To register agents, both for agent updates and for TLS encryption, it might be desirable to have a dedicated user and role at hand.
This article outlines how that can be achieved.

The UI way

The easiest way to build an agent registration role is by using the GUI and following these steps:

  1. Create a copy of the guest role and name it meaningfully.

  2. Ensure the role has the following permissions:
    1. "Use the GUI at all"
    2. "Register Host & download monitoring agents of your hosts"
    3. "Register all hosts & download all monitoring agents"

  3. Optionally you can disable all other permissions.

  4. Create a user with a meaningful name and configure the following:
    1. Authentication: Automation Secret
    2. Assign the agent registration role created before

The config file way

Note

We always recommend using the GUI instead of modifying .mk files. For any issue or broken config, we do not provide any support.

In exceptional circumstances, you might want to adjust configuration files with caution. Please do a backup before adjusting the files.

  1. Pretty print the configuration for a better overview: Pretty-print the configuration files
  2. Add the following section to the config file ~/etc/check_mk/multisite.d/wato/roles.mk:

    'agent_updater': {'alias': 'agents registration and download',
              'basedon': None,
              'builtin': True,
              'permissions': {'general.see_all': True,
                              'general.use': True,
                              'wato.download_all_agents': True}}

    To put it in the right place, add a comma "," before the closing "})" and insert the section after that comma.

Agent Pairing for TLS Encryption

For a user to be able to run cmk-agent-ctl register, which is needed to enable TLS encryption (available from 2.1.0 onwards), you have to add the following rights (internal name "general.agent_pairing") to their role.

  • Agent pairing
  • Read access to all hosts and folders
  • Write access to all hosts and folders


In the end, the whole file should look like this:

# Written by Checkmk store

roles.update({
 'admin': {'alias': 'Administrator',
           'builtin': True,
           'permissions': {}},
 'guest': {'alias': 'Guest user',
           'builtin': True,
           'permissions': {}},
 'user': {'alias': 'Normal monitoring user',
          'builtin': True,
          'permissions': {}},
 'agent_updater': {'alias': 'agents registration and download',
                   'basedon': None,
                   'builtin': True,
                   'permissions': {'general.see_all': True,
                                   'general.use': True,
                                   'wato.download_all_agents': True}},  
 'agent_ctl': {'alias': 'Agent Controller', 
               'basedon': None, 
               'builtin': True, 
               'permissions': {'general.agent_pairing': True,
                               'general.use': True,
                               'wato.see_all_folders': True,
                               'wato.all_folders': True}}
})
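
After a manual edit, the role definitions can be checked without executing the file. The following is an added example, not part of the original article or of Checkmk: it parses roles.mk content with ast and reports any explicitly set permission on the two roles that deviates from the listing above. The sample content and the permission name example.extra_permission are constructed.

```python
import ast

# Expected explicit permissions per role, taken from the listing on this page.
EXPECTED = {
    "agent_updater": {"general.see_all", "general.use", "wato.download_all_agents"},
    "agent_ctl": {"general.agent_pairing", "general.use", "wato.see_all_folders", "wato.all_folders"},
}

def load_roles(source):
    """Collect the dicts passed to roles.update(...) without executing the file."""
    roles = {}
    for node in ast.walk(ast.parse(source)):  # SyntaxError here: e.g. missing comma
        func = getattr(node, "func", None)
        if (isinstance(node, ast.Call) and isinstance(func, ast.Attribute)
                and func.attr == "update" and isinstance(func.value, ast.Name)
                and func.value.id == "roles" and len(node.args) == 1):
            roles.update(ast.literal_eval(node.args[0]))  # literals only, no code
    return roles

def audit(source, expected=EXPECTED):
    """Return deviations of the registration roles from the expected permissions."""
    try:
        roles = load_roles(source)
    except (SyntaxError, ValueError) as exc:
        return [f"file does not parse as literal role definitions: {exc}"]
    findings = []
    for name, wanted in expected.items():
        if name not in roles:
            findings.append(f"{name}: role missing")
            continue
        granted = {p for p, on in roles[name].get("permissions", {}).items() if on}
        findings += [f"{name}: unexpected permission {p}" for p in sorted(granted - wanted)]
        findings += [f"{name}: missing permission {p}" for p in sorted(wanted - granted)]
    return findings

# Constructed sample: agent_ctl carries one extra, made-up permission name.
SAMPLE = """roles.update({
 'agent_updater': {'alias': 'agents registration and download', 'basedon': None,
                   'builtin': True,
                   'permissions': {'general.see_all': True, 'general.use': True,
                                   'wato.download_all_agents': True}},
 'agent_ctl': {'alias': 'Agent Controller', 'basedon': None, 'builtin': True,
               'permissions': {'general.agent_pairing': True, 'general.use': True,
                               'wato.see_all_folders': True, 'wato.all_folders': True,
                               'example.extra_permission': True}}
})"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "roles match the expected permissions")
```

To check a real site, pass the text of ~/etc/check_mk/multisite.d/wato/roles.mk to audit(); an empty list means both roles carry exactly the permissions shown on this page.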