Practice of using JumpServer user authority system

Official website address: JumpServer - Open Source Bastion Host - Official Website

Online phone: 400-052-0755

Technical support: JumpServer technical consultation


Overview

This article focuses on the relationships between users, roles, system users and assets in the JumpServer open source bastion host, and shares how to quickly build out the JumpServer user system and divide user permissions, helping enterprises establish a JumpServer user and permission system from scratch.

The JumpServer open source bastion host uses the RBAC (Role-Based Access Control) permission management model: permissions are defined through roles, and users are granted permissions indirectly by being associated with those roles. A permission is a specific operation; the relationship between permissions, roles and users is like that of a point, a line and a surface.

In a nutshell, permissions define the operational behaviour of the whole user system in the software, while roles are an abstraction of permissions from the real world: a collection of specific operations. The software then fixes a user's rights through the binding between roles and users, which forms a flexible mapping mechanism. Through this "permission-role-user" RBAC model, JumpServer supports the principle of least privilege when building a user permission system, balancing fine-grained permission control against flexible delegation.

1. The relationship between users and roles

When creating users and assigning roles, we must weigh the relationship between users and roles and follow the principle of least privilege, so as to prevent problems before they occur and avoid operations risk in the production environment.

JumpServer supports the RBAC user management model. By customizing role permissions and then granting a user a role, user permissions are controlled and users and permissions are logically separated (unlike the ACL, Access Control List, model), which greatly simplifies permission management.

2. Creating users and dividing roles

For some users who are using the JumpServer open source bastion host for the first time, user creation relies mostly on manual creation, which is inefficient and costly to maintain. Below are several ways to create users in batches and improve operational efficiency.

1. Creating users

  • Create users from a template
    The JumpServer open source bastion host supports batch creation of users. The system provides a user creation template; fill in the user information in the downloaded template to create the users in bulk.
    When creating users in batches, there are two ways to set user passwords:
    Method 1: If you want to set the password yourself when creating users, fill in "custom" in the "Password Policy" field of the exported template and then fill in the password field with the user's password.
    The specific steps are as follows:
    Step 1: Select "User Management" → "User List", click the "Import" button, and download the creation template (CSV or XLSX format);

    Step 2: Fill in the user information in the downloaded template, then click the "Import" button and select the completed template to finish creating the users.

    Method 2: Configure the company mailbox before importing the user template (the user information must contain each user's real email address). After the user is created, the user clicks "Generate Reset Password Link" and sets the password themselves.
    The specific steps are as follows:
    Step 1: To let users set their own passwords, select "Settings" → "Mailbox Settings" and configure the mailbox;

    Step 2: After the user is created, the user clicks the link "Click here to set the password" and sets the password themselves; the corresponding information is filled in the exported template to complete the import.
  • Batch creation of users through the API
    JumpServer provides a standard API through which users can be created in batches. The user creation endpoint is: http://<bastion host access address>:<port>/api/v1/users/users/.
    Note: call the above endpoint with a POST request; the request body parameters can be looked up at http://<bastion host access address>:<port>/api/docs.
  • Batch creation of users with a shell script
    Step 1: Prepare a file with the user information, one user per line, with the fields name, username, email and password in that order;

    Step 2: Write the user creation script, replace the JumpServer access address, JumpServer login user and JumpServer login password in the script with your actual values, then run it.
    The script is as follows:
#!/bin/bash
# JumpServer access address
HTTP_URL="http://192.168.100.100"
# JumpServer login user
USERNAME="admin"
# JumpServer user login password
PASSWORD="fit2cloud"
# Log in and extract the token from the JSON response ({"token": "...", ...})
TOKEN=$(curl -s -X POST -H 'Content-Type: application/json' \
    -d '{"username":"'"$USERNAME"'","password":"'"$PASSWORD"'"}' \
    "${HTTP_URL}/api/v1/authentication/auth/" \
    | sed -n 's/.*"token":[[:space:]]*"\([^"]*\)".*/\1/p')
if [ -z "$TOKEN" ]; then
    echo "login failed: no token returned" >&2
    exit 1
fi
# name.txt holds one user per line: name username email password (space-separated)
while read -r name username email password
do
    curl -s -X POST -H "Authorization: Bearer $TOKEN" -H 'Content-Type: application/json' \
        -d '{"name":"'"$name"'","username":"'"$username"'","email":"'"$email"'","password":"'"$password"'","is_active":true,"password_strategy":"custom","system_roles":["00000000-0000-0000-0000-000000000003"],"org_roles":["00000000-0000-0000-0000-000000000007"]}' \
        "${HTTP_URL}/api/v1/users/users/"
done < name.txt

Note: if you use custom roles, change the system_roles and org_roles IDs in the script accordingly.

2. Role relationships and role division

A newly created user is an ordinary user by default, although a role can also be specified at creation time. JumpServer ships with roles such as system administrator, system auditor and user, each associated with different permissions. As an administrator, you can customize user roles and edit the permissions of a role according to actual needs.
Ordinary user: ordinary users have normal operation and asset login permissions, but cannot modify configuration;

Auditor: auditors can view users' operation behaviour, user permissions, user information, file transfer records, user operation logs and other information. When a user triggers a dangerous command, an auditor can monitor the user's operations in real time, spot illegal operations and immediately suspend the user's operations;

Administrator: the administrator has all permissions on the bastion host. As an administrator, you handle work order approval, user authorization requests, user permission changes, user locking and similar operations, and adjust an employee's role and permissions as their position changes.

3. The relationship between users, system users and assets

In JumpServer, a user's operation rights on an asset are determined by the system user authorized in the authorization rule. System users are generally used to distinguish business permissions and fall into three categories: read-only system users, writable system users and highest-privilege system users.

Then authorize the corresponding system users to users according to their roles and requirements. Users log in to the authorized assets through the authorized system users; the relationship is as follows:

4. Division of system user permissions

The permissions of the system user are also crucial and often determine the user's actual operating permissions on the server. The following two methods offer two approaches to dividing system user permissions:

  • Method 1: Whitelist, deny everything and open up specific commands;
    Step 1: Select "Asset Management" → "Command Filter" and create a command filter rule;

    Step 2: Edit the command filter rule to deny all commands, filling in .* in the "regular expression" field;

    Step 3: To allow specific executable commands, add a second command filter rule; its priority must be lower than that of the first command filter rule.
  • Method 2: Blacklist, allow everything and deny specific commands.
    Step 1: Select "Asset Management" → "Command Filter" and create a command filter rule;

    Step 2: Click the name of the command filter rule, then click "Create" to add the commands that need to be disabled;

    Step 3: Just add the commands that need to be disabled; all other commands are allowed by default. Multiple commands can be separated with regular expressions or the "|" symbol.
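The whitelist and blacklist logic of Method 1 and Method 2, as an added Python simulation that is not JumpServer's own code: it assumes rules are evaluated in priority order (lower number first, as the page requires the allow rule's priority to be lower than the deny-all rule's) and that the first matching regular expression decides. It also shows why a whitelist allow pattern should be anchored to the whole command line, and what happens when the allow rule is ordered after the catch-all deny.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Rule:
    name: str
    action: str    # "allow" or "deny"
    pattern: str   # the "regular expression" field of the command filter rule
    priority: int  # assumption for this illustration: lower number is evaluated first


def evaluate(command: str, rules: List[Rule], default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule, or the default action."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if re.search(rule.pattern, command):
            return rule.action, rule.name
    return default, "default"


# Method 1 (whitelist): a catch-all deny plus a higher-priority allow for read-only
# commands. The allow pattern is anchored to the whole command line, so "lsblk" or
# "ls; <something else>" cannot match on the "ls" prefix alone.
WHITELIST = [
    Rule("deny-all", "deny", r".*", 50),
    Rule("allow-readonly", "allow", r"^(ls|cat|tail|grep)(\s[\w./=-]+)*$", 10),
]

# Method 2 (blacklist): everything is allowed by default; a few commands joined
# with "|" are denied.
BLACKLIST = [
    Rule("deny-dangerous", "deny", r"^(rm\s+-rf|shutdown|reboot|mkfs)\b", 10),
]

# Misconfiguration of Method 1: the allow rule sorts after the catch-all deny,
# so it never fires and every command is denied.
WHITELIST_WRONG_ORDER = [
    Rule("deny-all", "deny", r".*", 10),
    Rule("allow-readonly", "allow", r"^(ls|cat|tail|grep)(\s[\w./=-]+)*$", 50),
]

if __name__ == "__main__":
    for cmd in ("ls -la /var/log", "ls; vim /etc/passwd", "rm -rf /tmp/x"):
        print(cmd, "->", evaluate(cmd, WHITELIST), evaluate(cmd, BLACKLIST))
```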

5. Summary

A good user permission system is an important guarantee for the JumpServer open source bastion host in enterprise best practice. As administrators, we need to plan the permissions of development, testing and operations staff, coordinate the overall picture and build a complete user permission system. Flexible use of permissions safeguards the secure operation and maintenance of enterprise IT systems.

Origin blog.csdn.net/qq_43174065/article/details/128814627