Icinga / icinga2

The core of our monitoring platform with a powerful configuration language and REST API.
https://icinga.com/docs/icinga2/latest
GNU General Public License v2.0

ApiUser does not know hashed_password Attribute #6175

Closed morremeyer closed 6 years ago

morremeyer commented 6 years ago

A test API user is defined as follows, according to https://www.icinga.com/docs/icinga2/latest/doc/09-object-types/#objecttype-apiuser

/* Managed by ansible. Any manual edits will be overwritten! */

object ApiUser "defaultuser" {
  password = "eebo5eeRahyaciev4ung7hahg4ahf9heph9ooB1WeD6LahV3pidai4shoomuiphi"
  permissions = []
}

Expected Behavior

Icinga2 loads normally.

Current Behavior

The configuration check fails:

root@mon01:/etc/icinga2# icinga2 daemon -C
information/cli: Icinga application loader (version: r2.8.2-1)
information/cli: Loading configuration file(s).
information/ConfigItem: Committing config item(s).
information/ApiListener: My API identity: ***redacted.example.com***
critical/config: Error: Attribute 'hashed_password' does not exist.
Location: in /etc/icinga2/conf.d/api-users.conf: 4:3-4:44
/etc/icinga2/conf.d/api-users.conf(2): 
/etc/icinga2/conf.d/api-users.conf(3): object ApiUser "defaultuser" {
/etc/icinga2/conf.d/api-users.conf(4):   hashed_password = "$5$thisisaninvalidhash"
                                         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
/etc/icinga2/conf.d/api-users.conf(5):   // client_cn = ""
/etc/icinga2/conf.d/api-users.conf(6):   // permissions = [ "*" ]

critical/config: 1 error

When testing with password instead of hashed_password, the configuration check succeeds and icinga2 starts as expected.

Steps to Reproduce (for bugs)

  1. install icinga2
  2. icinga2 node setup --master
  3. icinga2 feature enable api
  4. Set the config in /etc/icinga2/conf.d/api-users.conf to the configuration described above

Context

I'd like to use salted + hashed passwords instead of clear text ones.

Your Environment

Copyright (c) 2012-2017 Icinga Development Team (https://www.icinga.com/)
License GPLv2+: GNU GPL version 2 or later http://gnu.org/licenses/gpl2.html
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Application information:
  Installation root: /usr
  Sysconf directory: /etc
  Run directory: /run
  Local state directory: /var
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

System information:
  Platform: Ubuntu
  Platform version: 16.04.4 LTS (Xenial Xerus)
  Kernel: Linux
  Kernel version: 4.4.0-112-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 5.3.1
  Build host: 86927c12b6d8


* Operating System and version: Ubuntu 16.04.4 LTS
* Enabled features:

root@mon01:/etc/icinga2# icinga2 feature list
Disabled features: compatlog debuglog elasticsearch gelf graphite influxdb livestatus opentsdb perfdata statusdata syslog
Enabled features: api checker command ido-mysql mainlog notification

* Config validation: As seen in Current Behavior

mcktr commented 6 years ago

Hi,

thanks for reporting. Looks like the wrong attribute was documented, the right one should be password_hash. Could you try that?

Best regards, Michael

morremeyer commented 6 years ago

@mcktr Yes, that is indeed the resolution. I submitted #6176 to fix it.
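
A pre-deployment lint for the mistake discussed in this thread, as an added example (not code from the Icinga project or from the participants): it scans Icinga 2 configuration text for ApiUser objects that set hashed_password, the name the config check rejected, or a cleartext password, while ignoring comments and string contents. The function names, finding texts and sample config are constructed for illustration; the attribute names are the ones that appear in the thread.

```python
import re

# Attribute names come from this thread; the finding texts are this example's own wording.
FINDINGS = {
    "hashed_password": "rejected by the config check; the thread's fix is password_hash",
    "password": "cleartext credential stored in the config file",
}
TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
HEADER = re.compile(r'\bobject\s+ApiUser\s+"(_*)"\s*\{')
ATTR = re.compile(r'(?<![\w.])([A-Za-z_]\w*)\s*[-+]?=(?!=)')

def _mask(text, keep_strings):
    """Blank comments (and optionally string bodies) without moving offsets."""
    def repl(m):
        tok = m.group(0)
        if tok[0] != '"':
            return re.sub(r"[^\n]", " ", tok)  # comment: keep only line breaks
        return tok if keep_strings else '"' + "_" * (len(tok) - 2) + '"'
    return TOKEN.sub(repl, text)

def lint_api_users(text):
    """Return (line, user, attribute, finding) for flagged top-level attributes."""
    named, masked, findings = _mask(text, True), _mask(text, False), []
    for head in HEADER.finditer(masked):
        user = named[head.start(1):head.end(1)]
        depth, i, flat = 1, head.end(), []
        while i < len(masked) and depth:
            ch = masked[i]
            depth += (ch == "{") - (ch == "}")
            flat.append(ch if (depth == 1 and ch not in "{}") or ch == "\n" else " ")
            i += 1
        for m in ATTR.finditer("".join(flat)):
            if m.group(1) in FINDINGS:
                line = masked.count("\n", 0, head.end() + m.start(1)) + 1
                findings.append((line, user, m.group(1), FINDINGS[m.group(1)]))
    return findings

# Constructed sample; the first object repeats the attribute from the error output above.
SAMPLE = r'''object ApiUser "defaultuser" {
  hashed_password = "$5$thisisaninvalidhash"
}
object ApiUser "legacy" {
  password = "constructed#pw//{"  # string holds comment and brace characters
  permissions = [ { permission = "objects/query/Host" } ]
}
object ApiUser "ok" {
  password_hash = "<placeholder-hash>"  /* password = "old" */
}
'''
```

Calling `lint_api_users()` on the contents of a rendered api-users.conf before deployment returns one tuple per flagged attribute; an empty list means neither name was found in any ApiUser object.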