BUG: REST API User handling broken for some attributes


I was using the (old, deprecated) WebAPI to fully generate an automated setup by an external (predefined) configuration. In this setup everything is configured by a python script using via API (using GitHub - brennerm/check-mk-web-api: Python library to talk to the Check_Mk Web API).

This worked quite well until 2.0.0p15, where the user creation stopped working, which forced me to fork the WebAPI-Lib or migrate to the REST API.
At this point I found out, that not all user properties are populated by the REST API and even worse: Setting them causes an error -.-

Did I miss something? Is there a “additional config” field or something like that?
The fields I tried to configure (configured with the old WebAPI):

  • ‘enforce_pw_change’: False, (at least!)
  • ‘icons_per_item’: ‘entry’,
  • ‘ui_sidebar_position’: ‘left’
RuntimeError: ("{'title': 'Bad Request', 'status': 400, 'detail': 'These fields have problems: icons_per_item, enforce_pw_change, ui_sidebar_position', 'fields': {'icons_per_item': ['Unknown field.'], 'enforce_pw_change': ['Unknown field.'], 'ui_sidebar_position': ['Unknown field.']}}")

Any help / fix is appreciated :slight_smile:

Best regards,

1 Like

Any chances to get a reply here?

May be I should workaround the whole problem the hard (old) way and start editing / generate config files again, at least there are no hidden options (or fancy bugs introduced in a new patch release) :confused:

If no one uses this functions then the probability is small :wink:
I had a look at the interactive API gui and got some strange results.
As you found out the “enforce_pw_change” is rejected as a unknown field. You can use “enforce_password_change” but the transferred value is not used anywhere → BUG

I think the problem can be found inside this file
If the UpdateUser class is changed/extended with the right attributes it will work.

The other two options are completely not available thru the API.
Funny fact - inside the tests files you find all the options you want to set. :slight_smile:
from tests/unit/cmk/gui/plugins/openapi/test_openapi_user.py


Thanks for the answer (and the re-classification of the topic).

I know that my use case is a little bit uncommon, but I did not know, that this is a community only forum, I expected some developer presence here, too (at least because the possiblity of bug reports or possible improvement requests/ideas).

And another thanks for the digging, too. As far as I can see, the CreateUser class must be extended(, too), the UpdateUser class contains at least the enforce_password_change parameter. But I found this:

# The interface options must be set for a new user but we restrict the setting through the API


PS: checkmk/user_config.py at v2.0.0p16 · tribe29/checkmk · GitHub confuses me even more.

Sometimes I get the impression that the team working on the REST API is completely separate from the rest of the checkmk developers and do not know anything about the application, @LaMi

1 Like


this is definitely a bug and the fix has been added to our queue for the 2.0.0p18 release.

The internal ticket number is CMK-9253.

Best Regards,
Christoph Rauch

Main Developer REST API


Many thanks. I will provide feedback after release (and the update of my environment, probably next year :slight_smile: ).

I did some digging by myself and found this:

which leads to this:

And that is the point, were at least the previously set password is worthless. May be this helps a little bit.

Eventhough it would be nice to configure the behaviour in general.

And here is my patch, which solves at least my problem.


@@ -1285,6 +1285,25 @@
         enum=["de", "en", "ro"],

+    enforce_pw_change = fields.Bool(
+        required=False,
+        description="Enforce the password change on next login. This has no effect if you remove "
+        "the authentication option",
+        example=False,
+    )
+    icons_per_item = fields.String(
+        required=False,
+        description="",
+        example="entry",
+    )
+    ui_sidebar_position = fields.String(
+        required=False,
+        description="",
+        example="left",
+    )

 class UpdateUser(BaseSchema):
     fullname = fields.String(
@@ -1307,7 +1326,7 @@
-    enforce_password_change = fields.Bool(
+    enforce_pw_change = fields.Bool(
         description="Enforce the password change on next login. This has no effect if you remove "
         "the authentication option",


@@ -339,8 +339,12 @@
         internal_attrs.pop("automation_secret", None)
         internal_attrs.pop("password", None)
+        changepw=new_user
+        if auth_options["password"] != "":
+            changepw=False
         internal_auth_attrs = _auth_options_to_internal_format(auth_options,
-                                                               enforce_pw_change=new_user)
+                                                               enforce_pw_change=changepw)
         if internal_auth_attrs:
             if "automation_secret" not in internal_auth_attrs:  # new password
                 internal_attrs.pop("automation_secret", None)