[checkmk-commits] [Checkmk/checkmk] 226b81: disable add_or_modify_executables on cse for admins

Branch: refs/heads/master Home: https://github.com/Checkmk/checkmk Commit: 226b81706e5e349815184960395b74e1aef7b7cd https://github.com/Checkmk/checkmk/commit/226b81706e5e349815184960395b74e1a… Author: Max Linke <max.linke(a)checkmk.com> Date: 2024-02-23 (Fri, 23 Feb 2024) Changed paths: M cmk/gui/wato/_permissions.py Log Message: ----------- disable add_or_modify_executables on cse for admins We have a few rules that allow modification of executables on the server. Those options can be set via some rules. Current approach has been to disable the corresponding rules. However those rules are valuable to customers. For example "Host Check Command" was requested a lot from our beta customers. We deactivate the rule because it allows arbitrary commands to be executed on the server. Now with the add_or_modify_executables permission removed the rule cannot be used anymore for arbitrary code execution. Currently this works great because on the CSE users cannot modify roles. I also like this approach as it is more of a "catch all" than reviewing individual rules. Long term it would be nice if we could globally disable some permissions on the CSE. Change-Id: Ib1eb2743dc6811d95dbab233a0cbc64c350a427a Commit: 03e830a28c2525201767df0ec3311310f1a08d2b https://github.com/Checkmk/checkmk/commit/03e830a28c2525201767df0ec3311310f… Author: Gav <gavin.mcguigan(a)checkmk.com> Date: 2024-02-23 (Fri, 23 Feb 2024) Changed paths: A .werks/16521.md M cmk/bi/search.py M tests/unit/cmk/bi/test_bi_search.py M tests/unit/cmk/gui/openapi/test_openapi_bi.py Log Message: ----------- 16521 FIX bi_rule: schema update to match the api docs The Open API schema previously did not reflect the response or the request schema format that was required to create or show bi_rules. This werk addresses this issue. Previously, when creating or getting a bi-rule, via the REST-API, the schema for host_label_groups or service_label_groups looked something like this ``` "host_label_groups": [ [ "and", [ ["and", "mystery/switch:yes"], ["or", "mystery/switch:no"], ], ], ] ``` This did not match the schema documented in the Open API docs. To fix this, we have now changed the format to the following ``` "host_label_groups": [ { "operator": "and", "label_group": [ {"operator": "and", "label": "mystery/switch:yes"}, {"operator": "or", "label": "mystery/switch:no"}, ], }, ] ``` This also aligns with other endpoints that use our new host_label_groups or service_label_groups, for example the rules endpoints. As this is a breaking change, user scripts should be adjusted accordingly. Change-Id: I14657ad8bf37e71c69210b9d7e4f2dfaa2f4d94d Compare: https://github.com/Checkmk/checkmk/compare/a2dc0852200e...03e830a28c25 To unsubscribe from these emails, change your notification settings at https://github.com/Checkmk/checkmk/settings/notifications