[checkmk-commits] 6621 SEC Add permission to prevent users from editing " Deploy custom files with agent" rule set

Module: check_mk Branch: master Commit: 258a71a2d23440bb65ba6d8352d97dbacce55433 URL: http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=258a71a2d23440… Author: Lars Michelsen <lm(a)mathias-kettner.de> Date: Mon Sep 17 20:14:59 2018 +0200 6621 SEC Add permission to prevent users from editing "Deploy custom files with agent" rule set Using the rule set "Deploy custom files with agent" it is possible to select custom files to be distributed with the agents built using the Agent Bakery. As this is rule set may add custom executable code to the agents it makes sense to be able to control the permission for this more explicitly. If you want to make sure that administrative users can not add those custom files to the agents, you can now use the rule set "Configure custom agent file deployments" to revoke this permission. Change-Id: Iaf9c5d8b763d1f6d24decf8dceed5282dbf85e71 --- .werks/6621 | 17 +++++++++++++++++ cmk/gui/plugins/wato/utils/__init__.py | 2 ++ 2 files changed, 19 insertions(+) diff --git a/.werks/6621 b/.werks/6621 new file mode 100644 index 0000000..d2fa9d1 --- /dev/null +++ b/.werks/6621 @@ -0,0 +1,17 @@ +Title: Add permission to prevent users from editing "Deploy custom files with agent" rule set +Level: 1 +Component: agents +Compatible: compat +Edition: cee +Version: 1.6.0i1 +Date: 1537207681 +Class: security + +Using the rule set "Deploy custom files with agent" it is possible to select custom files +to be distributed with the agents built using the Agent Bakery. As this is rule set may +add custom executable code to the agents it makes sense to be able to control the permission +for this more explicitly. + +If you want to make sure that administrative users can not add those custom files to the +agents, you can now use the rule set "Configure custom agent file deployments" to revoke +this permission. diff --git a/cmk/gui/plugins/wato/utils/__init__.py b/cmk/gui/plugins/wato/utils/__init__.py index fdab5c4..c5fbb79 100644 --- a/cmk/gui/plugins/wato/utils/__init__.py +++ b/cmk/gui/plugins/wato/utils/__init__.py @@ -987,6 +987,8 @@ def may_edit_ruleset(varname): return config.user.may("wato.services") or config.user.may("wato.rulesets") elif varname in [ "custom_checks", "datasource_programs" ]: return config.user.may("wato.rulesets") and config.user.may("wato.add_or_modify_executables") + elif varname == "agent_config:custom_files": + return config.user.may("wato.rulesets") and config.user.may("wato.agent_deploy_custom_files") else: return config.user.may("wato.rulesets")