
JumpServer ticket system: secondary development of ticket management, with open-source code

Views: 430 / 2024-12-10 17:53:50

Introduction

JumpServer is a popular open source bastion host: a 4A-compliant (account, authentication, authorization, audit) professional O&M security audit system. It lets organizations log in to and control all kinds of assets in a safer way, with pre-authorization, in-session monitoring and after-the-fact auditing, to meet MLPS (等保) compliance requirements.

 

Product Features
  • Open source: no barrier to entry, get it running online in minutes;
  • Distributed: easily supports large-scale concurrent access;
  • No plug-ins: browser only, a full Web Terminal experience;
  • Multi-cloud support: one system manages assets across different clouds;
  • Cloud storage: audit recordings are stored in the cloud and are never lost;
  • Multi-tenancy: one system shared by several subsidiaries and departments;
  • Multi-application support: databases, Windows remote applications, Kubernetes.

 

Background
  • Our company's Windows assets were reached through a commercial bastion host (Qizhi) bought eight years ago. It was old and its data was a mess.
  • There was also a JumpServer 1.4.10 instance, and its permissions were very confusing.
  • To query data, everyone connected to one shared Windows machine and then opened a database client from there. Each person also had many database accounts, and on the database side all sorts of accounts had been opened.
  • It was simply chaotic.
  • There was no audit trail either. Last time there was an incident, production data was deleted and emptied. The data was eventually restored from a backup, but some of it was missing. Fortunately it was not particularly important data.
  • After that, the leadership wanted this area cleaned up.

 

Plan

  • Build a new-version JumpServer to replace both the old JumpServer and the commercial Qizhi bastion host
  • From then on, Windows and Linux assets must be logged in to through the new JumpServer
  • Databases must also be logged in to through JumpServer, with permissions broken down per library

 

Design
  • The new JumpServer gives users access to the various servers and databases.
  • For databases, you still have to create accounts for each person on the database side, so on its own that is the same as before and no easier to manage.
  • What is needed is a rule. Once there is a rule, the whole thing becomes easier to maintain and easier to manage.

 

Server Privilege Design

  • Server permissions come in two kinds of account: app and root.
  • app is the regular user, root is the super user.
  • Each user gets an asset authorization created in JumpServer; the user can then be managed from there later.

Database Privilege Design

  • My design creates a new database account per user, named after the username; that account is what later receives the different privileges.
  • Then an asset authorization is created for each one, which is easy to manage later on.
  • Concretely, the database would contain a database account named jump_db_fanlichun_r
  • This jump_db_fanlichun_r user is then granted privileges, such as query or modification.
  • Finally, an asset authorization is created for this user in JumpServer, also named jump_db_fanlichun_r.
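How the naming rule and the library/table breakdown translate into MySQL statements, as an added example that is not code from the jumpserver-ticket repository: the function below takes one approved ticket and emits the CREATE USER and GRANT statements for the jump_db_<user>_<level> account. The privilege sets behind the r/rw levels, the host mask, and the function names are my assumptions, not something the post specifies.

```python
"""Generate the MySQL statements behind one approved database ticket.

Added example (not from jumpserver-ticket). Assumed: the r/rw privilege
sets, the host mask, and the helper names. It follows the post's naming rule
jump_db_<username>_<level> and narrows a ticket to a library or to single
tables instead of granting on the whole server.
"""
import re
import secrets

# Assumed mapping from the ticket's access level to MySQL privileges.
PRIVILEGE_SETS = {
    "r": ("SELECT",),
    "rw": ("SELECT", "INSERT", "UPDATE", "DELETE"),
}

# Characters allowed in unquoted MySQL identifiers; anything else is
# rejected outright rather than escaped, since the ticket form is user input.
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,64}$")


def _ident(name: str) -> str:
    """Validate and backtick-quote a schema or table identifier."""
    if not _IDENT.match(name):
        raise ValueError(f"invalid identifier: {name!r}")
    return f"`{name}`"


def account_name(username: str, level: str) -> str:
    """Map a JumpServer username to the DB account name used by the design."""
    if level not in PRIVILEGE_SETS:
        raise ValueError(f"unknown access level: {level!r}")
    if not _IDENT.match(username):
        raise ValueError(f"invalid username: {username!r}")
    name = f"jump_db_{username}_{level}"
    if len(name) > 32:  # MySQL limits user names to 32 characters
        raise ValueError("account name too long")
    return name


def build_grant_statements(username, level, database, tables=(),
                           host="192.0.2.10", password=None):
    """Return (account, password, [sql, ...]) for one ticket.

    `host` should be the address JumpServer connects from (192.0.2.10 is a
    placeholder), so the account is unusable except through the bastion.
    Empty `tables` means the whole library; otherwise one GRANT per table,
    so a request for two tables never widens into the whole schema.
    """
    account = account_name(username, level)
    # token_urlsafe only yields [A-Za-z0-9_-], so it is safe inside '...'
    password = password or secrets.token_urlsafe(24)
    privs = ", ".join(PRIVILEGE_SETS[level])
    user = f"'{account}'@'{host}'"
    stmts = [f"CREATE USER IF NOT EXISTS {user} IDENTIFIED BY '{password}';"]
    db = _ident(database)
    targets = [f"{db}.*"] if not tables else [f"{db}.{_ident(t)}" for t in tables]
    for target in targets:
        stmts.append(f"GRANT {privs} ON {target} TO {user};")
    stmts.append("FLUSH PRIVILEGES;")
    return account, password, stmts


if __name__ == "__main__":
    # Constructed sample ticket: read access to two tables in `orders`.
    _, pw, sql = build_grant_statements("fanlichun", "r", "orders", ["t_order", "t_item"])
    print("\n".join(sql))
```

The executing account only needs CREATE USER plus GRANT OPTION on the libraries being handed out, not root. Binding the new account to JumpServer's address is what makes the "database must be logged in to through JumpServer" rule enforceable at the database rather than by policy alone.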

 

Problem Reflection
  • Doing all of this by hand is not without hassle. Servers are fine, but databases are more work because the database account has to be granted privileges, which means logging in to the database and granting them.
  • So can we have an automated form that needs no human intervention?
  • I searched online and JumpServer does have a ticket (work order) system, but it is in the enterprise edition. I am at a small company and the enterprise edition costs tens of thousands a year, which is certainly not an option, unless your company is large and relies heavily on the JumpServer ticket system.
  • Many companies also have their own ticket system.
  • In the end I wrote my own ticket management system.

 

Showcase

(screenshots of the ticket pages; not reproduced in this text version)

Introduction to the Open Source Code
  1. A simple ticket (work order) request feature developed on top of JumpServer (v3.10.9).
  2. Users can request permissions for servers and MySQL libraries.
  3. MySQL permissions can be subdivided down to library and table.
  4. Authorization is created automatically, with no human intervention.

 

Software architecture
jumpserver core code
jumpserver lina (front-end) code

  1. I developed this on JumpServer v3.10.9.
  2. You can try another version; it basically touches only a few interfaces.
  3. As long as those interfaces stay the same, my simple ticket request feature will work.
  4. Just add the couple of new interfaces to your version of the code.
  5. Then add the new page on the front end.

 

Code Interface Introduction
# The main interfaces I added are the following

# They are all in this file
jumpserver-ticket/jumpserver-v3.10.9/apps/perms/urls/user_permission.py

# Specific interfaces


# Ticket requests added by me
# This interface returns all assets (nodes)
path('mytickets/getassets/', .get_all_node),

# This interface creates a ticket requesting a server
path('mytickets/apply/', api.perm_apply.perm_application),

# This interface creates a ticket requesting MySQL database permissions
path('mytickets/applydb/', api.perm_apply.perm_application_db),

# This interface lists your own ticket requests
path('mytickets/myapplication/', .my_application),

# This interface lets administrators view and approve user requests
path('mytickets/myapproval/', .my_myapproval),

# Integration with our own ticket platform

# These two interfaces exist because we have our own ticket platform,
# and I wrote them specifically for our developers to call.
# They create authorizations directly, without the approval step above,
# so only the ticket platform should be allowed to reach them.

# This interface creates server permissions
path('mytickets/createauthnodes/', .create_auth_nodes),
# This interface creates MySQL database permissions
path('mytickets/createauthmysql/', .create_auth_mysqls),

 

Installation Tutorial
If you want to install it, follow the instructions on the official website.

Rough steps:
  1. Download the code from the official website and modify it (or download my code)
  2. Build the core code first: docker build -f Dockerfile-ce -t jumpserver/mycore-ce-v3-2:v3.10.9 . This produces an image
  3. Build the lina front-end code with yarn build. This produces a lina directory

 

Deployment of CORE:
# Go to the docker compose folder
cd /opt/jumpserver-installer-v3.10.8/compose

# Batch-replace the core image tag in the compose files
# (this edits every file in the directory, so back it up first)
sed -i "s/mycore-ce-v3-1/mycore-ce-v3-2/g" *
cd ..

# Stop the services
./ stop

# Start the services
./ start

 

Deployment of lina:
# The front-end build outputs a lina folder
# So you could write another Dockerfile that takes the original lina image and copies this folder in

# I took the simplest route: copy the files into the container and reload nginx
# The downside is that when the container is recreated, the lina files you copied in are gone and you have to copy them again
# There are many ways to do it; pick whichever you prefer

docker cp lina  7309df137aff:/tmp/lina
docker exec -it 7309df137aff bash
# inside the container, in the directory that holds the served lina folder
rm -rf lina
mv /tmp/lina .

nginx -t
nginx -s reload

 

And that's how it's deployed.

 

Modify Configuration
  1. Download my code
  2. Change the password of the account that connects to the database. You need a database account with enough privileges to create users and grant privileges (in MySQL that means CREATE USER plus GRANT OPTION on the libraries you hand out), or you can use a root account.
  3. Search the global file for the line db_user and change the username and password to the account you have access to.
  4. Then change the token used to call your own JumpServer interface. Since I did not read the JumpServer code closely, I did this by a trick: the code calls the interface directly from the global file; search for the admin_token line and replace the token with your own.
  5. For how to get the token, see the official JumpServer documentation and choose the private_token method (official JumpServer documentation for creating tokens).
  6. Then follow my installation steps above and you are done.

Note: a private token carries the full rights of the account it belongs to, so the global file holding admin_token and the database password must be readable only by the service; issuing the token to a dedicated API account rather than the admin account limits the damage if it leaks.
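What the admin_token call looks like when it creates the asset authorization from the server and database privilege designs, as an added example that is not the jumpserver-ticket code: the functions below build the request body for one approved ticket and POST it with a private token. The endpoint path /api/v1/perms/asset-permissions/, the payload field names, the "Authorization: Token ..." header format and the environment variable names are my assumptions about JumpServer v3, not something the post confirms.

```python
"""Create a JumpServer asset permission for an approved ticket via the REST API.

Added example; not code from jumpserver-ticket. Assumptions, not confirmed by
the post: the v3 endpoint /api/v1/perms/asset-permissions/, the payload field
names, and that a private token is sent as "Authorization: Token <token>".
The token and URL are read from the environment instead of an admin_token
line in a global file.
"""
import json
import os
from datetime import datetime, timedelta, timezone

API_PATH = "/api/v1/perms/asset-permissions/"  # assumed JumpServer v3 endpoint


def auth_headers(token: str) -> dict:
    """Private-token header (assumed format)."""
    if not token:
        raise ValueError("empty API token")
    return {"Authorization": f"Token {token}", "Content-Type": "application/json"}


def permission_payload(name, user_ids, asset_ids, account, days=30, actions=("connect",)):
    """Body for one asset permission (field names assumed).

    One user, the assets named in the ticket, exactly one account on those
    assets (app, root, or a jump_db_<user>_<level> database account) and an
    expiry, so a ticket-created grant lapses instead of staying open forever.
    """
    if not user_ids or not asset_ids:
        raise ValueError("a ticket must name at least one user and one asset")
    if days <= 0:
        raise ValueError("expiry must lie in the future")
    now = datetime.now(timezone.utc)
    return {
        "name": name,
        "users": list(user_ids),
        "assets": list(asset_ids),
        "accounts": [account],
        "actions": list(actions),
        "is_active": True,
        "date_start": now.isoformat(),
        "date_expired": (now + timedelta(days=days)).isoformat(),
    }


def create_permission(session, base_url, token, payload):
    """POST the payload and return the created object as a dict.

    `session` is anything with a requests-style .post() (a requests.Session
    in production); injecting it keeps the function testable with no server.
    """
    url = base_url.rstrip("/") + API_PATH
    resp = session.post(url, headers=auth_headers(token),
                        data=json.dumps(payload), timeout=10)
    if resp.status_code != 201:
        raise RuntimeError(f"asset permission not created: HTTP {resp.status_code}")
    return resp.json()


if __name__ == "__main__":
    # Hypothetical environment variables for a real run against a live instance.
    import requests
    body = permission_payload(
        "jump_db_fanlichun_r",
        [os.environ["JMS_USER_ID"]], [os.environ["JMS_ASSET_ID"]],
        "jump_db_fanlichun_r")
    print(create_permission(requests.Session(), os.environ["JMS_URL"],
                            os.environ["JMS_TOKEN"], body))
```

The expiry is the part worth keeping whatever field names your version uses: a ticket that grants access forever recreates the "permissions are very confusing" state the rebuild was meant to end, and JumpServer already enforces date_expired on its side.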

 

Open source repository

jumpserver-Ticket

/ccsang/jumpserver-ticket 

Concluding remarks
If anyone is interested, let's talk.
Or if you have any questions, please leave a comment.

This is just a small feature I wrote in the course of my work; may it be useful to you.
Let's make progress and grow together!