作者: Clay　日期: 2023年4月19日　分类: 自动化工具　标签: jumpserver
# 二开 jumpserver podshell 登录

目的: 控制开发人员可以登录的权限

版本: v2.19.2

修改如下文件内容

diff -r old-apps/apps/applications/api/mixin.py new-apps/apps/applications/api/mixin.py
42c42
<     def serialize_applications_with_org(self, applications, tree_id, parent_info, user):
---
>     def serialize_applications_with_org(self, applications, tree_id, parent_info, user, login_username):
84c84
<         tree_nodes = KubernetesTree(tree_id).async_tree_node(parent_info)
---
>         tree_nodes = KubernetesTree(tree_id).async_tree_node(parent_info, login_username)

diff -r old-apps/apps/applications/utils/kubernetes_util.py new-apps/apps/applications/utils/kubernetes_util.py
14a15,16
> import requests
> import json
59,60c61,92
<     def get_pods(self):
<         api = self.get_api()
---
>     #def get_pods(self):
>     #    api = self.get_api()
>     #    try:
>     #        ret = api.list_pod_for_all_namespaces(watch=False, _request_timeout=(3, 3))
>     #    except MaxRetryError:
>     #        logger.warning('Kubernetes connection timed out')
>     #        return
>     #    except ApiException as e:
>     #        if e.status == 401:
>     #            logger.warning('Kubernetes User not authenticated')
>     #        else:
>     #            logger.warning(e)
>     #        return
>     #    data = {}
>     #    for i in ret.items:
>     #        namespace = i.metadata.namespace
>     #        pod_info = {
>     #            'pod_name': i.metadata.name,
>     #            'containers': [j.name for j in i.spec.containers]
>     #        }
>     #        if namespace in data:
>     #            data[namespace].append(pod_info)
>     #        else:
>     #            data[namespace] = [pod_info, ]
>     #    return data
>     def get_pods(self, login_username):
>         # 调用 外部系统,查看 用户具有 appid 的权限列表
>         xxx_api = "https://xxx/xxx_api/v1/auth/user/"
>         xxx_auth = "xxx"
>
>         res = requests.get(xxx_api+login_username+"/appid", headers={"Authorization": xxx_auth})
>         xxx_apps = []
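Review bot: The `res = requests.get(xxx_api+login_username+"/appid", ...)` line has no timeout and places the raw username straight into the URL path; the removed client call bounded its wait with `_request_timeout=(3, 3)`, and a username containing `/`, `?` or `#` now changes which resource is requested, so use `requests.get(xxx_api + quote(login_username, safe="") + "/appid", headers={"Authorization": xxx_auth}, timeout=(3, 3))` with `from urllib.parse import quote` — the same missing timeout applies to the two `requests.get` calls in the later hunks of this file. `xxx_auth` is an Authorization credential written as a literal in the method body; it should be read from settings or the environment rather than committed with the code. The request itself sits before the unchanged `try:` line, so a connection failure now propagates to the caller where the removed code caught `MaxRetryError`. The commented-out copy of the old `get_pods` above it can be dropped, since the old implementation remains in version control.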
62,64c94,102
<             ret = api.list_pod_for_all_namespaces(watch=False, _request_timeout=(3, 3))
<         except MaxRetryError:
<             logger.warning('Kubernetes connection timed out')
---
>             body = json.loads(res.text)
>             data = body["data"]
>             msg = body["message"]
>             code = body["code"]
>             if code != 200:
>                 print("调用 xxx 返回异常")
>                 return
>         except Exception as e:
>             print("调用 xxx 获取appid列表解析失败:"+str(e))
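Review bot: The `except Exception` branch logs and falls through, but `data` is only bound inside the `try`, so when `json.loads` or the `body["data"]` lookup fails the `for app in data:` loop in the next hunk raises NameError instead of returning an empty result; the branch should leave the function the way the `code != 200` branch already does, e.g. `logger.warning("xxx appid lookup failed: %s", e)` followed by `return`. `res.status_code` is never checked before parsing, so a 401 or 500 response with an HTML body only surfaces as a JSON error. The module already has `logger` (the removed lines used `logger.warning`), so these `print` calls — here and in the later hunks of this file — should go through it so the failures reach the JumpServer logs. `msg` is assigned but never used in this branch.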
66,70c104,118
<         except ApiException as e:
<             if e.status == 401:
<                 logger.warning('Kubernetes User not authenticated')
<             else:
<                 logger.warning(e)
---
>         finally:
>             res.close()
>         for app in data:
>             xxx_apps.append(app["id"])
>
>         # 调用k8s-resource-apis, 自封装的 api 接口
>         res_apps = set()
>         k8s_resource_api = "http://xxxx"
>         res = requests.get(k8s_resource_api+"/get-all-app-list/")
>         try:
>             body = json.loads(res.text)
>             data = body["data"]
>             msg = body["msg"]
>         except Exception as e:
>             print("调用k8sResourceApi获取appid列表解析失败:"+str(e))
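Review bot: If this second request returns 200 but its body does not parse, `data` and `msg` keep the values left by the first call (the list of appid dicts), and the `res_apps.add(item)` loop in the next hunk then raises TypeError on the unhashable dicts; bind `data = []` before the `try:` or `return` from the `except` so a failed fetch cannot be mistaken for a valid list. The same stale-`data` path exists for the per-app request in the next hunk. As written, `k8s_resource_api` is a plain `http://` endpoint queried without any credential, and the set of pods a user may open is derived from its answers — if the placeholder reflects the real deployment, that list should travel over an authenticated channel (TLS plus a service token), since the authorization intersection trusts whatever answers on that path. This request is also issued outside the `try:`, so a connection error propagates uncaught.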
72,80c120,157
<         data = {}
<         for i in ret.items:
<             namespace = i.metadata.namespace
<             pod_info = {
<                 'pod_name': i.metadata.name,
<                 'containers': [j.name for j in i.spec.containers]
<             }
<             if namespace in data:
<                 data[namespace].append(pod_info)
---
>         finally:
>             res.close()
>
>         if res.status_code == 200:
>             for item in data:
>                 res_apps.add(item)
>
>         # apps
>         apps = []
>         for item in xxx_apps:
>             if item in res_apps:
>                 apps.append(item)
>
>         # get pods
>         ctx = {}    # {"namespace": [{podname:aaaa, containers}]}
>         for appid in apps:
>             res = requests.get(k8s_resource_api+"/get-pods-by-app/"+appid+"/")
>             try:
>                 body = json.loads(res.text)
>                 data = body["data"]
>                 msg = body["msg"]
>             except Exception as e:
>                 print("调用k8sResourceApis获取appid-pods列表解析失败:"+str(e), appid)
>             finally:
>                 res.close()
>
>             if res.status_code == 200:
>                 try:
>                     for pod in data:            # key: pod-name, 原始data结构:{"pod-name": {"Ns": "xxx", "Containers": {"c-name": "c-id"}}}
>                         ns = data[pod]["Ns"]    # ns == "xxx"
>                         if ns not in ctx:
>                             ctx[ns] = []
>                         containers = []
>                         for c in data[pod]["Containers"]:
>                             containers.append(c)
>                         ctx[ns].append({"pod_name": pod, "containers": containers})
>                 except Exception as e:
>                     print("解析重组pod列表信息异常:"+str(e))
82,83c159,160
<                 data[namespace] = [pod_info, ]
<         return data
---
>                 print("调用k8sResourceApis获取pod列表返回状态异常:"+str(res.status_code)+" "+msg)
>         return ctx
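Review bot: The `print(... + msg)` line in the non-200 branch reports `msg` from whichever earlier response last parsed, because the `except` above it leaves `msg` untouched, so the logged reason can belong to a different call; log `res.status_code` and a bounded slice of `res.text` instead, or reset `msg` before each `try:`. `appid` is concatenated into the path on the `requests.get(k8s_resource_api+"/get-pods-by-app/"+appid+"/")` line — it is bounded by the intersection with `res_apps`, but `quote(appid, safe="")` keeps it safe if the resource API ever returns ids containing path characters. On style, `apps = [a for a in xxx_apps if a in res_apps]` and `containers = list(data[pod]["Containers"])` replace the two manual append loops, and `ctx.setdefault(ns, []).append(...)` replaces the `if ns not in ctx` check. The body of `get_pods` closes here; its opening lines are in the earlier hunks.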
86c163
<     def get_kubernetes_data(app_id, system_user_id):
---
>     def get_kubernetes_data(app_id, system_user_id, login_username):
91c168
<         return k8s.get_pods()
---
>         return k8s.get_pods(login_username)
153c230
<     def async_tree_node(self, parent_info):
---
>     def async_tree_node(self, parent_info, login_username):
160c237
<         data = KubernetesClient.get_kubernetes_data(app_id, system_user_id)
---
>         data = KubernetesClient.get_kubernetes_data(app_id, system_user_id, login_username)
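Review bot: `async_tree_node` now builds the tree only from pods the external appid list allows, but nothing in this diff touches the code path that actually opens a podshell session, so it is unclear whether the connection request is validated against the same appid set or only the tree display is narrowed; if the session endpoint does not repeat the check, the restriction is presentational and does not by itself prevent access to pods outside the list. Consider applying `get_pods(login_username)` (or a per-pod lookup against the same source) where the session is created. A docstring on `async_tree_node` should also state that `login_username` is the requesting user rather than the user whose permissions are being viewed; whether the two differ in this view cannot be confirmed from the diff.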

diff -r old-apps/apps/perms/api/application/user_permission/user_permission_applications.py new-apps/apps/perms/api/application/user_permission/user_permission_applications.py
59a60,64
>         login_username = ""
>         login_user = str(request.__dict__.get("_user", ""))
>         lft = login_user.split('(')
>         if len(lft) == 2:
>            login_username = lft[1].split(')')[0]
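Review bot: The requesting user's name is recovered by parsing `str(request.__dict__.get("_user", ""))` on the `(`/`)` delimiters, which ties an authorization input to the User model's `__str__` format; DRF exposes the authenticated user as `request.user`, so `login_username = getattr(request.user, "username", "") or ""` reads the field directly and cannot be thrown off by a display name that contains parentheses (today such a name yields `len(lft) != 2` and an empty username, which at least appears to fail closed). Reading `__dict__["_user"]` also bypasses the lazy authentication the `user` property performs, so the value can be absent even for an authenticated request. The `login_username = lft[1]...` line is indented eleven spaces under an eight-space `if`; the block should use four-space steps. The enclosing method starts above this hunk.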
64c69
<             queryset, tree_id, parent_info, self.user
---
>             queryset, tree_id, parent_info, self.user, login_username