From: Michael Friedrich <michael.friedrich@icinga.com>
Date: Tue, 9 Oct 2018 15:40:04 +0000 (+0200)
Subject: CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter
X-Git-Tag: v2.11.0-rc1~101^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=refs%2Fpull%2F7026%2Fhead;p=icinga2
CLI: 'ca list' now lists pending CSRs by default, add '--all' parameter
https://puppet.com/docs/puppet/5.5/man/cert.html
---
diff --git a/doc/06-distributed-monitoring.md b/doc/06-distributed-monitoring.md
index 58730420b..f1697ae37 100644
--- a/doc/06-distributed-monitoring.md
+++ b/doc/06-distributed-monitoring.md
@@ -417,13 +417,21 @@ Disadvantages:
* Needs client verification on the master.
-You can list certificate requests by using the `ca list` CLI command. This also shows
-which requests already have been signed.
+You can list pending certificate signing requests with the `ca list` CLI command.
```
[root@icinga2-master1.localdomain /]# icinga2 ca list
Fingerprint | Timestamp | Signed | Subject
-----------------------------------------------------------------|---------------------|--------|--------
+71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain
+```
+
+In order to show all requests, use the `--all` parameter.
+
+```
+[root@icinga2-master1.localdomain /]# icinga2 ca list --all
+Fingerprint | Timestamp | Signed | Subject
+-----------------------------------------------------------------|---------------------|--------|--------
403da5b228df384f07f980f45ba50202529cded7c8182abf96740660caa09727 | 2017/09/06 17:02:40 | * | CN = icinga2-client1.localdomain
71700c28445109416dd7102038962ac3fd421fbb349a6e7303b6033ec1772850 | 2017/09/06 17:20:02 | | CN = icinga2-client2.localdomain
```
diff --git a/doc/11-cli-commands.md b/doc/11-cli-commands.md
index 883dd3995..4cbfb8659 100644
--- a/doc/11-cli-commands.md
+++ b/doc/11-cli-commands.md
@@ -205,6 +205,42 @@ Report bugs at <https://github.com/Icinga/icinga2>
Icinga home page: <https://icinga.com/>
```
+
+### CLI command: Ca List <a id="cli-command-ca-list"></a>
+
+```
+icinga2 ca list --help
+icinga2 - The Icinga 2 network monitoring daemon (version: v2.11.0)
+
+Usage:
+ icinga2 ca list [<arguments>]
+
+Lists pending certificate signing requests.
+
+Global options:
+ -h [ --help ] show this help message
+ -V [ --version ] show version information
+ --color use VT100 color codes even when stdout is not a
+ terminal
+ -D [ --define ] arg define a constant
+ -I [ --include ] arg add include search directory
+ -x [ --log-level ] arg specify the log level for the console log.
+ The valid value is either debug, notice,
+ information (default), warning, or critical
+ -X [ --script-debugger ] whether to enable the script debugger
+
+Command options:
+ --all List all certificate signing requests, including
+ signed. Note: Old requests are automatically
+ cleaned by Icinga after 1 week.
+ --json encode output as JSON
+
+Report bugs at <https://github.com/Icinga/icinga2>
+Get support: <https://icinga.com/support/>
+Documentation: <https://icinga.com/docs/>
+Icinga home page: <https://icinga.com/>
+```
+
## CLI command: Console <a id="cli-command-console"></a>
The CLI command `console` can be used to debug and evaluate Icinga 2 config expressions,
diff --git a/doc/16-upgrading-icinga-2.md b/doc/16-upgrading-icinga-2.md
index 5b2ba51a9..d8d9ac221 100644
--- a/doc/16-upgrading-icinga-2.md
+++ b/doc/16-upgrading-icinga-2.md
@@ -89,6 +89,8 @@ This value also is available in the [ido](10-icinga-template-library.md#itl-icin
### CLI Commands <a id="upgrading-to-2-11-cli-commands"></a>
+#### Permissions <a id="upgrading-to-2-11-cli-commands-permissions"></a>
+
CLI commands such as `api setup`, `node wizard/setup`, `feature enable/disable/list`
required root permissions previously. Since the file permissions allow
the Icinga user to change things already, and users kept asking to
@@ -103,6 +105,13 @@ user has the capabilities to change to a different user.
If you still encounter problems, run the aforementioned CLI commands as root,
or with sudo.
+#### CA List Behaviour Change <a id="upgrading-to-2-11-cli-commands-ca-list"></a>
+
+`ca list` only shows the pending certificate signing requests by default.
+
+You can use the new `--all` parameter to show all signing requests.
+Note that Icinga automatically purges signed requests older than 1 week.
+
### Configuration <a id="upgrading-to-2-11-configuration"></a>
The deprecated `concurrent_checks` attribute in the [checker feature](09-object-types.md#objecttype-checkercomponent)
diff --git a/lib/cli/calistcommand.cpp b/lib/cli/calistcommand.cpp
index 509d0a91d..829086b98 100644
--- a/lib/cli/calistcommand.cpp
+++ b/lib/cli/calistcommand.cpp
@@ -16,20 +16,20 @@ REGISTER_CLICOMMAND("ca/list", CAListCommand);
String CAListCommand::GetDescription() const
{
- return "Lists all certificate signing requests.";
+ return "Lists pending certificate signing requests.";
}
String CAListCommand::GetShortDescription() const
{
- return "lists all certificate signing requests";
+ return "lists pending certificate signing requests";
}
void CAListCommand::InitParameters(boost::program_options::options_description& visibleDesc,
boost::program_options::options_description& hiddenDesc) const
{
visibleDesc.add_options()
- ("json", "encode output as JSON")
- ;
+ ("all", "List all certificate signing requests, including signed. Note: Old requests are automatically cleaned by Icinga after 1 week.")
+ ("json", "encode output as JSON");
}
/**
@@ -52,6 +52,10 @@ int CAListCommand::Run(const boost::program_options::variables_map& vm, const st
for (auto& kv : requests) {
Dictionary::Ptr request = kv.second;
+ /* Skip signed requests by default. */
+ if (!vm.count("all") && request->Contains("cert_response"))
+ continue;
+
std::cout << kv.first
<< " | "
/* << Utility::FormatDateTime("%Y/%m/%d %H:%M:%S", request->Get("timestamp")) */