二次开发Jumpserver,增加权限申请模块实现用户组归属,服务器及组授权,系统用户授权申请处理

这是jumpserver二次开发系列第三篇,主要实现用户权限的自主申请、审批和授权功能。有两种方式申请权限:

1、加入用户组,拥有与该用户组相同的权限(注意:这意味着申请人将继承该组下全部授权规则,审批时应按该组权限的最大范围来评估);

2、按资产、资产组及系统用户申请相应权限。

一、数据库模型设计

其中用户、用户组、资产、资产组及系统用户为 Jumpserver 原有各模块已定义的表,本文不再重复建表,只新增审批人、审批顺序、权限申请和审批记录四张表。

二、model代码

权限申请表与用户、用户组、资产、资产组及系统用户之间使用 ManyToManyField 定义多对多关系

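class Checker(models.Model):
    """An approver in the permission-request workflow.

    checker_um   -- unique identifier of the approver (presumably the
                    account name; the only mandatory field)
    checker_name -- display name, may be NULL
    checker_role -- free-text role label, may be NULL
    """
    checker_um = models.CharField(max_length=50, unique=True)
    checker_name = models.CharField(max_length=50, null=True)
    checker_role = models.CharField(max_length=100, null=True)

    def __unicode__(self):
        # checker_name is nullable; __unicode__ must return a string, so fall
        # back to the mandatory identifier instead of returning None.
        return self.checker_name or self.checker_um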


class CheckOrder(models.Model):
    """One step of the approval chain, mapping a position to an approver.

    check_order -- position number; unique, so each number is exactly one step
    checker     -- the Checker who acts at this step
    check_desc  -- optional description of the step
    """
    # presumably evaluated in ascending order by the approval views -- verify
    check_order = models.IntegerField(unique=True)
    checker = models.ForeignKey(Checker, related_name='check_order')
    check_desc = models.CharField(max_length=100, null=True)
   


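class RightApply(models.Model):
    """A permission request raised by a user.

    The objects the request is about (assets, asset groups, users, user
    groups and system-user roles) are attached through M2M relations;
    app_type distinguishes the two request flavours (asset permission vs.
    user-group membership).
    """
    app_name = models.CharField(max_length=100, unique=True)
    app_desc = models.CharField(max_length=100, null=True)
    # auto_now_add stamps the field once, on creation. The original auto_now
    # re-stamped it on every save (e.g. when finish_time is written on
    # approval), which destroyed the creation time an audit trail needs.
    # NOTE(review): TimeField holds time-of-day only, no date; a DateTimeField
    # is what an audit trail needs. Left as TimeField to avoid a schema change.
    insert_time = models.TimeField(auto_now_add=True)
    finish_time = models.TimeField(null=True)
    # Current approval step the request sits at (presumably; the views
    # that advance it are not shown here).
    checkorder = models.ForeignKey(CheckOrder, related_name='right_app')
    asset = models.ManyToManyField(Asset, related_name='right_app')
    asset_group = models.ManyToManyField(AssetGroup, related_name='right_app')
    # presumably the applicant(s) the rule will be granted to -- verify against
    # the apply views
    user = models.ManyToManyField(User, related_name='right_app')
    user_group = models.ManyToManyField(UserGroup, related_name='right_app')
    role = models.ManyToManyField(PermRole, related_name='right_app')
    APP_TYPE_CHOICES = (
        ('ZCQX', u'资产权限申请'),
        ('GPQX', u'用户组权限申请')
    )
    app_type = models.CharField(max_length=8, choices=APP_TYPE_CHOICES, default='ZCQX')

    def __unicode__(self):
        return self.app_name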


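class CheckList(models.Model):
    """Approval record for one step (CheckOrder) of one request (RightApply).

    check_status is a genuine tri-state (NullBooleanField): None, True or
    False. Presumably None = not yet decided, True = approved, False =
    rejected. Any code that grants access off this field must test for
    ``check_status is True`` explicitly so an undecided step can never be
    mistaken for an approved one.
    check_if -- presumably "this step has been processed"; defaults to False.
    """
    rightapply = models.ForeignKey(RightApply, related_name='check_list')
    checkorder = models.ForeignKey(CheckOrder, related_name='check_list')
    # auto_now_add: set once on creation. auto_now would overwrite it on every
    # save, i.e. each time the approver updates this row, losing the time the
    # step was opened. (TimeField has no date part -- NOTE(review): a
    # DateTimeField is needed for a usable audit trail; left to avoid a schema
    # change.)
    insert_time = models.TimeField(auto_now_add=True)
    finish_time = models.TimeField(null=True)
    check_status = models.NullBooleanField(null=True)
    check_if = models.NullBooleanField(default=False)
    check_desc = models.TextField(null=True)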

三、URLS

# Route table for the permission-request module: (regex, view name, url name).
# Kept as plain data so every entry is one line and the url() wrapping is uniform.
_rightapply_routes = (
    (r'^apply/list/$', 'apply_list', 'app_list'),
    (r'^apply/add/$', 'apply_add', 'app_add'),
    (r'^apply/add_by_gpqx/$', 'add_by_gpqx', 'add_by_gpqx'),
    (r'^apply/check_list/$', 'check_list', 'check_list'),
    (r'^apply/check_app/$', 'check_app', 'check_app'),
    (r'^apply/follow/$', 'follow_app', 'follow_app'),
    (r'^apply/app_detail/$', 'app_detail', 'app_detail'),
    (r'^apply/del/$', 'apply_del', 'app_del'),
    (r'^apply/rule_list/$', 'app_rule_list', 'app_rule_list'),
    (r'^apply/rule_detail/$', 'app_rule_detail', 'app_rule_detail'),
)

# NOTE(review): nothing in this URLconf restricts HTTP method or caller. The
# views behind apply_add, check_app and apply_del change authorization state,
# so they must enforce login, approver-role checks and CSRF themselves; those
# views are not visible here, so confirm before relying on them.
urlpatterns = patterns(
    'rightapply.views',
    *[url(regex, view, name=name) for regex, view, name in _rightapply_routes]
)

四、授权添加接口及邮件发送功能

 

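def perm_rule_add(assets_obj, asset_groups_obj, users_obj,
                  user_groups_obj, roles_obj, rule_name, rule_comment):
    """Create a PermRule and attach the given objects to it.

    Every *_obj parameter is a list of already-loaded model instances, e.g.
    ``users_obj = [User.objects.get(id=user_id) for user_id in users_select]``.

    Returns a JSON string ``{"result": bool, "Msg": str}``. Only ServerError
    is caught; database errors propagate to the caller.

    NOTE(review): this is the call that actually grants access and it does no
    authorization check of its own. The caller must verify that the RightApply
    has passed every CheckList step (check_status is True for each) before
    invoking it.
    """
    try:
        rule = PermRule(name=rule_name, comment=rule_comment)
        # The rule needs a primary key before M2M relations can be attached.
        rule.save()
        # Direct M2M assignment as used elsewhere in this code base (Django
        # < 2.0); newer Django requires ``.set()`` here.
        # TODO(review): if any assignment below fails, a PermRule with no
        # members is left behind -- wrap in transaction.atomic() if the
        # project's Django version provides it.
        rule.user = users_obj
        rule.user_group = user_groups_obj
        rule.asset = assets_obj
        rule.asset_group = asset_groups_obj
        rule.role = roles_obj
        rule.save()

        msg = u"添加授权规则:%s" % rule.name
        return json.dumps({'result': True, 'Msg': msg})
    except ServerError as e:
        # The exception object itself is not JSON-serialisable, so the original
        # error path raised TypeError from json.dumps instead of reporting the
        # failure; stringify it, and log with the traceback rather than at INFO.
        logger.exception(u"perm_rule_add failed: %s", e)
        return json.dumps({'result': False, 'Msg': u"%s" % e})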


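def app_send_mail(user, app, check_res, mail_type, host_url):
    """Send a notification e-mail for a permission request.

    user      -- recipient; ``user.name`` and ``user.email`` are used
    app       -- the RightApply; ``app.app_name`` is quoted in the body
    check_res -- approval result text, used only when mail_type == "user"
    mail_type -- "user": tell the applicant the result; "checker": ask an
                 approver to act. Any other value raises ValueError (the
                 original silently treated it as "checker").
    host_url  -- scheme+host prefix; the link is host_url + reverse(name)

    Raises ValueError for an unknown mail_type and propagates mail-backend
    errors (fail_silently=False).

    NOTE(review): host_url comes from the caller. If it is built from the
    request's Host header it must be validated (ALLOWED_HOSTS / a fixed
    setting), otherwise a spoofed Host turns the approval link into a
    phishing link. app_name is applicant-controlled text; it lands in a
    plain-text body, so no header injection here, but its content should be
    constrained at form level so approvers are not shown misleading text.
    """
    if mail_type == "user":
        mail_title = u'堡垒机权限申请审批结果'
        url = host_url + reverse('follow_app')
        mail_msg = u"""
        Hi, %s
            您的堡垒机权限申请: %s,
            %s,
            请登录系统查看:
            %s
        """ % (user.name, app.app_name, check_res, url)
    elif mail_type == "checker":
        mail_title = u'堡垒机权限申请审批'
        url = host_url + reverse('check_app')
        mail_msg = u"""
        Hi, %s
            堡垒机权限申请: %s,
            请您登录系统审批:
            %s
        """ % (user.name, app.app_name, url)
    else:
        raise ValueError("mail_type must be 'user' or 'checker', got %r" % (mail_type,))
    send_mail(mail_title, mail_msg, MAIL_FROM, [user.email], fail_silently=False)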

 

五、主要功能部分代码

原文地址:https://www.cnblogs.com/mageguoshi/p/5794057.html