JumpServer, the popular open source bastion host, is a 4A-compliant (authentication, authorization, accounting, auditing) professional O&M security audit system. It lets organizations control and log in to all kinds of assets in a more secure way, with pre-authorization, session monitoring and auditing, so that they can meet MLPS (等保) compliance requirements.
Product Features
- Open source: no barrier to entry, quick online download and installation;
- Distributed: easily supports large-scale concurrent access;
- No plug-ins: browser only, a complete Web Terminal experience;
- Multi-cloud support: one system manages assets across different clouds at the same time;
- Cloud storage: audit recordings are stored in the cloud and are never lost;
- Multi-tenancy: one system shared by multiple subsidiaries and departments;
- Multi-application support: databases, Windows remote applications, Kubernetes.
Background
- Our company's Windows assets were all accessed through a commercial jump server bought about eight years ago. It was old and its data was a mess.
- There was also a JumpServer 1.4.10 instance, and its permissions were very confusing.
- Everyone who needed to query data connected to a shared Windows host and then opened a database client on it to reach the database. Each person also had many database accounts, and all sorts of accounts had been opened on the database side.
- It was simply chaotic.
- And there was no auditing. Then there was an incident in which a production database was deleted and emptied. The data was eventually restored from a backup, but some of it was lost. Fortunately the data was not particularly important.
- After that, the leadership wanted this area cleaned up.
Plan
- Build a new-version JumpServer to replace both the old JumpServer and the commercial jump server.
- From now on, Windows and Linux assets must be logged in to through the new JumpServer.
- Databases must also be logged in to through JumpServer, with permissions broken down per database.
Design
- A new JumpServer on its own only gives users a way to reach the various servers and databases.
- For databases you still have to go to the database and create accounts for each person, which is the same as before and not easy to manage.
- So there need to be rules. With rules, the whole thing becomes easier to maintain and easier to manage.
Server Privilege Design
- There are two kinds of server accounts: app and root.
- app is the regular user; root is the superuser.
- Each user gets an asset permission created in JumpServer. That permission can be managed later on.
Database Privilege Design
- My design is to create a new account on the database side named after the JumpServer username, and then grant that account the required privileges.
- An asset permission is then created in JumpServer for each such account, which is easy to manage later.
- For example, for the user fanlichun the database gets an account named jump_db_fanlichun_r.
- That jump_db_fanlichun_r account is then granted privileges, such as SELECT or UPDATE.
- Finally, an asset permission is created in JumpServer for this account, also named jump_db_fanlichun_r.
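Here is how the naming rule and the per-database grants above can be generated mechanically, as an added example of my own rather than code from jumpserver-ticket. It assumes MySQL, a `_r`/`_rw` suffix convention (the page only shows `_r`), a DB-API driver such as pymysql that interpolates parameters client-side, and a host pattern of `%`, which in practice should be narrowed to the JumpServer component that connects to the database. Ticket fields are user input, so identifiers are validated before they are placed in a GRANT:

```python
import re
import secrets

# Allowed shape for usernames, database and table names taken from a ticket.
# Ticket fields are user-controlled, so anything that is not a plain
# identifier is rejected before it can reach a GRANT statement.
_IDENT = re.compile(r"^[A-Za-z0-9_]{1,64}$")

# Privilege sets per account kind. Assumed convention: _r read-only,
# _rw read/write; the page itself only shows the _r suffix.
PRIVILEGES = {
    "r": ("SELECT",),
    "rw": ("SELECT", "INSERT", "UPDATE", "DELETE"),
}


def _ident(name: str) -> str:
    """Validate and backtick-quote one identifier coming from a ticket."""
    if not _IDENT.match(name):
        raise ValueError(f"illegal identifier: {name!r}")
    return f"`{name}`"


def db_account_name(username: str, mode: str) -> str:
    """Build jump_db_<username>_<mode>, e.g. jump_db_fanlichun_r."""
    if mode not in PRIVILEGES:
        raise ValueError(f"unknown mode: {mode!r}")
    if not _IDENT.match(username):
        raise ValueError(f"illegal username: {username!r}")
    account = f"jump_db_{username}_{mode}"
    if len(account) > 32:  # MySQL limit on user name length
        raise ValueError(f"account name too long: {account!r}")
    return account


def build_grant_plan(username, database, tables, mode, host="%", password=None):
    """Return (account, password, [(sql, params), ...]) for one approved ticket.

    An empty tables list means the whole database. host="%" is an assumption;
    restrict it to the address JumpServer connects from. The account/host
    placeholders rely on client-side interpolation (pymysql does this), so
    they end up as quoted literals in the statement the server sees.
    """
    account = db_account_name(username, mode)
    password = password or secrets.token_urlsafe(24)
    privs = ", ".join(PRIVILEGES[mode])
    stmts = [
        ("CREATE USER IF NOT EXISTS %s@%s IDENTIFIED BY %s", (account, host, password)),
        # Re-requesting rotates the password instead of silently keeping the old one.
        ("ALTER USER %s@%s IDENTIFIED BY %s", (account, host, password)),
    ]
    if tables:
        targets = [f"{_ident(database)}.{_ident(t)}" for t in tables]
    else:
        targets = [f"{_ident(database)}.*"]
    for target in targets:
        stmts.append((f"GRANT {privs} ON {target} TO %s@%s", (account, host)))
    stmts.append(("FLUSH PRIVILEGES", ()))
    return account, password, stmts


def apply_grant_plan(cursor, stmts):
    """Run the plan with a DB-API cursor; this is what an approval handler calls."""
    for sql, params in stmts:
        cursor.execute(sql, params or None)
```

The generated password is what gets stored on the JumpServer account for the asset; the requester never sees it, which is the point of going through the bastion. The account used by `apply_grant_plan` needs only CREATE USER and GRANT OPTION on the databases it manages, not root.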
Problem Reflection
- Doing all of this by hand is not trouble-free. Servers are fine, but databases are more of a hassle because they involve authorizing a database account: you have to log in to the database and grant the privileges yourself.
- So can we turn this into an automated form that needs no human intervention?
- I searched online and JumpServer does have a ticket (work order) system, but it is in the enterprise edition, and I am at a small company; the enterprise edition costs a few tens of thousands (RMB) a year, which is out of the question unless you are a large company that genuinely depends on JumpServer's ticket system.
- Besides, many companies already have their own ticket system.
- So I ended up writing my own ticket management system.
Showcase
Introduction to the Open Source Code
- A simple ticket (permission request) feature developed on top of JumpServer v3.10.9.
- Users can request permissions for servers and MySQL databases.
- MySQL permissions can be broken down to the database and table level.
- Permissions are created automatically on approval, with no manual intervention.
Software Architecture
JumpServer core code
JumpServer lina (front-end) code
- I developed this against JumpServer v3.10.9.
- You can try another version; the change touches only a few interfaces.
- As long as those interfaces stay the same, my ticket feature will keep working.
- Just add the handful of new interfaces to your version of the core code,
- and add a new page to the front end.
Code Interface Introduction
The main interfaces I added are all in this file:
jumpserver-ticket/jumpserver-v3.10.9/apps/perms/urls/user_permission.py
The two integration interfaces at the end create permissions directly without going through the in-product approval step, so they must require authentication and only be reachable by the external ticket system's service account; otherwise anyone who can reach the API could grant themselves access.

```python
# Ticket requests added by me
# (the view module prefix before the leading dot is missing from the source listing
#  for all but the two perm_apply entries)

# Returns all assets
path('mytickets/getassets/', .get_all_node),
# Creates a ticket requesting a server
path('mytickets/apply/', api.perm_apply.perm_application),
# Creates a ticket requesting MySQL database permissions
path('mytickets/applydb/', api.perm_apply.perm_application_db),
# Lets a user view their own ticket requests
path('mytickets/myapplication/', .my_application),
# Lets administrators view and approve user requests
path('mytickets/myapproval/', .my_myapproval),

# Integration with an external ticket system
# These two exist because we have our own ticket system platform;
# I wrote them specifically for our developer.

# Creates server permissions
path('mytickets/createauthnodes/', .create_auth_nodes),
# Creates MySQL database permissions
path('mytickets/createauthmysql/', .create_auth_mysqls),
```
Installation Tutorial
If you want to install it, just follow the official instructions. The approximate steps:
- Download the code from the official site and apply the modifications (or download my code).
- Build the core image first with `docker build -f Dockerfile-ce -t jumpserver/mycore-ce-v3-2:v3.10.9 .`; this produces a Docker image.
- Build the lina front end with `yarn build`; this produces a lina directory.
Deploying the core:

```shell
# Go to the docker compose folder
cd /opt/jumpserver-installer-v3.10.8/compose
# Replace the core image in all compose files
sed -i "s/mycore-ce-v3-1/mycore-ce-v3-2/g" *
cd ..
# Stop and restart the services. The control script's name is dropped in the
# original; jmsctl.sh, the installer's standard script, is assumed here.
./jmsctl.sh stop
./jmsctl.sh start
```
Deploying lina:

```shell
# The front-end build produces a lina folder.
# You could write another Dockerfile that starts from the original lina image
# and copies this folder in. I took the simplest route: copy the files into
# the running container and reload nginx.
# The downside is that when the container is recreated, the changed lina code
# is gone and you have to copy it in again.
# There are many ways to do this; pick whichever you prefer.
docker cp lina 7309df137aff:/tmp/lina
docker exec -it 7309df137aff bash
# inside the container, in the directory that holds the served lina folder:
rm -rf lina
mv /tmp/lina .
nginx -t
nginx -s reload
```

And that's it for deployment.
Modify Configuration
- Download my code.
- Change the credentials of the account used to connect to the database. You need a database account with the privileges to create users and grant privileges (CREATE USER and GRANT OPTION), or you can use the root account, although a dedicated account limited to those privileges is the safer choice.
- Search the global file for the line db_user and change the username and password to the account you have.
- Then you need to change the token used to call your own JumpServer API. Since I did not read JumpServer's code in full detail, I did this by a trick: the code calls the API directly. Search the global file for the line admin_token and replace the token with your own. This is an administrator token that can create permissions, so keep the file out of version control and restrict who can read it.
- For how to obtain the token, see the official JumpServer documentation and choose the private_token method (Official JumpServer documentation for creating tokens).
- Then follow my installation steps above and you're good to go.
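The integration interfaces create permissions by calling JumpServer's own REST API with the admin_token from the global file. Below is an added example of mine, not code from jumpserver-ticket or JumpServer, of the same call done with the private_token scheme, with the token read from an environment variable instead of being hardcoded. The endpoint `/api/v1/perms/asset-permissions/` and the body fields `users`, `assets`, `accounts` and `actions` are what I believe the v3 API uses but are assumptions here; verify them against the API docs of your own version. The environment variable name `JMS_ADMIN_TOKEN` is my choice:

```python
import json
import os
import urllib.request

# Assumed: JumpServer v3 endpoint and field names for asset permissions.
# Check them against the API docs of the version you run.
PERM_ENDPOINT = "/api/v1/perms/asset-permissions/"


def build_asset_permission(name, user_ids, asset_ids, account_names, actions=("connect",)):
    """Body for one asset permission: one ticket, one permission, named after
    the database account so it can be found and revoked later."""
    return {
        "name": name,
        "users": list(user_ids),
        "assets": list(asset_ids),
        "accounts": list(account_names),
        "actions": list(actions),
        "is_active": True,
    }


def build_request(base_url, body, token=None):
    """Build the authenticated POST. The token is taken from the JMS_ADMIN_TOKEN
    environment variable (my naming) rather than from a file checked into git."""
    token = token or os.environ.get("JMS_ADMIN_TOKEN")
    if not token:
        raise RuntimeError("JMS_ADMIN_TOKEN is not set")
    return urllib.request.Request(
        base_url.rstrip("/") + PERM_ENDPOINT,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            # JumpServer private token scheme: "Authorization: Token <token>"
            "Authorization": f"Token {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def create_asset_permission(base_url, body, token=None, timeout=10):
    """Send the request and return the created permission as parsed JSON.
    Raises urllib.error.HTTPError on a non-2xx response, so a failed grant
    cannot be mistaken for success by the approval handler."""
    req = build_request(base_url, body, token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read())


if __name__ == "__main__":
    # Constructed sample values; real IDs come from the ticket and the JumpServer API.
    body = build_asset_permission(
        "jump_db_fanlichun_r", ["<user-id>"], ["<db-asset-id>"], ["jump_db_fanlichun_r"]
    )
    print(json.dumps(body, indent=2))
```

Because the token belongs to an administrator, the process that holds it is effectively an administrator; run the ticket backend under its own service account, and use a token from a dedicated JumpServer user whose only role is to create permissions, so that a leak is both contained and attributable in the audit log.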
Open Source Address
jumpserver-ticket
/ccsang/jumpserver-ticket
Concluding Remarks
If anyone is interested, let's talk.
Or if you have any questions, please leave a comment.
It's just a small feature I wrote; may it be useful to you.
Let's progress and grow together!