[checkmk-commits] 6929 FIX Distributed WATO login: Protect against some config failures

Module: check_mk Branch: master Commit: 7dafc031e04ab4525bdde53305dc3e45a392fbef URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=7dafc031e04ab4… Author: Lars Michelsen &lt;lm(a)mathias-kettner.de&gt; Date: Wed Dec 12 08:20:52 2018 +0100 6929 FIX Distributed WATO login: Protect against some config failures When building up a distributed Check_MK with distributed WATO, there are two situations which could end up in problematic situations which are handled now in a better way: <ul> <li>Connecting a central Check_MK Managed Services based site to a CEE or CRE based site resulted in a broken slave site. When trying to login a CME site into a CEE site, an error message now prevents the login.</li> <li>We have added a checkbox to the login dialog to confirm that one really wants to overwrite the configuration of the remote site with the central sites configuration.</li> </ul> This changes the protocol of the login automation call, but is fully compatibile with previous versions. We may add additional checks in the future based on the involved Check_MK editions and versions. The sites now exchange their versions. CMK-1370 Change-Id: I2d12dffa4da1fe2c510ac737acbad29127877fec --- .werks/6929 | 22 ++++++++++++++++++++++ cmk/gui/wato/pages/automation.py | 14 +++++++++++++- cmk/gui/wato/pages/sites.py | 27 ++++++++++++++++++++++++--- 3 files changed, 59 insertions(+), 4 deletions(-) diff --git a/.werks/6929 b/.werks/6929 new file mode 100644 index 0000000..b1651eb --- /dev/null +++ b/.werks/6929 @@ -0,0 +1,22 @@ +Title: Distributed WATO login: Protect against some config failures +Level: 1 +Component: wato +Class: fix +Compatible: compat +Edition: cre +State: unknown +Version: 1.6.0i1 +Date: 1544597077 + +When building up a distributed Check_MK with distributed WATO, there +are two situations which could end up in problematic situations which +are handled now in a better way: + +<ul> +<li>Connecting a central Check_MK Managed Services based site to a CEE +or CRE based site resulted in a broken slave site. When trying to login +a CME site into a CEE site, an error message now prevents the login.</li> +<li>We have added a checkbox to the login dialog to confirm that one +really wants to overwrite the configuration of the remote site with the +central sites configuration.</li> +</ul> diff --git a/cmk/gui/wato/pages/automation.py b/cmk/gui/wato/pages/automation.py index d458d03..7e1f7b0 100644 --- a/cmk/gui/wato/pages/automation.py +++ b/cmk/gui/wato/pages/automation.py @@ -28,6 +28,7 @@ automation functions on slaves,""" import traceback +import cmk import cmk.gui.config as config import cmk.gui.watolib as watolib import cmk.gui.userdb as userdb @@ -53,7 +54,18 @@ class ModeAutomationLogin(WatoWebApiMode): raise MKAuthException(_("This account has no permission for automation.")) html.set_output_format("python") - html.write_html(repr(watolib.get_login_secret(True))) + + if not html.has_var("_version"): + # Be compatible to calls from sites using versions before 1.5.0p10. + # Deprecate with 1.7 by throwing an exception in this situation. + response = watolib.get_login_secret(create_on_demand=True) + else: + response = { + "version": cmk.__version__, + "edition_short": cmk.edition_short(), + "login_secret": watolib.get_login_secret(create_on_demand=True), + } + html.write_html(repr(response)) register_page_handler("automation_login", lambda: ModeAutomationLogin().page()) diff --git a/cmk/gui/wato/pages/sites.py b/cmk/gui/wato/pages/sites.py index 9f9e3a6..593ee48 100644 --- a/cmk/gui/wato/pages/sites.py +++ b/cmk/gui/wato/pages/sites.py @@ -28,6 +28,7 @@ import re import traceback +import cmk import cmk.gui.config as config import cmk.gui.watolib as watolib import cmk.gui.userdb as userdb @@ -560,7 +561,24 @@ class ModeDistributedMonitoring(ModeSites): name = html.var("_name", "").strip() passwd = html.var("_passwd", "").strip() try: - secret = watolib.do_site_login(login_id, name, passwd) + if not html.get_checkbox("_confirm"): + raise MKUserError( + "_confirm", + _("You need to confirm that you want to " + "overwrite the remote site configuration.")) + + response = watolib.do_site_login(login_id, name, passwd) + + if isinstance(response, dict): + if cmk.is_managed_edition() and response["edition_short"] != "cme": + raise MKUserError( + None, + _("The Check_MK Managed Services Edition can only " + "be connected with other sites using the CME.")) + secret = response["login_secret"] + else: + secret = response + site["secret"] = secret self._site_mgmt.save_sites(configured_sites) message = _("Successfully logged into remote site %s.") % html.render_tt( @@ -597,11 +615,14 @@ class ModeDistributedMonitoring(ModeSites): html.begin_form("login", method="POST") forms.header(_('Login credentials')) - forms.section(_('Administrator name:')) + forms.section(_('Administrator name')) html.text_input("_name") html.set_focus("_name") - forms.section(_('Administrator password:')) + forms.section(_('Administrator password')) html.password_input("_passwd") + forms.section(_('Confirm overwrite')) + html.checkbox( + "_confirm", False, label=_("Confirm overwrite of the remote site configuration")) forms.end() html.button("_do_login", _("Login")) html.button("_abort", _("Abort"))