perf: change secret perf (#11120)

Co-authored-by: feng <1304903146@qq.com>
pull/11128/head
fit2bot 2023-07-28 17:00:55 +08:00 committed by GitHub
parent 83917cb440
commit c201914bc8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 113 additions and 45 deletions


@ -1,10 +1,41 @@
- hosts: demo - hosts: demo
gather_facts: no gather_facts: no
tasks: tasks:
- name: Test privileged account - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping: ansible.builtin.ping:
- name: Change password - name: "Check if {{ account.username }} user exists"
getent:
database: passwd
key: "{{ account.username }}"
register: user_info
ignore_errors: yes # 忽略错误如果用户不存在时不会导致playbook失败
- name: "Add {{ account.username }} user"
ansible.builtin.user:
name: "{{ account.username }}"
shell: "{{ params.shell }}"
home: "{{ params.home | default('/home/' + account.username, true) }}"
groups: "{{ params.groups }}"
expires: -1
state: present
when: user_info.failed
- name: "Add {{ account.username }} group"
ansible.builtin.group:
name: "{{ account.username }}"
state: present
when: user_info.failed
- name: "Add {{ account.username }} user to group"
ansible.builtin.user:
name: "{{ account.username }}"
groups: "{{ params.groups }}"
when:
- user_info.failed
- params.groups
- name: "Change {{ account.username }} password"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
password: "{{ account.secret | password_hash('des') }}" password: "{{ account.secret | password_hash('des') }}"
@ -12,11 +43,6 @@
ignore_errors: true ignore_errors: true
when: account.secret_type == "password" when: account.secret_type == "password"
- name: create user If it already exists, no operation will be performed
ansible.builtin.user:
name: "{{ account.username }}"
when: account.secret_type == "ssh_key"
- name: remove jumpserver ssh key - name: remove jumpserver ssh key
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ ssh_params.dest }}" dest: "{{ ssh_params.dest }}"
@ -26,17 +52,28 @@
- account.secret_type == "ssh_key" - account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms" - ssh_params.strategy == "set_jms"
- name: Change SSH key - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key: ansible.builtin.authorized_key:
user: "{{ account.username }}" user: "{{ account.username }}"
key: "{{ account.secret }}" key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}" exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
- name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile:
dest: /etc/sudoers
state: present
regexp: "^{{ account.username }} ALL="
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s
when:
- user_info.failed
- params.sudo
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: Verify password - name: "Verify {{ account.username }} password"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
@ -45,7 +82,7 @@
ansible_become: no ansible_become: no
when: account.secret_type == "password" when: account.secret_type == "password"
- name: Verify SSH key - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
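Review bot: The new creation and sudo tasks (from `Check if {{ account.username }} user exists` through `Set {{ account.username }} sudo setting`) all key off `user_info.failed`, but with `ignore_errors: yes` on the getent lookup that flag is also set when the lookup itself fails (NSS/LDAP backend unreachable, non-"not found" exit), so a transient directory outage would create a local user and append a `NOPASSWD` line to /etc/sudoers for it. Prefer having getent report a missing key without failing — `fail_key: false` (if the installed getent module supports it) — and gate the tasks on `when: user_info.ansible_facts.getent_passwd[account.username] is none`, so a genuine lookup error aborts the play instead of being read as "absent". The sudoers `regexp` also interpolates the raw username; a name containing `.` or other regex metacharacters can match another user's line, so use `regexp: "^{{ account.username | regex_escape() }} ALL="`. The inline comment on the getent task is in Chinese while the rest of the file is English; `# a missing user must not fail the play` says the same thing for every maintainer.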


@ -1,10 +1,17 @@
- hosts: demo - hosts: demo
gather_facts: no gather_facts: no
tasks: tasks:
- name: Test privileged account - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping: ansible.builtin.ping:
- name: Check user - name: "Check if {{ account.username }} user exists"
getent:
database: passwd
key: "{{ account.username }}"
register: user_info
ignore_errors: yes # 忽略错误如果用户不存在时不会导致playbook失败
- name: "Add {{ account.username }} user"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
shell: "{{ params.shell }}" shell: "{{ params.shell }}"
@ -12,19 +19,23 @@
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
expires: -1 expires: -1
state: present state: present
when: user_info.failed
- name: "Add {{ account.username }} group" - name: "Add {{ account.username }} group"
ansible.builtin.group: ansible.builtin.group:
name: "{{ account.username }}" name: "{{ account.username }}"
state: present state: present
when: user_info.failed
- name: Add user groups - name: "Add {{ account.username }} user to group"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
when: params.groups when:
- user_info.failed
- params.groups
- name: Change password - name: "Change {{ account.username }} password"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
password: "{{ account.secret | password_hash('sha512') }}" password: "{{ account.secret | password_hash('sha512') }}"
@ -32,11 +43,6 @@
ignore_errors: true ignore_errors: true
when: account.secret_type == "password" when: account.secret_type == "password"
- name: create user If it already exists, no operation will be performed
ansible.builtin.user:
name: "{{ account.username }}"
when: account.secret_type == "ssh_key"
- name: remove jumpserver ssh key - name: remove jumpserver ssh key
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: "{{ ssh_params.dest }}" dest: "{{ ssh_params.dest }}"
@ -46,14 +52,14 @@
- account.secret_type == "ssh_key" - account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms" - ssh_params.strategy == "set_jms"
- name: Change SSH key - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key: ansible.builtin.authorized_key:
user: "{{ account.username }}" user: "{{ account.username }}"
key: "{{ account.secret }}" key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}" exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
- name: Set sudo setting - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/sudoers dest: /etc/sudoers
state: present state: present
@ -61,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}" line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s validate: visudo -cf %s
when: when:
- user_info.failed
- params.sudo - params.sudo
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: Verify password - name: "Verify {{ account.username }} password"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
@ -75,7 +82,7 @@
ansible_become: no ansible_become: no
when: account.secret_type == "password" when: account.secret_type == "password"
- name: Verify SSH key - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
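Review bot: Adding `when: user_info.failed` to the group, `groups` and sudo tasks means an account that already exists on the host now only gets its secret rotated — changes to `params.shell`, `params.groups` or `params.sudo` are never reconciled for it, which the "perf" title does not make explicit. If that is the intent, a comment above the getent task such as `# shell/groups/sudo are applied only when the account is created; existing accounts only get the secret` would stop the next reader from assuming drift is corrected; if reconciliation is wanted, the `user` and `lineinfile` tasks are idempotent and the extra gate can be dropped from them. The sudo task's `name:` and `regexp:` lines sit above the last hunk, so its full body is not visible here.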


@ -1,10 +1,17 @@
- hosts: demo - hosts: demo
gather_facts: no gather_facts: no
tasks: tasks:
- name: Test privileged account - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping: ansible.builtin.ping:
- name: Push user - name: "Check if {{ account.username }} user exists"
getent:
database: passwd
key: "{{ account.username }}"
register: user_info
ignore_errors: yes # 忽略错误如果用户不存在时不会导致playbook失败
- name: "Add {{ account.username }} user"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
shell: "{{ params.shell }}" shell: "{{ params.shell }}"
@ -12,22 +19,26 @@
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
expires: -1 expires: -1
state: present state: present
when: user_info.failed
- name: "Add {{ account.username }} group" - name: "Add {{ account.username }} group"
ansible.builtin.group: ansible.builtin.group:
name: "{{ account.username }}" name: "{{ account.username }}"
state: present state: present
when: user_info.failed
- name: Add user groups - name: "Add {{ account.username }} user to group"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
when: params.groups when:
- user_info.failed
- params.groups
- name: Push user password - name: "Change {{ account.username }} password"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
password: "{{ account.secret | password_hash('sha512') }}" password: "{{ account.secret | password_hash('des') }}"
update_password: always update_password: always
ignore_errors: true ignore_errors: true
when: account.secret_type == "password" when: account.secret_type == "password"
@ -41,14 +52,14 @@
- account.secret_type == "ssh_key" - account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms" - ssh_params.strategy == "set_jms"
- name: Push SSH key - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key: ansible.builtin.authorized_key:
user: "{{ account.username }}" user: "{{ account.username }}"
key: "{{ account.secret }}" key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}" exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
- name: Set sudo setting - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/sudoers dest: /etc/sudoers
state: present state: present
@ -56,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}" line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s validate: visudo -cf %s
when: when:
- user_info.failed
- params.sudo - params.sudo
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: Verify password - name: "Verify {{ account.username }} password"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
@ -70,7 +82,7 @@
ansible_become: no ansible_become: no
when: account.secret_type == "password" when: account.secret_type == "password"
- name: Verify SSH key - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
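Review bot: `password_hash('des')` in the `Change {{ account.username }} password` task replaces the previous `sha512`; DES crypt silently truncates the secret to its first 8 characters and the resulting hash is brute-forceable in minutes, and the later verify task will still pass because crypt(3) truncates the same way at login, so the weakening is invisible to the playbook. If this playbook targets a platform whose crypt(3) cannot consume a `$6$` hash (the first file in this commit already used `des`, which suggests that is the case), add a why-comment saying so next to the line and prefer the platform's strongest supported scheme; otherwise restore `password: "{{ account.secret | password_hash('sha512') }}"`. Either way this is the one line in the commit that reduces security and should not land without a comment explaining the choice.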


@ -1,10 +1,17 @@
- hosts: demo - hosts: demo
gather_facts: no gather_facts: no
tasks: tasks:
- name: Test privileged account - name: "Test privileged {{ jms_account.username }} account"
ansible.builtin.ping: ansible.builtin.ping:
- name: Push user - name: "Check if {{ account.username }} user exists"
getent:
database: passwd
key: "{{ account.username }}"
register: user_info
ignore_errors: yes # 忽略错误如果用户不存在时不会导致playbook失败
- name: "Add {{ account.username }} user"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
shell: "{{ params.shell }}" shell: "{{ params.shell }}"
@ -12,19 +19,23 @@
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
expires: -1 expires: -1
state: present state: present
when: user_info.failed
- name: "Add {{ account.username }} group" - name: "Add {{ account.username }} group"
ansible.builtin.group: ansible.builtin.group:
name: "{{ account.username }}" name: "{{ account.username }}"
state: present state: present
when: user_info.failed
- name: Add user groups - name: "Add {{ account.username }} user to group"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
groups: "{{ params.groups }}" groups: "{{ params.groups }}"
when: params.groups when:
- user_info.failed
- params.groups
- name: Push user password - name: "Change {{ account.username }} password"
ansible.builtin.user: ansible.builtin.user:
name: "{{ account.username }}" name: "{{ account.username }}"
password: "{{ account.secret | password_hash('sha512') }}" password: "{{ account.secret | password_hash('sha512') }}"
@ -41,14 +52,14 @@
- account.secret_type == "ssh_key" - account.secret_type == "ssh_key"
- ssh_params.strategy == "set_jms" - ssh_params.strategy == "set_jms"
- name: Push SSH key - name: "Change {{ account.username }} SSH key"
ansible.builtin.authorized_key: ansible.builtin.authorized_key:
user: "{{ account.username }}" user: "{{ account.username }}"
key: "{{ account.secret }}" key: "{{ account.secret }}"
exclusive: "{{ ssh_params.exclusive }}" exclusive: "{{ ssh_params.exclusive }}"
when: account.secret_type == "ssh_key" when: account.secret_type == "ssh_key"
- name: Set sudo setting - name: "Set {{ account.username }} sudo setting"
ansible.builtin.lineinfile: ansible.builtin.lineinfile:
dest: /etc/sudoers dest: /etc/sudoers
state: present state: present
@ -56,12 +67,13 @@
line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}" line: "{{ account.username + ' ALL=(ALL) NOPASSWD: ' + params.sudo }}"
validate: visudo -cf %s validate: visudo -cf %s
when: when:
- user_info.failed
- params.sudo - params.sudo
- name: Refresh connection - name: Refresh connection
ansible.builtin.meta: reset_connection ansible.builtin.meta: reset_connection
- name: Verify password - name: "Verify {{ account.username }} password"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
@ -70,7 +82,7 @@
ansible_become: no ansible_become: no
when: account.secret_type == "password" when: account.secret_type == "password"
- name: Verify SSH key - name: "Verify {{ account.username }} SSH key"
ansible.builtin.ping: ansible.builtin.ping:
become: no become: no
vars: vars:
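Review bot: The new lookup task uses the bare `getent:` module name while every other task in the file uses a fully-qualified collection name; `getent` lives in `community.general`, so `community.general.getent:` makes the dependency explicit and does not depend on short-name routing being present on the control node. The `user_info.failed` gate is now also on the `Set {{ account.username }} sudo setting` task (its `name:` and `regexp:` are above this hunk), so `params.sudo` is only ever written for a freshly created account; a short comment above the getent task stating that existing accounts are not reconciled would make that limitation visible to whoever later changes `params.sudo` for an account that was already pushed.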