Module: check_mk
Branch: master
Commit: 533ac11c4dec5c6638a1ad074de6d65f9ade39b6
URL:
http://git.mathias-kettner.de/git/?p=check_mk.git;a=commit;h=533ac11c4dec5c…
Author: Lars Michelsen <lm(a)mathias-kettner.de>
Date: Mon Sep 4 10:04:57 2017 +0200
5175 Livestatus TCP: Can now be restricted to specific IP addresses
When enabling livestatus access via TCP (via "omd config" or the WATO site
management)
it is now possible to restrict the access to a set of client IP addresses.
The new option has been added to the global setting "Access to Livestatus via
TCP" which
then sets the "omd config" option LIVESTATUS_TCP_ONLY_FROM.
Change-Id: I238afd2080025659129ff67564f9d9378a0c82a3
---
.werks/5175 | 14 ++++++
.../mk-livestatus/LIVESTATUS_TCP_ONLY_FROM.hook | 25 ++++++++++
web/htdocs/watolib.py | 56 ++++++++++++++--------
web/plugins/wato/omd_configuration.py | 25 ++++++++--
4 files changed, 96 insertions(+), 24 deletions(-)
diff --git a/.werks/5175 b/.werks/5175
new file mode 100644
index 0000000..bfad5d2
--- /dev/null
+++ b/.werks/5175
@@ -0,0 +1,14 @@
+Title: Livestatus TCP: Can now be restricted to specific IP addresses
+Level: 2
+Component: omd
+Compatible: compat
+Edition: cre
+Version: 1.5.0i1
+Date: 1504512154
+Class: feature
+
+When enabling livestatus access via TCP (via "omd config" or the WATO site
management)
+it is now possible to restrict the access to a set of client IP addresses.
+
+The new option has been added to the global setting "Access to Livestatus via
TCP" which
+then sets the "omd config" option LIVESTATUS_TCP_ONLY_FROM.
diff --git a/omd/packages/mk-livestatus/LIVESTATUS_TCP_ONLY_FROM.hook
b/omd/packages/mk-livestatus/LIVESTATUS_TCP_ONLY_FROM.hook
new file mode 100755
index 0000000..7efa9ba
--- /dev/null
+++ b/omd/packages/mk-livestatus/LIVESTATUS_TCP_ONLY_FROM.hook
@@ -0,0 +1,25 @@
+#!/bin/bash
+
+# Alias: Restrict livestatus port to IP addresses
+# Menu: Distributed Monitoring
+# Description:
+# If Livestatus is configured to listen on a TCP port, you
+# can configure the IP addresses that are allowed to
+# connect to livestatus here. The setting 0.0.0.0 makes the
+# port available to all clients.
+
+case "$1" in
+ default)
+ echo "0.0.0.0"
+ ;;
+ choices)
+ echo
"(?:(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})\.(?:[\d]{1,3})(/[0-9]{1,2})?\s?)+"
+ ;;
+ set)
+ sed -ri
"s@#?([[:space:]]*only_from[[:space:]]*=[[:space:]]*)(.*)@\1$2@"
$OMD_ROOT/etc/mk-livestatus/xinetd.conf
+ ;;
+ depends)
+ [ "$CONFIG_CORE" != none -a "$CONFIG_LIVESTATUS_TCP" = on ]
+ ;;
+esac
+
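Review bot: The `set` case splices `$2` unescaped into the sed replacement and from there into xinetd.conf, and the only guard is the `choices` regex, which admits octets up to 999 and prefix lengths up to 99 (`[\d]{1,3}`, `/[0-9]{1,2}`), so a value such as `300.1.1.1/40` reaches xinetd unchanged; tightening the per-entry pattern to `(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?:/(?:3[0-2]|[12]?\d))?` keeps malformed entries out of the config. The substitution is also a silent no-op if xinetd.conf carries no `only_from` line (the template is outside this diff), which would leave the port unrestricted while `omd config` reports the restriction as set; a `grep -q only_from "$OMD_ROOT/etc/mk-livestatus/xinetd.conf" || exit 1` before the sed makes that fail closed. As far as I recall xinetd's only_from semantics, trailing zero octets of a bare address act as wildcards (`10.3.0.0` admits all of 10.3.0.0/16, `0.0.0.0` admits everything), which is why the default works but is worth stating in the Description, e.g. `# Note: for xinetd a bare address with trailing .0 octets is a wildcard; use CIDR notation for exact ranges.` — to be confirmed against the shipped xinetd.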
diff --git a/web/htdocs/watolib.py b/web/htdocs/watolib.py
index 5098ac6..9f24526 100644
--- a/web/htdocs/watolib.py
+++ b/web/htdocs/watolib.py
@@ -655,16 +655,25 @@ class ConfigDomainOMD(ConfigDomain):
else:
settings[key] = value
- for toggle_key, port_key in [
- ("LIVESTATUS_TCP", "LIVESTATUS_TCP_PORT"),
- ("NSCA", "NSCA_TCP_PORT")
- ]:
-
- if toggle_key in settings:
- if settings[toggle_key]:
- settings[toggle_key] = int(settings[port_key])
- else:
- settings[toggle_key] = None
+ if "LIVESTATUS_TCP" in settings:
+ if settings["LIVESTATUS_TCP"]:
+ settings["LIVESTATUS_TCP"] = {
+ "port": int(settings["LIVESTATUS_TCP_PORT"])
+ }
+ del settings["LIVESTATUS_TCP_PORT"]
+
+ if settings["LIVESTATUS_TCP_ONLY_FROM"] !=
"0.0.0.0":
+ settings["LIVESTATUS_TCP"]["only_from"] =
settings["LIVESTATUS_TCP_ONLY_FROM"].split()
+
+ del settings["LIVESTATUS_TCP_ONLY_FROM"]
+ else:
+ settings["LIVESTATUS_TCP"] = None
+
+ if "NSCA" in settings:
+ if settings["NSCA"]:
+ settings["NSCA"] = int(settings["NSCA_TCP_PORT"])
+ else:
+ settings["NSCA"] = None
if "MKEVENTD" in settings:
if settings["MKEVENTD"]:
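Review bot: `settings["LIVESTATUS_TCP_ONLY_FROM"]` is read and then deleted unconditionally inside the `LIVESTATUS_TCP` branch, so a site whose omd config does not yet expose the new hook (presumably a site not yet updated, if this dict is filled from `omd config`) would raise KeyError instead of falling back to unrestricted access; `only_from = settings.pop("LIVESTATUS_TCP_ONLY_FROM", "0.0.0.0")` followed by `if only_from != "0.0.0.0": settings["LIVESTATUS_TCP"]["only_from"] = only_from.split()` covers both cases. `LIVESTATUS_TCP_PORT` could use `pop` the same way instead of the separate `del`. The enclosing method starts above the hunk (the header shows only class ConfigDomainOMD), so its entry and return path are not visible here.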
@@ -684,16 +693,25 @@ class ConfigDomainOMD(ConfigDomain):
def _to_omd_config(self, config):
settings = {}
- for toggle_key, port_key in [
- ("LIVESTATUS_TCP", "LIVESTATUS_TCP_PORT"),
- ("NSCA", "NSCA_TCP_PORT")
- ]:
- if toggle_key in config:
- if config[toggle_key] is not None:
- config[port_key] = "%s" % config[toggle_key]
- config[toggle_key] = "on"
+ if "LIVESTATUS_TCP" in config:
+ if config["LIVESTATUS_TCP"] is not None:
+ config["LIVESTATUS_TCP_PORT"] = "%s" %
config["LIVESTATUS_TCP"]["port"]
+
+ if "only_from" in config["LIVESTATUS_TCP"]:
+ config["LIVESTATUS_TCP_ONLY_FROM"] = "
".join(config["LIVESTATUS_TCP"]["only_from"])
else:
- config[toggle_key] = "off"
+ config["LIVESTATUS_TCP_ONLY_FROM"] = "0.0.0.0"
+
+ config["LIVESTATUS_TCP"] = "on"
+ else:
+ config["LIVESTATUS_TCP"] = "off"
+
+ if "NSCA" in config:
+ if config["NSCA"] is not None:
+ config["NSCA_TCP_PORT"] = "%s" %
config["NSCA"]
+ config["NSCA"] = "on"
+ else:
+ config["NSCA"] = "off"
if "MKEVENTD" in config:
if config["MKEVENTD"] is not None:
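Review bot: The literal `"0.0.0.0"` written when `only_from` is absent is a sentinel that the hook default and `_from_omd_config` both interpret as "no restriction", but nothing at this write site says so; a comment such as `# "0.0.0.0" is the LIVESTATUS_TCP_ONLY_FROM hook's value for "accept from anywhere"` would keep the two mappings from drifting apart. It is also worth noting in that comment that turning TCP off leaves any stored ONLY_FROM value untouched, which looks intentional since the hook's `depends` ties the option to LIVESTATUS_TCP=on. `_to_omd_config` continues past the end of the hunk.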
diff --git a/web/plugins/wato/omd_configuration.py
b/web/plugins/wato/omd_configuration.py
index a8d2fed..c7b3937 100644
--- a/web/plugins/wato/omd_configuration.py
+++ b/web/plugins/wato/omd_configuration.py
@@ -83,11 +83,26 @@ register_configvar(group,
register_configvar(group,
"LIVESTATUS_TCP",
Optional(
- Integer(
- title = _("Port number"),
- minvalue = 1,
- maxvalue = 65535,
- default_value = 6557,
+ Dictionary(
+ elements = [
+ ("port", Integer(
+ title = _("TCP port"),
+ minvalue = 1,
+ maxvalue = 65535,
+ default_value = 6557,
+ )),
+ ("only_from", ListOfStrings(
+ title = _("Restrict access to IP addresses"),
+ help = _("The access to Livestatus via TCP will only be allowed
from the "
+ "configured source IP addresses. You can either
configure specific "
+ "IP addresses or networks in the syntax
<tt>10.3.3.0/24</tt>."),
+
+ valuespec = IPv4Network(),
+ orientation = "horizontal",
+ allow_empty = False,
+ )),
+ ],
+ optional_keys = [ "only_from" ],
),
title = _("Access to Livestatus via TCP"),
help = _("Check_MK Livestatus usually listens only on a local UNIX socket -
"