
Zabbix LLD Script - Building Block Permissions

Blog Post created by af0055432 on Mar 6, 2018
Just dumping stuff, for now.

Motivation

Almost everything I'm monitoring interacts in some way with Zabbix, and so when I set out to build something to automatically keep a record of permissions allocated to building blocks, I knew I wanted Zabbix to crunch the numbers/manage this all for me.

 

How?

This is relying on the Low-Level Discovery component of Zabbix.

There may be an easier way to do this, but as a proof I've used the bb-manifest.xml files of two building blocks; the example provided here is the Blackboard-provided building block 'bb-goal'.

 

My XSLT (v0.1)

This is the first working attempt; I know there are some places to save on characters in this.

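<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

<!-- Emit plain text, so xsltproc adds no XML declaration and does not entity-escape values -->
<xsl:output method="text"/>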

<xsl:template match="/">

"{ "data": [{"{#B2NAME}":"<xsl:value-of select="manifest/plugin/name/@value"/>","{#B2HANDLE}":"<xsl:value-of select="manifest/plugin/handle/@value"/>","{#B2VERSION}":"<xsl:value-of select="manifest/plugin/version/@value"/>","{#B2VENDOR}":"<xsl:value-of select="manifest/plugin/vendor/name/@value"/>","{#B2PERMISSIONS}":[<xsl:for-each select="manifest/plugin/permissions/permission">{"{#B2PERMISSIONTYPE}":"<xsl:value-of select="@type"/>","{#B2PERMISSIONNAME}":"<xsl:value-of select="@name"/>","{#B2PERMISSIONACTION}":"<xsl:value-of select="@actions"/>"}<xsl:choose><xsl:when test="position()!=last()">,</xsl:when></xsl:choose></xsl:for-each>]}]}"

</xsl:template>

</xsl:stylesheet>

To process the files, I'm using the Linux command-line tool xsltproc on an Ubuntu-based docker container.

root@67512835311e:/tmp# xsltproc ./zbx-bb-manifest.xsl ./bb-manifest.xml

Raw Output:

"{ "data": [{"{#B2NAME}":"plugin.name","{#B2HANDLE}":"goal","{#B2VERSION}":"3100.0.6-rel.3+bc75ffb","{#B2VENDOR}":"Blackboard Inc.","{#B2PERMISSIONS}":[{"{#B2PERMISSIONTYPE}":"attribute","{#B2PERMISSIONNAME}":"user.authinfo","{#B2PERMISSIONACTION}":"get"},{"{#B2PERMISSIONTYPE}":"attribute","{#B2PERMISSIONNAME}":"user.personalinfo","{#B2PERMISSIONACTION}":"get"},{"{#B2PERMISSIONTYPE}":"blackboard.persist.PersistPermission","{#B2PERMISSIONNAME}":"entitlement","{#B2PERMISSIONACTION}":"create,modify"},{"{#B2PERMISSIONTYPE}":"java.io.FilePermission","{#B2PERMISSIONNAME}":"${java.home}/lib/*","{#B2PERMISSIONACTION}":"read"},{"{#B2PERMISSIONTYPE}":"java.io.FilePermission","{#B2PERMISSIONNAME}":"BB_HOME/apps/tomcat/temp/-","{#B2PERMISSIONACTION}":"read,write,delete"},{"{#B2PERMISSIONTYPE}":"java.io.FilePermission","{#B2PERMISSIONNAME}":"BB_CONTENT/-","{#B2PERMISSIONACTION}":"read,write,delete"},{"{#B2PERMISSIONTYPE}":"java.lang.reflect.ReflectPermission","{#B2PERMISSIONNAME}":"suppressAccessChecks","{#B2PERMISSIONACTION}":""},{"{#B2PERMISSIONTYPE}":"java.lang.RuntimePermission","{#B2PERMISSIONNAME}":"*","{#B2PERMISSIONACTION}":""},{"{#B2PERMISSIONTYPE}":"java.security.SecurityPermission","{#B2PERMISSIONNAME}":"insertProvider.SUN","{#B2PERMISSIONACTION}":""},{"{#B2PERMISSIONTYPE}":"java.security.SecurityPermission","{#B2PERMISSIONNAME}":"insertProvider.SunJSSE","{#B2PERMISSIONACTION}":""},{"{#B2PERMISSIONTYPE}":"java.util.PropertyPermission","{#B2PERMISSIONNAME}":"*","{#B2PERMISSIONACTION}":"read,write"},{"{#B2PERMISSIONTYPE}":"blackboard.persist.PersistPermission","{#B2PERMISSIONNAME}":"reportdefinitiontype","{#B2PERMISSIONACTION}":"create,modify"},{"{#B2PERMISSIONTYPE}":"blackboard.persist.PersistPermission","{#B2PERMISSIONNAME}":"reportdefinition","{#B2PERMISSIONACTION}":"create,modify"},{"{#B2PERMISSIONTYPE}":"blackboard.persist.PersistPermission","{#B2PERMISSIONNAME}":"person","{#B2PERMISSIONACTION}":"create,modify"},{"{#B2PERMISSIONTYPE}":"blackboard.platform.reporting.service.birt.BirtReportPermission","{#B2PERMISSIONNAME}":"*","{#B2PERMISSIONACTION}":""}]}]}"

Displayed a little nicer, this is a section of the above:

There are multiple ways I can get this raw data into Zabbix.

  • Execute a script on Zabbix Server
  • Execute command on Zabbix Agent on a monitored host (might return after the default 3 second agent timeout)
  • Run a script as a cronjob/scheduled task, using the Zabbix Sender to get the values back to the server. Preferred.
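An added example, not the author's code: a Python version of the same extraction that a cron job could run before handing the result to Zabbix Sender. It emits the JSON object itself (no surrounding quotation marks), writes one flat row per permission so that every macro value is a plain string, and leaves escaping to json.dumps. The sample manifest is constructed to match the element paths the XSLT selects; the function names are this example's own.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample in the shape the XSLT above selects from; not a real manifest.
SAMPLE_MANIFEST = """<manifest>
  <plugin>
    <name value='Goal "beta"'/>
    <handle value="goal"/>
    <version value="3100.0.6-rel.3+bc75ffb"/>
    <vendor><name value="Blackboard Inc."/></vendor>
    <permissions>
      <permission type="attribute" name="user.authinfo" actions="get"/>
      <permission type="java.lang.RuntimePermission" name="*"/>
      <permission type="java.io.FilePermission" name="C:\\bb\\temp\\-" actions="read,write"/>
    </permissions>
  </plugin>
</manifest>"""


def _attr(plugin, path, attr="value"):
    """Attribute of the first element matching path, or '' when it is absent."""
    node = plugin.find(path)
    return node.get(attr, "") if node is not None else ""


def manifest_to_lld(xml_text):
    """Return LLD JSON with one flat row per <permission> element."""
    plugin = ET.fromstring(xml_text).find("plugin")
    if plugin is None:
        raise ValueError("no <plugin> element in manifest")
    block = {
        "{#B2NAME}": _attr(plugin, "name"),
        "{#B2HANDLE}": _attr(plugin, "handle"),
        "{#B2VERSION}": _attr(plugin, "version"),
        "{#B2VENDOR}": _attr(plugin, "vendor/name"),
    }
    rows = [{**block,
             "{#B2PERMISSIONTYPE}": p.get("type", ""),
             "{#B2PERMISSIONNAME}": p.get("name", ""),
             "{#B2PERMISSIONACTION}": p.get("actions", "")}
            for p in plugin.findall("permissions/permission")]
    # json.dumps escapes the quotes and backslashes that break hand-assembled JSON.
    # A block with no permissions still yields one row so it is discovered.
    return json.dumps({"data": rows or [block]})


if __name__ == "__main__":
    print(manifest_to_lld(SAMPLE_MANIFEST))
```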

 

Where to from here?

'Host' Mapping in Zabbix:

Because every building block now exists as a separate monitored 'host' in Zabbix, I will be organising the host group hierarchy like this:

  • UniversiteitvanAmsterdam/Applications/Blackboard/Production/BuildingBlocks/{#B2NAME}
  • UniversiteitvanAmsterdam/Applications/Blackboard/Staging/BuildingBlocks/{#B2NAME}
  • UniversiteitvanAmsterdam/Applications/Blackboard/Development/BuildingBlocks/{#B2NAME}

 

With the above structure, I can set up a trigger condition which fires when the item {#B2NAME}.{#B2VERSION} in production is not the same as that of the building block in Staging. This trigger could be adjusted to only fire if the values have been different for one or two weeks (depending on how stringent I want to be with change migration). It's also very possible to use Zabbix to rectify those discrepancies, whether migrating the staging version to production, or rolling back staging to that which is in production (automatically or with some human interaction, but that's not coming in this article).

"Is it reasonable to ask for that?"

An unnamed third-party building block asks for these two permissions:

The first of those requests is valid for the purpose that the building block exists; this is a reasonable request. I'm not convinced that the latter is, though; I might check that out.
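An added example, not from the original post: a first-pass filter that picks out the grants most worth asking that question about, run here over permissions copied from the bb-goal raw output above. The three rules (wildcard name, recursive file path with write/delete/execute, suppressAccessChecks) are this example's own starting heuristics based on Java permission semantics, not a Blackboard or Zabbix rule set.

```python
# Grants copied from the bb-goal raw output earlier in the post: (type, name, actions).
BB_GOAL = [
    ("attribute", "user.authinfo", "get"),
    ("java.io.FilePermission", "${java.home}/lib/*", "read"),
    ("java.io.FilePermission", "BB_CONTENT/-", "read,write,delete"),
    ("java.lang.reflect.ReflectPermission", "suppressAccessChecks", ""),
    ("java.lang.RuntimePermission", "*", ""),
    ("java.util.PropertyPermission", "*", "read,write"),
    ("blackboard.persist.PersistPermission", "person", "create,modify"),
]

FILE_MUTATE = {"write", "delete", "execute"}


def review(perm_type, name, actions):
    """Return reasons a grant deserves a manual look; empty list if none apply."""
    acts = {a.strip() for a in actions.split(",") if a.strip()}
    reasons = []
    if name == "*":
        reasons.append("wildcard name: covers every target of this permission type")
    if perm_type == "java.io.FilePermission":
        # A trailing "/-" means the directory and everything below it.
        recursive = name.endswith("/-") or name == "<<ALL FILES>>"
        if recursive and acts & FILE_MUTATE:
            reasons.append("recursive file access with "
                           + ",".join(sorted(acts & FILE_MUTATE)))
    if (perm_type, name) == ("java.lang.reflect.ReflectPermission",
                             "suppressAccessChecks"):
        reasons.append("reflection may bypass Java language access checks")
    return reasons


def flagged(perms):
    """Map (type, name) -> reasons for every grant that review() flags."""
    out = {}
    for perm_type, name, actions in perms:
        reasons = review(perm_type, name, actions)
        if reasons:
            out[(perm_type, name)] = reasons
    return out


if __name__ == "__main__":
    for key, reasons in flagged(BB_GOAL).items():
        print(key, "->", "; ".join(reasons))
```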

 

Negatives?

If I have this just reading all files matching */WEB-INF/bb-manifest.xml, I'll get information on building blocks which are inactive as well, is this a problem? Maybe not....

 

Make it a Bit Smarter?

/usr/local/blackboard/tools/admin/B2Manager.sh -l | grep 'AVAILABLE'

Gives me those building blocks which are AVAILABLE or UNAVAILABLE, giving records in this format:

- "Goal" (bb-goal) 3100.0.6-rel.3+bc75ffb by Blackboard Inc. [AVAILABLE]

I can extract the (vendor-handle) combination from that to only read in bb-manifest.xml files from those building blocks not marked INACTIVE:

root@67512835311e:/tmp# xsltproc ./zbx-bb-manifest.xsl /usr/local/blackboard/content/vi/bblearn/plugins/vendor-handle/webapp/WEB-INF/bb-manifest.xml
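An added example, not the author's code: parsing the listing records instead of grepping them, so the status is read from the trailing bracket rather than matched anywhere on the line, and the handle is validated before it becomes part of a path read as root. The record layout and plugins directory are taken from the post; the sample listing (apart from its first line) and the allowed-character rule for handles are assumptions of this example.

```python
import re

PLUGINS_DIR = "/usr/local/blackboard/content/vi/bblearn/plugins"  # path from the post
LINE_RE = re.compile(
    r'^- "(?P<name>.*)" \((?P<handle>[^()\s]+)\) (?P<version>\S+) '
    r'by (?P<vendor>.+) \[(?P<status>[A-Z]+)\]$'
)
# Assumed rule: a handle is one directory name, with no separators or leading dot.
SAFE_HANDLE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")

# Constructed listing: the first line is the record quoted in the post, the rest are made up.
SAMPLE_LISTING = '''\
- "Goal" (bb-goal) 3100.0.6-rel.3+bc75ffb by Blackboard Inc. [AVAILABLE]
- "Old Tool" (acme-oldtool) 1.0.0 by Acme [INACTIVE]
- "AVAILABLE soon" (acme-soon) 0.1 by Acme [INACTIVE]
- "Odd" (../../etc) 1.0 by Nobody [AVAILABLE]
- "Paused" (acme-paused) 2.3 by Acme [UNAVAILABLE]
'''


def manifest_paths(listing, keep=("AVAILABLE", "UNAVAILABLE")):
    """Return bb-manifest.xml paths for records whose status is in keep."""
    paths = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["status"] not in keep:
            continue  # not a record, or a status we do not want (e.g. INACTIVE)
        handle = m["handle"]
        if not SAFE_HANDLE.match(handle) or ".." in handle:
            continue  # refuse anything that could step outside PLUGINS_DIR
        paths.append(f"{PLUGINS_DIR}/{handle}/webapp/WEB-INF/bb-manifest.xml")
    return paths


if __name__ == "__main__":
    for path in manifest_paths(SAMPLE_LISTING):
        print(path)
```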

 

Thanks for reading and feel free to follow for more rambling posts.
