github
/
teleport
mirror of https://github.com/tp4a/teleport
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

调整功能:具有运维授权权限的用户,无需进行授权即可使用任意远程账号进行连接;具有运维权限的用户,则需要先授权才能进行连接;具有审计授权权限的用户,无需进行授权即可查看所有运维录像;具有审计权限的用户,必须先授权才能查看指定主机的运维录像。

pull/105/head
Apex Liu 2017-12-22 02:29:52 +08:00
parent d9d4c22e61
commit 38a8d245c5
6 changed files with 139 additions and 292 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
server/www/teleport/static/js/asset/host-list.js
View File

@ -1660,6 +1660,8 @@ $app.create_dlg_edit_account = function () {
$assist.do_teleport( $assist.do_teleport(
{ {
mode: 0,
auth_id: 'none',
acc_id: dlg.field_id, acc_id: dlg.field_id,
host_id: dlg.host.id, host_id: dlg.host.id,
protocol_type: dlg.field_protocol, protocol_type: dlg.field_protocol,

169
server/www/teleport/static/js/ops/remote-list.js
View File

@ -29,16 +29,6 @@ $app.create_controls = function (cb_stack) {
}, },
column_default: {sort: false, align: 'left'}, column_default: {sort: false, align: 'left'},
columns: [ columns: [
// {
// // title: '<input type="checkbox" id="user-list-select-all" value="">',
// title: '<a href="javascript:;" data-reset-filter><i class="fa fa-rotate-left fa-fw"></i></a>',
// key: 'chkbox',
// sort: false,
// width: 36,
// align: 'center',
// render: 'make_check_box',
// fields: {id: 'id'}
// },
{ {
title: '主机', title: '主机',
key: 'host', key: 'host',
@ -83,9 +73,6 @@ $app.create_controls = function (cb_stack) {
name: 'search', name: 'search',
place_holder: '搜索主机IP/名称/描述/资产编号/等等...' place_holder: '搜索主机IP/名称/描述/资产编号/等等...'
}); });
// $app.table_host_role_filter = $tp.create_table_filter_role($app.table_host, $app.role_list);
// 主机没有“临时锁定”状态,因此要排除掉
// $tp.create_table_header_filter_state($app.table_host, 'state', $app.obj_states, [TP_STATE_LOCKED]);
// 从cookie中读取用户分页限制的选择 // 从cookie中读取用户分页限制的选择
$tp.create_table_paging($app.table_host, 'table-host-paging', $tp.create_table_paging($app.table_host, 'table-host-paging',
@ -110,11 +97,6 @@ $app.create_controls = function (cb_stack) {
$app.table_host.load_data(); $app.table_host.load_data();
}); });
// $app.dom.box_rdp_option.mouseleave(function(){
// console.log('---mouseleave');
// $app.dom.box_rdp_option.hide();
// });
cb_stack.exec(); cb_stack.exec();
}; };
@ -126,16 +108,18 @@ $app.on_table_host_cell_created = function (tbl, row_id, col_key, cell_obj) {
var action = $(this).attr('data-action'); var action = $(this).attr('data-action');
var protocol_sub_type = $(this).attr('data-sub-protocol'); var protocol_sub_type = $(this).attr('data-sub-protocol');
var uni_id = $(this).attr('data-id'); var uni_id = $(this).attr('data-id');
var acc_id = parseInt($(this).attr('data-acc-id'));
var host_id = parseInt($(this).attr('data-host-id'));
// var policy = $app.table_policy.get_row(row_id);
// console.log(uni_id, protocol_sub_type);
if (action === 'rdp') { if (action === 'rdp') {
$app.connect_remote(uni_id, TP_PROTOCOL_TYPE_RDP, TP_PROTOCOL_TYPE_RDP_DESKTOP); $app.connect_remote(uni_id, acc_id, host_id, TP_PROTOCOL_TYPE_RDP, TP_PROTOCOL_TYPE_RDP_DESKTOP);
} else if (action === 'rdp-option') { } else if (action === 'rdp-option') {
$app.dlg_rdp_options.show(e.pageX, e.pageY, uni_id, TP_PROTOCOL_TYPE_RDP, TP_PROTOCOL_TYPE_RDP_DESKTOP); $app.dlg_rdp_options.show(e.pageX, e.pageY, uni_id, acc_id, host_id, TP_PROTOCOL_TYPE_RDP, TP_PROTOCOL_TYPE_RDP_DESKTOP);
//$app.connect_remote(uni_id, TP_PROTOCOL_TYPE_SSH, protocol_sub_type);
} else if (action === 'ssh') { } else if (action === 'ssh') {
$app.connect_remote(uni_id, TP_PROTOCOL_TYPE_SSH, protocol_sub_type); $app.connect_remote(uni_id, acc_id, host_id, TP_PROTOCOL_TYPE_SSH, protocol_sub_type);
} else if (action === 'telnet') { } else if (action === 'telnet') {
$tp.notify_error('尚未实现!'); $tp.notify_error('尚未实现!');
} }
@ -144,22 +128,6 @@ $app.on_table_host_cell_created = function (tbl, row_id, col_key, cell_obj) {
}; };
$app.on_table_host_render_created = function (render) { $app.on_table_host_render_created = function (render) {
// render.filter_role = function (header, title, col) {
// var _ret = ['<div class="tp-table-filter tp-table-filter-' + col.cell_align + '">'];
// _ret.push('<div class="tp-table-filter-inner">');
// _ret.push('<div class="search-title">' + title + '</div>');
//
// // 表格内嵌过滤器的DOM实体在这时生成
// var filter_ctrl = header._table_ctrl.get_filter_ctrl('role');
// _ret.push(filter_ctrl.render());
//
// _ret.push('</div></div>');
//
// return _ret.join('');
// };
// render.filter_os = function (header, title, col) {
// return '';
// };
render.filter_state = function (header, title, col) { render.filter_state = function (header, title, col) {
var _ret = ['<div class="tp-table-filter tp-table-filter-' + col.cell_align + '">']; var _ret = ['<div class="tp-table-filter tp-table-filter-' + col.cell_align + '">'];
@ -189,10 +157,6 @@ $app.on_table_host_render_created = function (render) {
return _ret.join(''); return _ret.join('');
}; };
// render.make_check_box = function (row_id, fields) {
// return '<span><input type="checkbox" data-check-box="' + fields.id + '" data-row-id="' + row_id + '"></span>';
// };
//
render.host_info = function (row_id, fields) { render.host_info = function (row_id, fields) {
var title, sub_title; var title, sub_title;
@ -206,25 +170,13 @@ $app.on_table_host_render_created = function (render) {
// title = fields.a_name + '@' + title; // title = fields.a_name + '@' + title;
var desc = []; var desc = [];
// if (fields.desc.length > 0) {
// desc.push(fields.desc.replace(/\r/ig, "").replace(/\n/ig, "<br/>"));
// }
if (fields.router_ip.length > 0) { if (fields.router_ip.length > 0) {
sub_title += ',由 ' + fields.router_ip + ':' + fields.router_port + ' 路由'; sub_title += ',由 ' + fields.router_ip + ':' + fields.router_port + ' 路由';
} }
var ret = []; var ret = [];
// ret.push('<div><span class="host-name" href="javascript:;">' + title + '</span>');
// if (desc.length > 0) {
// ret.push('<a class="host-id-desc" data-toggle="popover" data-placement="right"');
// ret.push(' data-html="true"');
// ret.push(' data-content="' + desc.join('') + '"');
// ret.push('><i class="fa fa-list-alt fw"></i></a>');
// }
if (desc.length > 0) { if (desc.length > 0) {
ret.push('<div><a class="host-name host-name-desc" data-toggle="popover" data-placement="right"'); ret.push('<div><a class="host-name host-name-desc" data-toggle="popover" data-placement="right"');
// ret.push('<a class="host-id-desc" data-toggle="popover" data-placement="right"');
ret.push(' data-html="true"'); ret.push(' data-html="true"');
ret.push(' data-content="' + desc.join('') + '"'); ret.push(' data-content="' + desc.join('') + '"');
ret.push('>' + title + '</a>'); ret.push('>' + title + '</a>');
@ -271,36 +223,24 @@ $app.on_table_host_render_created = function (render) {
if (acc.protocol_type === TP_PROTOCOL_TYPE_RDP) { if (acc.protocol_type === TP_PROTOCOL_TYPE_RDP) {
if ((acc.policy_.flag_rdp & TP_FLAG_RDP_DESKTOP) !== 0) { if ((acc.policy_.flag_rdp & TP_FLAG_RDP_DESKTOP) !== 0) {
act_btn.push('<div class="btn-group btn-group-sm">'); act_btn.push('<div class="btn-group btn-group-sm">');
act_btn.push('<button type="button" class="btn btn-primary" data-action="rdp" data-id="' + acc.uni_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_RDP_DESKTOP + '"><i class="fa fa-desktop fa-fw"></i> RDP</button>'); act_btn.push('<button type="button" class="btn btn-primary" data-action="rdp" data-id="' + acc.uni_id + '" data-acc-id="' + acc.a_id + '" data-host-id="' + acc.h_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_RDP_DESKTOP + '"><i class="fa fa-desktop fa-fw"></i> RDP</button>');
// act_btn.push('<button type="button" class="btn btn-primary dropdown-toggle" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false">'); act_btn.push('<a href="javascript:;" class="btn btn-primary dropdown-toggle" data-action="rdp-option" data-id="' + acc.uni_id + '" data-acc-id="' + acc.a_id + '" data-host-id="' + acc.h_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_RDP_DESKTOP + '">');
act_btn.push('<a href="javascript:;" class="btn btn-primary dropdown-toggle" data-action="rdp-option" data-id="' + acc.uni_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_RDP_DESKTOP + '">');
//act_btn.push('<span class="caret"></span>');
act_btn.push('<i class="fa fa-cog"></i>'); act_btn.push('<i class="fa fa-cog"></i>');
act_btn.push('</a>'); act_btn.push('</a>');
// act_btn.push('<ul class="dropdown-menu">');
// act_btn.push('<li><a href="#">Another action</a></li>');
// act_btn.push('<li><a href="#"><i class="fa fa-desktop fa-fw"></i> 连接</a></li>');
// act_btn.push('<li role="separator" class="divider"></li>');
// // act_btn.push('<li><a href="#"><i class="fa fa-desktop fa-fw"></i> Console模式</a></li>');
// // act_btn.push('<li><input type="checkbox">Console模式</input></li>');
// act_btn.push('<li><a href="javascript:;" class="tp-checkbox tp-editable">Console模式</a></li>');
// act_btn.push('<li role="separator" class="divider"></li>');
// act_btn.push('<li><a href="#"><i class="fa fa-desktop fa-fw"></i> 连接</a></li>');
// act_btn.push('</ul>');
act_btn.push('</div>'); act_btn.push('</div>');
} }
} else if (acc.protocol_type === TP_PROTOCOL_TYPE_SSH) { } else if (acc.protocol_type === TP_PROTOCOL_TYPE_SSH) {
act_btn.push('<div class="btn-group btn-group-sm">'); act_btn.push('<div class="btn-group btn-group-sm">');
if ((acc.policy_.flag_ssh & TP_FLAG_SSH_SHELL) !== 0) { if ((acc.policy_.flag_ssh & TP_FLAG_SSH_SHELL) !== 0) {
act_btn.push('<button type="button" class="btn btn-success" data-action="ssh" data-id="' + acc.uni_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_SSH_SHELL + '"><i class="fa fa-keyboard-o fa-fw"></i> SSH</button>'); act_btn.push('<button type="button" class="btn btn-success" data-action="ssh" data-id="' + acc.uni_id + '" data-acc-id="' + acc.a_id + '" data-host-id="' + acc.h_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_SSH_SHELL + '"><i class="fa fa-keyboard-o fa-fw"></i> SSH</button>');
} }
if ((acc.policy_.flag_ssh & TP_FLAG_SSH_SFTP) !== 0) { if ((acc.policy_.flag_ssh & TP_FLAG_SSH_SFTP) !== 0) {
act_btn.push('<button type="button" class="btn btn-info" data-action="ssh" data-id="' + acc.uni_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_SSH_SFTP + '"><i class="fa fa-upload fa-fw"></i> SFTP</button>'); act_btn.push('<button type="button" class="btn btn-info" data-action="ssh" data-id="' + acc.uni_id + '" data-acc-id="' + acc.a_id + '" data-host-id="' + acc.h_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_SSH_SFTP + '"><i class="fa fa-upload fa-fw"></i> SFTP</button>');
} }
act_btn.push('</div>'); act_btn.push('</div>');
} else if (acc.protocol_type === TP_PROTOCOL_TYPE_TELNET) { } else if (acc.protocol_type === TP_PROTOCOL_TYPE_TELNET) {
act_btn.push('<button type="button" class="btn btn-warning" data-action="telnet" data-id="' + acc.uni_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_TELNET_SHELL + '"><i class="fa fa-keyboard-o fa-fw"></i> TELNET</button>'); act_btn.push('<button type="button" class="btn btn-warning" data-action="telnet" data-id="' + acc.uni_id + '" data-acc-id="' + acc.a_id + '" data-host-id="' + acc.h_id + '" data-sub-protocol="' + TP_PROTOCOL_TYPE_TELNET_SHELL + '"><i class="fa fa-keyboard-o fa-fw"></i> TELNET</button>');
} }
} }
@ -310,62 +250,6 @@ $app.on_table_host_render_created = function (render) {
} }
return h.join(''); return h.join('');
}; };
render.state = function (row_id, fields) {
// console.log(fields);
var _prompt, _style, _state;
if ((fields.h_state === TP_STATE_NORMAL || fields.h_state === 0)
&& (fields.gh_state === TP_STATE_NORMAL || fields.gh_state === 0)
// && (fields.a_state === TP_STATE_NORMAL || fields.a_state === 0)
// && (fields.ga_state === TP_STATE_NORMAL || fields.ga_state === 0)
) {
return '<span class="label label-sm label-success">正常</span>'
}
var states = [
{n: '主机', s: fields.h_state},
{n: '主机组', s: fields.gh_state},
// {n: '账号', s: fields.a_state},
// {n: '账号组', s: fields.ga_state}
];
for (var j = 0; j < states.length; ++j) {
if (states[j].s === TP_STATE_NORMAL)
continue;
for (var i = 0; i < $app.obj_states.length; ++i) {
if ($app.obj_states[i].id === states[j].s) {
_style = $app.obj_states[i].style;
_state = $app.obj_states[i].name;
_prompt = states[j].n;
return '<span class="label label-sm label-' + _style + '">' + _prompt + '被' + _state + '</span>'
}
}
}
return '<span class="label label-sm label-info"><i class="fa fa-question-circle"></i> 未知</span>'
};
// render.make_host_action_btn = function (row_id, fields) {
// var h = [];
// h.push('<div class="btn-group btn-group-sm">');
// h.push('<button type="button" class="btn btn-no-border dropdown-toggle" data-toggle="dropdown">');
// h.push('<span data-selected-action>操作</span> <i class="fa fa-caret-right"></i></button>');
// h.push('<ul class="dropdown-menu dropdown-menu-right dropdown-menu-sm">');
// h.push('<li><a href="javascript:;" data-action="edit"><i class="fa fa-edit fa-fw"></i> 编辑</a></li>');
// h.push('<li><a href="javascript:;" data-action="lock"><i class="fa fa-lock fa-fw"></i> 禁用</a></li>');
// h.push('<li><a href="javascript:;" data-action="unlock"><i class="fa fa-unlock fa-fw"></i> 解禁</a></li>');
// h.push('<li role="separator" class="divider"></li>');
// h.push('<li><a href="javascript:;" data-action="account"><i class="fa fa-user-secret fa-fw"></i> 管理远程账号</a></li>');
// h.push('<li role="separator" class="divider"></li>');
// h.push('<li><a href="javascript:;" data-action="duplicate"><i class="fa fa-cubes fa-fw"></i> 复制主机</a></li>');
// h.push('<li><a href="javascript:;" data-action="delete"><i class="fa fa-times-circle fa-fw"></i> 删除</a></li>');
// h.push('</ul>');
// h.push('</div>');
//
// return h.join('');
// };
}; };
$app.on_table_host_header_created = function (header) { $app.on_table_host_header_created = function (header) {
@ -385,6 +269,8 @@ $app.create_dlg_rdp_options = function () {
var dlg = {}; var dlg = {};
dlg.dom_id = 'dlg-rdp-options'; dlg.dom_id = 'dlg-rdp-options';
dlg.uni_id = ''; dlg.uni_id = '';
dlg.acc_id = 0;
dlg.host_id = 0;
dlg.protocol_type = TP_PROTOCOL_TYPE_RDP; dlg.protocol_type = TP_PROTOCOL_TYPE_RDP;
dlg.protocol_sub_type = TP_PROTOCOL_TYPE_RDP_DESKTOP; dlg.protocol_sub_type = TP_PROTOCOL_TYPE_RDP_DESKTOP;
dlg.rdp_w = 0; dlg.rdp_w = 0;
@ -424,7 +310,7 @@ $app.create_dlg_rdp_options = function () {
dlg.rdp_h = _h; dlg.rdp_h = _h;
Cookies.set('rdp_options', {w: _w, h: _h, 'c': _console}, {path: '/ops/remote'}); Cookies.set('rdp_options', {w: _w, h: _h, 'c': _console}, {path: '/ops/remote'});
$app.connect_remote(dlg.uni_id, dlg.protocol_type, dlg.protocol_sub_type); $app.connect_remote(dlg.uni_id, dlg.acc_id, dlg.host_id, dlg.protocol_type, dlg.protocol_sub_type);
}); });
var ops = Cookies.getJSON('rdp_options'); var ops = Cookies.getJSON('rdp_options');
@ -461,7 +347,7 @@ $app.create_dlg_rdp_options = function () {
for (var i = 0; i < ss.length; ++i) { for (var i = 0; i < ss.length; ++i) {
var _w = ss[i].w; var _w = ss[i].w;
var _h = ss[i].h; var _h = ss[i].h;
h.push('<div><label><input type="radio" name="screen-size" data-w="'+_w+'" data-h="'+_h+'"'); h.push('<div><label><input type="radio" name="screen-size" data-w="' + _w + '" data-h="' + _h + '"');
if (dlg.rdp_w === _w && dlg.rdp_h === _h) if (dlg.rdp_w === _w && dlg.rdp_h === _h)
h.push(' checked'); h.push(' checked');
h.push('> ' + _w + ' x ' + _h + '</label></div>'); h.push('> ' + _w + ' x ' + _h + '</label></div>');
@ -469,19 +355,21 @@ $app.create_dlg_rdp_options = function () {
h.push('</div>'); h.push('</div>');
dlg.dom.screen_size.html($(h.join(''))); dlg.dom.screen_size.html($(h.join('')));
if(dlg.rdp_console) if (dlg.rdp_console)
dlg.dom.console_mode.prop('checked', true); dlg.dom.console_mode.prop('checked', true);
cb_stack.exec(); cb_stack.exec();
}; };
dlg.show = function (x, y, uni_id, protocol_type, protocol_sub_type) { dlg.show = function (x, y, uni_id, acc_id, host_id, protocol_type, protocol_sub_type) {
if (dlg.timer !== null) { if (dlg.timer !== null) {
clearTimeout(dlg.timer); clearTimeout(dlg.timer);
dlg.timer = null; dlg.timer = null;
} }
dlg.uni_id = uni_id; dlg.uni_id = uni_id;
dlg.acc_id = acc_id;
dlg.host_id = host_id;
dlg.protocol_type = protocol_type; dlg.protocol_type = protocol_type;
dlg.protocol_sub_type = protocol_sub_type; dlg.protocol_sub_type = protocol_sub_type;
@ -499,16 +387,25 @@ $app.create_dlg_rdp_options = function () {
return dlg; return dlg;
}; };
$app.connect_remote = function (uni_id, protocol_type, protocol_sub_type) { $app.connect_remote = function (uni_id, acc_id, host_id, protocol_type, protocol_sub_type) {
$assist.do_teleport(
{ var args = {
mode: 1,
auth_id: uni_id, auth_id: uni_id,
acc_id: acc_id,
host_id: host_id,
protocol_type: protocol_type, protocol_type: protocol_type,
protocol_sub_type: protocol_sub_type, protocol_sub_type: protocol_sub_type,
rdp_width: $app.dlg_rdp_options.rdp_w, rdp_width: $app.dlg_rdp_options.rdp_w,
rdp_height: $app.dlg_rdp_options.rdp_h, rdp_height: $app.dlg_rdp_options.rdp_h,
rdp_console: $app.dlg_rdp_options.rdp_console rdp_console: $app.dlg_rdp_options.rdp_console
}, };
if(uni_id === 'none')
args.mode = 2;
$assist.do_teleport(
args,
function () { function () {
// func_success // func_success
//$tp.notify_success('远程连接测试通过!'); //$tp.notify_success('远程连接测试通过!');

20
server/www/teleport/webroot/app/controller/ops.py
View File

@ -108,8 +108,14 @@ class DoGetSessionIDHandler(TPBaseJsonHandler):
protocol_sub_type = TP_PROTOCOL_TYPE_UNKNOWN protocol_sub_type = TP_PROTOCOL_TYPE_UNKNOWN
if 'auth_id' in args: if 'mode' not in args:
if 'protocol_sub_type' not in args: return self.write_json(TPE_PARAM)
# mode = 0: test connect
# mode = 1: user connect
# mode = 2: admin connect
if args['mode'] == 1:
if 'auth_id' not in args or 'protocol_sub_type' not in args:
return self.write_json(TPE_PARAM) return self.write_json(TPE_PARAM)
# 根据auth_id从数据库中取得此授权相关的用户、主机、账号三者详细信息 # 根据auth_id从数据库中取得此授权相关的用户、主机、账号三者详细信息
@ -132,7 +138,8 @@ class DoGetSessionIDHandler(TPBaseJsonHandler):
return self.write_json(err) return self.write_json(err)
log.v(acc_info) log.v(acc_info)
elif len(args) == 2 and 'acc_id' in args and 'host_id' in args: # elif len(args) == 2 and 'acc_id' in args and 'host_id' in args:
elif args['mode'] == 2:
acc_id = args['acc_id'] acc_id = args['acc_id']
host_id = args['host_id'] host_id = args['host_id']
@ -140,7 +147,7 @@ class DoGetSessionIDHandler(TPBaseJsonHandler):
if err != TPE_OK: if err != TPE_OK:
return self.write_json(err) return self.write_json(err)
else: elif args['mode'] == 0:
conn_info['_test'] = 1 conn_info['_test'] = 1
try: try:
acc_id = int(args['acc_id']) acc_id = int(args['acc_id'])
@ -185,6 +192,9 @@ class DoGetSessionIDHandler(TPBaseJsonHandler):
conn_info['_enc'] = 1 conn_info['_enc'] = 1
else:
return self.write_json(TPE_PARAM)
# 获取要远程连接的主机信息要访问的IP地址如果是路由模式则是路由主机的IP+端口) # 获取要远程连接的主机信息要访问的IP地址如果是路由模式则是路由主机的IP+端口)
err, host_info = host.get_host_info(host_id) err, host_info = host.get_host_info(host_id)
if err != TPE_OK: if err != TPE_OK:
@ -627,7 +637,7 @@ class DoRankReorderHandler(TPBaseJsonHandler):
class DoGetRemotesHandler(TPBaseJsonHandler): class DoGetRemotesHandler(TPBaseJsonHandler):
def post(self): def post(self):
ret = self.check_privilege(TP_PRIVILEGE_OPS) ret = self.check_privilege(TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_OPS)
if ret != TPE_OK: if ret != TPE_OK:
return return

137
server/www/teleport/webroot/app/model/audit.py
View File

@ -347,143 +347,6 @@ def get_auth(auth_id):
return s.recorder[0], TPE_OK return s.recorder[0], TPE_OK
def get_remotes(handler, sql_filter, sql_order, sql_limit):
"""
获取当前登录用户的可以远程登录的主机及账号
步骤
1. 查询满足条件的项用户->账号按授权策略顺序排序
2. 在此基础上选出非重复的用户->账号关系项
3. 继续在上一步基础上选出非重复的主机项
4. 为每一个主机查询满足条件的账号项
"""
operator = handler.get_current_user()
db = get_db()
######################################################
# step 1.
######################################################
s1 = []
s1.append('SELECT * FROM {}ops_map'.format(db.table_prefix))
s1_where = []
s1_where.append('u_id={}'.format(operator.id))
s1_where.append('p_state={state}'.format(state=TP_STATE_NORMAL))
s1.append('WHERE ({})'.format(') AND ('.join(s1_where)))
s1.append('ORDER BY p_rank DESC')
sql_1 = ' '.join(s1)
######################################################
# step 2.
######################################################
sql_2 = 'SELECT * FROM ({}) AS s1 GROUP BY ua_id'.format(sql_1)
_f = ['id', 'p_id', 'h_id', 'h_state', 'gh_state', 'h_name', 'ip', 'router_ip', 'router_port']
######################################################
# step 3.
######################################################
sql = []
sql.append('SELECT {}'.format(','.join(_f)))
sql.append('FROM')
sql.append('({}) AS s2'.format(sql_2))
sql.append('GROUP BY h_id')
sql.append('ORDER BY ip')
sql.append('LIMIT {},{}'.format(sql_limit['page_index'] * sql_limit['per_page'], sql_limit['per_page']))
sql.append(';')
sql_counter = []
sql_counter.append('SELECT COUNT(*)')
sql_counter.append('FROM')
sql_counter.append('({}) AS s3'.format(sql_2))
sql_counter.append('GROUP BY h_id')
sql_counter.append(';')
db_ret = db.query(' '.join(sql_counter))
if db_ret is None or len(db_ret) == 0:
return TPE_OK, 0, 1, []
total = len(db_ret)
ret_recorder = [] # 用于构建最终返回的数据
h_ids = [] # 涉及到的主机的ID列表
db_ret = db.query(' '.join(sql))
if db_ret is None:
return TPE_OK, 0, 1, []
for db_item in db_ret:
item = AttrDict()
for i in range(len(_f)):
item[_f[i]] = db_item[i]
item.accounts_ = []
ret_recorder.append(item)
h_ids.append(item.h_id)
######################################################
# step 4.
######################################################
host_ids = [str(i) for i in h_ids]
s4 = []
s4.append('SELECT * FROM {}ops_map'.format(db.table_prefix))
s4_where = []
s4_where.append('u_id={}'.format(operator.id))
s4_where.append('p_state={state}'.format(state=TP_STATE_NORMAL))
s4_where.append('h_id IN ({})'.format(','.join(host_ids)))
s4.append('WHERE ({})'.format(') AND ('.join(s4_where)))
s4.append('ORDER BY p_rank DESC')
sql_4 = ' '.join(s4)
sql = []
_f = ['id', 'uni_id', 'policy_auth_type', 'p_id', 'h_id', 'a_id', 'a_state', 'ga_state', 'a_name', 'protocol_type']
sql.append('SELECT {}'.format(','.join(_f)))
sql.append('FROM')
sql.append('({}) AS s4'.format(sql_4))
sql.append('GROUP BY ua_id')
sql.append(';')
db_ret = db.query(' '.join(sql))
if db_ret is None:
return TPE_OK, 0, 1, []
p_ids = [] # 涉及到的策略的ID列表
for db_item in db_ret:
item = AttrDict()
for i in range(len(_f)):
item[_f[i]] = db_item[i]
if item.p_id not in p_ids:
p_ids.append(item.p_id)
for j in range(len(ret_recorder)):
if ret_recorder[j].h_id == item.h_id:
ret_recorder[j].accounts_.append(item)
# 查询所有相关的授权策略的详细信息
# print('p-ids:', p_ids)
policy_ids = [str(i) for i in p_ids]
_f = ['id', 'flag_rdp', 'flag_ssh']
sql = []
sql.append('SELECT {}'.format(','.join(_f)))
sql.append('FROM {}ops_policy'.format(db.table_prefix))
sql.append('WHERE id IN ({})'.format(','.join(policy_ids)))
sql.append(';')
db_ret = db.query(' '.join(sql))
# print('', db_ret)
for db_item in db_ret:
item = AttrDict()
for i in range(len(_f)):
item[_f[i]] = db_item[i]
for i in range(len(ret_recorder)):
for j in range(len(ret_recorder[i].accounts_)):
if ret_recorder[i].accounts_[j].p_id == item.id:
ret_recorder[i].accounts_[j].policy_ = item
# print(json.dumps(ret_recorder, indent=' '))
return TPE_OK, total, sql_limit['page_index'], ret_recorder
def build_auz_map(): def build_auz_map():
_users = {} _users = {}
_hosts = {} _hosts = {}

85
server/www/teleport/webroot/app/model/ops.py
View File

@ -496,9 +496,89 @@ def get_auth(auth_id):
return s.recorder[0], TPE_OK return s.recorder[0], TPE_OK
def get_all_remotes(handler, sql_filter, sql_order, sql_limit):
s = SQL(get_db())
s.select_from('host', ['id', 'name', 'ip', 'router_ip', 'router_port', 'state'], alt_name='h')
str_where = ''
_where = list()
if len(sql_filter) > 0:
for k in sql_filter:
if k == 'state':
_where.append('h.state={}'.format(sql_filter[k]))
elif k == 'search':
_where.append('(h.name LIKE "%{k}%" OR h.ip LIKE "%{k}%" OR h.router_ip LIKE "%{k}%")'.format(k=sql_filter[k]))
if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where))
s.where(str_where)
if sql_order is not None:
_sort = False if not sql_order['asc'] else True
if 'id' == sql_order['name']:
s.order_by('h.id', _sort)
elif 'ip' == sql_order['name']:
s.order_by('h.ip', _sort)
elif 'name' == sql_order['name']:
s.order_by('h.name', _sort)
else:
log.e('unknown order field: {}\n'.format(sql_order['name']))
return TPE_PARAM, s.total_count, s.page_index, s.recorder
if len(sql_limit) > 0:
s.limit(sql_limit['page_index'], sql_limit['per_page'])
err = s.query()
if err != TPE_OK:
return err, 0, 1, []
ret = s.recorder
for h in ret:
h['h_id'] = h.id
h['h_state'] = TP_STATE_NORMAL
h['gh_state'] = TP_STATE_NORMAL
h['h_name'] = h.name
del h['id']
del h['name']
h['accounts_'] = []
sa = SQL(get_db())
sa.select_from('acc', ['id', 'protocol_type', 'protocol_port', 'username'], alt_name='a')
sa.where('a.host_id={}'.format(h.h_id))
sa.order_by('a.username', True)
err = sa.query()
if err != TPE_OK:
continue
for a in sa.recorder:
h['accounts_'].append({
'a_name': a.username,
'id': a.id,
'a_id': a.id,
'policy_auth_type': TP_POLICY_AUTH_USER_ACC,
'uni_id': 'none',
'a_state': TP_STATE_NORMAL,
'ga_state': TP_STATE_NORMAL,
'protocol_type': a.protocol_type,
'h_id': h.h_id,
'policy_': {
'flag_ssh': TP_FLAG_ALL,
'flag_rdp': TP_FLAG_ALL
}
})
# print(json.dumps(s.recorder, indent=' '))
return err, s.total_count, s.page_index, s.recorder
def get_remotes(handler, sql_filter, sql_order, sql_limit): def get_remotes(handler, sql_filter, sql_order, sql_limit):
""" """
获取当前登录用户的可以远程登录的主机及账号 获取当前登录用户的可以远程登录的主机及账号
远程连接列表的显示策略
1. 运维权限可以使用被授权的远程账号进行远程连接
2. 运维授权权限可以使用所有的远程账号进行远程连接
步骤 步骤
1. 查询满足条件的项用户->账号按授权策略顺序排序 1. 查询满足条件的项用户->账号按授权策略顺序排序
2. 在此基础上选出非重复的用户->账号关系项 2. 在此基础上选出非重复的用户->账号关系项
@ -506,6 +586,9 @@ def get_remotes(handler, sql_filter, sql_order, sql_limit):
4. 为每一个主机查询满足条件的账号项 4. 为每一个主机查询满足条件的账号项
""" """
operator = handler.get_current_user() operator = handler.get_current_user()
if (operator['privilege'] & TP_PRIVILEGE_OPS_AUZ) != 0:
return get_all_remotes(handler, sql_filter, sql_order, sql_limit)
db = get_db() db = get_db()
###################################################### ######################################################
@ -908,7 +991,7 @@ def build_auz_map():
for i in _map: for i in _map:
v = '("{uni_id}","{ua_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{h_state},{gh_id},{gh_state},{a_id},{a_state},{ga_id},{ga_state},' \ v = '("{uni_id}","{ua_id}",{p_id},{p_rank},{p_state},{policy_auth_type},{u_id},{u_state},{gu_id},{gu_state},{h_id},{h_state},{gh_id},{gh_state},{a_id},{a_state},{ga_id},{ga_state},' \
'"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port},"{a_name}",{protocol_type},{protocol_port})' \ '"{u_name}","{u_surname}","{h_name}","{ip}","{router_ip}",{router_port},"{a_name}",{protocol_type},{protocol_port})' \
''.format(uni_id=i.uni_id, ua_id=i.ua_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state,policy_auth_type=i.policy_auth_type, ''.format(uni_id=i.uni_id, ua_id=i.ua_id, p_id=i.p_id, p_rank=i.p_rank, p_state=i.p_state, policy_auth_type=i.policy_auth_type,
u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id, h_state=i.h_state, u_id=i.u_id, u_state=i.u_state, gu_id=i.gu_id, gu_state=i.gu_state, h_id=i.h_id, h_state=i.h_state,
gh_id=i.gh_id, gh_state=i.gh_state, a_id=i.a_id, a_state=i.a_state, ga_id=i.ga_id, ga_state=i.ga_state, gh_id=i.gh_id, gh_state=i.gh_state, a_id=i.a_id, a_state=i.a_state, ga_id=i.ga_id, ga_state=i.ga_state,
u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port, u_name=i.u_name, u_surname=i.u_surname, h_name=i.h_name, ip=i.ip, router_ip=i.router_ip, router_port=i.router_port,

8
server/www/teleport/webroot/app/model/record.py
View File

@ -22,14 +22,6 @@ def get_records(handler, sql_filter, sql_order, sql_limit, sql_restrict, sql_exc
2. 运维授权权限可以查看所有会话但不能审计 2. 运维授权权限可以查看所有会话但不能审计
3. 审计权限可以查看被授权的主机相关的会话且可以审计 3. 审计权限可以查看被授权的主机相关的会话且可以审计
4. 审计授权权限可以查看所有会话且可以审计 4. 审计授权权限可以查看所有会话且可以审计
:param handler:
:param sql_filter:
:param sql_order:
:param sql_limit:
:param sql_restrict:
:param sql_exclude:
:return:
""" """
allow_uid = 0 allow_uid = 0