Permissions for automation user to run cmk-agent-ctl register?

Hello Everyone,

Since there is a need to register the agents at the server for checkmk 2.1.0, I wanted to do that with an automation user and Ansible.
I cannot really find any documentation on which permissions are needed at a minimum to allow registration with an automation user.

I already had one set up for registering agents for updates, but that seems not to be enough.
After getting the error “Request failed with code 403 Forbidden: You do not have the permission for agent pairing.” I added the agent pairing permission to the role.
This still does not seem to work, but now I just get a 500 error. When checking the error logs from the site’s Apache, this comes up:

[Mon May 30 14:34:18.777028 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] mod_wsgi (pid=1590888): Exception occurred processing WSGI script '/omd/sites/office_int/share/check_mk/web/app/index.wsgi'.
[Mon May 30 14:34:18.777992 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Traceback (most recent call last):
[Mon May 30 14:34:18.778165 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/applications/rest_api.py", line 483, in _wsgi_app
[Mon May 30 14:34:18.778222 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return wsgi_app(environ, start_response)
[Mon May 30 14:34:18.778285 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/applications/rest_api.py", line 240, in __call__
[Mon May 30 14:34:18.778334 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     wsgi_app = self.endpoint.wrapped(ParameterDict(path_args))
[Mon May 30 14:34:18.778378 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/plugins/openapi/restful_objects/decorators.py", line 809, in _wrapper
[Mon May 30 14:34:18.778413 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     response = func(param)
[Mon May 30 14:34:18.778469 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/plugins/openapi/restful_objects/decorators.py", line 695, in _validating_wrapper
[Mon May 30 14:34:18.778519 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     response = self.func(_params)
[Mon May 30 14:34:18.778566 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/plugins/openapi/endpoints/host_internal.py", line 70, in link_with_uuid
[Mon May 30 14:34:18.778613 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     host = _check_host_editing_permissions(host_name := params["host_name"])
[Mon May 30 14:34:18.778673 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/plugins/openapi/endpoints/host_internal.py", line 32, in _check_host_editing_permissions
[Mon May 30 14:34:18.778736 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     host.need_permission("write")
[Mon May 30 14:34:18.778783 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/watolib/hosts_and_folders.py", line 191, in need_permission
[Mon May 30 14:34:18.778816 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     self._user_needs_permission(how)
[Mon May 30 14:34:18.778882 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/watolib/hosts_and_folders.py", line 3320, in _user_needs_permission
[Mon May 30 14:34:18.778931 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     user.need_permission("wato.edit_hosts")
[Mon May 30 14:34:18.778975 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/utils/logged_in.py", line 380, in need_permission
[Mon May 30 14:34:18.779009 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     if not self.may(pname):
[Mon May 30 14:34:18.779054 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/utils/logged_in.py", line 369, in may
[Mon May 30 14:34:18.779087 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     raise PermissionError(
[Mon May 30 14:34:18.779140 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] PermissionError: Required permissions not declared for this endpoint.
[Mon May 30 14:34:18.779179 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Endpoint: <Endpoint cmk.gui.plugins.openapi.endpoints.host_internal:link_with_uuid>
[Mon May 30 14:34:18.779200 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Permission: wato.edit_hosts
[Mon May 30 14:34:18.779222 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Used permission: {'wato.edit_hosts', 'wato.all_folders'}
[Mon May 30 14:34:18.779250 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Declared: {wato.all_folders}
[Mon May 30 14:34:18.779279 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] 
[Mon May 30 14:34:18.779340 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] 
[Mon May 30 14:34:18.779382 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] During handling of the above exception, another exception occurred:
[Mon May 30 14:34:18.779402 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] 
[Mon May 30 14:34:18.779431 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Traceback (most recent call last):
[Mon May 30 14:34:18.779552 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/profiling.py", line 74, in __call__
[Mon May 30 14:34:18.779591 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return app(environ, start_response)
[Mon May 30 14:34:18.779620 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/middleware.py", line 19, in __call__
[Mon May 30 14:34:18.779646 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     response = self.app(environ, start_response)
[Mon May 30 14:34:18.779688 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/middleware.py", line 36, in _add_apache_env
[Mon May 30 14:34:18.779718 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return app(environ, start_response)
[Mon May 30 14:34:18.779755 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/routing.py", line 91, in router
[Mon May 30 14:34:18.779788 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return endpoint(environ, start_response)
[Mon May 30 14:34:18.779829 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3.9/site-packages/werkzeug/middleware/proxy_fix.py", line 187, in __call__
[Mon May 30 14:34:18.779915 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return self.app(environ, start_response)
[Mon May 30 14:34:18.779957 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/middleware.py", line 54, in __call__
[Mon May 30 14:34:18.779992 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return self.wsgi_app(environ, start_response)
[Mon May 30 14:34:18.780035 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/middleware.py", line 61, in wsgi_app
[Mon May 30 14:34:18.780073 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return self.app(environ, start_response)
[Mon May 30 14:34:18.780103 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/wsgi/applications/rest_api.py", line 528, in _wsgi_app
[Mon May 30 14:34:18.780132 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     if user.may("general.see_crash_reports"):
[Mon May 30 14:34:18.780171 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3.9/site-packages/werkzeug/local.py", line 432, in __get__
[Mon May 30 14:34:18.780201 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     obj = instance._get_current_object()
[Mon May 30 14:34:18.780238 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3.9/site-packages/werkzeug/local.py", line 554, in _get_current_object
[Mon May 30 14:34:18.780268 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     return self.__local()  # type: ignore
[Mon May 30 14:34:18.780307 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]   File "/omd/sites/office_int/lib/python3/cmk/gui/globals.py", line 124, in _lookup_req_object
[Mon May 30 14:34:18.780351 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756]     raise RuntimeError("Working outside of request context.")
[Mon May 30 14:34:18.780397 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] RuntimeError: Working outside of request context.

This still sounds like some permission issue to me.
When I use the cmkadmin user, the registration succeeds.

Thanks for any hints regarding this issue!

CMK version: 2.1.0 cee
OS version: Ubuntu 20.04.3
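As an added example (not from the thread and not Checkmk's own code), a small Python helper that strips the mod_wsgi prefix from log lines like the ones above and pulls out which permission the endpoint used but did not declare, so the role permission that is missing can be read off without scanning the whole traceback. SAMPLE_LOG is a constructed excerpt in the shape of the quoted log.

```python
import re

# Constructed sample in the shape of the site's Apache error log quoted in
# the thread (only the lines that carry the permission details).
SAMPLE_LOG = """\
[Mon May 30 14:34:18.779140 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] PermissionError: Required permissions not declared for this endpoint.
[Mon May 30 14:34:18.779179 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Endpoint: <Endpoint cmk.gui.plugins.openapi.endpoints.host_internal:link_with_uuid>
[Mon May 30 14:34:18.779200 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Permission: wato.edit_hosts
[Mon May 30 14:34:18.779222 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Used permission: {'wato.edit_hosts', 'wato.all_folders'}
[Mon May 30 14:34:18.779250 2022] [wsgi:error] [pid 1590888] [client 127.0.0.1:60756] Declared: {wato.all_folders}
"""

# The bracketed Apache/mod_wsgi fields that precede every message.
PREFIX = re.compile(r"^(?:\[[^\]]*\]\s*)+")


def strip_prefix(line):
    return PREFIX.sub("", line).rstrip()


def parse_perm_set(text):
    # The log prints the sets both quoted ({'a', 'b'}) and unquoted ({a}).
    return {tok.strip(" '\"") for tok in text.strip("{} ").split(",") if tok.strip()}


def find_missing_permissions(log_text):
    """Return one dict per 'Required permissions not declared' block with the
    endpoint, the permission that triggered the check, and the permissions
    that were used but not declared (i.e. what the user's role still lacks)."""
    findings = []
    current = None
    for raw in log_text.splitlines():
        line = strip_prefix(raw)
        if line.startswith("PermissionError: Required permissions not declared"):
            current = {"endpoint": None, "permission": None,
                       "used": set(), "declared": set(), "missing": []}
            findings.append(current)
            continue
        if current is None:
            continue
        if line.startswith("Endpoint:"):
            m = re.search(r"<Endpoint ([^>]+)>", line)
            current["endpoint"] = m.group(1) if m else line.split(":", 1)[1].strip()
        elif line.startswith("Used permission:"):
            current["used"] = parse_perm_set(line.split(":", 1)[1])
        elif line.startswith("Permission:"):
            current["permission"] = line.split(":", 1)[1].strip()
        elif line.startswith("Declared:"):
            current["declared"] = parse_perm_set(line.split(":", 1)[1])
            current["missing"] = sorted(current["used"] - current["declared"])
            current = None  # block complete
    return findings
```

Running it over the quoted log yields a single finding for the link_with_uuid endpoint whose missing permission is wato.edit_hosts, which is the check that turned into the 500 instead of a 403.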

Looks like I was a bit too quick with opening this topic; I just found out that it works when I add the permission “Write access to all hosts and folders”.

Maybe this also helps others having a similar issue.

Also, maybe something for the checkmk devs to check: whether there is a clearer way to indicate the issue without having to dig into the logs for a strange 500 error. Sounds like something for which a 403 would be the appropriate response.


@nir thanks for sharing this!

@athomaidis this is what I was talking about at the conference :slight_smile: “Write access to all hosts and folders” is a pretty “big” permission, making it rather risky to grant to a user that is used in a script for automatic registration :frowning:


Yep, same thought here.

“Agent registration: Fix required user permissions” allows limiting the permissions a little bit.

To register a host, users need the following permissions:

Agent pairing.
Read access to the host, either via "Read access to all hosts and folders" or via contact groups.
Write access to the host, either via "Write access to all hosts and folders" or via "Modify existing hosts" and write access to the specific host via contact groups.

So that’s still big, right?

Yeah, only now you can at least create multiple automation users that don’t all have access to “all hosts” but are limited to some hosts. However, I still believe registering/pairing an agent for TLS communication should be possible without “write access” to the host.

@AndiU would that be possible?

If you are following this thread please refer to Security concerns with Checkmk Werk 14079 - #17 by moritz for updates on this issue!