1. 新增 PermPush表, 用于记录角色的推送记录

2. 角色权限以来 sudo 完成。
2015-11-26 17:23:16 +08:00 · 2015-11-26 17:23:16 +08:00 · 951467f8ca
parent 1a0c9cd4e6
commit 951467f8ca
6 changed files with 109 additions and 43 deletions
--- a/jperm/ansible_api.py
+++ b/jperm/ansible_api.py
@ -233,6 +233,7 @@ class Tasks(Command):
                     )

        self.results = hoc.run()
+        return {"msg": self.msg, "result": self.results}

    @property
    def msg(self):
@ -400,13 +401,29 @@ class Tasks(Command):

        return {"failed": self.msg, "ok": result}

-    def push_sudo(self, role_custo, role_name, role_chosen):
+    def push_sudo_file(self, file_path):
        """
        use template to render pushed sudoers file
        :return:
        """
-        module_args = 'src=%s dest=%s owner=root group=root mode=0440' % (username, encrypt_pass)
-        self.__run(module_args, "template")
+        module_args1 = 'src=%s dest=%s owner=root group=root mode=0440' % (file_path, '/etc/sudoers')
+        ret1 = self.__run(module_args1, "copy")
+        module_args2 = 'visudo -c | grep "parsed OK" &> /dev/null && echo "ok" || echo "failed"'
+        ret2 = self.__run(module_args2, "shell")
+        ret2_status = [host_value.get("stdout") for host_value in ret2["result"]["contacted"].values()]
+
+        result = {}
+        if not ret1["msg"]:
+            result["step1"] = "ok"
+        else:
+            result["step1"] = "failed"
+
+        if not ret2["msg"] and "failed" not in ret2_status:
+            result["step2"] = "ok"
+        else:
+            result["step2"] = "failed"
+
+        return result


 class CustomAggregateStats(callbacks.AggregateStats):
@ -427,7 +444,6 @@ class CustomAggregateStats(callbacks.AggregateStats):

        self.results.append(runner_results)

-
    def summarize(self, host):
        """                                                                         
        Return information about a particular host                                  
--- a/jperm/models.py
+++ b/jperm/models.py
@ -55,5 +55,13 @@ class PermRule(models.Model):
        return self.name


+class PermPush(models.Model):
+    date_added = models.DateTimeField(auto_now=True)
+    asset = models.ManyToManyField(Asset, related_name='perm_push')
+    asset_group = models.ManyToManyField(AssetGroup, related_name='perm_push')
+    role = models.ManyToManyField(PermRole, related_name='perm_push')
+    is_public_key = models.BooleanField(default=False)
+    is_password = models.BooleanField(default=False)
+


--- a/jperm/utils.py
+++ b/jperm/utils.py
@ -8,6 +8,7 @@ from os import chmod, makedirs
 from uuid import uuid4
 from django.template.loader import get_template
 from django.template import Context
+from tempfile import NamedTemporaryFile

 from jumpserver.settings import KEY_DIR

@ -88,6 +89,21 @@ def gen_sudo(role_custom, role_name, role_chosen):
    return sudo_file_path


+def get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj):
+    """
+    get the sudo file
+    :param kwargs:
+    :return:
+    """
+    sudo_j2 = get_template('jperm/role_sudo.j2')
+    sudo_content = sudo_j2.render(Context({"sudo_chosen_aliase": sudo_chosen_aliase,
+                                           "sudo_chosen_obj": sudo_chosen_obj}))
+    sudo_file = NamedTemporaryFile(delete=False)
+    sudo_file.write(sudo_content)
+    sudo_file.close()
+
+    return sudo_file.name
+

 if __name__ == "__main__":
    print gen_keys()
--- a/jperm/views.py
+++ b/jperm/views.py
@ -6,13 +6,12 @@ from jperm.models import PermLog as Log
 from jperm.models import SysUser
 from juser.user_api import gen_ssh_key

-
 from juser.models      import User, UserGroup
 from jasset.models     import Asset, AssetGroup
-from jperm.models      import PermRole, PermRule, PermSudo
+from jperm.models      import PermRole, PermRule, PermSudo, PermPush
 from jumpserver.models import Setting

-from jperm.utils       import updates_dict, gen_keys, get_rand_pass
+from jperm.utils       import updates_dict, gen_keys, get_rand_pass, get_sudo_file
 from jperm.ansible_api import Tasks
 from jperm.perm_api    import get_role_info

@ -448,24 +447,61 @@ def perm_role_push(request):
        key_push = request.POST.get("use_publicKey")
        task = Tasks(push_resource)
        ret = {}
-        ret_failed = []
+        ret_failed = {}

-        # 因为要先建立用户，所以password 是必选项，
-        # 而push key是在 password也完成的情况下的 可选项
-        ret["password_push"] = task.add_multi_user(**role_pass)
-        if ret["password_push"].get("status") != "success":
-            ret_failed.append(1)
+        # 因为要先建立用户，所以password 是必选项，而push key是在 password也完成的情况下的 可选项
+        # 1. 以password 方式推送角色
+        if password_push:
+            ret["password_push"] = task.add_multi_user(**role_pass)
+            if ret["password_push"].get("status") != "success":
+                ret_failed["step1"] == "failed"

+        # 2. 以秘钥 方式推送角色
        if key_push:
+            ret["password_push"] = task.add_multi_user(**role_pass)
+            if ret["password_push"].get("status") != "success":
+                ret_failed["step2-1"] == "failed"
            ret["key_push"] = task.push_multi_key(**role_key)
            if ret["key_push"].get("status") != "success":
-                ret_failed.append(1)
+                ret_failed["step2-2"] == "failed"

-        print ret
+        # 3. 推送sudo配置文件
+        sudo_chosen_aliase = {}
+        sudo_alias = []
+        for role in roles_obj:
+            role_alias = [sudo.name for sudo in role.sudo.all()]
+            sudo_alias.extend(role_alias)
+            sudo_chosen_aliase[role.name] = ','.join(role_alias)
+        sudo_chosen_obj = [PermSudo.objects.get(name=sudo_name) for sudo_name in set(sudo_alias)]
+        sudo_file = get_sudo_file(sudo_chosen_aliase, sudo_chosen_obj)
+        ret_sudo = task.push_sudo_file(sudo_file)
+        if ret_sudo["step1"] != "ok" and ret_sudo["step2"] != "ok":
+            ret_failed["step3"] == "failed"
+
+        # 结果汇总统计
        if ret_failed:
-            return HttpResponse(u"推送失败")
+            # 推送失败
+            msg = u"推送失败, 原因: %s 失败" % ','.join(ret_failed.keys())
        else:
-            return HttpResponse(u"推送系统角色： %s" % ','.join(role_names))
+            # 推送成功 写会push表
+            msg = u"推送系统角色： %s" % ','.join(role_names)
+            push = PermPush(is_public_key=bool(key_push), is_password=bool(password_push))
+            push.save()
+            push.asset_group = asset_groups_obj
+            push.asset = calc_assets
+            push.role = roles_obj
+            push.save()
+
+        # 渲染 刷新数据
+        header_title, path1, path2 = "系统角色", "角色管理", "查看角色"
+        roles_list = PermRole.objects.all()
+        # TODO: 搜索和分页
+        keyword = request.GET.get('search', '')
+        if keyword:
+            roles_list = roles_list.filter(Q(name=keyword))
+
+        roles_list, p, roles, page_range, current_page, show_first, show_end = pages(roles_list, request)
+        return my_render('jperm/perm_role_list.html', locals(), request)


@require_role('admin')
--- a/templates/jperm/perm_role_push.html
+++ b/templates/jperm/perm_role_push.html
@ -77,6 +77,16 @@
                                        </div>
                                    </div>
                                </div>
+                                <div class="form-group">
+                                    <label for="j_group" class="col-sm-2 control-label">使用密码</label>
+                                    <div class="col-sm-1">
+                                        <div class="radio i-checks">
+                                            <label>
+                                                <input type="checkbox" value="1" id="use_password" name="use_password">
+                                            </label>
+                                        </div>
+                                    </div>
+                                </div>
                            </div>
                            <div class="hr-line-dashed"></div>
                            <div class="form-group">
--- a/templates/jperm/role_sudo.j2
+++ b/templates/jperm/role_sudo.j2
@ -23,34 +23,13 @@
 ## Command Aliases
 ## These are groups of related commands...

-## Networking
-Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
+{% for sudo in sudo_chosen_obj %}
+Cmnd_Alias {{ sudo.name }} = {{ sudo.commands }}
+{% endfor %}

-## Installation and management of software
-Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum

-## Services
-Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig

-## Updating the locate database
-Cmnd_Alias LOCATE = /usr/bin/updatedb

-## Storage
-Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
-
-## Delegating permissions
-Cmnd_Alias DELEGATING = /bin/chown, /bin/chmod, /bin/chgrp
-
-## Processes
-Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
-
-## Drivers
-Cmnd_Alias DRIVERS = /sbin/modprobe
-
-## Custom
-{% if {{ role_custom }} %}
-{% Cmnd_Alias CUSTOM = {{ role_custom }} %}
-{% endif %}

 # Defaults specification

@ -102,8 +81,9 @@ Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
 ## Allow root to run any commands anywhere
 root    ALL=(ALL)       ALL

-{{ role_name }} ALL = {{ role_chosen }}
-
+{% for role, alias in sudo_chosen_aliase.items %}
+{{ role }} ALL = {{ alias }}
+{% endfor %}

 ## Allows members of the 'sys' group to run networking, software,
 ## service management apps and more.