Branch: refs/heads/master
Home:
https://github.com/tribe29/checkmk
Commit: 89655580fd1f82e0c3d347d1ae48a5aeaefd912f
https://github.com/tribe29/checkmk/commit/89655580fd1f82e0c3d347d1ae48a5aea…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15184
M cmk/gui/plugins/openapi/endpoints/user_config.py
M cmk/gui/userdb/__init__.py
Log Message:
-----------
15184 FIX Do not enforce password change for automation users

The enforce_pw_change flag is now ignored for automation users. Since
automation users cannot change their passwords themselves, Checkmk will
now no longer require them to do so, even if the flag is set.

Note that automation users can still be prevented from logging in if the
password policy for local accounts defines a maximum password age.

This Werk is motivated by a fixup for Werk #14391, which could cause old
automation users to be unable to log in.

Since Werk #14391 omd update / cmk-update-config looks for users whose
passwords are hashed with outdated hashing schemes in etc/htpasswd.
Users whose passwords were hashed with the insecure algorithms MD5 or
DES Crypt are asked to change their password the next time they log in.
Moreover, the administrator running the update will see a warning that
lists the affected users.

That check did not properly exclude old automation users created by
Checkmk < 1.6.0, although the check does not make sense for them.
(Automation users do not log in the same way regular users do and their
password hash is irrelevant.) As a result, the flag to require a
password change was set also for automation users, preventing automation
users from logging in. In addition, the automation users were mistakenly
listed in the warning message mentioned above.

Note that automation users that have been created or had their
automation secret changed with Checkmk >= 1.6.0 are not affected, as
Checkmk didn't use the insecure hashing algorithms since version 1.6.0
(Werk #6846).

With this fix the flag to enforce a password change will no longer be
set for automation users by that check and automation users will no
longer be listed in the warning message. Moreover, since the flag is now
ignored for automation users, they will be able to log in again, even if
the flag has already been set.

CMK-12085

Change-Id: Id923f104d05d41fc8985b5db86690db884c31a01
Commit: 4aecef2f931184cdc59c5f345ff8d1176e72720e
https://github.com/tribe29/checkmk/commit/4aecef2f931184cdc59c5f345ff8d1176…
Author: Hannes Rantzsch <hannes.rantzsch(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
A .werks/15185
M cmk/gui/plugins/openapi/endpoints/user_config.py
M tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py
Log Message:
-----------
15185 FIX REST API: update password change time when changing automation user's secret

Previously, changing an automation user's authentication secret did not update the
recorded timestamp of the last password change for the automation user.
As a result, the automation user could have been prevented from logging in by the password
policy for local users, because the secret appeared to be too old.
The recorded timestamp is now updated when the secret is changed via the REST API.

Note that the issue did not affect changing an automation user's secret via the user
management GUI (Setup > Users).
Here the timestamp was already updated correctly.

Change-Id: Ied02cc5d5e50f7743ae4d0993ce0f1c034a5e007
Commit: cd89e4a5599dbbffde0b09f19ff019b48b327bdd
https://github.com/tribe29/checkmk/commit/cd89e4a5599dbbffde0b09f19ff019b48…
Author: Simon Jess <simon.jess(a)tribe29.com>
Date: 2023-01-24 (Tue, 24 Jan 2023)
Changed paths:
M cmk/utils/licensing/export.py
Log Message:
-----------
licensing: Cleanup REST-API endpoint 'download_license_usage'
- UploadOrigin is not needed anymore
Change-Id: I70ca4009be741b7a80261ffbd601f3e8bc7e557f
Compare:
https://github.com/tribe29/checkmk/compare/4c69d9f6718c...cd89e4a5599d
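
The check described in Werk 15184 (flag htpasswd users whose hash uses MD5 or DES Crypt, but skip automation users) can be sketched as follows. This is an added example, not Checkmk's own code: the function names, the constructed sample file, passing the automation users in as a set, and treating both `$1$` and `$apr1$` prefixes as MD5-based are assumptions.

```python
import re

# Constructed sample of etc/htpasswd content ("user:hash"); hashes are dummies.
SAMPLE_HTPASSWD = """\
alice:$2y$12$abcdefghijklmnopqrstuuJ1x0VQ8m2h8Jk0c3yq9Zr5w1e2d3f4g
bob:$1$saltsalt$Vq2nJ0pX8mQeY3kz1lWw11
carol:ab1Xy9QzLm3pE
legacy_auto:$apr1$saltsalt$k5uT0N2Yx8rQw3zLm1pE0.
"""

# Traditional DES crypt has no prefix: 2 salt chars + 11 hash chars.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_scheme(pw_hash):
    """Classify a crypt-style hash as 'md5', 'des-crypt' or 'other'."""
    if pw_hash.startswith(("$1$", "$apr1$")):  # md5-crypt / Apache MD5
        return "md5"
    if DES_CRYPT.match(pw_hash):
        return "des-crypt"
    return "other"


def users_needing_pw_change(htpasswd_text, automation_users):
    """Return {user: scheme} for users with an outdated hash.

    automation_users is a set of user names supplied by the caller
    (assumption: how they are identified is outside this sketch).
    They are skipped, since their password hash is irrelevant.
    """
    flagged = {}
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, pw_hash = line.split(":", 1)
        scheme = hash_scheme(pw_hash)
        if scheme == "other" or user in automation_users:
            continue
        flagged[user] = scheme
    return flagged


if __name__ == "__main__":
    print(users_needing_pw_change(SAMPLE_HTPASSWD, {"legacy_auto"}))
```

Calling the function with an empty automation-user set reproduces the behaviour the Werk describes as the bug: `legacy_auto` is flagged along with the regular users.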