From: Michael Friedrich <michael.friedrich@icinga.com> Date: Tue, 9 Oct 2018 15:40:04 +0000 (+0200) Subject: CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter X-Git-Tag: v2.11.0-rc1~101^2 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=refs%2Fpull%2F7026%2Fhead;p=icinga2 CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter https://puppet.com/docs/puppet/5.5/man/cert.html --- diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md index 58730420b..f1697ae37 100644 --- a/doc/06-distributed-monitoring.md +++ b/doc/06-distributed-monitoring.md @@ -417,13 +417,21 @@ Disadvantages: * Needs client verification on the master. -You can list certificate requests by using the `ca list` CLI command. This also shows -which requests already have been signed. +You can list pending certificate signing requests with the `ca list` CLI command. ``` [root@icinga2-master1.localdomain /]# icinga2 ca list Fingerprint | Timestamp | Signed | Subject -----------------------------------------------------------------|---------------------|--------|-------- +71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain +``` + +In order to show all requests, use the `--all` parameter. + +``` +[root@icinga2-master1.localdomain /]# icinga2 ca list --all +Fingerprint | Timestamp | Signed | Subject +-----------------------------------------------------------------|---------------------|--------|-------- 403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-client1.localdomain 71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain ``` diff --git a/doc/11-cli-commands.md b/doc/11-cli-commands.md index 883dd3995..4cbfb8659 100644 --- a/doc/11-cli-commands.md +++ b/doc/11-cli-commands.md 
@@ -205,6 +205,42 @@ Report bugs at <https://github.com/Icinga/icinga2> Icinga home page: <https://icinga.com/> ``` + +### CLI command: Ca List <a id="cli-command-ca-list"></a> + +``` +icinga2 ca list --help +icinga2 - The Icinga 2 network monitoring daemon (version: v2.11.0) + +Usage: + icinga2 ca list [<arguments>] + +Lists pending certificate signing requests. + +Global options: + -h [ --help ] show this help message + -V [ --version ] show version information + --color use VT100 color codes even when stdout is not a + terminal + -D [ --define ] arg define a constant + -I [ --include ] arg add include search directory + -x [ --log-level ] arg specify the log level for the console log. + The valid value is either debug, notice, + information (default), warning, or critical + -X [ --script-debugger ] whether to enable the script debugger + +Command options: + --all List all certificate signing requests, including + signed. Note: Old requests are automatically + cleaned by Icinga after 1 week. + --json encode output as JSON + +Report bugs at <https://github.com/Icinga/icinga2> +Get support: <https://icinga.com/support/> +Documentation: <https://icinga.com/docs/> +Icinga home page: <https://icinga.com/> +``` + ## CLI command: Console <a id="cli-command-console"></a> The CLI command `console` can be used to debug and evaluate Icinga 2 config expressions, diff --git a/doc/16-upgrading-icinga-2.md b/doc/16-upgrading-icinga-2.md index 5b2ba51a9..d8d9ac221 100644 --- a/doc/16-upgrading-icinga-2.md +++ b/doc/16-upgrading-icinga-2.md 
@@ -89,6 +89,8 @@ This value also is available in the [ido](10-icinga-template-library.md#itl-icin ### CLI Commands <a id="upgrading-to-2-11-cli-commands"></a> +#### Permissions <a id="upgrading-to-2-11-cli-commands-permissions"></a> + CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list` required root permissions previously. Since the file permissions allow the Icinga user to change things already, and users kept asking to @@ -103,6 +105,13 @@ user has the capabilities to change to a different user. If you still encounter problems, run the aforementioned CLI commands as root, or with sudo. +#### CA List Behaviour Change <a id="upgrading-to-2-11-cli-commands-ca-list"></a> + +`ca list` only shows the pending certificate signing requests by default. + +You can use the new `--all` parameter to show all signing requests. +Note that Icinga automatically purges signed requests older than 1 week. + ### Configuration <a id="upgrading-to-2-11-configuration"></a> The deprecated `concurrent_checks` attribute in the [checker feature](09-object-types.md#objecttype-checkercomponent) diff --git a/lib/cli/calistcommand.cpp b/lib/cli/calistcommand.cpp index 509d0a91d..829086b98 100644 --- a/lib/cli/calistcommand.cpp +++ b/lib/cli/calistcommand.cpp 
@@ -16,20 +16,20 @@ REGISTER_CLICOMMAND("ca/list", CAListCommand); String CAListCommand::GetDescription() const { - return "Lists all certificate signing requests."; + return "Lists pending certificate signing requests."; } String CAListCommand::GetShortDescription() const { - return "lists all certificate signing requests"; + return "lists pending certificate signing requests"; } void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc, boost::program_options::options_description& hiddenDesc) const { visibleDesc.add_options() - ("json", "encode output as JSON") - ; + ("all", "List all certificate signing requests, including signed. Note: Old requests are automatically cleaned by Icinga after 1 week.") + ("json", "encode output as JSON"); } /** @@ -52,6 +52,10 @@ int CAListCommand::Run(const boost::program_options::variables_map& vm, const st for (auto& kv : requests) { Dictionary::Ptr request = kv.second; + /* Skip signed requests by default. */ + if (!vm.count("all") && request->Contains("cert_response")) + continue; + std::cout << kv.first << " | " /* << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp")) */
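Review bot: In doc/06-distributed-monitoring.md (hunk @@ -417,13), removing the sentence "This also shows which requests already have been signed" leaves the `*` in the Signed column of the `--all` example unexplained. Suggest extending the new sentence, for example "In order to show all requests, including those already signed (marked with `*`), use the `--all` parameter." The default example also keeps a Signed column that is always empty once signed requests are skipped, so a short remark there would stop operators reading the empty column as a status.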
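Review bot: In doc/11-cli-commands.md (hunk @@ -205,6), the new heading `### CLI command: Ca List` is level 3 while the next heading in the context, `## CLI command: Console`, is level 2, and it spells "Ca List" where the upgrading notes in this same patch use "CA List". Please confirm a level-2 parent section sits above this hunk, and pick one capitalisation for both documents.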
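Review bot: In doc/16-upgrading-icinga-2.md (hunk @@ -103,6), "automatically purges signed requests older than 1 week" does not match the `--all` help text added in calistcommand.cpp and doc/11-cli-commands.md, which says "Old requests are automatically cleaned by Icinga after 1 week" without limiting it to signed ones. An operator needs to know whether a pending, unsigned CSR also disappears after a week, so the three places should state the same thing. Since this is the upgrade note, it is also the place to say that scripts which read the default `ca list` output to find signed requests now need `--all`.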
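Review bot: In lib/cli/calistcommand.cpp, InitParameters (hunk @@ -16,20), the `all` description is a capitalised two-sentence text while the neighbouring `json` description is a lowercase fragment ("encode output as JSON"). Suggest matching the existing style, for example "list all certificate signing requests, including signed ones", and moving the one-week cleanup remark to the documentation, where the same hunk series already covers it.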
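Review bot: In lib/cli/calistcommand.cpp, CAListCommand::Run (hunk @@ -52,6), the new skip sits inside the loop that writes table rows to std::cout, and the hunk does not show how `--json` output is produced. If the JSON branch encodes `requests` without passing through this loop, `ca list --json` will still return signed requests while the help text says the command lists pending ones; please apply the same `cert_response` filter there or document the difference. A smaller point: `vm.count("all")` is re-evaluated for every request, so hoisting it into a `bool` before the loop would read more clearly.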