Hi everybody!
We needed to make a few architectural changes to get this working in the more general context that we’ll have in the 2.2 CCE.
We are not done yet, and this may still be subject to change, but I thought I’ll let you know what we’re planning currently, so you can provide feedback.
In Checkmk 2.1 things will not change, and 2.1 agent controllers out there will continue to work with Checkmk 2.2 (but probably not with Checkmk 2.3).
In Checkmk 2.2 we also have the CCE, where we are not only talking about the registration of existing hosts, but also about cmk-agent-ctl regsiter-new, a command that will create a host in the site and register to it (if the site is set up for it). For this and the existing case we plan to introduce 4 new permissions for agent registration (the “Agent pairing” permission is no longer relevant). With these new permissions you can do nothing but the operations mentioned here.
For cmk-agent-ctl register (registration of an agent controller to an existing host) the user needs to fulfill (at least) one of the following conditions:
- They have the “Register any existing host” permission
- They have the “Register managed existing hosts” permission and are in a contact group of the host in question
- They have actual read/write access to the host, either via “Write access to all hosts and folders” or via “Modify existing hosts” and write access to the specific host via contact groups.
For cmk-agent-ctl register-new (triggering an automation that ultimately creates a host on the site, registers the agent to it, discovers the a host and activates the changes) the user needs to fulfill
(at least) one of the following conditions:
- They have the “Register any new host” permission
- They have the “Register new hosts in managed folders” permission and are in a contact group of the folder in question
- They have actual read/write access to the folder, (either via “Write access to all hosts and folders” or write access to the specific folder via contact groups) and all permissions required to do the implied actions (create the host, register it, discover services, activate the changes)
Note that the “Register new” permissions will not allow you to perform any of the mentioned actions outside of the scope of the processes triggered by the agent controller command.
Again: This is preliminary, not a documentation. But I’d like to hear your feedback.