Invoke-IcingaCheckClusterHealth - Encoding artefacts in plugin output
aheinhold opened this issue · 7 comments
Icinga Plugin Output
Plugin output
�[91mMethodInvocationException: �[91mException calling "Format" with "2" argument(s): "Value cannot be null.
Parameter name: args"�[0m [WARNING] Check package "Cluster Services" (Match All) - [WARNING] SCVMM DeploymentTemplate-SIT Status, SCVMM VEEAM_E2E_WHCLHQSK0001.fqdn Status \_ [OK] Check package "Cluster Nodes" (Match All) \_ [OK] Check package "WHVLHQSK1100001" (Match All)
…
…
Commandline execution (Icinga Satellite)
>> ./check_by_pwsh.ps1 "user" 'pass' "whvlhqsk1100002.fqdn" "Use-Icinga; return invoke-IcingaCheckClusterHealth -Verbosity 2;"
MethodInvocationException: Exception calling "Format" with "2" argument(s): "Value cannot be null.
Parameter name: args"
[WARNING] Check package "Cluster Services" (Match All) - [WARNING] SCVMM DeploymentTemplate-SIT Status, SCVMM VEEAM_E2E_WHCLHQSK0001.fqdn Status
\_ [OK] Check package "Cluster Nodes" (Match All)
…
…
Local execution:
- User is member of local Administrators group
- User is member of Hyper-V-Administrators
- The command is executed in an "Admin-Powershell"-Window
PS C:\WINDOWS\system32> icinga
******************************************************
** Icinga PowerShell Framework v1.3.0
** Copyright (c) 2020 Icinga GmbH | MIT
** User environment DOMAIN\user
******************************************************
icinga> return Invoke-IcingaCheckClusterHealth -Verbosity 2
[WARNING] Check package "Cluster Services" (Match All) - [WARNING] SCVMM DeploymentTemplate-SIT Status, SCVMM VEEAM_E2E_WHCLHQSK0001.fqdn Status
\_ [OK] ClusSvc Status: Running
\_ [OK] Check package "Cluster Nodes" (Match All)
\_ [OK] Check package "WHVLHQSK1100001" (Match All)
...
...
Hello @aheinhold, thanks for the report. This is probably because the user has no access to the cluster service. Can you grant the user ReadOnly access to the cluster like this? Thanks!
Same problem with read-access or full-access to the cluster
It is definitely a permission problem, because for some reason the user cannot access the Cluster Service ClusSvc even though he has FullAccess on the cluster. At the moment I don't have a quick answer for you either, but I will discuss with @LordHepipud how we can solve such undefined problems.
I dug a lot into permission handling on Windows today and maybe we can get this one to work:
Can you please have a look inside the registry of the host at the following key:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
If I understand it correctly, there should be an entry ClusSvc. Is the user you are running the checks with inside one of the groups there?
If not, could you please add permissions to this specific service and possible sub elements for this user? Read-Only should be enough in this case.
Maybe restarting the WinRM service afterwards is required.
If I understand it correctly, this should resolve the problem and the user can access the service object.
Okay, forget about the registry. I just figured out how to grant access to services for non-admin users.
It's honestly not that simple, but well described in the Microsoft Docs using security templates: How to grant users rights to manage services
For this one you also need to know how to set up a security template: Define Security Templates By Using the Security Templates Snap-In
In addition you can also configure this over GPO: How To Configure Group Policies to Set Security for System Services
I basically just granted a non-admin domain user read-only permissions to the vmms and winrm services. It works very well if you know how to configure it. It also works over PowerShell remote, and because I only granted read-only access, I can fetch the status but not modify it.
I have however no idea how I can make this user friendly at all.
Okay, found a solution - I'm however not sure about possible side effects of this.
By using the above docs, you can basically create a custom .inf file, containing the following (example):
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"vmms",2,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;**the SID of the user**)(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)"
The above example will grant the following permissions to a service:
- System: Full Access
- domain\Administrators: Full access
- INTERACTIVE: Read only
- Custom User: Read only
You can replace **the SID of the user** with the SID of the user running the checks.
Now save this template for example at C:\users\public\vmms.inf
Now we need to compile our security database by using secedit.exe. We can use the Icinga for Windows Process Handler to start it:
Use-Icinga;
Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/import /cfg "{0}.inf" /db "{0}.sdb"', 'C:\users\public\vmms'));
Once this command has run, the security db is present within the same directory, and we can now use it to configure our system:
Start-IcingaProcess -Executable 'secedit.exe' -Arguments ([string]::Format('/configure /cfg "{0}.inf" /db "{0}.sdb"', 'C:\users\public\vmms'));
Once done, our user can now access the corresponding service information. In your case you can replace the vmms service with ClusSvc.
Now - is there a catch? Honestly I don't know if modifying a single service requires granting permissions to every single service available. What does this mean:
- In case you can run Get-Service with the user over PowerShell Remote, we have to test first if this removes certain permissions. In case it does, we have to consider checking closely how we can resolve this.
So a problem could be that we are going to modify permissions together with this, which we don't want.
In addition we should of course make sure that possibly different permissions for services are not overwritten, as we only want to add another user to the service permissions and not change all of them.
Basically a test should be done on a new system where it doesn't matter if something goes wrong. @aheinhold would you be able to do such tests in addition to invalidate my concerns?
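The following is an added PowerShell example, not code from this issue or from the Icinga for Windows project. It puts the secedit procedure from the comment above together with the concern raised at its end about overwriting existing service permissions: instead of writing the whole DACL by hand, it reads the service's current SDDL with `sc.exe sdshow`, appends one read-only ACE for the monitoring account, carries the service's current startup mode into the template (the `2` in the template's service line is the startup mode and secedit applies it too), and limits `secedit /configure` to the SERVICES area. It assumes an elevated PowerShell on the host, `sc.exe` and `secedit.exe` on the PATH (both ship with Windows) and an account name that resolves to a SID; the function name `Grant-ServiceReadOnly`, its parameters, the `$WorkDir` default and the example account are this example's own, and it calls the executables directly rather than through `Start-IcingaProcess`.

```powershell
<#
Added example, not code from the issue or from the Icinga for Windows project.
Grants ONE account read-only rights on ONE service by appending an ACE to the
service's existing SDDL and applying it through a security template, so the
ACEs already on the service and its startup type are preserved.
Assumptions: elevated PowerShell on the host; sc.exe and secedit.exe on the PATH;
the account name resolves to a SID. Function and parameter names are this
example's own, not part of the framework.
#>
function Grant-ServiceReadOnly {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # e.g. 'ClusSvc' or 'vmms'
        [Parameter(Mandatory)] [string] $Account,       # e.g. 'DOMAIN\icinga-check' (constructed)
        [string] $WorkDir = 'C:\users\public'            # where the .inf/.sdb/.log files land
    )

    # Same read-only access mask the issue's template gives INTERACTIVE and the custom user:
    # query config (CC), query status (LC), enumerate dependents (SW), interrogate (LO),
    # user-defined control (CR), read security descriptor (RC). No start/stop/change-config.
    $readOnlyRights = 'CCLCSWLOCRRC'

    # Store the SID, not the name, in the ACE so the template does not depend on name lookup.
    $sid = ([System.Security.Principal.NTAccount] $Account).Translate(
              [System.Security.Principal.SecurityIdentifier]).Value

    # Current descriptor straight from the SCM; a hand-written template would replace all of it.
    $current = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^\s*D:' }) -as [string]
    if (-not $current) { throw "sc.exe sdshow returned no SDDL for service '$ServiceName'" }
    $current = $current.Trim()

    if ($current -like "*;;;$sid)*") {
        Write-Host "$ServiceName already carries an ACE for $Account ($sid); nothing to do."
        return $current
    }

    # Append the new ACE at the end of the DACL, i.e. just before the SACL ("S:") when present.
    $ace = "(A;;$readOnlyRights;;;$sid)"
    $saclIndex = $current.IndexOf('S:')
    $newSddl = if ($saclIndex -ge 0) { $current.Insert($saclIndex, $ace) } else { $current + $ace }

    # Read the current startup mode so the template does not silently switch it to Automatic.
    $startMode = (Get-CimInstance Win32_Service -Filter "Name='$ServiceName'").StartMode
    $startCode = switch ($startMode) {
        'Auto'     { 2 }
        'Manual'   { 3 }
        'Disabled' { 4 }
        default    { throw "Unhandled start mode '$startMode' for $ServiceName" }
    }

    # Single-quoted here-string: $CHICAGO$ stays literal, {n} placeholders are filled by -f.
    $template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Service General Setting]
"{0}",{1},"{2}"
'@
    $base = Join-Path $WorkDir $ServiceName
    # Unicode=yes in the header means the file itself must be UTF-16LE.
    Set-Content -Path "$base.inf" -Value ($template -f $ServiceName, $startCode, $newSddl) -Encoding Unicode

    # Compile the template into a fresh database, then apply only its SERVICES area so no other
    # security setting is touched. /log keeps secedit's own record of what it changed.
    & secedit.exe /import /db "$base.sdb" /cfg "$base.inf" /overwrite /quiet
    & secedit.exe /configure /db "$base.sdb" /areas SERVICES /log "$base.log" /quiet

    # Verify against the SCM rather than trusting secedit's exit code.
    $applied = ((& sc.exe sdshow $ServiceName) -join '').Trim()
    if ($applied -notlike "*$ace*") { throw "ACE for $sid not found on $ServiceName after secedit; see $base.log" }
    return $applied
}

# Example call for the service from this issue (account name is constructed):
# Grant-ServiceReadOnly -ServiceName 'ClusSvc' -Account 'DOMAIN\icinga-check'
```

The function returns the SDDL that is in effect afterwards, so the before and after values can be diffed and kept with the change record. As the thread notes, a restart of the WinRM service may be needed before a remote session picks the change up, and the first run belongs on a throwaway system, where `sc.exe sdshow` on a few other services before and after confirms that only the one service was modified.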
I will look into this.