diff --git a/apps/accounts/automations/change_secret/custom/ssh/main.yml b/apps/accounts/automations/change_secret/custom/ssh/main.yml
index b35d2175a..7e30bf62b 100644
--- a/apps/accounts/automations/change_secret/custom/ssh/main.yml
+++ b/apps/accounts/automations/change_secret/custom/ssh/main.yml
@@ -47,4 +47,8 @@
 login_password: "{{ account.secret }}"
 login_host: "{{ jms_asset.address }}"
 login_port: "{{ jms_asset.port }}"
- become: false
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: su
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
diff --git a/apps/accounts/automations/change_secret/host/aix/main.yml b/apps/accounts/automations/change_secret/host/aix/main.yml
index 56fde8a2c..e86319ce1 100644
--- a/apps/accounts/automations/change_secret/host/aix/main.yml
+++ b/apps/accounts/automations/change_secret/host/aix/main.yml
@@ -80,7 +80,11 @@
 login_host: "{{ jms_asset.address }}"
 login_port: "{{ jms_asset.port }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: su
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 when: account.secret_type == "password"
 delegate_to: localhost
@@ -91,6 +95,5 @@
 login_user: "{{ account.username }}"
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
 when: account.secret_type == "ssh_key"
 delegate_to: localhost
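Review bot: `become_method: su` is hard-coded in the added block of the change_secret/custom/ssh task and in the `secret_type == "password"` task of change_secret/host/aix, although the `become` dict that feeds these templates carries the real method in `account.become.ansible_become_method` (`sudo` whenever the platform's su_method is not `su`), so on a sudo platform the custom module is told to use `su`, diverging from the verify_account/custom/ssh playbook in this same commit, which uses `account.become.ansible_become_method | default('su')`. The same hard-coded line appears in change_secret/host/posix, push_account/host/aix and push_account/host/posix; the fix in each is `become_method: "{{ account.become.ansible_become_method | default('su') }}"`. The `secret_type == "ssh_key"` tasks drop `become: false` without adding the new vars, so whether they switch users now depends on the module's default for `become`; if that default is not false, the key-based path changes behaviour silently. Only the verify_account manager in this commit populates `account.become`, so the change_secret and push_account inventories presumably set it elsewhere — worth confirming, since otherwise every `account.become.*` reference here depends on chained-undefined handling before `default()` applies.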
diff --git a/apps/accounts/automations/change_secret/host/posix/main.yml b/apps/accounts/automations/change_secret/host/posix/main.yml
index 1dca70a5a..6ac4b7aa9 100644
--- a/apps/accounts/automations/change_secret/host/posix/main.yml
+++ b/apps/accounts/automations/change_secret/host/posix/main.yml
@@ -80,7 +80,11 @@
 login_host: "{{ jms_asset.address }}"
 login_port: "{{ jms_asset.port }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: su
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 when: account.secret_type == "password"
 delegate_to: localhost
@@ -91,6 +95,5 @@
 login_user: "{{ account.username }}"
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
 when: account.secret_type == "ssh_key"
 delegate_to: localhost
diff --git a/apps/accounts/automations/push_account/host/aix/main.yml b/apps/accounts/automations/push_account/host/aix/main.yml
index 0e6fba5c5..b0256348c 100644
--- a/apps/accounts/automations/push_account/host/aix/main.yml
+++ b/apps/accounts/automations/push_account/host/aix/main.yml
@@ -80,7 +80,11 @@
 login_host: "{{ jms_asset.address }}"
 login_port: "{{ jms_asset.port }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: su
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 when: account.secret_type == "password"
 delegate_to: localhost
@@ -91,7 +95,6 @@
 login_user: "{{ account.username }}"
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
 when: account.secret_type == "ssh_key"
 delegate_to: localhost
diff --git a/apps/accounts/automations/push_account/host/posix/main.yml b/apps/accounts/automations/push_account/host/posix/main.yml
index ea5128b17..2d2cc8e3e 100644
--- a/apps/accounts/automations/push_account/host/posix/main.yml
+++ b/apps/accounts/automations/push_account/host/posix/main.yml
@@ -80,7 +80,11 @@
 login_host: "{{ jms_asset.address }}"
 login_port: "{{ jms_asset.port }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: su
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
 when: account.secret_type == "password"
 delegate_to: localhost
@@ -91,7 +95,6 @@
 login_user: "{{ account.username }}"
 login_private_key_path: "{{ account.private_key_path }}"
 gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
- become: false
 when: account.secret_type == "ssh_key"
 delegate_to: localhost
diff --git a/apps/accounts/automations/verify_account/custom/ssh/main.yml b/apps/accounts/automations/verify_account/custom/ssh/main.yml
index 4e35b9587..c565f6f83 100644
--- a/apps/accounts/automations/verify_account/custom/ssh/main.yml
+++ b/apps/accounts/automations/verify_account/custom/ssh/main.yml
@@ -13,8 +13,8 @@
 login_password: "{{ account.secret }}"
 login_secret_type: "{{ account.secret_type }}"
 login_private_key_path: "{{ account.private_key_path }}"
- become: "{{ custom_become | default(False) }}"
- become_method: "{{ custom_become_method | default('su') }}"
- become_user: "{{ custom_become_user | default('') }}"
- become_password: "{{ custom_become_password | default('') }}"
- become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+ become: "{{ account.become.ansible_become | default(False) }}"
+ become_method: "{{ account.become.ansible_become_method | default('su') }}"
+ become_user: "{{ account.become.ansible_user | default('') }}"
+ become_password: "{{ account.become.ansible_password | default('') }}"
+ become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
diff --git a/apps/accounts/automations/verify_account/host/posix/main.yml b/apps/accounts/automations/verify_account/host/posix/main.yml
index b096f9d84..49e84e5ee 100644
--- a/apps/accounts/automations/verify_account/host/posix/main.yml
+++ b/apps/accounts/automations/verify_account/host/posix/main.yml
@@ -1,11 +1,23 @@
 - hosts: demo
 gather_facts: no
 tasks:
- - name: Verify account connectivity
- become: no
+ - name: Verify account connectivity(Do not switch)
 ansible.builtin.ping:
 vars:
 ansible_become: no
 ansible_user: "{{ account.username }}"
 ansible_password: "{{ account.secret }}"
 ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+ when: not account.become.ansible_become
+
+ - name: Verify account connectivity(Switch)
+ ansible.builtin.ping:
+ vars:
+ ansible_become: yes
+ ansible_user: "{{ account.become.ansible_user }}"
+ ansible_password: "{{ account.become.ansible_password }}"
+ ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
+ ansible_become_method: "{{ account.become.ansible_become_method }}"
+ ansible_become_user: "{{ account.become.ansible_become_user }}"
+ ansible_become_password: "{{ account.become.ansible_become_password }}"
+ when: account.become.ansible_become
diff --git a/apps/accounts/automations/verify_account/manager.py b/apps/accounts/automations/verify_account/manager.py
index b0e4a10ab..18478fb21 100644
--- a/apps/accounts/automations/verify_account/manager.py
+++ b/apps/accounts/automations/verify_account/manager.py
@@ -42,7 +42,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
 if host.get('error'):
 return host
- # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
 accounts = asset.accounts.all()
 accounts = self.get_accounts(account, accounts)
 inventory_hosts = []
@@ -64,7 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
 'username': account.username,
 'secret_type': account.secret_type,
 'secret': secret,
- 'private_key_path': private_key_path
+ 'private_key_path': private_key_path,
+ 'become': account.get_ansible_become_auth(),
 }
 if account.platform.type == 'oracle':
 h['account']['mode'] = 'sysdba' if account.privileged else None
diff --git a/apps/accounts/models/account.py b/apps/accounts/models/account.py
index 1bdf6e83d..644961ff7 100644
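Review bot: In the new `Verify account connectivity(Switch)` task, `ansible_password` and `ansible_ssh_private_key_file` reference `account.become.*` keys that `make_account_ansible_vars` (account.py hunk below) sets only when the su-from account has a secret, whereas `ansible_become` is true whenever the platform has su enabled and a `su_from` exists; for a su-from account without a secret the task therefore aborts with an undefined-variable error instead of producing a verification result. Both `when` conditions also dereference `account.become.ansible_become` without a `default`, unlike the `| default(False)` used in the sibling playbooks, so any inventory that omits `become` fails the whole play. Consider `ansible_password: "{{ account.become.ansible_password | default(omit) }}"`, the same `| default(omit)` on `ansible_ssh_private_key_file`, and `when: account.become.ansible_become | default(False)` (negated on the first task). The `'become': account.get_ansible_become_auth()` entry added in the manager.py hunk on this same line puts the su-from account's plaintext secret into the inventory next to the target account's, so a comment there saying the dict carries credentials and must not be logged would help the next reader.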
--- a/apps/accounts/models/account.py
+++ b/apps/accounts/models/account.py
@@ -95,6 +95,33 @@ class Account(AbsConnectivity, BaseAccount):
 """ 排除自己和以自己为 su-from 的账号 """
 return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
+ @staticmethod
+ def make_account_ansible_vars(su_from):
+ var = {
+ 'ansible_user': su_from.username,
+ }
+ if not su_from.secret:
+ return var
+ var['ansible_password'] = su_from.secret
+ var['ansible_ssh_private_key_file'] = su_from.private_key_path
+ return var
+
+ def get_ansible_become_auth(self):
+ su_from = self.su_from
+ platform = self.platform
+ auth = {'ansible_become': False}
+ if not (platform.su_enabled and su_from):
+ return auth
+
+ auth.update(self.make_account_ansible_vars(su_from))
+ become_method = 'sudo' if platform.su_method != 'su' else 'su'
+ password = su_from.secret if become_method == 'sudo' else self.secret
+ auth['ansible_become'] = True
+ auth['ansible_become_method'] = become_method
+ auth['ansible_become_user'] = self.username
+ auth['ansible_become_password'] = password
+ return auth
+
 def replace_history_model_with_mixin():
 """
diff --git a/apps/ops/ansible/inventory.py b/apps/ops/ansible/inventory.py
index b07876224..1c5fd17fc 100644
--- a/apps/ops/ansible/inventory.py
+++ b/apps/ops/ansible/inventory.py
@@ -77,9 +77,11 @@ class JMSInventory:
 return var
 @staticmethod
- def make_custom_become_ansible_vars(account, platform):
+ def make_custom_become_ansible_vars(account, su_from_auth):
+ su_method = su_from_auth['ansible_become_method']
 var = {
- 'custom_become': True, 'custom_become_method': platform.su_method,
+ 'custom_become': True,
+ 'custom_become_method': su_method,
 'custom_become_user': account.su_from.username,
 'custom_become_password': account.su_from.secret,
 'custom_become_private_key_path': account.su_from.private_key_path
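Review bot: `get_ansible_become_auth` and `make_account_ansible_vars` are undocumented although every playbook in this commit depends on their key set, and the password selection is non-obvious: `sudo` prompts for the invoking (su-from) user's password so `su_from.secret` is used, while `su` prompts for the target user's password so `self.secret` is used. A docstring on `get_ansible_become_auth` should state that it returns Ansible connection/become vars (`ansible_user`, `ansible_password`, `ansible_ssh_private_key_file`, `ansible_become*`) holding plaintext credentials, that the result is just `{'ansible_become': False}` unless the platform has su enabled and `su_from` is set, and that any `su_method` other than `su` is mapped to `sudo`. `make_account_ansible_vars` deserves a one-line note that `ansible_password` and `ansible_ssh_private_key_file` are omitted when the account has no secret, because the verify playbook references those keys unconditionally. In the inventory hunk on this same line, `su_from_auth['ansible_become_method']` raises `KeyError` for a dict produced by the early-return branch, so `make_custom_become_ansible_vars` should document that it must only be called when `su_from_auth['ansible_become']` is true (the caller in the next hunk guards this with `platform.su_enabled and su_from`, which presumably matches `account.platform`).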
@@ -98,16 +100,9 @@ class JMSInventory:
 su_from = account.su_from
 if platform.su_enabled and su_from:
- host.update(self.make_account_ansible_vars(su_from))
- host.update(self.make_custom_become_ansible_vars(account, platform))
- become_method = 'sudo' if platform.su_method != 'su' else 'su'
- host['ansible_become'] = True
- host['ansible_become_method'] = 'sudo'
- host['ansible_become_user'] = account.username
- if become_method == 'sudo':
- host['ansible_become_password'] = su_from.secret
- else:
- host['ansible_become_password'] = account.secret
+ su_from_auth = account.get_ansible_become_auth()
+ host.update(su_from_auth)
+ host.update(self.make_custom_become_ansible_vars(account, su_from_auth))
 elif platform.su_enabled and not su_from and \
 self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
 host.update(self.make_account_ansible_vars(account))
diff --git a/apps/ops/ansible/modules_utils/custom_common.py b/apps/ops/ansible/modules_utils/custom_common.py
index 0eb454e5a..920ba6942 100644
--- a/apps/ops/ansible/modules_utils/custom_common.py
+++ b/apps/ops/ansible/modules_utils/custom_common.py
@@ -63,13 +63,13 @@ class SSHClient:
 @staticmethod
 def _is_match_user(user, content):
 # 正常命令切割后是[命令,用户名,交互前缀]
- remote_user = content.split()[1] if len(content.split()) >= 3 else None
- return remote_user and remote_user == user
+ content_list = content.split() if len(content.split()) >= 3 else None
+ return content_list and user in content_list
 def switch_user(self):
 self._get_channel()
 if not self.module.params['become']:
- return None
+ return
 method = self.module.params['become_method']
 username = self.module.params['login_user']
 if method == 'sudo':
@@ -85,7 +85,7 @@ class SSHClient:
 su_output, err_msg = self.execute(commands)
 if err_msg:
 return err_msg
- i_output, err_msg = self.execute(['whoami'])
+ i_output, err_msg = self.execute(['whoami'], delay_time=1)
 if err_msg:
 return err_msg
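Review bot: `_is_match_user` now returns true when `user` appears anywhere in the whitespace-split output, where the old check required it to be the token immediately after the echoed command; because `_get_recv` returns whatever arrived during a fixed sleep, the buffer can still hold the echoed switch command (presumably containing the target username) from the preceding `self.execute(commands)` call, so a failed switch can be reported as successful and the privileged steps that follow run under the wrong identity. If the positional check broke on stray `\r` or on prompts containing spaces, compare lines rather than tokens: `lines = [l.strip() for l in content.splitlines() if l.strip()]` / `return len(lines) >= 2 and lines[1] == user`. `content.split()` is also evaluated twice on the same line, so bind it once. `switch_user` continues outside the hunk.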
@@ -153,14 +153,14 @@ class SSHClient:
 output = self.channel.recv(size).decode(encoding)
 return output
- def execute(self, commands):
+ def execute(self, commands, delay_time=0.3):
 if not self.is_connect:
 self.connect()
 output, error_msg = '', ''
 try:
 for command in commands:
 self.channel.send(command + '\n')
- time.sleep(0.3)
+ time.sleep(delay_time)
 output = self._get_recv()
 except Exception as e:
 error_msg = str(e)
@@ -170,5 +170,5 @@ class SSHClient:
 try:
 self.channel.close()
 self.client.close()
- except:
+ except Exception:
 pass
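Review bot: `execute` gains a `delay_time` parameter with no docstring, and its contract is subtle: each command is sent verbatim followed by `\n`, the method sleeps `delay_time` seconds and then reads whatever has arrived, so `output` holds only the last command's buffered output and a slow host can yield a short read while `error_msg` is still `''`. A docstring should say that `commands` are written unquoted to an interactive shell session, that `delay_time` is a fixed wait before reading rather than a timeout, and that any exception is folded into the returned `error_msg` instead of being raised; callers outside this hunk that build commands from account-derived values should quote them (for example with `shlex.quote`). The `except Exception:` change in the second hunk is fine as is.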