Module: check_mk
Branch: master
Commit: d357457fecb1fdb201297b3eaf2ef8ffcb049125
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=d357457fecb1fd…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon May 15 15:20:20 2017 +0200
4682 SEC Add permission "Can add or modify executables" to be able to fine tune access rights
It is now possible to explicitly allow/deny users of WATO to add or modify executables.
This is done with the new permission <i>Can add or modify executables</i>. By default
only users with the role <i>Administrator</i> have this permission.
There are different places in Check_MK where an admin, the user of the configuration
GUI, can use the GUI to add executable code to Check_MK.
For example when configuring datasource programs, the user inserts a command line for
gathering monitoring data. This command line is then executed during monitoring by
Check_MK.
Another example is the upload of extension packages (MKPs).
These functions have in common that the user provides data that is executed by Check_MK
later in the context of Check_MK.
If you want to ensure that your WATO users can not "inject" arbitrary executables
into your Check_MK installation, you only need to revoke this permission.
This permission is needed in addition to the other component related permissions.
For example you need the <tt>wato.rulesets</tt> permission together with the new
permission to be able to configure rulesets where bare command lines are configured.
These things are protected by the new permission at the moment:
<ul>
<li>Ruleset: Classical active and passive monitoring checks</li>
<li>Ruleset: Datasource programs</li>
<li>Ruleset: Configuring custom host check command</li>
<li>Host diagnostic page: Setting arbitrary command line as datasource program</li>
<li>Configure event console actions</li>
<li>
<strong>Incompatible</strong>: Users with the role <i>Users</i> are allowed to edit rulesets
for the WATO folders they are permitted on. In previous versions they were also able to
insert arbitrary commands into the rulesets mentioned above. This has now been removed
(by default) for security reasons. If you still need this functionality, you need to
set the new permission to <i>yes</i> for this role.
Change-Id: Ic52c52e53b8cbd10c8f2af064559ff0bed9b41c7
---
.werks/4682 | 47 ++++++++++++++++++++++++++
web/htdocs/js/wato.js | 4 ++-
web/htdocs/wato.py | 54 ++++++++++++++++++++++++------
web/plugins/wato/check_mk_configuration.py | 34 +++++++++++++------
4 files changed, 117 insertions(+), 22 deletions(-)
Diff: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commitdiff;h=d357457fec…
Module: check_mk
Branch: master
Commit: 67604cec40e3d48a43196559432162e7813d3b09
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=67604cec40e3d4…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Mon May 15 13:15:17 2017 +0200
4660 FIX win_os: Fixed wrong OS information if eg. ESX is installed on Windows host
Change-Id: I716e4611eee174786c1ab80ccff5fd76faa8f4ad
---
.werks/4660 | 11 +++++++++++
inventory/win_os | 6 ++++++
2 files changed, 17 insertions(+)
diff --git a/.werks/4660 b/.werks/4660
new file mode 100644
index 0000000..5345fa8
--- /dev/null
+++ b/.werks/4660
@@ -0,0 +1,11 @@
+Title: win_os: Fixed wrong OS information if eg. ESX is installed on Windows host
+Level: 1
+Component: inv
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1494846640
+
+
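Review bot: The werk ends after the `Date:` header with two empty lines, so the changelog entry consists of the title only. Add a short description naming the affected fields (the code change clears vendor, name, version, type and arch under `software.os.`) and say whether hosts need a new inventory run before the corrected values show up.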
diff --git a/inventory/win_os b/inventory/win_os
index 58d98b2..b9631ed 100644
--- a/inventory/win_os
+++ b/inventory/win_os
@@ -31,6 +31,12 @@
def inv_win_os(info):
node = inv_tree("software.os.")
+ # Some information come eg. from esx and we delete these
+ # because basic os is windows
+ for what in ["vendor", "name", "version", "type", "arch"]:
+ if what in node:
+ del node[what]
+
node["type"] = "Windows"
node["vendor"] = "Microsoft"
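Review bot: In the `for what in [...]` loop, `type` and `vendor` are deleted only to be assigned again on the two lines that follow, so those two entries have no effect; either drop them from the list or note in the comment that the list is meant to cover every key this function may leave unset. The fix also only works if this function runs after whatever wrote the ESX values into `software.os.`, and nothing in the hunk enforces that order, so the comment should name the plugin that writes them. Minor: `if what in node: del node[what]` can be `node.pop(what, None)` if the node is a plain dict, and the comment should read "Some information comes".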
Module: check_mk
Branch: master
Commit: 28463b4498455b8796394dafaae1c5fac8f9077b
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=28463b4498455b…
Author: Simon Betz <si(a)mathias-kettner.de>
Date: Mon May 15 11:45:01 2017 +0200
4658 FIX Fixed permissions in BI packs using rules from other packs
Change-Id: I272bcc753b6d287f5f9e063bc3c2915f3aed7874
---
.werks/4658 | 13 +++++++++++++
web/plugins/wato/bi.py | 19 +++++++++++++++++++
2 files changed, 32 insertions(+)
diff --git a/.werks/4658 b/.werks/4658
new file mode 100644
index 0000000..193c8a9
--- /dev/null
+++ b/.werks/4658
@@ -0,0 +1,13 @@
+Title: Fixed permissions in BI packs using rules from other packs
+Level: 1
+Component: bi
+Class: fix
+Compatible: compat
+Edition: cre
+State: unknown
+Version: 1.5.0i1
+Date: 1494836173
+
+If users use rules with node rules from other BI packs for which they have
+no permissions, these parent rules could be damaged by editing them. Now they
+get an error message and editing is not allowed any more.
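Review bot: `Class: fix` understates what the description reports: users could damage rules in packs they have no permission for, which is an authorization problem, so `Class: security` would make the werk visible to admins who filter for security changes. The first sentence ("rules with node rules from other BI packs") is also hard to parse; state plainly that a rule referencing rules from a pack the user may not use can no longer be opened for editing.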
diff --git a/web/plugins/wato/bi.py b/web/plugins/wato/bi.py
index 295fa6a..b9c1c75 100644
--- a/web/plugins/wato/bi.py
+++ b/web/plugins/wato/bi.py
@@ -1490,6 +1490,7 @@ class ModeBIEditRule(ModeBI):
def page(self):
+ self._may_use_rules_from_packs()
if self._new:
cloneid = html.var("clone")
if cloneid:
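Review bot: The new check is called only at the top of `page()`, which renders the form; if the rule is saved through a separate handler, a request sent directly to that handler never reaches `_may_use_rules_from_packs()`, so the same call belongs there. The call also sits before the `if self._new:` branch while the helper indexes `self._pack["rules"][self._ruleid]`; confirm that lookup cannot raise for a rule that is being created or cloned, or move the call into the branch for existing rules.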
@@ -1518,6 +1519,24 @@ class ModeBIEditRule(ModeBI):
html.end_form()
+ def _may_use_rules_from_packs(self):
+ rules_without_permissions = {}
+ for node in self._pack["rules"][self._ruleid]["nodes"]:
+ node_type, node_content = node
+ node_name = node_content[0]
+ pack = self.pack_containing_rule(node_name)
+ if node_type == 'call' and not self.may_use_rules_in_pack(pack):
+ packid = (pack['id'], pack['title'])
+ rules_without_permissions.setdefault(packid, [])
+ rules_without_permissions[packid].append(node_name)
+
+ if rules_without_permissions:
+ message = ", ".join([_("in BI rules %s used in pack '%s'") % \
+ (", ".join([ "'%s'" % ruleid for ruleid in ruleids]), title)
+ for (nodeid, title), ruleids in rules_without_permissions.items()])
+ raise MKAuthException(_("You have no permission for changes %s.") % message)
+
+
def valuespec(self):
elements = [
( "id",
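Review bot: In `_may_use_rules_from_packs`, `pack_containing_rule(node_name)` runs for every node before `node_type == 'call'` is tested, so for other node types `node_content[0]` is passed in as a rule name even though it may be something else, and `may_use_rules_in_pack(pack)` is only reached safely if that lookup returned a pack. Test the node type first and skip non-call nodes. The comprehension unpacks the key as `(nodeid, title)` although it was built from `pack['id']`, which misleads the reader, and the method name reads like a predicate while it actually raises `MKAuthException`; a name such as `_verify_pack_permissions` would describe it better.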
Module: check_mk
Branch: master
Commit: be7bf548cfe0b1588cc0ef249ea7a85a6f4b1519
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=be7bf548cfe0b1…
Author: Andreas Boesl <ab(a)mathias-kettner.de>
Date: Mon May 15 11:31:27 2017 +0200
4698 FIX netapp_api_volumes: Changed service description for clustermode volumes
The service description for clustermode volumes now always consists of the SVM name and the
volume name. The old description used the node name and the volume name, which was not sufficient
to uniquely identify the volume.
Change-Id: Ia1543b53a2f37e8d32fdd16e31564b4b95272325
---
.werks/4698 | 13 +++++++++++++
agents/special/agent_netapp | 2 +-
checks/netapp_api_volumes | 8 ++------
3 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/.werks/4698 b/.werks/4698
new file mode 100644
index 0000000..1fda5ca
--- /dev/null
+++ b/.werks/4698
@@ -0,0 +1,13 @@
+Title: netapp_api_volumes: Changed service description for clustermode volumes
+Level: 1
+Component: checks
+Compatible: incomp
+Edition: cre
+Version: 1.5.0i1
+Date: 1494840344
+Class: fix
+
+The service description for clustermode volumes now always consists of the SVM name and the
+volume name. The old description used the node name and the volume name, which was not sufficient
+to uniquely identify the volume.
+
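Review bot: The werk is marked `Compatible: incomp` but the text does not tell the admin what to do. Since the service description changes from node name plus volume name to SVM name plus volume name, add a sentence saying that the affected hosts need a rediscovery and what happens to the services under the old description.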
diff --git a/agents/special/agent_netapp b/agents/special/agent_netapp
index dabdfb9..0722baf 100755
--- a/agents/special/agent_netapp
+++ b/agents/special/agent_netapp
@@ -1052,7 +1052,7 @@ try:
"volume-inode-attributes.files-used" : "files-used" },
extra_info = create_dict(volume_counters, custom_key = [ "instance_uuid" ]),
extra_info_report = sum(map(lambda x: ["%s" % x, "nfs_%s" % x, "cifs_%s" % x, "san_%s" % x, "fcp_%s" % x, "iscsi_%s" % x],
- sum(map(lambda x: ["read_%s" % x, "write_%s" % x], ["data", "latency", "ops"]), [])), []) + [ "instance_name" ],
+ sum(map(lambda x: ["read_%s" % x, "write_%s" % x], ["data", "latency", "ops"]), [])), []) + [ "instance_name", "vserver_name" ],
skip_missing_config_key = True
)
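Review bot: The changed `extra_info_report` line is a nested `sum(map(lambda ...))` expression that already exceeds any reasonable line length, and appending `"vserver_name"` to its tail makes the addition easy to miss. Build the counter name list in a named variable above the call and pass `counter_names + [ "instance_name", "vserver_name" ]`, so the two plain keys are readable on their own.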
diff --git a/checks/netapp_api_volumes b/checks/netapp_api_volumes
index f2f4f46..74d5709 100644
--- a/checks/netapp_api_volumes
+++ b/checks/netapp_api_volumes
@@ -37,12 +37,8 @@ def parse_netapp_api_volumes(info):
volume[tokens[0]] = tokens[1]
# Clustermode specific
- if "node" in volume:
- # There are cluster volumes and volumes which only exist on the node.
- if "msid" not in volume:
- name = "%s.%s" % (volume["node"], volume["name"])
- else:
- name = volume["name"]
+ if "vserver_name" in volume:
+ name = "%s.%s" % (volume["vserver_name"], volume["name"])
volumes[name] = volume
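Review bot: With the `else: name = volume["name"]` branch removed, nothing in this hunk assigns `name` when `vserver_name` is absent, yet `volumes[name] = volume` still runs. Unless `name` is set earlier in the loop outside the visible context, that path either raises a NameError or reuses the key of the previous volume and overwrites it. This matters for output from an agent that does not yet report `vserver_name`, which the agent change in this same commit suggests exists. Keep an explicit fallback to `volume["name"]` before the `if`.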
Module: check_mk
Branch: master
Commit: faff77559ecc25d552af04b2fd85526a51d9c8ab
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=faff77559ecc25…
Author: Sven Panne <sp(a)mathias-kettner.de>
Date: Mon May 15 10:15:15 2017 +0200
4688 FIX Emit error message in livestatus response
When the 'fixed16' response format is used, the Livestatus response should
contain the actual error message when something goes wrong. This was broken
in the 1.4 series and has been fixed now.
Change-Id: Icb2af944ac25601c0626d7aa59f67f6a92ec5cc2
---
.werks/4688 | 12 ++++++++++++
livestatus/src/OutputBuffer.cc | 4 +++-
2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/.werks/4688 b/.werks/4688
new file mode 100644
index 0000000..fda9acb
--- /dev/null
+++ b/.werks/4688
@@ -0,0 +1,12 @@
+Title: Emit error message in livestatus response
+Level: 1
+Component: livestatus
+Compatible: compat
+Edition: cre
+Version: 1.5.0i1
+Date: 1494835970
+Class: fix
+
+When the 'fixed16' response format is used, the Livestatus response should
+contain the actual error message when something goes wrong. This was broken
+in the 1.4 series and has been fixed now.
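Review bot: The description says the behaviour was broken in the 1.4 series, but the header carries `Version: 1.5.0i1` only. State whether the fix is also going into a 1.4 release, since that is where affected users are.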
diff --git a/livestatus/src/OutputBuffer.cc b/livestatus/src/OutputBuffer.cc
index 673cb64..474c4ba 100644
--- a/livestatus/src/OutputBuffer.cc
+++ b/livestatus/src/OutputBuffer.cc
@@ -55,7 +55,9 @@ OutputBuffer::~OutputBuffer() { flush(); }
void OutputBuffer::flush() {
if (_response_header == ResponseHeader::fixed16) {
if (_response_code != ResponseCode::ok) {
- _os.str(_error_message);
+ _os.clear();
+ _os.str("");
+ _os << _error_message;
}
auto code = static_cast<unsigned>(_response_code);
size_t size = _os.tellp();
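Review bot: The three replacement lines in `flush()` need a comment explaining why `_os.str(_error_message)` was not enough, because it looks like the simpler form and invites someone to change it back. `str(s)` replaces the buffer but leaves the put position at the start, so the `_os.tellp()` two lines below reports 0 and the header announces an empty body; writing with `<<` after `_os.str("")` advances the position. `_os.clear()` also matters here, since `tellp()` returns -1 on a failed stream and that would be converted to a huge `size_t`. A test that issues a failing query with the fixed16 header and checks the announced length against the message would pin this down.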