Merge pull request #7026 from Icinga/feature/ca-list-all

CLI: 'ca list' lists pending CSRs by default, add '--all' parameter
Michael Friedrich 2019-05-10 16:41:53 +02:00 committed by GitHub
commit e8c6e3da32
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 63 additions and 6 deletions


@ -417,13 +417,21 @@ Disadvantages:
* Needs client verification on the master. * Needs client verification on the master.
You can list certificate requests by using the `ca list` CLI command. This also shows You can list pending certificate signing requests with the `ca list` CLI command.
which requests already have been signed.
``` ```
[root@icinga2-master1.localdomain /]# icinga2 ca list [root@icinga2-master1.localdomain /]# icinga2 ca list
Fingerprint | Timestamp | Signed | Subject Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|-------- -----------------------------------------------------------------|---------------------|--------|--------
71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain
```
In order to show all requests, use the `--all` parameter.
```
[root@icinga2-master1.localdomain /]# icinga2 ca list --all
Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-client1.localdomain 403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-client1.localdomain
71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain
``` ```
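Review bot: In the new default example the `Signed` column is still printed but can never be populated, because signed requests are now hidden unless `--all` is given. Either say in the text that an empty `Signed` field marks a pending request, or note that the column only carries information with `--all`. The paragraph introducing `--all` should also repeat the one-week cleanup mentioned in the help text, so readers do not treat "all requests" as a complete signing history.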


@ -205,6 +205,42 @@ Report bugs at <https://github.com/Icinga/icinga2>
Icinga home page: <https://icinga.com/> Icinga home page: <https://icinga.com/>
``` ```
### CLI command: Ca List <a id="cli-command-ca-list"></a>
```
icinga2 ca list --help
icinga2 - The Icinga 2 network monitoring daemon (version: v2.11.0)
Usage:
icinga2 ca list [<arguments>]
Lists pending certificate signing requests.
Global options:
-h [ --help ] show this help message
-V [ --version ] show version information
--color use VT100 color codes even when stdout is not a
terminal
-D [ --define ] arg define a constant
-I [ --include ] arg add include search directory
-x [ --log-level ] arg specify the log level for the console log.
The valid value is either debug, notice,
information (default), warning, or critical
-X [ --script-debugger ] whether to enable the script debugger
Command options:
--all List all certificate signing requests, including
signed. Note: Old requests are automatically
cleaned by Icinga after 1 week.
--json encode output as JSON
Report bugs at <https://github.com/Icinga/icinga2>
Get support: <https://icinga.com/support/>
Documentation: <https://icinga.com/docs/>
Icinga home page: <https://icinga.com/>
```
## CLI command: Console <a id="cli-command-console"></a> ## CLI command: Console <a id="cli-command-console"></a>
The CLI command `console` can be used to debug and evaluate Icinga 2 config expressions, The CLI command `console` can be used to debug and evaluate Icinga 2 config expressions,
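Review bot: The added heading `### CLI command: Ca List` is one level deeper than the sibling `## CLI command: Console` directly after it, so the new section will nest under whatever precedes it instead of appearing as its own CLI command. Use `##` here, and consider `CA List` rather than `Ca List` to match the `CA List Behaviour Change` heading used in the upgrading notes.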


@ -89,6 +89,8 @@ This value also is available in the [ido](10-icinga-template-library.md#itl-icin
### CLI Commands <a id="upgrading-to-2-11-cli-commands"></a> ### CLI Commands <a id="upgrading-to-2-11-cli-commands"></a>
#### Permissions <a id="upgrading-to-2-11-cli-commands-permissions"></a>
CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list` CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list`
required root permissions previously. Since the file permissions allow required root permissions previously. Since the file permissions allow
the Icinga user to change things already, and users kept asking to the Icinga user to change things already, and users kept asking to
@ -103,6 +105,13 @@ user has the capabilities to change to a different user.
If you still encounter problems, run the aforementioned CLI commands as root, If you still encounter problems, run the aforementioned CLI commands as root,
or with sudo. or with sudo.
#### CA List Behaviour Change <a id="upgrading-to-2-11-cli-commands-ca-list"></a>
`ca list` only shows the pending certificate signing requests by default.
You can use the new `--all` parameter to show all signing requests.
Note that Icinga automatically purges signed requests older than 1 week.
### Configuration <a id="upgrading-to-2-11-configuration"></a> ### Configuration <a id="upgrading-to-2-11-configuration"></a>
The deprecated `concurrent_checks` attribute in the [checker feature](09-object-types.md#objecttype-checkercomponent) The deprecated `concurrent_checks` attribute in the [checker feature](09-object-types.md#objecttype-checkercomponent)
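Review bot: The sentence "Icinga automatically purges signed requests older than 1 week" does not match the `--all` help text, which says "Old requests are automatically cleaned by Icinga after 1 week" without limiting it to signed ones. Pick one wording and state clearly whether pending requests are also removed. Since this is an upgrade note for a default that changed, it should also tell operators that scripts which relied on `ca list` to show signed requests now need `--all`.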


@ -16,20 +16,20 @@ REGISTER_CLICOMMAND("ca/list", CAListCommand);
String CAListCommand::GetDescription() const String CAListCommand::GetDescription() const
{ {
return "Lists all certificate signing requests."; return "Lists pending certificate signing requests.";
} }
String CAListCommand::GetShortDescription() const String CAListCommand::GetShortDescription() const
{ {
return "lists all certificate signing requests"; return "lists pending certificate signing requests";
} }
void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc, void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc,
boost::program_options::options_description& hiddenDesc) const boost::program_options::options_description& hiddenDesc) const
{ {
visibleDesc.add_options() visibleDesc.add_options()
("json", "encode output as JSON") ("all", "List all certificate signing requests, including signed. Note: Old requests are automatically cleaned by Icinga after 1 week.")
; ("json", "encode output as JSON");
} }
/** /**
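Review bot: Style point on the new `("all", ...)` option in `InitParameters`: its description is a capitalised multi-sentence string, while the neighbouring `("json", "encode output as JSON")` is a short lowercase phrase. Shorten it to something like "list all certificate signing requests, including signed" and leave the one-week cleanup note to the documentation. Moving the terminating `;` onto the `json` line is an unrelated formatting change and would be better left as it was.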
@ -52,6 +52,10 @@ int CAListCommand::Run(const boost::program_options::variables_map& vm, const st
for (auto& kv : requests) { for (auto& kv : requests) {
Dictionary::Ptr request = kv.second; Dictionary::Ptr request = kv.second;
/* Skip signed requests by default. */
if (!vm.count("all") && request->Contains("cert_response"))
continue;
std::cout << kv.first std::cout << kv.first
<< " | " << " | "
/* << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp")) */ /* << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp")) */
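Review bot: The `!vm.count("all") && request->Contains("cert_response")` check is added inside the loop that writes the table rows to `std::cout`; the `--json` output path is not part of this hunk. Please confirm that JSON output applies the same filter, otherwise `ca list` and `ca list --json` will return different sets of requests by default. It would also help to state in the comment that the presence of `cert_response` is what marks a request as signed.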