Ansible 安全 之【过滤危险命令】

通过修改 ansible 安装目录下的 `playbook/play.py`,在解析 play 时对 command/shell/script/raw 模块的参数做黑名单过滤。注意两点:这是对已安装包源码的直接改动,升级 ansible 后会丢失;黑名单只做精确匹配(去掉空格、转小写后比较),像 `/sbin/reboot`、`rm -rf /*`、通过 include/role 引入的任务、用变量拼出来的命令都不会被拦截。它只能防止误操作,不能当作安全边界,真正的限制应放在目标主机上(sudo 策略、最小权限账号)。

vim /usr/local/python3/lib/python3.8/site-packages/ansible/playbook/play.py
...
from ansible.parsing.splitter import parse_kv
# Must be defined at module level (above the Play class); a definition nested elsewhere is not reachable from Play.load.
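def _normalize_cmd(text):
    """Canonical form used for deny-list comparison.

    All whitespace (spaces, tabs, newlines) is removed and the result is
    lower-cased, so ``"Shutdown -h  now"`` and ``"shutdown-hnow"`` compare
    equal. Non-string input is stringified first.
    """
    return ''.join(str(text).split()).lower()


# Command-style modules whose free-form argument is inspected. Matched on
# the short name, so ``ansible.builtin.shell`` is treated like ``shell``.
_FILTER_MODULES = frozenset(('command', 'shell', 'script', 'raw'))

# Deny-list, stored pre-normalised in a set. (The original built a map()
# iterator here; in Python 3 the first ``in`` test exhausts it, so only the
# first task of a play was ever really compared against the list.)
_FILTER_COMMANDS = frozenset(_normalize_cmd(c) for c in (
    'rm -rf /', 'halt', 'poweroff', 'reboot',
    'shutdown -h now', 'shutdown -r now', 'hostname',
))

# Play sections that hold task lists, and task keys that hold nested lists.
_TASK_SECTIONS = ('tasks', 'pre_tasks', 'post_tasks', 'handlers')
_BLOCK_KEYS = ('block', 'rescue', 'always')


def _short_module_name(name):
    """Last dotted component of a module name ('a.b.shell' -> 'shell')."""
    return str(name or '').rsplit('.', 1)[-1]


def _iter_tasks(items):
    """Yield every task dict in *items*, descending into block/rescue/always."""
    if not isinstance(items, list):
        return
    for task in items:
        if not isinstance(task, dict):
            continue
        if any(key in task for key in _BLOCK_KEYS):
            for key in _BLOCK_KEYS:
                yield from _iter_tasks(task.get(key))
        else:
            yield task


def _free_form(args):
    """Return the free-form command carried by a task's arguments, or None.

    A string is split with ``parse_kv``; a dict is read directly. The
    command is taken from ``_raw_params`` (free-form text) or ``cmd``.
    Any other shape yields None and is therefore not inspected.
    """
    if isinstance(args, str):
        args = parse_kv(args, check_raw=True)
    if not isinstance(args, dict):
        return None
    for key in ('_raw_params', 'cmd'):
        if args.get(key) is not None:
            return args[key]
    return None


def _task_command(task):
    """Return ``(module, command)`` when *task* runs a command-style module.

    Handles both the ad-hoc shape (``action: {module:, args:}``) and the
    playbook shape (``shell: ...`` as a task key). Returns None when the
    task uses another module.
    """
    action = task.get('action')
    if isinstance(action, dict):
        module = _short_module_name(action.get('module'))
        if module in _FILTER_MODULES:
            return module, _free_form(action.get('args'))
    for key in task:
        module = _short_module_name(key)
        if module in _FILTER_MODULES:
            return module, _free_form(task[key])
    return None


def filter_cmd(data):
    """Reject a play whose command-style tasks run a deny-listed command.

    Called from ``Play.load`` on the raw play dict, before ``load_data``.
    Every task under ``tasks``, ``pre_tasks``, ``post_tasks`` and
    ``handlers`` (including tasks nested in ``block``/``rescue``/``always``)
    that uses command, shell, script or raw is checked: its free-form
    argument, with whitespace removed and lower-cased, is compared against
    the deny-list and an ``AnsibleParserError`` is raised on a match.

    This is an exact-match deny-list, not a security boundary. Anything
    that is not byte-for-byte on the list after normalisation passes: an
    absolute path, an extra argument, a wrapper shell, a task pulled in by
    a role or include, or a command assembled from variables at run time.
    Treat it as a guard against accidents only; real restriction belongs on
    the target hosts (sudo policy, least-privilege accounts).

    Args:
        data: parsed play dict as handed to ``Play.load``. Sections that
            are missing or not lists are ignored (the original raised
            KeyError on a play without ``tasks`` and NameError on an
            empty task list, because its ``else`` was bound to the ``for``).

    Raises:
        AnsibleParserError: a task carries a deny-listed command.
    """
    for section in _TASK_SECTIONS:
        for task in _iter_tasks(data.get(section)):
            found = _task_command(task)
            if found is None or found[1] is None:
                continue
            module, command = found
            if _normalize_cmd(command) in _FILTER_COMMANDS:
                raise AnsibleParserError(
                    "Refused to execute the [%s] command in the [%s] module."
                    % (command, module))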

...
    # Hook filter_cmd into Play.load: call filter_cmd(data) right above
    # "p = Play()", so a denied play is rejected before load_data runs.
    @staticmethod
    def load(data, variable_manager=None, loader=None, vars=None):
        """Build a Play from a parsed play dict.

        A play without a usable ``name`` is named after its ``hosts`` entry
        (joined with commas when it is a list). Before the Play object is
        built, ``filter_cmd`` rejects tasks whose command is on the local
        deny-list, so a refused play never reaches ``load_data``.

        Raises:
            AnsibleParserError: ``hosts`` is present but empty (None, or
                every entry None), or — via filter_cmd — a task carries a
                denied command.
        """
        unnamed = 'name' not in data or data['name'] is None
        if unnamed and 'hosts' in data:
            hosts = data['hosts']
            if hosts is None or all(h is None for h in hosts):
                raise AnsibleParserError("Hosts list cannot be empty - please check your playbook")
            data['name'] = ','.join(hosts) if isinstance(hosts, list) else hosts
        # Deny-list check on the raw play dict, before any Play state exists.
        filter_cmd(data)
        play = Play()
        if vars:
            play.vars = vars.copy()
        return play.load_data(data, variable_manager=variable_manager, loader=loader)

测试

ansible all -m shell -a "hostname"
# ERROR! Refused to execute the [hostname] command in the [shell] module.
ansible all -m shell -a "reboot"
# ERROR! Refused to execute the [reboot] command in the [shell] module.
ansible all -m shell -a "rm -rf /"
# ERROR! Refused to execute the [rm -rf /] command in the [shell] module.

测试ansible的yaml文件执行

cd /etc/ansible/ansible-playbook/
vim test.yml
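# The play key is "hosts" (plural): Play.load looks for 'hosts', not 'host'.
# With the typo the deny-list error still appears (filter_cmd runs first),
# which hides the mistake until the command is changed to a permitted one.
- hosts: linux
  tasks:
    - name: test01
      shell: hostname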

ansible-playbook test.yml 
# ERROR! Refused to execute the [hostname] command in the [shell] module.