ - name: "Change {{ account.username }} password"
 ansible.builtin.user:
 name: "{{ account.username }}"
 password: "{{ account.secret | password_hash('sha512') }}"
@@ -32,11 +43,6 @@
 ignore_errors: true
 when: account.secret_type == "password"

- - name: create user If it already exists, no operation will be performed
- ansible.builtin.user:
- name: "{{ account.username }}"
- when: account.secret_type == "ssh_key"
-
 - name: remove jumpserver ssh key
 ansible.builtin.lineinfile:
 dest: "{{ ssh_params.dest }}"
@@ -46,17 +52,28 @@
 - account.secret_type == "ssh_key"
 - ssh_params.strategy == "set_jms"

- - name: Change SSH key
+ - name: "Change {{ account.username }} SSH key"
 ansible.builtin.authorized_key:
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
 when: account.secret_type == "ssh_key"

+ - name: "Set {{ account.username }} sudo setting"
+ ansible.builtin.lineinfile:
+ dest: /etc/sudoers
+ state: present
+ regexp: "^{{ account.username }} ALL="
+ line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
+ validate: visudo -cf %s
+ when:
+ - user_info.failed
+ - params.sudo
+
 - name: Refresh connection
 ansible.builtin.meta: reset_connection

- - name: Verify password
+ - name: "Verify {{ account.username }} password"
 ansible.builtin.ping:
 become: no
 vars:
@@ -65,7 +82,7 @@
 ansible_become: no
 when: account.secret_type == "password"

- - name: Verify SSH key
+ - name: "Verify {{ account.username }} SSH key"
 ansible.builtin.ping:
 become: no
 vars:
diff --git a/apps/accounts/automations/change_secret/host/posix/manifest.yml b/apps/accounts/automations/change_secret/host/posix/manifest.yml
index 4e42cfe02..5ac914595 100644
--- a/apps/accounts/automations/change_secret/host/posix/manifest.yml
+++ b/apps/accounts/automations/change_secret/host/posix/manifest.yml
@@ -6,6 +6,12 @@ type:
 - linux
 method: change_secret
 params:
+ - name: sudo
+ type: str
+ label: 'Sudo'
+ default: '/bin/whoami'
+ help_text: '使用逗号分隔多个命令,如: /bin/whoami,/sbin/ifconfig'
+
 - name: shell
 type: str
 label: 'Shell'