perf: ansible 用户切换至 (#11766)

Co-authored-by: feng <1304903146@qq.com>

apps/accounts/automations/change_secret/custom/ssh/main.yml

@@ -47,4 +47,8 @@
         login_password: "{{ account.secret }}"
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"

apps/accounts/automations/change_secret/host/aix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,6 +95,5 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/change_secret/host/posix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,6 +95,5 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost

apps/accounts/automations/push_account/host/aix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,7 +95,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/push_account/host/posix/main.yml

@@ -80,7 +80,11 @@
         login_host: "{{ jms_asset.address }}"
         login_port: "{{ jms_asset.port }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
+        become: "{{ account.become.ansible_become | default(False) }}"
+        become_method: su
+        become_user: "{{ account.become.ansible_user | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"
       when: account.secret_type == "password"
       delegate_to: localhost
 
@@ -91,7 +95,6 @@
         login_user: "{{ account.username }}"
         login_private_key_path: "{{ account.private_key_path  }}"
         gateway_args: "{{ jms_asset.ansible_ssh_common_args | default('') }}"
-        become: false
       when: account.secret_type == "ssh_key"
       delegate_to: localhost
 

apps/accounts/automations/verify_account/custom/ssh/main.yml

@@ -13,8 +13,8 @@
         login_password: "{{ account.secret }}"
         login_secret_type: "{{ account.secret_type }}"
         login_private_key_path: "{{ account.private_key_path }}"
-        become: "{{ custom_become | default(False) }}"
+        become: "{{ account.become.ansible_become | default(False) }}"
-        become_method: "{{ custom_become_method | default('su') }}"
+        become_method: "{{ account.become.ansible_become_method | default('su') }}"
-        become_user: "{{ custom_become_user | default('') }}"
+        become_user: "{{ account.become.ansible_user | default('') }}"
-        become_password: "{{ custom_become_password | default('') }}"
+        become_password: "{{ account.become.ansible_password | default('') }}"
-        become_private_key_path: "{{ custom_become_private_key_path | default(None) }}"
+        become_private_key_path: "{{ account.become.ansible_ssh_private_key_file | default(None) }}"

apps/accounts/automations/verify_account/host/posix/main.yml

@@ -1,11 +1,23 @@
 - hosts: demo
   gather_facts: no
   tasks:
-    - name: Verify account connectivity
+    - name: Verify account connectivity(Do not switch)
-      become: no
       ansible.builtin.ping:
       vars:
         ansible_become: no
         ansible_user: "{{ account.username }}"
         ansible_password: "{{ account.secret }}"
         ansible_ssh_private_key_file: "{{ account.private_key_path }}"
+      when: not account.become.ansible_become
+
+    - name: Verify account connectivity(Switch)
+      ansible.builtin.ping:
+      vars:
+        ansible_become: yes
+        ansible_user: "{{ account.become.ansible_user }}"
+        ansible_password: "{{ account.become.ansible_password }}"
+        ansible_ssh_private_key_file: "{{ account.become.ansible_ssh_private_key_file }}"
+        ansible_become_method: "{{ account.become.ansible_become_method }}"
+        ansible_become_user: "{{ account.become.ansible_become_user }}"
+        ansible_become_password: "{{ account.become.ansible_become_password }}"
+      when: account.become.ansible_become

apps/accounts/automations/verify_account/manager.py

@@ -42,7 +42,6 @@ class VerifyAccountManager(AccountBasePlaybookManager):
         if host.get('error'):
             return host
 
-        # host['ssh_args'] = '-o ControlMaster=no -o ControlPersist=no'
         accounts = asset.accounts.all()
         accounts = self.get_accounts(account, accounts)
         inventory_hosts = []
@@ -64,7 +63,8 @@ class VerifyAccountManager(AccountBasePlaybookManager):
                 'username': account.username,
                 'secret_type': account.secret_type,
                 'secret': secret,
-                'private_key_path': private_key_path
+                'private_key_path': private_key_path,
+                'become': account.get_ansible_become_auth(),
             }
             if account.platform.type == 'oracle':
                 h['account']['mode'] = 'sysdba' if account.privileged else None

apps/accounts/models/account.py

@@ -95,6 +95,33 @@ class Account(AbsConnectivity, BaseAccount):
         """ 排除自己和以自己为 su-from 的账号 """
         return self.asset.accounts.exclude(id=self.id).exclude(su_from=self)
 
+    @staticmethod
+    def make_account_ansible_vars(su_from):
+        var = {
+            'ansible_user': su_from.username,
+        }
+        if not su_from.secret:
+            return var
+        var['ansible_password'] = su_from.secret
+        var['ansible_ssh_private_key_file'] = su_from.private_key_path
+        return var
+
+    def get_ansible_become_auth(self):
+        su_from = self.su_from
+        platform = self.platform
+        auth = {'ansible_become': False}
+        if not (platform.su_enabled and su_from):
+            return auth
+
+        auth.update(self.make_account_ansible_vars(su_from))
+        become_method = 'sudo' if platform.su_method != 'su' else 'su'
+        password = su_from.secret if become_method == 'sudo' else self.secret
+        auth['ansible_become'] = True
+        auth['ansible_become_method'] = become_method
+        auth['ansible_become_user'] = self.username
+        auth['ansible_become_password'] = password
+        return auth
+
 
 def replace_history_model_with_mixin():
     """

apps/ops/ansible/inventory.py

@@ -77,9 +77,11 @@ class JMSInventory:
         return var
 
     @staticmethod
-    def make_custom_become_ansible_vars(account, platform):
+    def make_custom_become_ansible_vars(account, su_from_auth):
+        su_method = su_from_auth['ansible_become_method']
         var = {
-            'custom_become': True, 'custom_become_method': platform.su_method,
+            'custom_become': True,
+            'custom_become_method': su_method,
             'custom_become_user': account.su_from.username,
             'custom_become_password': account.su_from.secret,
             'custom_become_private_key_path': account.su_from.private_key_path
@@ -98,16 +100,9 @@ class JMSInventory:
 
         su_from = account.su_from
         if platform.su_enabled and su_from:
-            host.update(self.make_account_ansible_vars(su_from))
+            su_from_auth = account.get_ansible_become_auth()
-            host.update(self.make_custom_become_ansible_vars(account, platform))
+            host.update(su_from_auth)
-            become_method = 'sudo' if platform.su_method != 'su' else 'su'
+            host.update(self.make_custom_become_ansible_vars(account, su_from_auth))
-            host['ansible_become'] = True
-            host['ansible_become_method'] = 'sudo'
-            host['ansible_become_user'] = account.username
-            if become_method == 'sudo':
-                host['ansible_become_password'] = su_from.secret
-            else:
-                host['ansible_become_password'] = account.secret
         elif platform.su_enabled and not su_from and \
                 self.task_type in (AutomationTypes.change_secret, AutomationTypes.push_account):
             host.update(self.make_account_ansible_vars(account))

apps/ops/ansible/modules_utils/custom_common.py

@@ -63,13 +63,13 @@ class SSHClient:
     @staticmethod
     def _is_match_user(user, content):
         # 正常命令切割后是[命令，用户名，交互前缀]
-        remote_user = content.split()[1] if len(content.split()) >= 3 else None
+        content_list = content.split() if len(content.split()) >= 3 else None
-        return remote_user and remote_user == user
+        return content_list and user in content_list
 
     def switch_user(self):
         self._get_channel()
         if not self.module.params['become']:
-            return None
+            return
         method = self.module.params['become_method']
         username = self.module.params['login_user']
         if method == 'sudo':
@@ -85,7 +85,7 @@ class SSHClient:
         su_output, err_msg = self.execute(commands)
         if err_msg:
             return err_msg
-        i_output, err_msg = self.execute(['whoami'])
+        i_output, err_msg = self.execute(['whoami'], delay_time=1)
         if err_msg:
             return err_msg
 
@@ -153,14 +153,14 @@ class SSHClient:
         output = self.channel.recv(size).decode(encoding)
         return output
 
-    def execute(self, commands):
+    def execute(self, commands, delay_time=0.3):
         if not self.is_connect:
             self.connect()
         output, error_msg = '', ''
         try:
             for command in commands:
                 self.channel.send(command + '\n')
-                time.sleep(0.3)
+                time.sleep(delay_time)
                 output = self._get_recv()
         except Exception as e:
             error_msg = str(e)
@@ -170,5 +170,5 @@ class SSHClient:
         try:
             self.channel.close()
             self.client.close()
-        except:
+        except Exception:
             pass