Module: check_mk
Branch: master
Commit: db258dbde1a7f8d43c42d4a0c9ca9807018c7aa2
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=db258dbde1a7f8…
Author: Marcel Schulte <ms(a)mathias-kettner.de>
Date: Thu Dec 15 13:35:32 2016 +0100
4118 check_bi_aggr: changed check and WATO rule to support Kerberos auth
Changed active check "check_bi_aggr" and the related WATO rule to support
Kerberos authentication.
For this to work Python modules "requests" and "requests_kerberos" are
needed. These should be shipped with prepackaged CRE and CEE versions since werk #7612.
Change-Id: Ib38fed9414cdae8f2770ea22defb13144efc7d58
---
.werks/4118 | 11 +++++++
ChangeLog | 1 +
doc/treasures/active_checks/check_bi_aggr | 55 ++++++++++++++++++++-----------
web/plugins/wato/active_checks.py | 1 +
4 files changed, 49 insertions(+), 19 deletions(-)
diff --git a/.werks/4118 b/.werks/4118
new file mode 100644
index 0000000..44ef8f7
--- /dev/null
+++ b/.werks/4118
@@ -0,0 +1,11 @@
+Title: check_bi_aggr: changed check and WATO rule to support Kerberos auth
+Level: 1
+Component: checks
+Compatible: compat
+Version: 1.4.0i3
+Date: 1481804930
+Class: feature
+
+Changed active check "check_bi_aggr" and the related WATO rule to support
Kerberos authentication.
+
+For this to work Python modules "requests" and "requests_kerberos"
are needed. These should be shipped with prepackaged CRE and CEE versions since werk
#7612.
diff --git a/ChangeLog b/ChangeLog
index 963671d..7dccb84 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -20,6 +20,7 @@
* 4109 websphere_mq_instance, websphere_mq_instance.manager: new checks for Websphere
MQ
* 4110 netscaler_vserver: now lower levels for health are configurable
* 4098 ups_cps_battery, ups_cps_battery.temp, ups_cps_inphase, ups_cps_outphase:
Several checks to monitor CPS UPS devices
+ * 4118 check_bi_aggr: changed check and WATO rule to support Kerberos auth...
* 3987 FIX: Check_MK Agent Access: Windows agent reported incorrect only from value
* 3952 FIX: diskstat: fixed bug if multipath devices having an alias...
* 3939 FIX: f5_bigip_conns: readded performance data and graphs...
diff --git a/doc/treasures/active_checks/check_bi_aggr
b/doc/treasures/active_checks/check_bi_aggr
index d1c82a2..30e9ad5 100755
--- a/doc/treasures/active_checks/check_bi_aggr
+++ b/doc/treasures/active_checks/check_bi_aggr
@@ -24,13 +24,16 @@
# to the Free Software Foundation, Inc., 51 Franklin St, Fifth Floor,
# Boston, MA 02110-1301 USA.
-import sys, getopt, urllib2, traceback
+import sys, getopt, requests, traceback
import os
import time
-# tell urllib2 not to honour "http(s)_proxy" env variables
-urllib2.getproxies = lambda: {}
+# tell requests not to honour "http(s)_proxy" env variables
+proxies = {
+ 'http': None,
+ 'https': None,
+}
def usage():
sys.stderr.write("""
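Review bot: The comment above `proxies` promises more than the dict delivers: it only takes effect on calls that are handed `proxies=proxies`, whereas the removed `urllib2.getproxies` override applied process-wide. With requests, environment lookup is switched off on a session, e.g. `s = requests.Session()` followed by `s.trust_env = False`, which also stops credentials being read from `.netrc`; it is worth confirming whether an `ALL_PROXY` variable is still honoured when only the `http` and `https` keys are set to `None`. If the dict stays, a more precise comment would be `# passed to every requests call so that http(s)_proxy env variables are ignored`. The `usage()` body that follows continues outside this hunk.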
@@ -47,8 +50,8 @@ OPTIONS:
-u USER User-ID of an automation user which is permitted to
see all contents of the aggregation
-s SECRET Automation secret of the user
- -m AUTH_MODE Authentication mode, either "cookie", "basic" or
"digest",
- defaults to "cookie"
+ -m AUTH_MODE Authentication mode, either "cookie", "basic",
"digest"
+ or "kerberos", defaults to "cookie"
-t TIMEOUT HTTP connect timeout in seconds (Default: 60)
-r track downtimes. This requires the hostname to be set.
-n HOSTNAME The hostname for which this check is run.
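Review bot: The help text still describes `-s SECRET` as the automation secret, but in the new "kerberos" mode the same value is piped to `kinit` as the Kerberos password (see `init_auth()` further down in this commit). I would say so in the option text, for example `-s SECRET Automation secret of the user (Kerberos password in "kerberos" mode)`, and mention that this mode needs the `kinit` binary and the `requests_kerberos` module. The usage string starts and ends outside this hunk.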
@@ -134,36 +137,50 @@ if track_downtime and not hostname:
def init_auth():
+ auth = None
if username and password:
- passwdmngr = urllib2.HTTPPasswordMgrWithDefaultRealm()
- passwdmngr.add_password(None, base_url, username, password)
- if auth_mode == 'digest':
- authhandler = urllib2.HTTPDigestAuthHandler(passwdmngr)
+ if auth_mode == 'kerberos':
+ from requests_kerberos import HTTPKerberosAuth
+
+ from subprocess import Popen, PIPE, check_call
+ kinit = Popen(["kinit", username], stdin=PIPE, stdout=PIPE,
stderr=PIPE)
+ output, errors = kinit.communicate("%s\n" % password)
+ kinit.wait()
+ if kinit.returncode or errors:
+ sys.stderr.write("Error getting Kerberos Ticket:\n")
+ sys.stderr.write("stdout: %s\nstderr: %s\nrc: %s" % (output,
errors, kinit.returncode))
+ sys.exit(1)
+
+ auth = HTTPKerberosAuth(principal=username)
+ elif auth_mode == 'digest':
+ auth = requests.auth.HTTPDigestAuth(username, password)
else:
- authhandler = urllib2.HTTPBasicAuthHandler(passwdmngr)
- opener = urllib2.build_opener(authhandler)
- urllib2.install_opener(opener)
+ auth = requests.auth.HTTPBasicAuth(username, password)
+ return auth
url = "%s/check_mk/view.py" \
"?view_name=aggr_single_api" \
"&aggr_name=%s&output_format=python" % \
- (base_url.rstrip('/'), urllib2.quote(aggr_name))
+ (base_url.rstrip('/'), aggr_name)
-if auth_mode in ['basic', 'digest']:
- init_auth()
+auth = None
+if auth_mode in ['basic', 'digest', 'kerberos']:
+ auth = init_auth()
else:
url += "&_username=%s&_secret=%s" % \
- (urllib2.quote(username), urllib2.quote(password))
+ (username, password)
if debug:
sys.stderr.write('URL: %s\n' % url)
try:
- json = urllib2.urlopen(url, timeout = timeout).read()
-except urllib2.socket.timeout:
+ r = requests.get(url, timeout=timeout, auth=auth, proxies=proxies)
+ r.raise_for_status()
+ json = r.text
+except requests.Timeout:
sys.stdout.write('ERROR: Socket timeout while opening URL: %s\n' % (url))
sys.exit(3)
-except urllib2.URLError, e:
+except requests.URLRequired, e:
sys.stdout.write("UNKNOWN: %s\n" % e)
sys.exit(3)
except Exception, e:
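Review bot: The `urllib2.quote()` calls were removed without a replacement, so `aggr_name` and, in cookie mode, `username` and `password` are now formatted into the query string unencoded. A secret or aggregation name containing `&`, `#`, `%` or a space will be truncated or will add parameters to the request; either keep the encoding with `requests.utils.quote(aggr_name)` and `(requests.utils.quote(username), requests.utils.quote(password))`, or pass the values through the `params=` argument of `requests.get`. In cookie mode the URL written by the debug and timeout messages carries `_secret`, and the timeout message goes to stdout, so it is worth printing the URL without the credential part. `except requests.URLRequired, e:` matches only a missing URL, so connection failures and the `HTTPError` from `raise_for_status()` now land in the generic handler; `except requests.RequestException, e:` is the closer replacement for `urllib2.URLError`. The body of the final `except Exception, e:` lies outside this hunk.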
diff --git a/web/plugins/wato/active_checks.py b/web/plugins/wato/active_checks.py
index 894ff91..f71f205 100644
--- a/web/plugins/wato/active_checks.py
+++ b/web/plugins/wato/active_checks.py
@@ -1572,6 +1572,7 @@ register_rule(group,
('cookie', _('Form (Cookie) based')),
('basic', _('HTTP Basic')),
('digest', _('HTTP Digest')),
+ ('kerberos', _('Kerberos')),
],
)),
("timeout", Integer(