Module: check_mk
Branch: master
Commit: 0344428ea821781b49b713103cf24e781e51bf10
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=0344428ea82178…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Wed Apr 13 14:04:30 2016 +0200
3376 Cleaned up handling of setting Livestatus AuthUser for "see all" users
This change affects only users which have the "general.see_all" permission,
normally Administrators
and Guests. But the most affected users will be the admins.
Previous Check_MK versions had the options "Visibility of Hosts/Services" and
"Visibility of Hosts/Services (Webservice)" which could be set in the user
profile. These options
could be used by all users which have the "see all" permission to limit the
shown hosts and services
to only the ones which they are really a contact for.
The latter option has been deprecated now. It was first integrated to make users of
external tools
like Nagstamon, which fetches its list of host and service problems from the Check_MK
webservice,
be able to show only the problems of their hosts and services.
But this option also had a side effect: When it is enabled and the option "Visibility
of Hosts/Services"
was not enabled, the admin could see all hosts/services in the GUI but when executing a
CSV export
he was only getting the hosts/services he is a contact for.
To fix this situation we decided to deprecate the "Visibility of Hosts/Services
(Webservice)" and
replace it with a URL variable which can be used to filter each page individually. The new
URL
variable <tt>force_authuser</tt> can be used on any view and set to:
<ul>
<li><tt>1<tt> to show only the hosts/services the user is a contact
for</li>
<li><tt>0<tt> to show all hosts/services</li>
<li><tt>[username]<tt> to show all hosts/services the given user is
a contact for</li>
</ul>
The now deprecated option will still be working as before but you are recommended to
uncheck
the option and use the new mechanism. If you are using it for Nagstamon you will need to
use a Nagstamon 2.0 release newer than ALPHA-20160307 once it is available.
---
.werks/3376 | 36 ++++++++++++++++++++++++++++
ChangeLog | 2 ++
web/htdocs/sites.py | 42 +++++++++++++++++++++++----------
web/plugins/userdb/user_attributes.py | 6 +++--
4 files changed, 71 insertions(+), 15 deletions(-)
diff --git a/.werks/3376 b/.werks/3376
new file mode 100644
index 0000000..ede1f92
--- /dev/null
+++ b/.werks/3376
@@ -0,0 +1,36 @@
+Title: Cleaned up handling of setting Livestatus AuthUser for "see all" users
+Level: 1
+Component: multisite
+Compatible: incomp
+Version: 1.2.9i1
+Date: 1460548346
+Class: feature
+
+This change affects only users which have the "general.see_all" permission,
normally Administrators
+and Guests. But the most affected users will be the admins.
+
+Previous Check_MK versions had the options "Visibility of Hosts/Services" and
+"Visibility of Hosts/Services (Webservice)" which could be set in the user
profile. These options
+could be used by all users which have the "see all" permission to limit the
shown hosts and services
+to only the ones which they are really a contact for.
+
+The later option has been deprecated now. It was first integrated to make users of
external tools
+like Nagstamon, which fetches it's list of host and service problems from the
Check_MK webservice,
+be able to show only the the problems of their hosts and services.
+But this option also had a side effect: When it is enabled and the option
"Visibility of Hosts/Services"
+was not enabled, the admin could see all hosts/services in the GUI but when executing a
CSV export
+he was only getting the hosts/services he is a contact for.
+
+To fix this situation we decided to deprecate the "Visibility of Hosts/Services
(Webservice)" and
+replace it with a URL variable which can be used to filter each page individually. The
new URL
+variable <tt>force_authuser</tt> can be used on any view and set to:
+
+<ul>
+ <li><tt>1<tt> to show only the hosts/services the user is a contact
for</li>
+ <li><tt>0<tt> to show all hosts/services</li>
+ <li><tt>[username]<tt> to show all hosts/services the given user is
a contact for</li>
+</ul>
+
+The now deprecated option will still be working as before but you are recommended to
uncheck
+the option and use the new mechanism. If you are using it for Nagstamon you will need to
+use a Nagstamon 2.0 release newer than ALPHA-20160307 once it is available.
diff --git a/ChangeLog b/ChangeLog
index 49a8d58..1d4c042 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -153,6 +153,8 @@
* 2237 Unique name for columns of Host Groups and Service Groups...
* 3310 New dashlet which shows user notifications
* 3328 Default cloned views to be not public...
+ * 3376 Cleaned up handling of setting Livestatus AuthUser for "see all"
users...
+ NOTE: Please refer to the migration notes!
* 3059 FIX: Fixed highlighting of availability timeline time slices
* 3175 FIX: Fix timeranges of graphs that are embedded in a dashboard...
* 3076 FIX: fixed broken views in check_mk raw edition
diff --git a/web/htdocs/sites.py b/web/htdocs/sites.py
index 6fde86d..41bd63c 100644
--- a/web/htdocs/sites.py
+++ b/web/htdocs/sites.py
@@ -150,27 +150,43 @@ def connect_single_site():
# If Multisite is retricted to data the user is a contact for, we need to set an
# AuthUser: header for livestatus.
def set_livestatus_auth():
- if html.output_format == 'html':
- perm = "force_authuser"
- else:
- perm = "force_authuser_webservice"
-
- use_livestatus_auth = True
- if config.may("general.see_all") and not config.user.get(perm):
- use_livestatus_auth = False
-
- if use_livestatus_auth == True:
- _live.set_auth_user('read', config.user_id)
- _live.set_auth_user('action', config.user_id)
+ user_id = livestatus_auth_user()
+ if user_id != None:
+ _live.set_auth_user('read', user_id)
+ _live.set_auth_user('action', user_id)
# May the user see all objects in BI aggregations or only some?
if not config.may("bi.see_all"):
- _live.set_auth_user('bi', config.user_id)
+ _live.set_auth_user('bi', user_id)
# Default auth domain is read. Please set to None to switch off authorization
_live.set_auth_domain('read')
+# Returns either None when no auth user shal be set or the name of the user
+# to be used as livestatus auth user
+def livestatus_auth_user():
+ if not config.may("general.see_all"):
+ return config.user_id
+
+ force_authuser = html.var("force_authuser")
+ if force_authuser == "1":
+ return config.user_id
+ elif force_authuser == "0":
+ return None
+ elif force_authuser:
+ return force_authuser # set a different user
+
+ # TODO: Remove this with 1.5.0/1.6.0
+ if html.output_format != 'html' and
config.user.get("force_authuser_webservice"):
+ return config.user_id
+
+ if config.user.get("force_authuser"):
+ return config.user_id
+
+ return None
+
+
def disconnect():
global _live, _site_status
_live = None
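Review bot: In `set_livestatus_auth()` the `bi` domain now takes `user_id` from `livestatus_auth_user()` instead of `config.user_id`, so for a user who has `general.see_all` but lacks `bi.see_all` the BI restriction is either set to `None` or bound to whatever name was passed in `force_authuser`. The `bi.see_all` check is about the logged-in user, so that line should probably stay `_live.set_auth_user('bi', config.user_id)`. Separately, the `[username]` branch of `livestatus_auth_user()` returns the raw `html.var("force_authuser")` value, which ends up in the Livestatus `AuthUser:` header. It would be worth rejecting any value that is not a known user id, or at least any value containing line breaks, before returning it, unless `set_auth_user` already validates this outside the hunk. Indentation is lost on this page, so the nesting of the `bi` block is inferred rather than visible.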
diff --git a/web/plugins/userdb/user_attributes.py
b/web/plugins/userdb/user_attributes.py
index d48aa57..a2a5a8c 100644
--- a/web/plugins/userdb/user_attributes.py
+++ b/web/plugins/userdb/user_attributes.py
@@ -37,11 +37,13 @@ declare_user_attribute(
permission = "general.see_all"
)
+# TODO: Remove this with 1.5.0/1.6.0
declare_user_attribute(
"force_authuser_webservice",
Checkbox(
- title = _("Visibility of Hosts/Services (Webservice)"),
- label = _("Export only hosts and services the user is a contact for"),
+ title = _("Hosts/Service visibility (Webservice, Deprecated)"),
+ label = _("Export only hosts and services the user is a contact for. "
+ "<b>Please don't use this option anymore, it is
deprecated.</b>"),
help = _("When this option is checked, then the Multisite webservice "
"will only export hosts and services that the user is a contact for
- "
"even if he has the permission for seeing all objects."),