From caefbdc9175cf21b4f5f803edfba7e2b4dc88fb1 Mon Sep 17 00:00:00 2001 From: ibuler Date: Wed, 24 Feb 2016 11:34:33 +0800 Subject: [PATCH 1/4] =?UTF-8?q?fix(juser)=20=E6=8E=A8=E9=80=81=E7=B3=BB?= =?UTF-8?q?=E7=BB=9F=E7=94=A8=E6=88=B7=EF=BC=8C=E9=80=89=E6=8B=A9=E5=AF=86?= =?UTF-8?q?=E9=92=A5=E6=97=B6=E4=B8=8D=E4=B8=BA=E7=94=A8=E6=88=B7=E7=94=9F?= =?UTF-8?q?=E6=88=90=E5=AF=86=E7=A0=81?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 当推送系统用户时,选择系统用户使用密钥时没有必要为系统用户生成密码, 以免造成安全上的问题,在代码上也属于冗余. --- jperm/views.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/jperm/views.py b/jperm/views.py index a8a66128b..eba0921c7 100644 --- a/jperm/views.py +++ b/jperm/views.py @@ -512,10 +512,10 @@ def perm_role_push(request): task = MyTask(push_resource) ret = {} - # 因为要先建立用户,所以password 是必选项,而push key是在 password也完成的情况下的 可选项 + # 因为要先建立用户,而push key是在 password也完成的情况下的 可选项 # 1. 以秘钥 方式推送角色 if key_push: - ret["pass_push"] = task.add_user(role.name, CRYPTOR.decrypt(role.password)) + ret["pass_push"] = task.add_user(role.name) ret["key_push"] = task.push_key(role.name, os.path.join(role.key_path, 'id_rsa.pub')) # 2. 推送账号密码 From b6fc8b777f20884f12ebe7d5d6714d42ebb88014 Mon Sep 17 00:00:00 2001 From: ibuler Date: Wed, 24 Feb 2016 12:29:47 +0800 Subject: [PATCH 2/4] =?UTF-8?q?change(juse)=20=E4=BF=AE=E6=94=B9=E7=94=A8?= =?UTF-8?q?=E6=88=B7=E6=B7=BB=E5=8A=A0=E6=B5=81=E7=A8=8B?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. 添加新用户,不在为该用户设置密码 2. 强制用户使用key登陆跳板机,为了安全性 3. 更改邮件文案和不发送邮件提示文案 --- juser/user_api.py | 36 ++++++++++++---------------------- juser/views.py | 9 ++++----- templates/juser/user_add.html | 9 ++------- templates/juser/user_edit.html | 2 +- 4 files changed, 19 insertions(+), 37 deletions(-) diff --git a/juser/user_api.py b/juser/user_api.py index 305a877fd..63bd4bd10 100644 --- a/juser/user_api.py +++ b/juser/user_api.py 
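Review bot: `ret["pass_push"] = task.add_user(role.name)` now calls `MyTask.add_user` with a single argument, but nothing in this series touches `add_user` itself; if its signature still requires the password, the failure is a TypeError at push time rather than at import, so the signature needs confirming (it is not visible here). The rewritten comment still says the key push is optional once the password step is done, which no longer describes this branch; suggest `# Key push only needs the account to exist; no password is set for it`. The `pass_push` key now records account creation rather than a password push, so a name such as `ret["user_add"]` would be more honest, provided the consumers of `ret` are updated in the same change. perm_role_push starts before this hunk and continues after it.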
@@ -137,7 +137,7 @@ def gen_ssh_key(username, password='', if authorized_keys: auth_key_dir = os.path.join(home, username, '.ssh') - mkdir(auth_key_dir, username=username , mode=0700) + mkdir(auth_key_dir, username=username, mode=0700) authorized_key_file = os.path.join(auth_key_dir, 'authorized_keys') with open(private_key_file+'.pub') as pub_f: with open(authorized_key_file, 'w') as auth_f: @@ -146,15 +146,13 @@ def gen_ssh_key(username, password='', chown(authorized_key_file, username) -def server_add_user(username, password, ssh_key_pwd='', ssh_key_login_need=True): +def server_add_user(username, ssh_key_pwd=''): """ add a system user in jumpserver 在jumpserver服务器上添加一个用户 """ - bash("useradd -s '%s' '%s'; echo '%s'; echo '%s:%s' | chpasswd " % - (os.path.join(BASE_DIR, 'init.sh'), username, password, username, password)) - if ssh_key_login_need: - gen_ssh_key(username, ssh_key_pwd) + bash("useradd -s '%s' '%s'" % (os.path.join(BASE_DIR, 'init.sh'), username)) + gen_ssh_key(username, ssh_key_pwd) def user_add_mail(user, kwargs): @@ -171,7 +169,7 @@ def user_add_mail(user, kwargs): 您的web登录密码: %s 您的ssh密钥文件密码: %s 密钥下载地址: %s/juser/key/down/?uuid=%s - 说明: 请登陆后再下载密钥! + 说明: 请登陆跳板机后台下载密钥, 然后使用密钥登陆跳板机! """ % (user.name, user.username, user_role.get(user.role, u'普通用户'), kwargs.get('password'), kwargs.get('ssh_key_pwd'), URL, user.uuid) send_mail(mail_title, mail_msg, MAIL_FROM, [user.email], fail_silently=False) 
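Review bot: `bash("useradd -s '%s' '%s'" % (os.path.join(BASE_DIR, 'init.sh'), username))` still interpolates `username` into a shell string; the single quotes only hold if the value cannot contain a quote, and `username` originates from the add-user form, so it should be validated against the `useradd` name syntax or shell-quoted before interpolation, e.g. `bash("useradd -s %s %s" % (pipes.quote(os.path.join(BASE_DIR, 'init.sh')), pipes.quote(username)))` with `import pipes` (the file is Python 2, given the `0700` literal). Separately, `useradd` without a password leaves the shadow entry locked (`!` or `!!` depending on the distribution), and some sshd builds refuse such accounts even for public-key authentication ("account is locked"), so this is worth confirming on the target OS. Dropping the `password` parameter changes the meaning of the second positional argument: any caller outside juser/views.py that still passes `(username, password, ssh_key_pwd)` would silently use the password as the key passphrase, so other callers should be grepped for. The docstring should also state that the account is created without a password and is meant for key-only login.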
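Review bot: The mail body still sends the web password and the SSH key passphrase together with the key download link in one cleartext message (`kwargs.get('password')`, `kwargs.get('ssh_key_pwd')` in the format arguments), which undercuts the key-only login this series introduces — whoever reads that mailbox holds everything needed; consider mailing only the download link and delivering the two secrets separately, or at least leaving out the key passphrase. `send_mail(..., fail_silently=False)` raises on SMTP failure, and in `user_add` this call runs after the DB row and the system account already exist, so a mail outage leaves a created user and no on-screen notice; the caller should catch that and fall back to the display message. user_add_mail starts before this hunk.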
@@ -185,27 +183,17 @@ def server_del_user(username): bash('userdel -r %s' % username) -def get_display_msg(user, password, ssh_key_pwd, ssh_key_login_need, send_mail_need): +def get_display_msg(user, password, ssh_key_pwd, send_mail_need=False): if send_mail_need: msg = u'添加用户 %s 成功! 用户密码已发送到 %s 邮箱!' % (user.name, user.email) - return msg - - if ssh_key_login_need: - msg = u""" - 跳板机地址: %s - 用户名:%s - 密码:%s - 密钥密码:%s - 密钥下载url: %s/juser/key/down/?uuid=%s - 该账号密码可以登陆web和跳板机。 - """ % (URL, user.username, password, ssh_key_pwd, URL, user.uuid) else: msg = u""" - 跳板机地址: %s \n - 用户名:%s \n - 密码:%s \n + 跳板机地址: %s
+ 用户名:%s
+ 密码:%s
+ 密钥密码:%s
+ 密钥下载url: %s/juser/key/down/?uuid=%s
该账号密码可以登陆web和跳板机。 - """ % (URL, user.username, password) - + """ % (URL, user.username, password, ssh_key_pwd, URL, user.uuid) return msg diff --git a/juser/views.py b/juser/views.py index 41baa7536..d57b0fbde 100644 --- a/juser/views.py +++ b/juser/views.py @@ -153,8 +153,7 @@ def user_add(request): ssh_key_pwd = PyCrypt.gen_rand_pass(16) extra = request.POST.getlist('extra', []) is_active = False if '0' in extra else True - ssh_key_login_need = True - send_mail_need = True if '2' in extra else False + send_mail_need = True if '1' in extra else False try: if '' in [username, password, ssh_key_pwd, name, role]: @@ -176,7 +175,7 @@ def user_add(request): ssh_key_pwd=ssh_key_pwd, is_active=is_active, date_joined=datetime.datetime.now()) - server_add_user(username, password, ssh_key_pwd, ssh_key_login_need) + server_add_user(username, ssh_key_pwd) user = get_object(User, username=username) if groups: user_groups = [] @@ -193,7 +192,7 @@ def user_add(request): else: if MAIL_ENABLE and send_mail_need: user_add_mail(user, kwargs=locals()) - msg = get_display_msg(user, password, ssh_key_pwd, ssh_key_login_need, send_mail_need) + msg = get_display_msg(user, password, ssh_key_pwd, send_mail_need) return my_render('juser/user_add.html', locals(), request) @@ -361,7 +360,7 @@ def user_edit(request): admin_groups = request.POST.getlist('admin_groups', []) extra = request.POST.getlist('extra', []) is_active = True if '0' in extra else False - email_need = True if '2' in extra else False + email_need = True if '1' in extra else False user_role = {'SU': u'超级管理员', 'GA': u'部门管理员', 'CU': u'普通用户'} if user_id: diff --git a/templates/juser/user_add.html b/templates/juser/user_add.html index 621d18107..931f8d192 100644 --- a/templates/juser/user_add.html +++ b/templates/juser/user_add.html @@ -28,7 +28,7 @@
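Review bot: `get_display_msg` gains a default `send_mail_need=False` but no docstring, and the default selects the variant whose return value carries `password` and `ssh_key_pwd` in clear, so a caller that omits the flag gets the secret-bearing text. Suggest a docstring such as `"""Return the notice shown after user creation; holds the web password and key passphrase in clear unless they were mailed (send_mail_need)."""`. The text also embeds `user.username`, which comes from the add-user form, and the template renders `msg` with `|safe`, so either escape it here with `django.utils.html.escape(user.username)` or keep autoescaping in the template.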
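Review bot: `send_mail_need = True if '1' in extra else False` (and the same pattern in the `@@ -361,7 +360,7 @@` hunk of `user_edit`) keys on a bare `'1'` that must match the checkbox value in the template; the renumbering in this commit had to touch both views and the template by hand, so a module-level constant such as `EXTRA_SEND_MAIL = '1'` used in all three places would keep them from drifting. The conditional expression is redundant: `'1' in extra` is already a bool, so `send_mail_need = '1' in extra` reads cleaner. user_add starts before this hunk and continues after it.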
{{ error }}
{% endif %} {% if msg %} -
{{ msg }}
+
{{ msg | safe }}
{% endif %}
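Review bot: `{{ msg | safe }}` switches off autoescaping for a string that `get_display_msg` builds from `user.username` (request input) and two secrets; a crafted username then lands in the admin's page as markup. If the goal is only to keep the line breaks of the multi-line message, `{{ msg|linebreaksbr }}` (escapes first, then turns newlines into `<br>`) gives that without dropping escaping. The surrounding markup is not visible in this rendering of the diff, so the enclosing element cannot be checked here.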
@@ -99,14 +99,9 @@
-{#
#} -{#
#} -{# #} -{#
#} -{#
#}
- +
diff --git a/templates/juser/user_edit.html b/templates/juser/user_edit.html index 3613e6458..96da0079c 100644 --- a/templates/juser/user_edit.html +++ b/templates/juser/user_edit.html @@ -116,7 +116,7 @@
- +
From f60a8969268ddcab0e029fb9821b990f90113846 Mon Sep 17 00:00:00 2001 From: ibuler Date: Wed, 24 Feb 2016 12:32:41 +0800 Subject: [PATCH 3/4] =?UTF-8?q?modify(jasset)=20=E7=BB=9F=E4=B8=80?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E7=94=A8=E6=88=B7=E6=96=87=E6=A1=88?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 所有用得到管理用户文案的地,都进行了统一 更改了 管理用户使用默认的对齐 去掉了分隔线 --- templates/jasset/asset_add.html | 11 +++++------ templates/jasset/asset_edit.html | 7 +++---- 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/templates/jasset/asset_add.html b/templates/jasset/asset_add.html index ab8de9145..57c0c04d3 100644 --- a/templates/jasset/asset_add.html +++ b/templates/jasset/asset_add.html @@ -50,24 +50,23 @@
- +
-
-

Tips: 管理账号是服务器存在的root等高权限账号,用来推送新建系统用户

+

Tips: 管理用户是服务器存在的root或拥有sudo的用户,用来推送系统用户