Module: check_mk
Branch: master
Commit: 8fe01b8cb4b15d4718d1fde513126e782ca13fd1
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=8fe01b8cb4b15d…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue Dec 17 11:30:25 2013 +0100
FIX Fix folder visibility in WATO for unpriviledged users
In WATO, if you are an unprivileged user you might have write access to some
lower subfolders but not to the upper folders. This is perfectly common,
because that way the monitoring administrator can delegate tasks for certain
classes of hosts to his colleagues.
Previously, however, you couldn't navigate to the lower folders without
faking the URL. This has been fixed now. If you are located in a folder
without having permissions to it you won't see any hosts of that folder,
but you still see the subfolders and can also enter them.
This fix also removes the buttons for actions on a folder if you do
not have write permissions to it.
---
.werks/346 | 21 +++++++++++++++++++++
ChangeLog | 1 +
web/htdocs/wato.css | 8 ++++++++
web/htdocs/wato.py | 46 +++++++++++++++++++++++++++++-----------------
4 files changed, 59 insertions(+), 17 deletions(-)
diff --git a/.werks/346 b/.werks/346
new file mode 100644
index 0000000..36cd5de
--- /dev/null
+++ b/.werks/346
@@ -0,0 +1,21 @@
+Title: Fix folder visibility in WATO for unpriviledged users
+Level: 2
+Component: wato
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387276017
+Targetversion: future
+
+In WATO if you are an unpriviledged user you might have write access to some
+lower subfolders but not to the upper folders. This is perfectly common,
+because that way the monitoring administrator can delegate tasks for certain
+classes of hosts to his collegues.
+
+Previously, however, you couldn't navigate to the lower folders without
+faking the URL. This has been fixed now. If you are located in a folder
+without having permissions to it you won't see any hosts of that folder,
+but still you see the subfolders and also can enter these.
+
+Also this fix removes that buttons for actions on a folder if you do
+not have write permissions to it.
diff --git a/ChangeLog b/ChangeLog
index e5792cf..9f59b6d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -79,6 +79,7 @@
* 0361 FIX: The page linked by "new rule" can now be bookmarked again
* 0341 FIX: Avoid rare exception in WATO when deleting a host...
* 0376 FIX: LDAP: Default configuration of attributes is reflected within WATO now
+ * 0346 FIX: Fix folder visibility in WATO for unpriviledged users...
Notifications:
* 0362 sms: now searching PATH for sendsms and smssend commands...
diff --git a/web/htdocs/wato.css b/web/htdocs/wato.css
index fb0550d..39eb26d 100644
--- a/web/htdocs/wato.css
+++ b/web/htdocs/wato.css
@@ -362,6 +362,7 @@ table.validationerror img {
position: absolute;
top: 28px;
right: 19px;
+ z-index: 500;
}
.wato div.floatfolder div.infos img {
@@ -422,6 +423,13 @@ table.validationerror img {
top: -2px;
}
+.wato img.authicon {
+ width: 28px;
+ height: 28px;
+ margin-right: 10px;
+ vertical-align: middle;
+}
+
.wato div.move_dialog {
padding:10px;
background-color: #45829D;
diff --git a/web/htdocs/wato.py b/web/htdocs/wato.py
index 029eac2..4518ff6 100644
--- a/web/htdocs/wato.py
+++ b/web/htdocs/wato.py
@@ -827,6 +827,10 @@ def get_folder_aliaspath(folder, show_main = True):
# '----------------------------------------------------------------------'
def mode_folder(phase):
+ auth_message = check_folder_permissions(g_folder, "read", False)
+ auth_read = auth_message == True
+ auth_write = check_folder_permissions(g_folder, "write", False) == True
+
global g_folder
if phase == "title":
return g_folder["title"]
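Review bot: The three added lines read `g_folder` above the `global g_folder` statement that follows them. Python 2 emits a SyntaxWarning for a name used prior to its global declaration and Python 3 rejects it as a SyntaxError, so the added block belongs below the `global` line. Both permission checks also run on every phase, including `title`, where the visible lines do not use the results. The `== True` comparisons rely on check_folder_permissions apparently returning either True or a message string; a comment such as `# check_folder_permissions returns True or an error message` would make that contract visible. mode_folder continues outside this hunk.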
@@ -835,16 +839,17 @@ def mode_folder(phase):
global_buttons()
if config.may("wato.rulesets") or config.may("wato.seeall"):
html.context_button(_("Rulesets"), make_link([("mode", "ruleeditor")]), "rulesets")
- html.context_button(_("Folder Properties"), make_link_to([("mode", "editfolder")], g_folder), "edit")
- if not g_folder.get(".lock_subfolders") and config.may("wato.manage_folders"):
+ if auth_read:
+ html.context_button(_("Folder Properties"), make_link_to([("mode", "editfolder")], g_folder), "edit")
+ if not g_folder.get(".lock_subfolders") and config.may("wato.manage_folders") and auth_write:
html.context_button(_("New folder"), make_link([("mode", "newfolder")]), "newfolder")
- if not g_folder.get(".lock_hosts") and config.may("wato.manage_hosts"):
+ if not g_folder.get(".lock_hosts") and config.may("wato.manage_hosts") and auth_write:
html.context_button(_("New host"), make_link([("mode", "newhost")]), "new")
html.context_button(_("New cluster"), make_link([("mode", "newcluster")]), "new_cluster")
if config.may("wato.services"):
html.context_button(_("Bulk Inventory"), make_link([("mode", "bulkinventory"), ("all", "1")]),
"inventory")
- if not g_folder.get(".lock_hosts") and config.may("wato.parentscan"):
+ if not g_folder.get(".lock_hosts") and config.may("wato.parentscan") and auth_write:
html.context_button(_("Parent scan"), make_link([("mode", "parentscan"), ("all", "1")]),
"parentscan")
search_button()
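Review bot: Gating the `New folder`, `New host`, `New cluster` and `Parent scan` buttons on `auth_write` only changes what is displayed. The commit message itself notes that users reached folders by editing the URL, so the `newfolder`, `newhost`, `newcluster` and `parentscan` modes each need their own `check_folder_permissions(g_folder, "write")` call, which this hunk does not show. The `Bulk Inventory` button is still conditioned only on `config.may("wato.services")` in the visible lines; if it is not nested under an `auth_write` branch (indentation is lost in this rendering), it warrants the same gate. The enclosing function starts and ends outside the hunk.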
@@ -955,6 +960,9 @@ def mode_folder(phase):
else:
render_folder_path()
+ if not auth_read:
+ html.message('<img class=authicon src="images/icon_autherr.png"> %s' % auth_message)
+
lock_messages = []
if g_folder.get(".lock_hosts"):
if g_folder[".lock_hosts"] == True:
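Review bot: `auth_message` is interpolated into raw HTML for `html.message`, and that text is assembled in check_folder_permissions (the `@@ -1098` and `@@ -1107` hunks) from `folder["title"]` and the joined contact-group names inside `<b>%s</b>` without escaping. A folder title can be edited by anyone with write access to that folder, so markup placed in a title would be rendered for every user who opens the folder without read permission, unless `html.message` escapes its argument, which the literal `<img>` prefix here suggests it does not. Escape the variable parts where the reason is built, using the project's HTML-escaping helper (`html.attrencode`, if available in this version), e.g. `% html.attrencode(folder["title"])`. The `title="%s"` use in show_subfolders passes the same text through `html.strip_tags`, which removes tags but presumably not a double quote, so it benefits from the same fix.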
@@ -982,7 +990,7 @@ def mode_folder(phase):
if True == check_folder_permissions(g_folder, "read", False):
have_something = show_hosts(g_folder) or have_something
- if not have_something:
+ if not have_something and auth_write:
menu_items = []
if not g_folder.get(".lock_hosts"):
menu_items.extend([
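Review bot: The context line `if True == check_folder_permissions(g_folder, "read", False):` repeats the check whose result is already held in `auth_read` at the top of the function. Using `if auth_read:` there would keep the read decision in one place, so the host list and the new "no permission" message cannot disagree. The enclosing function continues outside the hunk.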
@@ -1098,7 +1106,7 @@ def check_folder_permissions(folder, how, exception=True, user = None, users = N
if c in cgs:
return True
- reason = _("Sorry, you have no permissions to access the folder <b>%s</b>. ") % folder["title"]
+ reason = _("Sorry, you have no permissions to the folder <b>%s</b>. ") % folder["title"]
if not cgs:
reason += _("The folder has no contact groups assigned to.")
else:
@@ -1107,6 +1115,7 @@ def check_folder_permissions(folder, how, exception=True, user = None, users = N
reason += _("Your contact groups are <b>%s</b>.") % ", ".join(user_cgs)
else:
reason += _("But you are not a member of any contact group.")
+ reason += _("You may enter the folder as you might have permission on a subfolders, though.")
if exception:
raise MKAuthException(reason)
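Review bot: The added sentence is appended directly to strings that end in a full stop with no trailing space (`"Your contact groups are <b>%s</b>."`, `"But you are not a member of any contact group."`), so the rendered message runs the sentences together, and it reads "a subfolders". Something like `reason += " " + _("You may still enter the folder, as you might have permission on one of its subfolders.")` fixes both. The hint is appended for every `how`, including failed `write` checks and the MKAuthException raised when `exception` is true, where "you may enter" may not be the relevant advice. check_folder_permissions begins and ends outside the hunk.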
@@ -1152,18 +1161,24 @@ def show_subfolders(folder):
html.write('<div class="floatfolder%s" id="folder_%s"' % (
auth_read and " unlocked" or " locked", entry['.name']))
- if auth_write:
- html.write(' onclick="wato_open_folder(event, \'%s\');"' % enter_url)
+ html.write(' onclick="wato_open_folder(event, \'%s\');"' % enter_url)
html.write('>')
# Only make folder openable when permitted to edit
- if auth_read:
- html.write(
- '<div class=hoverarea onmouseover="wato_toggle_folder(event, this, true);" '
- 'onmouseout="wato_toggle_folder(event, this, false)">'
- )
+ if not auth_read:
+ html.write('<img class="icon autherr" src="images/icon_autherr.png" title="%s">' % \
+ (html.strip_tags(auth_message)))
+
+ if True: # auth_read:
+ if not auth_read:
+ html.write('<div class=hoverarea>')
+
+ else:
+ html.write(
+ '<div class=hoverarea onmouseover="wato_toggle_folder(event, this, true);" '
+ 'onmouseout="wato_toggle_folder(event, this, false)">'
+ )
- if auth_read:
html.icon_button(
edit_url,
_("Edit the properties of this folder"),
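Review bot: `if True: # auth_read:` is a disabled condition left in place, and the comment `# Only make folder openable when permitted to edit` no longer matches the code now that the `onclick` handler is written unconditionally. Remove the dead conditional and reword the comment, e.g. `# Folders are always enterable; hover actions only with read permission`. With the inner `if auth_read:` removed, the `html.icon_button(edit_url, …)` call appears to run for folders the user cannot read as well (indentation is lost here, so confirm), which would show edit actions the permission model does not grant. `enter_url` is placed inside a single-quoted JavaScript string within a double-quoted attribute; confirm it is encoded for both contexts where it is built. The hunk ends inside the `html.icon_button(` call.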
@@ -1200,9 +1215,6 @@ def show_subfolders(folder):
)
html.write('</div>')
- else:
- html.write('<img class="icon autherr" src="images/icon_autherr.png" title="%s">' % \
- (html.strip_tags(auth_message)))
html.write('<div class=infos>')
# Show contact groups of the folder
effective = effective_attributes(None, entry)
Module: check_mk
Branch: master
Commit: 5a034c7dc8d95a69c456aeb69d7581b2ad90c26d
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=5a034c7dc8d95a…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 17 10:48:42 2013 +0100
agent_vsphere.pysphere: More compatibility in case of not enough permissions
---
agents/special/agent_vsphere.pysphere | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/agents/special/agent_vsphere.pysphere b/agents/special/agent_vsphere.pysphere
index 2e26e18..68284f8 100755
--- a/agents/special/agent_vsphere.pysphere
+++ b/agents/special/agent_vsphere.pysphere
@@ -640,12 +640,15 @@ def output_datastores():
# print inspect.getmembers(MORTypes)
print "<<<esx_vsphere_datastores:sep(%d)>>>" % ord('\t')
- for mor in host._retrieve_properties_traversal(property_names=property_names, obj_type=MORTypes.Datastore):
- for entry in mor.PropSet:
- if entry.Name == "name":
- print '[%s]' % entry.Val
- else:
- print '%s\t%s' % (entry.Name.split(".")[1], entry.Val)
+ rows = host._retrieve_properties_traversal(property_names=property_names, obj_type=MORTypes.Datastore)
+ # if the user has no permission to host / datastores, rows is None, skip it then
+ if rows:
+ for mor in rows:
+ for entry in mor.PropSet:
+ if entry.Name == "name":
+ print '[%s]' % entry.Val
+ else:
+ print '%s\t%s' % (entry.Name.split(".")[1], entry.Val)
def conv_multipath(value):
return " ".join(["%s %s" % (p.Name, p.PathState) for p in value.HostMultipathStateInfoPath])
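Review bot: When the query returns nothing, the `<<<esx_vsphere_datastores…>>>` header is still printed and the loop is skipped silently, so on the monitoring side a missing permission looks the same as a host with no datastores. A line on stderr in that case, e.g. `sys.stderr.write("No datastore data returned (missing permission?)\n")`, would make the condition diagnosable, assuming `sys` is imported in this file. `if rows:` also treats an empty list like None, which is harmless here but the comment could say so: `# rows is None (no permission) or empty: nothing to print`. Other callers of `_retrieve_properties_traversal` in this agent may need the same guard; they are outside this hunk.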
Module: check_mk
Branch: master
Commit: 84f69ad53ba14c7f5f627cf2ed6e62fee7ab100a
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=84f69ad53ba14c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Tue Dec 17 10:06:27 2013 +0100
FIX LDAP: Now handling user-ids with umlauts
User-IDs with umlauts seem to be used in some installations. We added one new configuration
option to handle those User-IDs. The default is now that multisite replaces the umlauts
ü, ö, ä, ß with two letters ue, oe, ae, ss. Other umlauts are left untouched. Another option
is that users with umlauts are simply skipped and not synced into multisite.
Please note: Users with umlauts need to login with their umlaut login name. After login, the
username is always used without umlauts within multisite.
Maybe we make multisite handle umlauts correctly one day, but for the moment this change
could have too many unwanted results.
---
.werks/375 | 19 +++++++++++
ChangeLog | 1 +
web/plugins/config/builtin.py | 5 ++-
web/plugins/userdb/ldap.py | 49 +++++++++++++++++++++-------
web/plugins/wato/check_mk_configuration.py | 13 +++++++-
5 files changed, 73 insertions(+), 14 deletions(-)
diff --git a/.werks/375 b/.werks/375
new file mode 100644
index 0000000..3f7a792
--- /dev/null
+++ b/.werks/375
@@ -0,0 +1,19 @@
+Title: LDAP: Now handling user-ids with umlauts
+Level: 1
+Component: multisite
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387270969
+Targetversion: future
+
+User-IDs with umlauts seem to be used in some installations. We added one new configuration
+options to handle those User-IDs. The default is now that multisite replaces the umlauts
+ü, ö, ä, ß with two letters ue, oe, ae, ss. Other umlauts are left untouched. Another option
+is that users with umlauts are simply skipped and not synced into multisite.
+
+Please note: Users with umlauts need to login with their umlaut login name. After login, the
+username is always used without umlauts within multisite.
+
+Maybe we make multisite handle umlauts correctly one day, but for the moment this change
+could have too many unwanted results.
diff --git a/ChangeLog b/ChangeLog
index 6ca7559..b89185e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -56,6 +56,7 @@
* 0356 FIX: Fixed exception caused by utf8 chars in tooltip text...
* 0368 FIX: Generating selection id is hopefully now compatible to more systems...
* 0374 FIX: Fixed syntax error in exception handler of LDAP search code...
+ * 0375 FIX: LDAP: Now handling user-ids with umlauts...
WATO:
* 0308 Multisite can now set rotation view permissions for NagVis...
diff --git a/web/plugins/config/builtin.py b/web/plugins/config/builtin.py
index c5a3b1a..fd285d8 100644
--- a/web/plugins/config/builtin.py
+++ b/web/plugins/config/builtin.py
@@ -215,7 +215,10 @@ escape_plugin_output = True
user_connectors = ['htpasswd']
userdb_automatic_sync = [ 'wato_users', 'page', 'wato_pre_activate_changes', 'wato_snapshot_pushed' ]
ldap_connection = {}
-ldap_userspec = {}
+ldap_userspec = {
+ 'scope' : 'sub',
+ 'user_id_umlauts' : 'replace',
+}
ldap_groupspec = {}
ldap_active_plugins = {'email': {}, 'alias': {}, 'auth_expire': {}}
ldap_cache_livetime = 300
diff --git a/web/plugins/userdb/ldap.py b/web/plugins/userdb/ldap.py
index bf14356..ca1fd6c 100644
--- a/web/plugins/userdb/ldap.py
+++ b/web/plugins/userdb/ldap.py
@@ -399,6 +399,36 @@ def ldap_replace_macros(tmpl):
return dn
+def ldap_rewrite_user_id(user_id):
+ if config.ldap_userspec.get('lower_user_ids', False):
+ user_id = user_id.lower()
+
+ umlauts = config.ldap_userspec.get('user_id_umlauts', 'replace')
+ new = ""
+ for c in user_id:
+ if c == u'ü':
+ new += 'ue'
+ elif c == u'ö':
+ new += 'oe'
+ elif c == u'ä':
+ new += 'ae'
+ elif c == u'ß':
+ new += 'ss'
+ elif c == u'Ü':
+ new += 'UE'
+ elif c == u'Ö':
+ new += 'OE'
+ elif c == u'Ä':
+ new += 'AE'
+ else:
+ new += c
+ if umlauts == 'replace':
+ user_id = new
+ elif umlauts == 'skip' and user_id != new:
+ return None # This makes the user being skipped
+
+ return user_id
+
def ldap_user_id_attr():
return config.ldap_userspec.get('user_id', ldap_attr('user_id'))
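Review bot: Replacing umlauts maps distinct directory accounts onto one Multisite user ID: `müller` and an existing `mueller` both become `mueller`, so one person would be handled under the other's ID and whatever roles and contact groups are attached to it. Nothing in ldap_rewrite_user_id or in the ldap_get_users hunk (`result[user_id] = ldap_user`) detects this; the later entry silently overwrites the earlier one. A check before that assignment, such as `if user_id in result: raise MKLDAPException(_('User-ID "%s" is not unique after umlaut replacement') % user_id)`, would surface the conflict instead. The function also lacks a docstring stating its contract: it returns the rewritten ID, or None when the user is to be skipped. If the attribute value arrives as a UTF-8 byte string rather than unicode, the per-character comparison with `u'ü'` never matches; confirm the value is decoded before this call.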
@@ -430,11 +460,9 @@ def ldap_get_user(username, no_escape = False):
if result:
dn = result[0][0]
- user_id = result[0][1][ldap_user_id_attr()][0]
-
- if config.ldap_userspec.get('lower_user_ids', False):
- user_id = user_id.lower()
-
+ user_id = ldap_rewrite_user_id(result[0][1][ldap_user_id_attr()][0])
+ if user_id is None:
+ return None
g_ldap_user_cache[username] = (dn, user_id)
if no_escape:
@@ -488,13 +516,10 @@ def ldap_get_users(add_filter = ''):
if ldap_user_id_attr() not in ldap_user:
raise MKLDAPException(_('The configured User-ID attribute "%s" does not '
'exist for the user "%s"') % (ldap_user_id_attr(), dn))
- user_id = ldap_user[ldap_user_id_attr()][0]
-
- if config.ldap_userspec.get('lower_user_ids', False):
- user_id = user_id.lower()
-
- ldap_user['dn'] = dn # also add the DN
- result[user_id] = ldap_user
+ user_id = ldap_rewrite_user_id(ldap_user[ldap_user_id_attr()][0])
+ if user_id:
+ ldap_user['dn'] = dn # also add the DN
+ result[user_id] = ldap_user
return result
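Review bot: The skip test here is `if user_id:` while ldap_get_user uses `if user_id is None:`; the truthiness form also drops an entry whose ID attribute is an empty string, without any message. Using `if user_id is not None:` in both places keeps the two call sites in agreement with the helper's return contract. Skipped users are not logged, so an administrator cannot see which accounts the `skip` setting excluded; a debug log line would help, if the module has a logging helper.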
diff --git a/web/plugins/wato/check_mk_configuration.py b/web/plugins/wato/check_mk_configuration.py
index 2a25018..5ffabb5 100644
--- a/web/plugins/wato/check_mk_configuration.py
+++ b/web/plugins/wato/check_mk_configuration.py
@@ -698,8 +698,19 @@ register_configvar(group,
value = True,
totext = _("Enforce lower case User-IDs."),
)),
+ ("user_id_umlauts", DropdownChoice(
+ title = _("Umlauts in User-IDs"),
+ help = _("Multisite does not support umlauts in User-IDs at the moment. To deal "
+ "with LDAP users having umlauts in their User-IDs you have the following "
+ "choices."),
+ choices = [
+ ("replace", _("Replace umlauts like \"ü\" with \"ue\"")),
+ ("skip", _("Skip users with umlauts in their User-IDs")),
+ ],
+ default_value = "replace",
+ )),
],
- optional_keys = ['scope', 'filter', 'filter_group', 'user_id', 'lower_user_ids'],
+ optional_keys = ['filter', 'filter_group', 'user_id', 'lower_user_ids', ],
),
domain = "multisite",
in_global_settings = False,
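Review bot: The option is labelled `Skip users with umlauts in their User-IDs`, but ldap_rewrite_user_id recognises only ü, ö, ä, ß, Ü, Ö and Ä. IDs containing any other non-ASCII character are neither replaced nor skipped and reach Multisite unchanged, which the help text describes as unsupported. The help text should name the handled characters, e.g. by adding `"Only ü, ö, ä, ß and their upper-case forms are handled; other special characters are passed through unchanged."`. `optional_keys` drops `'scope'` and does not list `'user_id_umlauts'`, so both become mandatory entries; that matches the new defaults in builtin.py but deserves a comment for sites whose existing `ldap_userspec` lacks them. The register_configvar call begins outside the hunk.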
Module: check_mk
Branch: master
Commit: 0b97347881693169485aeb1685d2900f6568aee9
URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0b973478816931…
Author: Mathias Kettner <mk(a)mathias-kettner.de>
Date: Tue Dec 17 10:07:46 2013 +0100
FIX: Linux agent: fix detaching of background plugins
The asynchronous execution of background processes in the Linux agent has
been fixed. Previously the agent could start background
processes but then wait for all of them to finish before finishing
itself. This has now been fixed. All plugins started with run_cached are
now correctly detached from the agent.
---
.werks/345 | 14 ++++++++++++++
ChangeLog | 1 +
agents/check_mk_agent.linux | 2 +-
3 files changed, 16 insertions(+), 1 deletion(-)
diff --git a/.werks/345 b/.werks/345
new file mode 100644
index 0000000..fed7f1f
--- /dev/null
+++ b/.werks/345
@@ -0,0 +1,14 @@
+Title: Linux agent: fix detaching of background plugins
+Level: 2
+Component: checks
+Class: fix
+State: unknown
+Version: 1.2.5i1
+Date: 1387270406
+Targetversion: future
+
+The asynchronous execution of background processes in the Linux agent has
+been fixed. Before it could have happened that the agent starts background
+processes but - however - waits for all of them to finish until finishing
+itself. This has now been fixed. All plugins started with run_cached are
+now correctly detached from the agent.
diff --git a/ChangeLog b/ChangeLog
index 6ca7559..0ad4f89 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -43,6 +43,7 @@
* 0369 FIX: cups_queues: Fixed bug checking the last queue reported by agent...
* 0370 FIX: brocade_mlx_module*: Improved output of checks
* 0372 FIX: megaraid_ldisks: Ignoring adapters without configured logical disks...
+ * 0345 FIX: Linux agent: fix detaching of background plugins...
Multisite:
* 0371 Added log class filter to hostsvcevents view
diff --git a/agents/check_mk_agent.linux b/agents/check_mk_agent.linux
index 28453ad..2f67328 100755
--- a/agents/check_mk_agent.linux
+++ b/agents/check_mk_agent.linux
@@ -88,7 +88,7 @@ function run_cached () {
# Cache file outdated and new job not yet running? Start it
if [ -z "$USE_CACHEFILE" -a ! -e "$CACHEFILE.new" ] ; then
- echo "$CMDLINE" | setsid bash -o noclobber > $CACHEFILE.new && mv $CACHEFILE.new $CACHEFILE || rm -f $CACHEFILE $CACHEFILE.new &
+ echo "set -o noclobber ; exec > $CACHEFILE.new || exit 1 ; $CMDLINE && mv $CACHEFILE.new $CACHEFILE || rm -f $CACHEFILE $CACHEFILE.new" | nohup bash 2>/dev/null &
fi
}
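Review bot: `$CACHEFILE` and `$CMDLINE` are expanded by the outer shell into the text of a script that a second bash then parses, so a cache path containing whitespace or shell metacharacters is interpreted as code rather than as a file name. Both are set outside this hunk, so confirm they can never carry plugin- or user-influenced names, or at least quote the paths inside the generated script (`exec > '$CACHEFILE.new'`, `mv '$CACHEFILE.new' '$CACHEFILE'`). `2>/dev/null` discards every error from the background job, including the `noclobber` failure, so a stale `$CACHEFILE.new` that would block all later runs is hard to notice. A short comment above the line explaining the `noclobber` / `exec` / `exit 1` sequence as a lock would help the next reader. run_cached begins outside the hunk.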