Facilitate privacyIDEA system health check

[laclaro]

We could facilitate the check of the system health by providing information to an authenticated admin at a special endpoint. Many monitoring platforms can issue simple http requests and process the result.

• [ ] Check availability of the resolvers
• [ ] Check availability of the database
• Check the time of the last (successful) validate/check request

Best regards,

Henning

[cornelinux]

There ist already a similar issue privacyidea/privacyidea#1896. The question is, if it is the task of privacyIDEA to monitor user stores. With the unix philosophy it would be not. Do one thing and to it right. I think it is not the task of privacyidea to monitor other components in the network.

We also already have a script for nagios or icinga, that checks the complete authentication process: https://github.com/privacyidea/check_privacyidea

[cornelinux]

Basically all information is already available via REST API. E.g. GET /user will tell you, if the resolvers are available.

So to not clutter the core code we could add further scripts like this here: https://github.com/privacyidea/check_privacyidea which can be easily used with OTRS or icinga or used as a template for other systems.

For the scripts we would need an administrative service account. I think besides the complete authentication, probably the most important part would be to have

• privacyIDEA is basically available: call GET /system this will simply check if the database is available. No other communication to external systems.

• userstores are available: call GET /users/ with one or more defined users, from which it is known in which resolver they are located.

The scripts would get a configuration for the service account, endpoint and additional information lik users.

@laclaro I would like to move this as an issue to https://github.com/privacyidea/check_privacyidea. What do you think?

[laclaro]

Yes, let's move it.