Uploaded image for project: 'ZABBIX BUGS AND ISSUES'
  1. ZABBIX BUGS AND ISSUES
  2. ZBX-17759

Deprecate EnableRemoteCommands agent configuration parameter

XMLWordPrintable

    • Sprint 64 (May 2020), Sprint 65 (Jun 2020)
    • 1

      EnableRemoteComands agent configuration parameter will be deprecated by aliasing it to corresponding AllowKey/DenyKey parameters:

      • Log warning if EnableRemoteCommands is set in configuration
      • Initialize EnableRemoteCommands with 1 on agent
      • Change EnableRemoteCommands parameter type from TYPE_INT to TYPE_CUSTOM. The custom function with log the above warning and add allow/deny system.run[*] rule based on EneableRemoteCommands value. This way it will be directly aliased to AllowKey/DenyKey parameters.
      • Move 'match all' (*) rule detection to finalize phase (this is needed to correctly detect system.run[*] rule presence)
      • Change finalize key access rules configuration to:
        • find if rules already contains system.run[*] rule
        • remove all rules after first 'match all' rule
        • remove all trailing allow rules
        • if there were other rules than system.run[*] and all were removed, print error and exit:
        • Item key access rules are configured to match all keys, indicating possible configuration problem. Please remove the rules if that was the purpose.
        • add deny system.run[*] rule unless it was manually added
      • Document that EnableRemoteCommands is now an deprecated alias for AllowKey=system.run[*]/DenyKey=system.run[*] rule
      • Document that unless a system.run[*] rule is specified a corresponding deny rule is added by default

      Agent2 must apply similar logic, except instead of deprecating EnableRemoteCommands it should not support it:

      • Remove EnableRemoteCommands check in systemrun plugin (if it's not already removed).
      • Move 'match all' (*) rule detection to finalize phase (this is needed to correctly detect system.run[*] rule presence)
      • Change finalize key access rules configuration to:
        • find if rules already contains system.run[*] rule
        • remove all rules after first 'match all' rule
        • remove all trailing allow rules
        • if there were other rules than system.run[*] and all were removed, print error and exit:
        • Item key access rules are configured to match all keys, indicating possible configuration problem. Please remove the rules if that was the purpose.
        • add deny system.run[*] rule unless it was manually added
      • Document that unless a system.run[*] rule is specified a corresponding deny rule is added by default

            wiper Andris Zeila
            wiper Andris Zeila
            Team A
            Votes:
            0 Vote for this issue
            Watchers:
            10 Start watching this issue

              Created:
              Updated:
              Resolved: