Secrets for Special Agents in CheckMk 2.3

Spoth · May 13, 2024, 10:12am

Hi,

I’m trying to get my plugin working on CheckMk 2.3p1 and I’m struggling getting a secret to my special agent. I’m using the Redfish plugin as reference, but still cannot figure out this:

In the “server_side_calls” file it prepares the command line for the execution of the special agent:

This Secret object is passed as string as a command line parameter:

In the special agent this value gets split into id and path, then the actual password looked up from the password store:

When I print out the Secret in my “server_side_call”, it shows this objects, I don’t see how it could be split by : and it does not contain any path:

Secret(id=140152638596336, format='%s', pass_safely=True)

So I actually have no idea where to take the “path” value from, that the password store lookup needs.

I then found the “unsafe” method of the Secret class. I would prefer to have the “server_side_call” looking up the password and give it to the special agent. This should do what I want:

But when I print the value that is returned by the usafe method, it again does not show me my password:

I would appreciate a little hint on how to get the password to my special agent. I would prefer not to modify the special agent, I’d like the server_side_call to retrieve the password and hand it plaintext as parameter to the special agent.

Regards,
Sven

andreas-doehler · May 13, 2024, 11:00am

Here some information about my implementation inside the Redfish mkp.

Example command line with explizit password set.

agent_redfish -u demouser1 --password-id uuid981006ce-29ca-4289-9674-ab3f636cb575:/omd/sites/cmk/var/check_mk/passwords_merged -P https 192.168.188.223

and here with password store used

agent_redfish -u demouser2 --password-id password_1:/omd/sites/cmk/var/check_mk/passwords_merged -P https 192.168.188.223

You see in booth versions you have a password id and a path inside the command line.

This object is translated into the command line.
In your special agent how does the command line looks like if shown with “cmk -D hostname”.

Spoth · May 13, 2024, 1:34pm

Ah yes, I see. The object added to the “command_arguments” ends up differently in the command line parameters used to call the special agent script:

–client_secret uuid98349f98-822b-411e-884f-2130214f3fc0:/omd/sites/monitoring/var/check_mk/passwords_merged

I was actually trying to retrieve the password in the server_side_call script, so I don’t have to modify my special agent and make it dependant on the CheckMk libs.

Any idea how to do that?

Spoth · May 14, 2024, 7:10am

Now I got it. When using the unsafe() method on the Secret within the server_side_call, it later gets replaced by the plaintext password that is then given to the special agent: