审计授权功能可以按用户区分显示的列表内容了。

pull/105/head
Apex Liu 2017-12-21 00:05:26 +08:00
parent 001cf53e8f
commit aedb6099a0
7 changed files with 66 additions and 39 deletions


@ -80,7 +80,7 @@ $app.create_controls = function () {
}, },
{ {
t: '审计', i: [ t: '审计', i: [
{n: '审计(回放操作录像)', p: TP_PRIVILEGE_AUDIT_OPS_HISTORY}, {n: '审计(回放操作录像)', p: TP_PRIVILEGE_AUDIT},
{n: '审计授权管理', p: TP_PRIVILEGE_AUDIT_AUZ}] {n: '审计授权管理', p: TP_PRIVILEGE_AUDIT_AUZ}]
}, },
{ {


@ -136,7 +136,7 @@ var TP_PRIVILEGE_OPS_AUZ = 0x00001000;// # 远程主机运维授权管理
var TP_PRIVILEGE_SESSION_BLOCK = 0x00002000;// # 阻断在线会话 var TP_PRIVILEGE_SESSION_BLOCK = 0x00002000;// # 阻断在线会话
var TP_PRIVILEGE_SESSION_VIEW = 0x00004000;// # 查看在线会话 var TP_PRIVILEGE_SESSION_VIEW = 0x00004000;// # 查看在线会话
var TP_PRIVILEGE_AUDIT_OPS_HISTORY = 0x00008000;// # 审计(查看历史会话) var TP_PRIVILEGE_AUDIT = 0x00008000;// # 审计(查看历史会话)
var TP_PRIVILEGE_AUDIT_AUZ = 0x00010000;// # 审计策略授权管理 var TP_PRIVILEGE_AUDIT_AUZ = 0x00010000;// # 审计策略授权管理
//var TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000;// # 查看系统日志 //var TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000;// # 查看系统日志
@ -161,7 +161,7 @@ var TP_PRIVILEGES = [
TP_PRIVILEGE_OPS_AUZ, TP_PRIVILEGE_OPS_AUZ,
TP_PRIVILEGE_SESSION_BLOCK, TP_PRIVILEGE_SESSION_BLOCK,
TP_PRIVILEGE_SESSION_VIEW, TP_PRIVILEGE_SESSION_VIEW,
TP_PRIVILEGE_AUDIT_OPS_HISTORY, TP_PRIVILEGE_AUDIT,
TP_PRIVILEGE_AUDIT_AUZ, TP_PRIVILEGE_AUDIT_AUZ,
//TP_PRIVILEGE_AUDIT_SYSLOG, //TP_PRIVILEGE_AUDIT_SYSLOG,
TP_PRIVILEGE_SYS_ROLE, TP_PRIVILEGE_SYS_ROLE,


@ -98,7 +98,7 @@
'name': '审计授权', 'name': '审计授权',
}, },
{ {
'privilege': const.TP_PRIVILEGE_AUDIT_OPS_HISTORY | const.TP_PRIVILEGE_OPS, 'privilege': const.TP_PRIVILEGE_AUDIT | const.TP_PRIVILEGE_OPS,
'id': 'record', 'id': 'record',
'link': '/audit/record', 'link': '/audit/record',
'name': '会话审计', 'name': '会话审计',


@ -649,22 +649,6 @@ class DatabaseInit:
# gh_id: 主机组ID # gh_id: 主机组ID
f.append('`gh_id` int(11) DEFAULT 0') f.append('`gh_id` int(11) DEFAULT 0')
# 后续字段仅用于显示
# u_name: 用户登录名
f.append('`u_name` varchar(32) DEFAULT ""')
# u_surname: 用户姓名
f.append('`u_surname` varchar(64) DEFAULT ""')
# h_name: 主机名称
f.append('`h_name` varchar(64) DEFAULT ""')
# ip: IP地址
f.append('`ip` varchar(40) NOT NULL')
# router_ip: 路由IP
f.append('`router_ip` varchar(40) DEFAULT ""')
# router_port: 路由端口
f.append('`router_port` int(11) DEFAULT 0')
self._db_exec( self._db_exec(
'创建审计授权映射表...', '创建审计授权映射表...',
'CREATE TABLE `{}audit_map` ({});'.format(self.db.table_prefix, ','.join(f)) 'CREATE TABLE `{}audit_map` ({});'.format(self.db.table_prefix, ','.join(f))
@ -813,7 +797,7 @@ class DatabaseInit:
privilege_admin = TP_PRIVILEGE_ALL privilege_admin = TP_PRIVILEGE_ALL
privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS privilege_ops = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_OPS
privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT_OPS_HISTORY privilege_audit = TP_PRIVILEGE_LOGIN_WEB | TP_PRIVILEGE_AUDIT
self._db_exec( self._db_exec(
'创建默认角色', '创建默认角色',
[ [


@ -152,7 +152,7 @@ TP_PRIVILEGE_OPS_AUZ = 0x00001000 # 远程主机运维授权管理
TP_PRIVILEGE_SESSION_BLOCK = 0x00002000 # 阻断在线会话 TP_PRIVILEGE_SESSION_BLOCK = 0x00002000 # 阻断在线会话
TP_PRIVILEGE_SESSION_VIEW = 0x00004000 # 查看在线会话 TP_PRIVILEGE_SESSION_VIEW = 0x00004000 # 查看在线会话
TP_PRIVILEGE_AUDIT_OPS_HISTORY = 0x00008000 # 审计(查看历史会话) TP_PRIVILEGE_AUDIT = 0x00008000 # 审计(查看历史会话)
TP_PRIVILEGE_AUDIT_AUZ = 0x00010000 # 审计策略授权管理 TP_PRIVILEGE_AUDIT_AUZ = 0x00010000 # 审计策略授权管理
# TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000 # 查看系统日志 # TP_PRIVILEGE_AUDIT_SYSLOG = 0x00020000 # 查看系统日志


@ -17,7 +17,7 @@ def get_free_space_bytes(folder):
""" Return folder/drive free space (in bytes) """ Return folder/drive free space (in bytes)
""" """
try: try:
total, used, free = shutil.disk_usage(folder) total, _, free = shutil.disk_usage(folder)
return total, free return total, free
except: except:
return 0, 0 return 0, 0
@ -406,7 +406,7 @@ class DoRemoveMembersHandler(TPBaseJsonHandler):
class RecordHandler(TPBaseHandler): class RecordHandler(TPBaseHandler):
def get(self): def get(self):
ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT)
if ret != TPE_OK: if ret != TPE_OK:
return return
@ -426,7 +426,7 @@ class RecordHandler(TPBaseHandler):
class DoGetRecordsHandler(TPBaseJsonHandler): class DoGetRecordsHandler(TPBaseJsonHandler):
def post(self): def post(self):
ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT)
if ret != TPE_OK: if ret != TPE_OK:
return return
@ -482,22 +482,13 @@ class DoGetRecordsHandler(TPBaseJsonHandler):
except: except:
return self.write_json(TPE_PARAM) return self.write_json(TPE_PARAM)
err, total, row_data = record.get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude) err, total, row_data = record.get_records(self, sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude)
ret = dict() ret = dict()
ret['page_index'] = sql_limit['page_index'] ret['page_index'] = sql_limit['page_index']
ret['total'] = total ret['total'] = total
ret['data'] = row_data ret['data'] = row_data
self.write_json(err, data=ret) self.write_json(err, data=ret)
# err, total, record_list = record.get_records(filter, order, _limit)
# if err != TPE_OK:
# return self.write_json(err)
# ret = dict()
# ret['page_index'] = limit['page_index']
# ret['total'] = total
# ret['data'] = record_list
# return self.write_json(0, data=ret)
class ReplayHandler(TPBaseHandler): class ReplayHandler(TPBaseHandler):
def get(self, protocol, record_id): def get(self, protocol, record_id):
@ -530,7 +521,7 @@ class ReplayHandler(TPBaseHandler):
class ComandLogHandler(TPBaseHandler): class ComandLogHandler(TPBaseHandler):
@tornado.gen.coroutine @tornado.gen.coroutine
def get(self, protocol, record_id): def get(self, protocol, record_id):
ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT)
if ret != TPE_OK: if ret != TPE_OK:
return return
@ -599,7 +590,7 @@ class ComandLogHandler(TPBaseHandler):
class DoGetRecordHeaderHandler(TPBaseJsonHandler): class DoGetRecordHeaderHandler(TPBaseJsonHandler):
@tornado.gen.coroutine @tornado.gen.coroutine
def post(self): def post(self):
ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY) ret = self.check_privilege(TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT)
if ret != TPE_OK: if ret != TPE_OK:
return return
@ -652,7 +643,7 @@ class DoGetFileHandler(TPBaseHandler):
log.v('--{}\n'.format(self.request.uri)) log.v('--{}\n'.format(self.request.uri))
require_privilege = TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT_OPS_HISTORY require_privilege = TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT
# sid = self.get_argument('sid', None) # sid = self.get_argument('sid', None)
# if sid is None: # if sid is None:
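Review bot: The per-user visibility rule this commit introduces lives only in `record.get_records`, which `DoGetRecordsHandler.post` calls; `ReplayHandler`, `ComandLogHandler`, `DoGetRecordHeaderHandler` and `DoGetFileHandler` still gate solely on the coarse `TP_PRIVILEGE_OPS | TP_PRIVILEGE_OPS_AUZ | TP_PRIVILEGE_AUDIT_AUZ | TP_PRIVILEGE_AUDIT` set. Their bodies continue outside these hunks, so if they do not re-check that the requested record_id belongs to the caller's own sessions or audited hosts, the list filter hides a record that a direct request for it still returns; the ownership/host check should be factored into one helper that both the list query and the per-record handlers call, so the two paths cannot drift. Passing the tornado handler itself into `record.get_records(self, ...)` also couples the data layer to the web layer; in the visible part of `get_records` only `handler.get_current_user()` is used, so passing `self.get_current_user()` and taking a `user` parameter would keep the model free of request objects.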


@ -14,7 +14,52 @@ from app.base.utils import tp_timestamp_utc_now
import tornado.gen import tornado.gen
def get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude): def get_records(handler, sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
"""
获取会话列表
会话审计列表的显示策略下列的`审计`操作指为会话做标记置为保留状态写备注等
1. 运维权限可以查看自己的会话但不能审计
2. 运维授权权限可以查看所有会话但不能审计
3. 审计权限可以查看被授权的主机相关的会话且可以审计
4. 审计授权权限可以查看所有会话且可以审计
:param handler:
:param sql_filter:
:param sql_order:
:param sql_limit:
:param sql_restrict:
:param sql_exclude:
:return:
"""
allow_uid = 0
allow_hids = list()
allow_all = False
user = handler.get_current_user()
if (user['privilege'] & TP_PRIVILEGE_OPS_AUZ) != 0 or (user['privilege'] & TP_PRIVILEGE_AUDIT_AUZ) != 0:
allow_all = True
if not allow_all:
if (user['privilege'] & TP_PRIVILEGE_OPS) != 0:
allow_uid = user.id
if (user['privilege'] & TP_PRIVILEGE_AUDIT) != 0:
s = SQL(get_db())
s.select_from('audit_map', ['h_id'], alt_name='a')
s.where(
'a.p_state={enable_state} AND'
'('
'((a.policy_auth_type={U2H} OR a.policy_auth_type={U2HG}) AND a.u_state={enable_state}) OR '
'((a.policy_auth_type={UG2H} OR a.policy_auth_type={UG2HG}) AND a.u_state={enable_state} AND a.gu_state={enable_state})'
')'.format(enable_state=TP_STATE_NORMAL, U2H=TP_POLICY_AUTH_USER_HOST, U2HG=TP_POLICY_AUTH_USER_gHOST, UG2H=TP_POLICY_AUTH_gUSER_HOST, UG2HG=TP_POLICY_AUTH_gUSER_gHOST))
err = s.query()
if err != TPE_OK:
return err, 0, []
for h in s.recorder:
if h.h_id not in allow_hids:
allow_hids.append(h.h_id)
if allow_uid == 0 and len(allow_hids) == 0:
return TPE_FAILED, 0, []
s = SQL(get_db()) s = SQL(get_db())
s.select_from('record', ['id', 'sid', 'user_id', 'host_id', 'acc_id', 'state', 'user_username', 'user_surname', 'host_ip', 'conn_ip', 'conn_port', 'client_ip', 'acc_username', 'protocol_type', 'protocol_sub_type', 'time_begin', 'time_end'], alt_name='r') s.select_from('record', ['id', 'sid', 'user_id', 'host_id', 'acc_id', 'state', 'user_username', 'user_surname', 'host_ip', 'conn_ip', 'conn_port', 'client_ip', 'acc_username', 'protocol_type', 'protocol_sub_type', 'time_begin', 'time_end'], alt_name='r')
@ -42,6 +87,13 @@ def get_records(sql_filter, sql_order, sql_limit, sql_restrict, sql_exclude):
# elif k == 'search_record': # elif k == 'search_record':
# _where.append('(h.name LIKE "%{}%" OR h.ip LIKE "%{}%" OR h.router_addr LIKE "%{}%" OR h.desc LIKE "%{}%" OR h.cid LIKE "%{}%")'.format(sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k])) # _where.append('(h.name LIKE "%{}%" OR h.ip LIKE "%{}%" OR h.router_addr LIKE "%{}%" OR h.desc LIKE "%{}%" OR h.cid LIKE "%{}%")'.format(sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k], sql_filter[k]))
if not allow_all:
if allow_uid != 0:
_where.append('r.user_id={uid}'.format(uid=allow_uid))
if len(allow_hids) > 0:
hids = [str(h) for h in allow_hids]
_where.append('r.host_id IN ({hids})'.format(hids=','.join(hids)))
if len(_where) > 0: if len(_where) > 0:
str_where = '( {} )'.format(' AND '.join(_where)) str_where = '( {} )'.format(' AND '.join(_where))
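Review bot: The audit_map query that fills `allow_hids` is not constrained to the current user — its WHERE clause checks only the policy, user and group state columns, so every host appearing in any enabled audit policy is collected and an AUDIT-only user can list sessions for hosts that were authorized to someone else, contradicting rule 3 of the new docstring; add a condition on the current user's id to that WHERE (placeholder `a.<user_id_column>={uid}` — the actual audit_map column name is not visible here). Two further defects in the same function: `user` is indexed as a mapping everywhere else (`user['privilege']`) but `allow_uid = user.id` reads an attribute, which raises for OPS-only users unless `get_current_user()` returns an attribute-access object, so it should be `allow_uid = user['id']`; and the second hunk appends the uid and host-id restrictions to `_where`, which is joined with `' AND '`, so a user holding both OPS and AUDIT is narrowed to their own sessions on audited hosts instead of the union the docstring describes. The rewrite below builds that scope as a single OR group; `get_records` continues past the end of the second hunk.

```python
        if (user['privilege'] & TP_PRIVILEGE_OPS) != 0:
            allow_uid = user['id']
        # … unchanged: audit_map query (add the current-user condition to its WHERE, see note) …
    # … unchanged: record SELECT, filter/order handling …
    if not allow_all:
        # own sessions OR sessions on audited hosts — not their intersection
        scope = []
        if allow_uid != 0:
            scope.append('r.user_id={uid}'.format(uid=allow_uid))
        if allow_hids:
            hids = ','.join(str(h) for h in allow_hids)
            scope.append('r.host_id IN ({hids})'.format(hids=hids))
        _where.append('({})'.format(' OR '.join(scope)))
```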