Module: check_mk
Branch: master
Commit: 74c6620c23b8765a9467cd0683b8276efa198f14
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=74c6620c23b876…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Jun 22 12:17:35 2015 +0200
#2341 LDAP Sync: Automatically syncing credential changes to slave sites in distributed setups
When using the LDAP sync in a distributed setup, users might not be able to access
the GUI on the slave sites after their password was changed in LDAP. This could only be
fixed by an admin performing a manual WATO synchronisation of the current configuration.
This has now been changed. When the password change has been detected, the master site tries
to synchronize the profile of the user to the configured and reachable remote site(s). If
this fails, the site is marked as "to be synchronized". Then the admin can perform the sync
manually once the site is available again.
---
.werks/2341 | 16 +++++++++++
ChangeLog | 1 +
web/plugins/userdb/ldap.py | 66 +++++++++++++++++++++++++++++++++++++++++++-
3 files changed, 82 insertions(+), 1 deletion(-)
diff --git a/.werks/2341 b/.werks/2341
new file mode 100644
index 0000000..5d4a293
--- /dev/null
+++ b/.werks/2341
@@ -0,0 +1,16 @@
+Title: LDAP Sync: Automatically syncing credential changes to slave sites in distributed setups
+Level: 1
+Component: multisite
+Compatible: compat
+Version: 1.2.7i2
+Date: 1434967888
+Class: feature
+
+When using the LDAP sync while having a distributed setup users might not be able to access
+the GUI on the slave sites when their password was changed in LDAP. This could only be
+fixed by an admin which performed a manual WATO synchronisation of the current configuration.
+
+This has now been changed. When the password change has been detected, the master site tries
+to synchronize the profile of the user to the configured and reachable remote site(s). If
+this fails, the site is marked as "to be synchronized". Then the admin can perform the sync
+manually once the site is available again.
diff --git a/ChangeLog b/ChangeLog
index c68a070..dc856e3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -39,6 +39,7 @@
Multisite:
* 2260 Improved load time of Check_MK GUI...
* 2332 New icon for hosts/services that are out of their service period...
+ * 2341 LDAP Sync: Automatically syncing credential changes to slave sites in distributed setups...
* 2324 FIX: Add icon for those checks that cannot be rescheduled...
* 2261 FIX: Fixed wrong pnp template cache path in non OMD environments...
* 2262 FIX: Fixed deletion of foreign views/dashboards...
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index 54ef6f6..d988855 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -1025,6 +1025,61 @@ def ldap_login(username, password):
ldap_default_bind(ldap_connection)
return result
+# In case the sync is done on the master of a distributed setup the auth serial
+# is increased on the master, but not on the slaves. The user can not access the
+# slave sites anymore with the master sites cookie since the serials differ. In
+# case the slave sites sync with LDAP on their own this issue will be repaired after
+# the next LDAP sync on the slave, but in case the slaves do not sync, this problem
+# will be repaired automagically once an admin performs the next WATO sync for
+# another reason.
+# Now, to solve this issue, we issue a user profile sync in case the password has
+# been changed. We do this only when only the password has changed.
+# Hopefully we have no large bulks of users changing their passwords at the same
+# time. In this case the implementation does not scale well. We would need to
+# change this to some kind of profile bulk sync per site.
+def synchronize_profile_to_sites(user_id, profile):
+ import wato # FIXME: Cleanup!
+ sites = [(site_id, config.site(site_id))
+ for site_id in config.sitenames()
+ if not wato.site_is_local(site_id) ]
+
+ ldap_log('Credentials changed: %s. Trying to sync to %d sites' % (user_id, len(sites)))
+
+ num_disabled = 0
+ num_succeeded = 0
+ num_failed = 0
+ for site_id, site in sites:
+ if not site.get("replication"):
+ num_disabled += 1
+ continue
+
+ if site.get("disabled"):
+ num_disabled += 1
+ continue
+
+ status = html.site_status.get(site_id, {}).get("state", "unknown")
+ if status == "dead":
+ result = "Site is dead"
+ else:
+ try:
+ result = wato.push_user_profile_to_site(site, user_id, profile)
+ except Exception, e:
+ result = str(e)
+
+ if result == True:
+ num_succeeded += 1
+ else:
+ num_failed += 1
+ ldap_log(' FAILED [%s]: %s' % (site_id, result))
+ # Add pending entry to make sync possible later for admins
+ wato.update_replication_status(site_id, {"need_sync": True})
+ wato.log_pending(wato.AFFECTED, None, "edit-users",
+ _('Password changed (sync failed: %s)') % result, user_id = '')
+
+ ldap_log(' Disabled: %d, Succeeded: %d, Failed: %d' %
+ (num_disabled, num_succeeded, num_failed))
+
+
def ldap_sync(add_to_changelog, only_username):
# Store time of the last sync. Don't store after sync since parallel
# requests to e.g. the page hook would cause duplicate calculations
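Review bot: The pending-change entry written on a failed push, `_('Password changed (sync failed: %s)') % result` with `user_id = ''`, names neither the user whose credentials changed nor the site that failed, so an admin reading the pending log cannot tell whose profile is stale on which slave. Something like `_('Password of %s changed (sync to %s failed: %s)') % (user_id, site_id, result)` would carry both. `result` is `str(e)` from a blanket `except Exception`, so raw exception text from the push ends up in the GUI log; whether that text can include connection details depends on `wato.push_user_profile_to_site`, which is not visible here. The function also lacks a docstring stating that `profile` is the complete user record and is sent to every replicating remote site. The trailing context is the start of `ldap_sync`, whose body continues outside the hunk.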
@@ -1100,11 +1155,20 @@ def ldap_sync(add_to_changelog, only_username):
if removed:
details.append(_('Removed: %s') % ', '.join(removed))
- # Ignore password changes from ldap - do not log them. For now.
+ # Password changes found in LDAP should not be logged as "pending change".
+ # These changes take effect imediately (pw already changed in AD, auth serial
+ # is increaed by sync plugin) on the local site, so no one needs to active this.
+ pw_changed = False
if 'ldap_pw_last_changed' in changed:
changed.remove('ldap_pw_last_changed')
+ pw_changed = True
if 'serial' in changed:
changed.remove('serial')
+ pw_changed = True
+
+ # Synchronize new user profile to remote sites if needed
+ if pw_changed and not changed and wato.is_distributed():
+ synchronize_profile_to_sites(user_id, user)
if changed:
details.append(('Changed: %s') % ', '.join(changed))
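Review bot: The push is skipped whenever anything besides the password changed (`if pw_changed and not changed and wato.is_distributed():`), so in that case the slave sites keep the old auth serial until an admin activates the pending change. If the serial is what invalidates existing session cookies (inferred from the comment above `synchronize_profile_to_sites`), sessions opened before the password change would presumably remain usable on the slaves during that window, and likewise after a failed push. Consider `if pw_changed and wato.is_distributed():`, or a comment explaining why the restriction is deliberate. The new comment also has typos (`imediately`, `increaed`, `active` for `activate`). Both ends of `ldap_sync` lie outside the hunk.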
Module: check_mk
Branch: master
Commit: e7e59c3f264175c7eb8f825901cde079072a82ec
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=e7e59c3f264175…
Author: Sven Rueß <sr(a)mathias-kettner.de>
Date: Sat Jun 20 12:56:04 2015 +0200
#2235 lnx_quota: Extended linux quota check with group quota check
Extended linux quota check with group quota check. Per default only
user quota is checked. The user can configure if group quota should
be checked additionally.
Users and groups with no soft and hard limit are ignored for monitoring.
---
.werks/2235 | 13 +++
ChangeLog | 1 +
agents/plugins/lnx_quota | 14 ++-
checkman/lnx_quota | 13 ++-
checks/lnx_quota | 202 +++++++++++++++++++++++++---------
web/plugins/wato/check_parameters.py | 29 +++++
6 files changed, 210 insertions(+), 62 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=e7e59c3f26…
fixed exception when using joined columns
Message-ID: <558417db.TimyMi77TozGftJr%ab(a)mathias-kettner.de>
User-Agent: Heirloom mailx 12.5 6/20/10
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Module: check_mk
Branch: master
Commit: 3901bb128497ac4f27a27bb6033e76b1c8a2fa2c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=3901bb128497ac…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Fri Jun 19 15:22:21 2015 +0200
#2310 FIX multisite view data export: fixed exception when using joined columns
The csv / json / python data export of a multisite view did not work correctly
when there were joined columns involved. An exception occurred whenever an additional
column was set after the joined column.
Note: A single joined column at the end of a table row did work.
---
.werks/2310 | 14 ++++++++++++++
ChangeLog | 1 +
web/plugins/views/webservice.py | 14 +++++++-------
3 files changed, 22 insertions(+), 7 deletions(-)
diff --git a/.werks/2310 b/.werks/2310
new file mode 100644
index 0000000..9bd2a18
--- /dev/null
+++ b/.werks/2310
@@ -0,0 +1,14 @@
+Title: multisite view data export: fixed exception when using joined columns
+Level: 1
+Component: multisite
+Class: fix
+Compatible: compat
+State: unknown
+Version: 1.2.7i2
+Date: 1434719835
+
+The csv / json / python data export of a mulitsite view did not work correctly
+when there were joined columns involved. An exception occured whenever an additional
+column was set after the joined column.
+
+Note: A single joined column at the end of a table row did work.
diff --git a/ChangeLog b/ChangeLog
index acca58e..3014c8e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -47,6 +47,7 @@
* 2340 FIX: Email validation: Top level domains can now have a maximum length of 24 characters
* 2353 FIX: Fix showing options for availability in BI mode, where above header
* 2356 FIX: Fixed exception in Multisite JSON output
+ * 2310 FIX: multisite view data export: fixed exception when using joined columns...
WATO:
* 1254 The target address for crash reports can now be configured in wato global settings
diff --git a/web/plugins/views/webservice.py b/web/plugins/views/webservice.py
index ceae7d7..5eec631 100644
--- a/web/plugins/views/webservice.py
+++ b/web/plugins/views/webservice.py
@@ -41,8 +41,8 @@ def render_python(rows, view, group_painters, painters, num_columns, show_checkb
for row in rows:
html.write("[")
for p in painters:
- row = join_row(row, p)
- tdclass, content = paint_painter(p[0], row)
+ joined_row = join_row(row, p)
+ tdclass, content = paint_painter(p[0], joined_row)
html.write(repr(html.strip_tags(content)))
html.write(",")
html.write("],")
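Review bot: The pair `joined_row = join_row(row, p)` / `tdclass, content = paint_painter(p[0], joined_row)` is now repeated verbatim in render_python, render_json and render_csv, which is how the same row-shadowing bug ended up in all three. A small helper, e.g. `def paint_joined(row, p): return paint_painter(p[0], join_row(row, p))`, would keep the loop variable `row` untouched in one place. A one-line comment at the loop saying that `row` must not be rebound while iterating the painters would document the reason for the rename. Each function's body starts outside its hunk.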
@@ -95,10 +95,10 @@ def render_json(rows, view, group_painters, painters, num_columns, show_checkbox
first = False
else:
html.write(",")
- row = join_row(row, p)
- tdclass, content = paint_painter(p[0], row)
+ joined_row = join_row(row, p)
+ tdclass, content = paint_painter(p[0], joined_row)
if type(content) == unicode:
- content = content.encode("utf-8")
+ content = content.encode("utf-8")
else:
content = str(content)
content = content.replace("<br>","\n")
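Review bot: The check `type(content) == unicode` directly above the re-indented line does not match subclasses of `unicode`, so such a value falls through to `str(content)`, which raises UnicodeEncodeError on non-ASCII text under Python 2. Whether any painter returns a unicode subclass is not visible here, but `if isinstance(content, unicode):` costs nothing and covers it. The enclosing loop of render_json starts and ends outside the hunk.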
@@ -159,8 +159,8 @@ def render_csv(rows, view, group_painters, painters, num_columns, show_checkboxe
first = False
else:
html.write(csv_separator)
- row = join_row(row, p)
- tdclass, content = paint_painter(p[0], row)
+ joined_row = join_row(row, p)
+ tdclass, content = paint_painter(p[0], joined_row)
content = type(content) in [ int, float ] and str(content) or content
stripped = html.strip_tags(content).replace('\n', '').replace('"', '""')
html.write('"%s"' % stripped.encode("utf-8"))
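Review bot: The cell written on the last line is only quote-escaped (`.replace('"', '""')`), so a text value starting with `=`, `+`, `-` or `@` is treated as a formula when the export is opened in a spreadsheet application. Painter content can presumably include check output that originates on monitored hosts (the source of `content` is outside the hunk), so this is worth neutralising for non-numeric values. Apply it only in the branch where `content` was not an int or float, so negative numbers stay intact: `if stripped[:1] in ('=', '+', '-', '@'): stripped = "'" + stripped`. The loop in render_csv starts outside the hunk.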
Module: check_mk
Branch: master
Commit: f9bb6eb0c3874e14d9c61170d2dba11efdf95a2b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=f9bb6eb0c3874e…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Fri Jun 19 09:48:36 2015 +0200
Allow tilde-prefixed regular expressions for explicit host names again
---
web/htdocs/wato.py | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index a6caa57..a7e6729 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -14833,7 +14833,7 @@ def get_rule_conditions(ruleset):
else:
negate = html.get_checkbox("negate_hosts")
nr = 0
- vs = ListOfStrings(valuespec=Hostname())
+ vs = ListOfStrings()
host_list = vs.from_html_vars("hostlist")
vs.validate_value(host_list, "hostlist")
if negate:
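Review bot: Replacing `ListOfStrings(valuespec=Hostname())` with a bare `ListOfStrings()` removes all per-entry validation of the explicit host list, not just the part that rejected a leading tilde. Exact names are no longer checked against `Hostname()`, and a tilde entry with a malformed regular expression is accepted here and would presumably only fail later when the rule is evaluated. Keeping the `Hostname()` check for plain entries and compiling tilde entries at input time restores the check while still allowing regexes; this assumes `re` and `MKUserError` are available in wato.py, which the hunk does not show. The body of get_rule_conditions starts and continues outside the hunk.

```python
vs.validate_value(host_list, "hostlist")
# Exact names keep the Hostname() check; "~" entries must at least compile.
for entry in host_list:
    if entry.startswith("~"):
        try:
            re.compile(entry[1:])
        except re.error, e:
            raise MKUserError("hostlist", _("Invalid regular expression: %s") % e)
    else:
        Hostname().validate_value(entry, "hostlist")
# … unchanged: negate handling …
```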
@@ -15046,9 +15046,13 @@ def mode_edit_rule(phase, new = False):
html.checkbox("negate_hosts", negate_hosts, label =
_("<b>Negate:</b> make rule apply for <b>all but</b> the above hosts"))
html.write("</div>")
- html.help(_("You can enter a number of explicit host names that rule should or should "
- "not apply to here. Leave this option disabled if you want the rule to "
- "apply for all hosts specified by the given tags."))
+ html.help(_("Here you can enter a list of explicit host names that the rule should or should "
+ "not apply to. Leave this option disabled if you want the rule to "
+ "apply for all hosts specified by the given tags. The names that you "
+ "enter here are compared with case sensitive exact matching. Alternatively "
+ "you can use regular expressions if you enter a tilde (<tt>~</tt>) as the first "
+ "character. That regular expression must match the <i>beginning</i> of "
+ "the host names in question."))
# Itemlist
itemtype = rulespec["itemtype"]