python的学习第十三天 一个堡垒机
堡垒机功能实现需求
业务需求:
- 兼顾业务安全目标与用户体验,堡垒机部署后,不应使用户访问业务系统的访问变的复杂,否则工作将很难推进,因为没人喜欢改变现状,尤其是改变后生活变得更艰难
- 保证堡垒机稳定安全运行, 没有100%的把握,不要上线任何新系统,即使有100%把握,也要做好最坏的打算,想好故障预案
功能需求:
- 所有的用户操作日志要保留在数据库中
- 每个用户登录堡垒机后,只需要选择具体要访问的设备,就连接上了,不需要再输入目标机器的访问密码(这意味着目标机器的凭据由堡垒机代为保管,这些凭据在数据库中必须加密存储,不能明文保存)
- 允许用户对不同的目标设备有不同的访问权限,例:
- 对10.0.2.34 有mysql 用户的权限
- 对192.168.3.22 有root用户的权限
- 对172.33.24.55 没任何权限
- 分组管理,即可以对设备进行分组,允许用户访问某组机器,但对组里的不同机器依然有不同的访问权限
设计表结构:

python代码实现创建结构:
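__author__ = "Alex Li"
import os

from sqlalchemy import Table, Column, Enum, Integer, String, DATE, ForeignKey, UniqueConstraint
from sqlalchemy import create_engine
from sqlalchemy.orm import relationship
from sqlalchemy.ext.declarative import declarative_base
from sqlalchemy_utils import ChoiceType
# from sqlalchemy.orm import sessionmaker

Base = declarative_base()

# Association (many-to-many) tables.  They carry only two foreign keys — no
# primary key and no unique constraint — so the same (user, host) or
# (host, group) pair can be inserted more than once; the application layer
# has to guard against duplicate grants.
user_m2m_bindhost = Table(
    'user_m2m_bindhost', Base.metadata,
    Column('userprofile_id', Integer, ForeignKey('user_profile.id')),
    Column('bindhost_id', Integer, ForeignKey('bind_host.id')),
)

bindhost_m2m_hostgroup = Table(
    'bindhost_m2m_hostgroup', Base.metadata,
    Column('bindhost_id', Integer, ForeignKey('bind_host.id')),
    Column('hostgroup_id', Integer, ForeignKey('host_group.id')),
)

# The Python name is user_m2m_hostgroup but the table is called
# 'userprofile_m2m_hostgroup'; UserProfile.host_groups refers to the table
# name, so keep the two in sync if either is ever renamed.
user_m2m_hostgroup = Table(
    'userprofile_m2m_hostgroup', Base.metadata,
    Column('userprofile_id', Integer, ForeignKey('user_profile.id')),
    Column('hostgroup_id', Integer, ForeignKey('host_group.id')),
)


class Host(Base):
    """A target machine reachable through the bastion: hostname, IP and SSH port."""
    __tablename__ = 'host'
    id = Column(Integer, primary_key=True)
    hostname = Column(String(64), unique=True)
    ip = Column(String(64), unique=True)
    port = Column(Integer, default=22)  # SSH port of the target

    def __repr__(self):
        return self.hostname


class HostGroup(Base):
    """A named group of BindHost entries; users can be granted a whole group."""
    __tablename__ = 'host_group'
    id = Column(Integer, primary_key=True)
    name = Column(String(64), unique=True)
    # Reverse side: BindHost.host_groups
    bind_hosts = relationship("BindHost", secondary="bindhost_m2m_hostgroup", backref="host_groups")

    def __repr__(self):
        return self.name


class RemoteUser(Base):
    """An account on a target host plus the secret the bastion uses to log in as it.

    The bastion authenticates to the target on the user's behalf, so this secret
    must be recoverable (unlike a login password, it cannot be a one-way hash).
    """
    __tablename__ = 'remote_user'
    # The (auth_type, username, password) triple is unique, so the same remote
    # username may appear several times with different secrets, e.g. a different
    # root password per host.
    __table_args__ = (UniqueConstraint('auth_type', 'username', 'password', name='_user_passwd_uc'),)
    id = Column(Integer, primary_key=True)
    AuthTypes = [
        ('ssh-password', 'SSH/Password'),
        ('ssh-key', 'SSH/KEY'),
    ]
    auth_type = Column(ChoiceType(AuthTypes))
    username = Column(String(32))
    # NOTE(review): this column holds the credential used to reach the target.
    # It should be stored encrypted at rest with the key kept outside the
    # database, never in clear text.  String(128) is also too short to hold a
    # PEM private key if 'ssh-key' rows keep key material here — confirm what
    # this column is meant to store for the ssh-key case.
    password = Column(String(128))

    def __repr__(self):
        return self.username


class BindHost(Base):
    """One (host, remote account) pair that can be granted to users or groups.

    Example: 192.168.1.11 as ``web`` and 192.168.1.11 as ``mysql`` are two
    distinct BindHost rows for the same Host.
    """
    __tablename__ = "bind_host"
    # A given remote account may be bound to a given host only once.
    __table_args__ = (UniqueConstraint('host_id', 'remoteuser_id', name='_host_remoteuser_uc'),)
    id = Column(Integer, primary_key=True)
    host_id = Column(Integer, ForeignKey('host.id'))
    # group_id = Column(Integer, ForeignKey('group.id'))
    remoteuser_id = Column(Integer, ForeignKey('remote_user.id'))
    # Reverse sides: Host.bind_hosts and RemoteUser.bind_hosts
    host = relationship("Host", backref="bind_hosts")
    # host_group = relationship("HostGroup", backref="bind_hosts")
    remote_user = relationship("RemoteUser", backref="bind_hosts")

    def __repr__(self):
        return "<%s -- %s >" % (self.host.ip, self.remote_user.username)


class UserProfile(Base):
    """A bastion login account and the BindHosts / HostGroups it may access.

    Effective access is the union of ``bind_hosts`` (direct grants) and the
    ``bind_hosts`` of every group in ``host_groups``.
    """
    __tablename__ = 'user_profile'
    id = Column(Integer, primary_key=True)
    username = Column(String(32), unique=True)
    # NOTE(review): this is the bastion login password.  It should hold a salted,
    # slow hash (e.g. hashlib.pbkdf2_hmac output), never the clear-text password;
    # nothing in this module enforces that, so the login code must.
    password = Column(String(128))
    # Reverse sides: BindHost.user_profiles and HostGroup.user_profiles
    bind_hosts = relationship("BindHost", secondary='user_m2m_bindhost', backref="user_profiles")
    host_groups = relationship("HostGroup", secondary="userprofile_m2m_hostgroup", backref="user_profiles")

    def __repr__(self):
        return self.username


# TODO: the requirements call for every user operation to be kept in the
# database; this table is still a stub.
# class AuditLog(Base):
#     pass


if __name__ == "__main__":
    # The DSN used to be hard-coded here with the MySQL root password.
    # Credentials do not belong in source control: take the full SQLAlchemy URL
    # from the environment instead, e.g.
    #   BASTION_DB_URL='mysql+pymysql://user:pw@host/oldboydb?charset=utf8'
    # and refuse to run (rather than fall back to a baked-in secret) if unset.
    db_url = os.environ.get("BASTION_DB_URL")
    if not db_url:
        raise SystemExit("BASTION_DB_URL is not set; refusing to run without a database URL")
    engine = create_engine(db_url)
    Base.metadata.create_all(engine)  # create the table structure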
完整示例代码(ALEX):
https://github.com/triaquae/py3_training/tree/master/%E5%A0%A1%E5%9E%92%E6%9C%BA