Module: check_mk
Branch: master
Commit: dc768d1a43216a6b680d061b7c5ea4fb09a81a14
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=dc768d1a43216a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 21 15:41:39 2015 +0200
#2472 MSSQL Agent Plugin: Can now be configured to auth as database user
The mssql.vbs script can now be configured to authenticate as database user
using a configured username / password combination. Previously it was only
possible to authenticate using the system privileges of the user the agent
is running with. This is still the default.
If you need to authenticate as database user, you need to create a file
named <tt>mssql.ini</tt>, or if you need it instance specific,
<tt>mssql_[instance-id].ini</tt>. You need to write the following content
into this file:
F+:mssql.ini
[auth]
type = db
username = monitoring-user
password = mysecretpw
F-:
---
.werks/2472 | 24 +++++++++++
ChangeLog | 1 +
agents/windows/plugins/mssql.vbs | 81 +++++++++++++++++++++++++++++++++-----
3 files changed, 96 insertions(+), 10 deletions(-)
diff --git a/.werks/2472 b/.werks/2472
new file mode 100644
index 0000000..c693ea3
--- /dev/null
+++ b/.werks/2472
@@ -0,0 +1,24 @@
+Title: MSSQL Agent Plugin: Can now be configured to auth as database user
+Level: 1
+Component: checks
+Compatible: compat
+Version: 1.2.7i3
+Date: 1437485882
+Class: feature
+
+The mssql.vbs script can now be configured to authenticate as database user
+using a configured username / password combination. Previously it was only
+possible to authenticate using the system privileges of the user the agent
+is running with. This is still the default.
+
+If you need to authenticate as database user, you need to create a file
+named <tt>mssql.ini</tt>, or if you need it instance specific,
+<tt>mssql_[instance-id].ini</tt>. You need to write the following content
+into this file:
+
+F+:mssql.ini
+[auth]
+type = db
+username = monitoring-user
+password = mysecretpw
+F-:
diff --git a/ChangeLog b/ChangeLog
index 2cc3802..5b75aad 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -23,6 +23,7 @@
* 2405 New checks for UCS bladecenter: ucs_bladecenter_topsystem, ucs_bladecenter_faulinst...
* 2451 wut_webtherm.humidity, wut_webtherm.pressure: Two new checks for humidity and air pressure sensors for WuT devices...
NOTE: Please refer to the migration notes!
+ * 2472 MSSQL Agent Plugin: Can now be configured to auth as database user...
* 2315 FIX: windows agent: BOM replacement, fixed incorrect byte offset...
* 2316 FIX: windows agent: fix garbled output of cached agent plugins...
* 2358 FIX: check_mk_agent.solaris: more correct computation of zfs used space...
diff --git a/agents/windows/plugins/mssql.vbs b/agents/windows/plugins/mssql.vbs
index 834eb7c..20892fe 100644
--- a/agents/windows/plugins/mssql.vbs
+++ b/agents/windows/plugins/mssql.vbs
@@ -5,9 +5,16 @@
' on the local system.
'
' The current implementation of the check uses the "trusted authentication"
-' where no user/password needs to be created in the MSSQL server instance. It
-' is only needed to grant the user as which the Check_MK windows agent service
-' is running access to the MSSQL database.
+' where no user/password needs to be created in the MSSQL server instance by
+' default. It is only needed to grant the user as which the Check_MK windows
+' agent service is running access to the MSSQL database.
+'
+' Another option is to create a mssql.ini file in MK_CONFDIR and write the
+' credentials of a database user to it which shal be used for monitoring:
+'
+' [auth]
+' username = monitoring
+' password = secret-pw
'
' The following sources are asked:
' 1. WMI - to gather a list of local MSSQL-Server instances
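Review bot: The example added to the header comment leaves out the `type` key, but the connection loop added later in this commit keeps using SSPI whenever `[auth]` has no `type` entry, so a file written from this example would not switch to database authentication; add `' type = db` below `' [auth]`. The same comment line should read "shall" instead of "shal". Because the file holds the password in clear text, the comment could also state that mssql.ini should be readable only by the account the agent service runs as. The comment block continues outside the hunk.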
@@ -21,19 +28,49 @@
Option Explicit
-Dim WMI, prop, instId, instIdx, instVersion, instIds, instName, output, WMIservice, colRunningServices, objService
+Dim WMI, FSO, SHO, prop, instId, instIdx, instVersion, instIds, instName, output
+Dim WMIservice, colRunningServices, objService, cfg_dir, cfg_file, hostname
WScript.Timeout = 10
' Directory of all database instance names
Set instIds = CreateObject("Scripting.Dictionary")
+Set FSO = CreateObject("Scripting.FileSystemObject")
+Set SHO = CreateObject("WScript.Shell")
+hostname = SHO.ExpandEnvironmentStrings("%COMPUTERNAME%")
+cfg_dir = "C:\check_mk_agent" 'SHO.ExpandEnvironmentStrings("%MK_CONFDIR%")
output = ""
Sub addOutput(text)
output = output & text & vbLf
End Sub
+Function readIniFile(path)
+ Dim parsed : Set parsed = CreateObject("Scripting.Dictionary")
+ If path <> "" Then
+ Dim FH
+ Set FH = FSO.OpenTextFile(path)
+ Dim line, sec, pair
+ Do Until FH.AtEndOfStream
+ line = Trim(FH.ReadLine())
+ If Left(line, 1) = "[" Then
+ sec = Mid(line, 2, Len(line) - 2)
+ Set parsed(sec) = CreateObject("Scripting.Dictionary")
+ Else
+ If line <> "" Then
+ pair = Split(line, "=")
+ If 1 = UBound(pair) Then
+ parsed(sec)(Trim(pair(0))) = Trim(pair(1))
+ End If
+ End If
+ End If
+ Loop
+ FH.Close
+ End If
+ Set readIniFile = parsed
+End Function
+
' Dummy empty output.
' Contains timeout error if this scripts runtime exceeds the timeout
WScript.echo "<<<mssql_versions>>>"
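Review bot: `cfg_dir` is assigned the literal `C:\check_mk_agent` while the `%MK_CONFDIR%` lookup is left in a trailing comment, which contradicts the header comment and looks like a test leftover; the credentials file would then be searched in a fixed path regardless of where the agent is installed. Restore `cfg_dir = SHO.ExpandEnvironmentStrings("%MK_CONFDIR%")`. In readIniFile, `Split(line, "=")` combined with the `1 = UBound(pair)` test silently drops any value that contains `=`, which is plausible for a password; `pair = Split(line, "=", 2)` keeps the remainder of the line as the value. A key line that appears before any `[section]` header indexes `parsed(sec)` with an unset `sec` and should be skipped explicitly.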
@@ -91,9 +128,7 @@ Next
Set WMI = nothing
-Dim CONN, RS, hostname
-
-hostname = WScript.CreateObject("WScript.Shell").ExpandEnvironmentStrings("%COMPUTERNAME%")
+Dim CONN, RS, CFG, AUTH
' Initialize connection objects
Set CONN = CreateObject("ADODB.Connection")
@@ -106,8 +141,31 @@ CONN.Provider = "sqloledb"
' Loop all found server instances and connect to them
' In my tests only the connect using the "named instance" string worked
For Each instId In instIds.Keys
+ ' Use either an instance specific config file named mssql_<instance-id>.ini
+ ' or the default mysql.ini file.
+ cfg_file = cfg_dir & "\mssql_" & instId & ".ini"
+ If Not FSO.FileExists(cfg_file) Then
+ cfg_file = cfg_dir & "\mssql.ini"
+ If Not FSO.FileExists(cfg_file) Then
+ cfg_file = ""
+ End If
+ End If
+
+ Set CFG = readIniFile(cfg_file)
+ If Not CFG.Exists("auth") Then
+ Set AUTH = CreateObject("Scripting.Dictionary")
+ Else
+ Set AUTH = CFG("auth")
+ End If
+
' At this place one could implement to use other authentication mechanism
- CONN.Properties("Integrated Security").Value = "SSPI"
+ If Not AUTH.Exists("type") or AUTH("type") = "system" Then
+ CONN.Properties("Integrated Security").Value = "SSPI"
+ Else
+ CONN.Properties("User ID").Value = AUTH("username")
+ CONN.Properties("Password").Value = AUTH("password")
+ End If
+ wscript.echo instId
If InStr(instId, "__") <> 0 Then
instName = Split(instId, "__")(1)
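Review bot: Every `type` value other than `system` falls into the `Else` branch, so a typo in the ini file silently selects database authentication, and reading `AUTH("username")` or `AUTH("password")` from a Scripting.Dictionary yields an empty value when the key is missing. Make the branch explicit, for example `ElseIf AUTH("type") = "db" And AUTH.Exists("username") And AUTH.Exists("password") Then`, and report any other case as a configuration error rather than attempting a login. The CONN object appears to be created once before the loop (outside this hunk), so it is worth confirming that an `Integrated Security` value set for one instance does not linger when the next instance uses a user name and password. The comment above the lookup says `mysql.ini` where `mssql.ini` is meant. The For loop continues outside the hunk.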
@@ -115,6 +173,7 @@ For Each instId In instIds.Keys
Else
instName = instId
End If
+ wscript.echo instId
' In case of instance name "MSSQLSERVER" always use (local) as connect string
If instName = "MSSQLSERVER" Then
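Review bot: The added `wscript.echo instId` is debug output that goes straight to the agent output instead of through addOutput; the same line is added in the previous hunk, and the next hunk un-comments `WScript.echo (CONN)`. The last one is the most serious: echoing the connection object is likely to print its connection string, which with the new database authentication may include the configured user name and password, and that text would be delivered to the monitoring server with the plugin output. All three lines should be removed before release, or at least the CONN one restored to `'WScript.echo (CONN)`. The surrounding If block and loop start and end outside this hunk.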
@@ -122,10 +181,10 @@ For Each instId In instIds.Keys
Else
CONN.Properties("Data Source").Value = hostname & "\" & instName
End If
- 'WScript.echo (CONN)
+ WScript.echo (CONN)
CONN.Open
-
+
' Get counter data for the whole instance
RS.Open "SELECT counter_name, object_name, instance_name, cntr_value " & _
"FROM sys.dm_os_performance_counters " & _
@@ -219,6 +278,8 @@ Next
Set RS = nothing
Set CONN = nothing
+Set FSO = nothing
+Set SHO = nothing
' finally output collected data
WScript.echo output
Module: check_mk
Branch: master
Commit: 8118c334b6dfe8ac1590bd2131347c23a16b0f2c
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8118c334b6dfe8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 21 09:39:10 2015 +0200
#2471 User IDs are now allowed to contain special characters (like German umlauts)
Using the GUI it was not possible to create users having user IDs containing special
characters like e.g. German umlauts. But in environments where user synchronizations
with LDAP directories is used it might happen that users with such user IDs need
to be synchronized into Check_MK. This was in possible in earlier versions,
which lead to some kind of inconsistencies.
To have a consistent situation for all users independent of their source, Check_MK
now allows you to create users which user IDs contain special characters.
If you already have configured a LDAP synchronization and set the option
"Translate Umlauts in User-IDs" to "replace", your already synchronized users will
be left untouched for the moment. But it is recommended to set this option to
"Keep special characters" now to allow your users to use their normal user IDs for
logging in. But please note, if you change this option, your users having special
characters in user IDs are deleted and re-created with the new name during next
LDAP sync. You will need to migrate the users profile (<tt>var/check_mk/web/[user_id]</tt>)
to make them able to use their custom views, dashboards, bookmarks etc. again after
renaming.
---
.werks/2471 | 26 ++++++++++++++++++++++++++
ChangeLog | 1 +
2 files changed, 27 insertions(+)
diff --git a/.werks/2471 b/.werks/2471
new file mode 100644
index 0000000..075ebb5
--- /dev/null
+++ b/.werks/2471
@@ -0,0 +1,26 @@
+Title: User IDs are now allowed to contain special characters (like German umlauts)
+Level: 2
+Component: multisite
+Compatible: compat
+Version: 1.2.7i3
+Date: 1437463798
+Class: feature
+
+Using the GUI it was not possible to create users having user IDs containing special
+characters like e.g. German umlauts. But in environments where user synchronizations
+with LDAP directories is used it might happen that users with sucht user IDs need
+to be synchronized into Check_MK. This was in possible in earlier versions,
+which lead to some kind of inconsistencies.
+
+To have a consistent situation for all users independent of their source, Check_MK
+now allows you to create users which user IDs contain special characters.
+
+If you already have configured a LDAP synchronization and set the option
+"Translate Umlauts in User-IDs" to "replace", your already synchronized users will
+be left untouched for the moment. But it is recommended to set this option to
+"Keep special characters" now to allow your users to use their normal user IDs for
+logging in. But please note, if you change this option, your users having special
+characters in user IDs are deleted and re-created with the new name during next
+LDAP sync. You will need to migrate the users profile (<tt>var/check_mk/web/[user_id]</tt>)
+to make them able to use their custom views, dashboards, bookmarks etc. again after
+renaming.
diff --git a/ChangeLog b/ChangeLog
index 48441d5..2cc3802 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -76,6 +76,7 @@
* 2392 SEC: Auth cookie is always using "httponly" flag...
* 1268 The Snapins "Folders" and "Tree of Folders" can now be used by users without wato permission
* 1270 Multsite site Hostfilters for views can now be negated
+ * 2471 User IDs are now allowed to contain special characters (like German umlauts)...
* 2314 FIX: Availability: fixed exception when grouping by host or service group
* 2361 FIX: Fix exception for missing key 'title' in certain cases of older customized views
* 2379 FIX: Plugin-Output: Fixed handling of URLs within output of check_http...
Module: check_mk
Branch: master
Commit: 60ea727d1864f836d3897b88216fe18be03202fd
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=60ea727d1864f8…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Jul 21 09:19:02 2015 +0200
Some user login handling cleanups
---
web/htdocs/config.py | 5 +++
web/htdocs/html_mod_python.py | 15 +++++++--
web/htdocs/index.py | 4 +--
web/htdocs/login.py | 70 ++++++++++++++++++++++++-----------------
4 files changed, 60 insertions(+), 34 deletions(-)
diff --git a/web/htdocs/config.py b/web/htdocs/config.py
index 36d1ee5..c0333b9 100644
--- a/web/htdocs/config.py
+++ b/web/htdocs/config.py
@@ -43,6 +43,11 @@ try:
except NameError:
from sets import Set as set
+# FIXME: Make clear whether or not user related values should be part
+# of the "config" module. Maybe move to dedicated module (userdb?). Then
+# move all user related stuff there. e.g. html.user should also be moved
+# there.
+
#.
# .--Declarations--------------------------------------------------------.
# | ____ _ _ _ |
diff --git a/web/htdocs/html_mod_python.py b/web/htdocs/html_mod_python.py
index 7c3f3c3..e65b7e8 100644
--- a/web/htdocs/html_mod_python.py
+++ b/web/htdocs/html_mod_python.py
@@ -60,8 +60,11 @@ class html_mod_python(htmllib.html):
else:
return self.site_status
+ def login(self, user_id):
+ self.user = user_id
+
def is_logged_in(self):
- return self.user and type(self.user) in [ str, unicode ]
+ return self.user and type(self.user) == unicode
def load_help_visible(self):
try:
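Review bot: `is_logged_in()` now accepts only `unicode`, while the new `login()` stores whatever it is given, so a byte-string user id coming from any assignment site this commit did not update would silently count as not logged in. Either document the contract on `login()` with a docstring saying that user_id must be a unicode string or None, or enforce it there. The check also returns the user value itself when it is empty or None instead of a boolean; `return isinstance(self.user, unicode) and self.user != u''` states the intent more directly. The class body continues outside the hunk.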
@@ -69,8 +72,14 @@ class html_mod_python(htmllib.html):
except:
pass
+
+ def get_request_header(self, key, deflt=None):
+ return self.req.headers_in.get(key, deflt)
+
+
def is_ssl_request(self):
- return self.req.headers_in.get('X-Forwarded-Proto') == 'https'
+ return self.get_request_header('X-Forwarded-Proto') == 'https'
+
def set_cookie(self, varname, value, expires = None):
# httponly tells the browser not to make this cookie available to Javascript
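Review bot: `get_request_header()` has no docstring, and it is now the single access point for headers that drive security decisions: `X-Forwarded-Proto` here and, in login.py of this commit, the header named by `config.auth_by_http_header`. Both values are whatever the client or an intermediate proxy sent, so they are only meaningful when a trusted front end sets or strips them. I would add a short docstring saying that the method returns the raw request header value or `deflt`, and that callers must not treat the value as trustworthy unless the deployment guarantees the header is set by the web server or proxy. The class body continues outside the hunk.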
@@ -111,7 +120,7 @@ class html_mod_python(htmllib.html):
return config.load_user_file("buttoncounts", {})
def top_heading(self, title):
- if type(self.user) in [ str, unicode ]:
+ if self.is_logged_in():
login_text = "<b>%s</b> (%s" % (config.user_id, "+".join(config.user_role_ids))
if self.enable_debug:
if config.get_language():
diff --git a/web/htdocs/index.py b/web/htdocs/index.py
index b8b6f3d..22497ac 100644
--- a/web/htdocs/index.py
+++ b/web/htdocs/index.py
@@ -196,8 +196,8 @@ def handler(req, fields = None, profiling = True):
if not html.is_logged_in():
config.auth_type = 'cookie'
# When not authed tell the browser to ask for the password
- html.user = login.check_auth()
- if html.user == '':
+ html.login(login.check_auth())
+ if not html.is_logged_in():
if fail_silently:
# While api call don't show the login dialog
raise MKUnauthenticatedException(_('You are not authenticated.'))
diff --git a/web/htdocs/login.py b/web/htdocs/login.py
index 738a39a..639a9ae 100644
--- a/web/htdocs/login.py
+++ b/web/htdocs/login.py
@@ -132,42 +132,54 @@ def check_auth_cookie(cookie_name):
def check_auth_automation():
secret = html.var("_secret").strip()
- user = html.var_utf8("_username").strip()
+ user_id = html.var_utf8("_username").strip()
html.del_var('_username')
html.del_var('_secret')
- if secret and user and "/" not in user:
- path = defaults.var_dir + "/web/" + user.encode("utf-8") + "/automation.secret"
+ if secret and user_id and "/" not in user_id:
+ path = defaults.var_dir + "/web/" + user_id.encode("utf-8") + "/automation.secret"
if os.path.isfile(path) and file(path).read().strip() == secret:
# Auth with automation secret succeeded - mark transid as unneeded in this case
html.set_ignore_transids()
- return user
- raise MKAuthException(_("Invalid automation secret for user %s") % html.attrencode(user))
+ return user_id
+ raise MKAuthException(_("Invalid automation secret for user %s") % html.attrencode(user_id))
+
+# When http header auth is enabled, try to read the user_id from the var
+# and when there is some available, set the auth cookie (for other addons) and proceed.
+def check_auth_http_header():
+ user_id = html.get_request_header(config.auth_by_http_header)
+ if user_id:
+ user_id = user_id.decode("utf-8")
+ serial = load_serial(user_id)
+ renew_cookie(site_cookie_name(), user_id, serial)
+ else:
+ user_id = None
+ return user_id
def check_auth():
+ user_id = None
if html.var("_secret"):
- return check_auth_automation()
-
- # When http header auth is enabled, try to read the username from the var
- # and when there is some available, set the auth cookie (for other addons) and proceed.
- if config.auth_by_http_header:
- username = html.req.headers_in.get(config.auth_by_http_header, None).decode("utf-8")
- if username:
- serial = load_serial(username)
- renew_cookie(site_cookie_name(), username, serial)
- return username
-
- for cookie_name in html.get_cookie_names():
- if cookie_name.startswith('auth_'):
- try:
- return check_auth_cookie(cookie_name)
- except Exception, e:
- #if html.enable_debug:
- # html.write('Exception occured while checking cookie %s' % cookie_name)
- # raise
- #else:
- pass
-
- return ''
+ user_id = check_auth_automation()
+
+ elif config.auth_by_http_header:
+ user_id = check_auth_http_header()
+
+ if user_id == None:
+ for cookie_name in html.get_cookie_names():
+ if cookie_name.startswith('auth_'):
+ try:
+ user_id = check_auth_cookie(cookie_name)
+ break
+ except Exception, e:
+ #if html.enable_debug:
+ # html.write('Exception occured while checking cookie %s' % cookie_name)
+ # raise
+ #else:
+ pass
+
+ if (user_id != None and type(user_id) != unicode) or user_id == u'':
+ raise MKInternalError(_("Invalid user authentication"))
+
+ return user_id
def do_login():
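Review bot: In check_auth_http_header the header value is decoded with `user_id.decode("utf-8")` without handling UnicodeDecodeError, so a malformed header becomes an unhandled exception instead of an unauthenticated request; the sketch below treats it like a missing header. The value is also handed to load_serial() and renew_cookie() as received, whereas check_auth_automation rejects `/` in the user id before building a path; whether load_serial needs the same guard is not visible in this hunk and should be checked. The final type check in check_auth raises MKInternalError for any non-unicode result, so check_auth_cookie (defined outside the hunk) has to return unicode as well. do_login at the end of the hunk continues outside it.

```python
def check_auth_http_header():
    user_id = html.get_request_header(config.auth_by_http_header)
    if not user_id:
        return None
    try:
        user_id = user_id.decode("utf-8")
    except UnicodeDecodeError:
        # Malformed header value: handle it like a missing header
        return None
    serial = load_serial(user_id)
    renew_cookie(site_cookie_name(), user_id, serial)
    return user_id
```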
@@ -256,7 +268,7 @@ def normal_login_page(called_directly = True):
}''')
# When someone calls the login page directly and is already authed redirect to main page
- if html.myfile == 'login' and check_auth() != '':
+ if html.myfile == 'login' and check_auth():
html.immediate_browser_redirect(0.5, origtarget and origtarget or 'index.py')
return apache.OK