[dev.icinga.com #1329] add complete command line to config.cgi #591
Comments
Updated by ricardo on 2011-05-20 11:24:10 +00:00 the |
Updated by ricardo on 2011-06-20 20:53:37 +00:00
any ideas on that? |
Updated by mfriedrich on 2011-07-16 12:33:39 +00:00 the main problem is that you can't use the already processed and loaded commands like the core would do with process_macros_r within get_raw_command_line_r most likely, you need to
|
Updated by mfriedrich on 2011-07-16 14:55:08 +00:00
i've hacked around in icinga cgis, but this proof of concept is not yet completed. see the attached diff against current test/cgis, which tries the basic host and service macros (if provided via GET param). the main problem remain the other macros, which need to be first grabbed into the mac struct (there are no global macros in cgis!) and then processed on the command line. feel free to enhance that. |
Updated by mfriedrich on 2011-09-12 13:39:18 +00:00
|
Updated by mfriedrich on 2011-09-23 09:23:08 +00:00 the this methods needs to be implemented into the cgis too. the problem which remains - if apache is not allowed to read resource.cfg (that should be default for security reasons). so i would add another cgi.cfg like show_all_user_macros=1 (0 by default) and if enabled, warn if resource.cfg cannot be read. furthermore, common/macros:grab_macro_value_r implemented the method where this array is being read. on the cgis the overall process_macros_r calls that (e.g.
the other parts with passing hostname and servicedesc will resolve the association on the other parts. |
Updated by mfriedrich on 2011-10-03 17:45:29 +00:00 any other thoughts on the |
Updated by mfriedrich on 2011-10-07 00:18:30 +00:00
i have now pushed a version onto dev/cgis which does the following
|
Updated by tgelf on 2011-10-07 16:59:06 +00:00 Hey, that's a great feature! Even if there is the possibility to disable it by just keeping default permissions on your ressource.cfg I'd suggest to add some kind of additional filter/permission option to your cgi.cfg. The reason I'm asking this for is simple: I want to see the full command when there is something going wrong, but most of my Icinga-Users shouldn't, as it contains sensitive information. People are currently using resource.cfg and customvars to store passwords, community strings and other sensitive stuff. What do you think about adding something like this to the cgi.cfg: authorized_for_full_command_resolution=icingaadmin Users "authorized_for_full_command_resolution" shall see everything, all the others able to see their host/service configs will not see Cheers, |
Updated by ricardo on 2011-10-07 20:50:09 +00:00 this sounds good @dnsmichi: when I try to expand a command, the raw command doesn't contain the |
Updated by mfriedrich on 2011-10-09 12:19:31 +00:00 i don't know what you mean. can you rephrase/clarify that, maybe with a screenshot? |
Updated by mfriedrich on 2011-10-09 12:23:22 +00:00 tgelf wrote:
the first target would be easy to implement, but matching on sensitive custom vars would be rather tricky. i'd rather take the other suggestion in adding some new macros in a credentials file and make resource.cfg just the resource file for paths, but not user credentials. |
Updated by ricardo on 2011-10-11 21:55:37 +00:00
Now users can only see raw command line if they are authorized for. Custom vars only get resolved in raw command line. commit message:
please TEST!!! |
Updated by ricardo on 2011-10-12 20:17:39 +00:00
|
Updated by mfriedrich on 2011-10-20 09:58:24 +00:00 https://git.icinga.org/?p=icinga-core.git;a=commit;h=10934c9 works as expected, pushed to dev/cgis - please test it and then merge to test/cgis |
Updated by mfriedrich on 2011-11-01 11:59:15 +00:00
|
Updated by mfriedrich on 2014-12-08 09:40:03 +00:00
|
This issue has been migrated from Redmine: https://dev.icinga.com/issues/1329
Created by mfriedrich on 2011-03-22 12:17:33 +00:00
Assignee: mfriedrich
Status: Resolved (closed on 2011-11-01 11:59:15 +00:00)
Target Version: 1.6
Last Update: 2014-12-08 09:40:03 +00:00 (in Redmine)
currently, it does not replace$USER1$ and $HOSTADDRESS$ etc macros, only the $ARGn$ macro - it would be nice to grab those macros from the existing config like when a normal check happens and give the user a full command line for testing/debugging purposes.
Attachments
Changesets
2011-10-07 00:12:30 +00:00 by mfriedrich 067de8b
2011-10-11 21:52:30 +00:00 by ricardo 527d782
2011-10-20 09:53:05 +00:00 by mfriedrich 10934c9
Relations:
The text was updated successfully, but these errors were encountered: