diff --git a/apps/accounts/automations/change_secret/host/aix/main.yml b/apps/accounts/automations/change_secret/host/aix/main.yml
index 761a9c2c1..daddc4d01 100644
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -52,6 +52,7 @@
 password: "{{ account.secret | password_hash('des') }}"
 update_password: always
 ignore_errors: true
+ register: change_secret_result
 when: account.secret_type == "password"
 - name: remove jumpserver ssh key
@@ -68,6 +69,7 @@
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
+ register: change_secret_result
 when: account.secret_type == "ssh_key"
 - name: Refresh connection
@@ -86,7 +88,9 @@
 become_password: "{{ account.become.ansible_password | default('') }}"
 become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "password"
+ when:
+ - account.secret_type == "password"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
 - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -97,5 +101,7 @@
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "ssh_key"
+ when:
+ - account.secret_type == "ssh_key"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
diff --git a/apps/accounts/automations/change_secret/host/posix/main.yml b/apps/accounts/automations/change_secret/host/posix/main.yml
index d166de81f..0c9650f01 100644
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
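Review bot: Both the password task (hunk @@ -52) and the ssh-key task (hunk @@ -68) register into the same `change_secret_result`, and Ansible still registers a result for a task skipped by its `when`, so for a password account the skipped ssh-key task overwrites the password task's result before the verify tasks in hunks @@ -86 and @@ -97 read `change_secret_result.failed`. A skipped result appears to carry no `failed` key, so once `check_conn_after_change` is false the `or` branch is evaluated against it and is likely to abort the conditional with an undefined-attribute error rather than fall back to the login check. Give the ssh-key task its own variable, `register: change_ssh_key_result`, and in the SSH-key verify task use `- check_conn_after_change or change_ssh_key_result is failed` (the password verify likewise `change_secret_result is failed`), using the `failed` test rather than attribute access so a missing key reads as false. The same pattern is repeated in change_secret/host/posix/main.yml, push_account/host/aix/main.yml and push_account/host/posix/main.yml. The task bodies start outside these hunks.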
@@ -52,6 +52,7 @@
 password: "{{ account.secret | password_hash('sha512') }}"
 update_password: always
 ignore_errors: true
+ register: change_secret_result
 when: account.secret_type == "password"
 - name: remove jumpserver ssh key
@@ -68,6 +69,7 @@
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
+ register: change_secret_result
 when: account.secret_type == "ssh_key"
 - name: Refresh connection
@@ -86,7 +88,9 @@
 become_password: "{{ account.become.ansible_password | default('') }}"
 become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "password"
+ when:
+ - account.secret_type == "password"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
 - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -97,5 +101,7 @@
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "ssh_key"
+ when:
+ - account.secret_type == "ssh_key"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
diff --git a/apps/accounts/automations/push_account/host/aix/main.yml b/apps/accounts/automations/push_account/host/aix/main.yml
index 8c03c07f3..6c1a8004d 100644
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -52,6 +52,7 @@
 password: "{{ account.secret | password_hash('des') }}"
 update_password: always
 ignore_errors: true
+ register: change_secret_result
 when: account.secret_type == "password"
 - name: remove jumpserver ssh key
@@ -68,6 +69,7 @@
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
+ register: change_secret_result
 when: account.secret_type == "ssh_key"
 - name: Refresh connection
@@ -86,7 +88,9 @@
 become_password: "{{ account.become.ansible_password | default('') }}"
 become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "password"
+ when:
+ - account.secret_type == "password"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
 - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -97,6 +101,8 @@
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "ssh_key"
+ when:
+ - account.secret_type == "ssh_key"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
diff --git a/apps/accounts/automations/push_account/host/posix/main.yml b/apps/accounts/automations/push_account/host/posix/main.yml
index 8bc433f5a..f439ba2ff 100644
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -52,6 +52,7 @@
 password: "{{ account.secret | password_hash('sha512') }}"
 update_password: always
 ignore_errors: true
+ register: change_secret_result
 when: account.secret_type == "password"
 - name: remove jumpserver ssh key
@@ -68,6 +69,7 @@
 user: "{{ account.username }}"
 key: "{{ account.secret }}"
 exclusive: "{{ ssh_params.exclusive }}"
+ register: change_secret_result
 when: account.secret_type == "ssh_key"
 - name: Refresh connection
@@ -86,7 +88,9 @@
 become_password: "{{ account.become.ansible_password | default('') }}"
 become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "password"
+ when:
+ - account.secret_type == "password"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
 - name: "Verify {{ account.username }} SSH KEY (paramiko)"
@@ -97,6 +101,8 @@
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
 old_ssh_version: "{{ jms_asset.old_ssh_version | default(False) }}"
- when: account.secret_type == "ssh_key"
+ when:
+ - account.secret_type == "ssh_key"
+ - check_conn_after_change or change_secret_result.failed
 delegate_to: localhost
diff --git a/apps/assets/automations/base/manager.py b/apps/assets/automations/base/manager.py
index eeb427506..67406666b 100644
--- a/apps/assets/automations/base/manager.py
+++ b/apps/assets/automations/base/manager.py
@@ -187,6 +187,7 @@ class BasePlaybookManager:
 host['error'] = _('{} disabled'.format(self.__class__.method_type()))
 return host
+ host['check_conn_after_change'] = settings.CHECK_CONN_AFTER_CHANGE
 host = self.convert_cert_to_file(host, kwargs.get('path_dir'))
 host['params'] = self.get_params(automation, method_type)
 return host
diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 8ae556f93..0791e85ae 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -488,6 +488,7 @@ class Config(dict):
 'TERMINAL_OMNIDB_ENABLED': True,
 # 安全配置
+ 'CHECK_CONN_AFTER_CHANGE': True,
 'SECURITY_MFA_AUTH': 0, # 0 不开启 1 全局开启 2 管理员开启
 'SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY': True,
 'SECURITY_COMMAND_EXECUTION': False,
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 11da6b89d..ae903a629 100644
--- a/apps/jumpserver/settings/custom.py
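Review bot: The new `host['check_conn_after_change'] = settings.CHECK_CONN_AFTER_CHANGE` line in manager.py says nothing about who reads the key, and nothing in this module shows that it is the `when` conditions of the post-change verify tasks in the change_secret and push_account playbooks. Add a why-comment on that line: `# read by the playbooks' post-change verify tasks; False skips the login check unless the change task itself failed`. The `settings` name is used here but its import is not visible in the hunk, so presumably it is already imported by this module; worth confirming. The enclosing method starts and ends outside the hunk.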
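Review bot: `'CHECK_CONN_AFTER_CHANGE': True,` in conf.py is added under the `# 安全配置` heading but, unlike the neighbouring `SECURITY_MFA_AUTH` entry, carries no comment on what it controls or on the consequence of turning it off. With it disabled, a changed or pushed secret is recorded without the login verification unless the change task itself reported failure, which is the kind of trade-off an operator needs to see next to the default. Suggest `'CHECK_CONN_AFTER_CHANGE': True,  # verify login after a secret is changed/pushed; False skips the check unless the change task failed`.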
+++ b/apps/jumpserver/settings/custom.py
@@ -32,6 +32,8 @@ TERMINAL_REPLAY_STORAGE = CONFIG.TERMINAL_REPLAY_STORAGE
 FTP_FILE_MAX_STORE = CONFIG.FTP_FILE_MAX_STORE
 # Security settings
+CHECK_CONN_AFTER_CHANGE = CONFIG.CHECK_CONN_AFTER_CHANGE
+
 SECURITY_MFA_AUTH = CONFIG.SECURITY_MFA_AUTH
 SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY = CONFIG.SECURITY_MFA_AUTH_ENABLED_FOR_THIRD_PARTY
 SECURITY_MAX_IDLE_TIME = CONFIG.SECURITY_MAX_IDLE_TIME # Unit: minute