BUG: REST-API Show Configuration of a single agent fails with Permission Mismatch

CMK version: 2.1.0p4
OS version: RHEL7

Using REST-API Interactive GUI, using Agent Get /object/agent/{agent_hash} results in the following error;-

2022-09-28 16:02:40,536 [40] [cmk.gui.plugins.openapi.restful_objects.decorators 26248] Permission mismatch: <Endpoint cmk.gui.cee.plugins.openapi.endpoints.agent:show_agent_information> Params: {'agent_hash': '4319ca305cce01a5'} Required: [] Declared: AllPerm([{wato.agents}, AnyPerm([{background_jobs.delete_jobs}, {background_jobs.delete_foreign_jobs}, {background_jobs.stop_jobs}, {background_jobs.stop_foreign_jobs}, {background_jobs.see_foreign_jobs})?)

All other Agent methods work, even those that require permission {wato.agents}, so the automation account being used is not missing that permission.


Found Werk #13954, which seems to suggest this issue was fixed in V2.1.0p9, so upgraded to V2.1.0p13, but problem still persists.

Really need this functionality, need a fix please


Hi Mark, can you provide the exact API call you are performing?
Maybe a minimum working example of your code?

Hi Robin,

The easiest way to replicate is via the Swagger REST-API Interactive GUI, using the method Show Configuration of a single agent (GET /objects​/agent​/{agent_hash})

This replicates exactly what I see in my code. ie

curl -X 'GET' \
  '' \
  -H 'accept: application/json'
  "title": "Internal Server Error",
  "status": 500,
  "detail": "Permission mismatch. See the server logs for more information."




Any update on this issue?


Hi Mark, looks like I can reproduce this, I will open a ticket.
Can you try to use the hostname in the meantime? That should be more real-worldly anyway.

Hi @robin.gierse ,
Ok thats great thank you.
Unfortunately I cant use hostname as I am trying to get a list of hostnames that are associated with a particulate build. I am assuming/hoping that is what will be in the ‘members’ list attribute when this works properly.


But you are aware, that hashes change on each baking? Of course as long as the configuration does not change, the hash stays the same, but when it changes, the hash also changes.
It sounds like you are trying to work around an issue, but you are not on the best path for a solution.

Hi @robin.gierse,

Yes I am aware that the hashes will change.

I have a script that along with Ansible used as a deployment method allows us to deploy to our Linux servers that run the agent as non-root, while still using the agent bakery to maintain and modify agents and agent configurations. The script runs daily and extracts the builds, it also maintains the relationship between the build hash and the hosts that are associated with that build, hence the need for this particular get method to work.

If you feel there is a better way of doing this, then I would be happy to hear any suggestions. As far as I am aware the agent bakery cannot be used in a non-root agent setup.(ie the agent registration with the bakery requires root permissions)



Wow, that is a sophisticated use case right there. Keep doing what you do, you seem to know your way around Checkmk and understand how things work.

Keep an eye on the Werks for the fix of your problem. But I cannot promise any timeline. If you can, open a support ticket with us, that might speed things up.

I just learned that this is fixed at least in 2.1.0p24, maybe earlier. :v:

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed. Contact an admin if you think this should be re-opened.