Icinga / icingaweb2-module-director

The Director aims to be your new favourite Icinga config deployment tool. Director is designed for those who want to automate their configuration deployment and those who want to grant their “point & click” users easy access to the configuration.
https://icinga.com/docs/director/latest
GNU General Public License v2.0

Group restricted user can't create or re-modify host attributes #1464

Closed Wintermute2k6 closed 6 years ago

Wintermute2k6 commented 6 years ago

Expected Behavior

Detail View/modification of Host Object attributes with restricted user

Current Behavior

Modification/View simply stops working or just shows plain error page.

Possible Solution

Better error page with 'user has not appropriate rights to access/modify this object' or the correct modification of the host object.

Steps to Reproduce (for bugs)

Members of the group 'testgroup 1234' should be able to modify/create objects of the 'test_hostgroup1'.

Create User Object which is part of a group with the following rights:

[testgroup DB]

groups = "testgroup 1234"

permissions = "application/share/navigation, application/stacktraces, module/director, director/api, director/audit, director/showconfig, director/deploy, director/hosts, director/services, director/users, director/notifications, director/inspect, module/monitoring, monitoring/command/schedule-check, monitoring/command/acknowledge-problem, monitoring/command/remove-acknowledgement, monitoring/command/comment/add, monitoring/command/downtime/schedule, monitoring/command/downtime/delete, monitoring/command/process-check-result"

monitoring/filter/objects = "_host_db=true|hostgroup_name=test_hostgroup1|hostgroup_name=test_hostgroup2|hostgroup_name=test_hostgroup3|hostgroup_name=test_hostgroup4"

director/filter/hostgroups = "test_hostgroup1"

users = "testuser1"

Your Environment

Icinga Web 2 Modules:

MODULE       VERSION  STATE    DESCRIPTION
batman       master   enabled  Batman Theme
director     1.4.3    enabled  Director - Config tool for Icinga 2
doc          2.5.0    enabled  Documentation module
fileshipper  1.0.1    enabled  Fileshipper for Icinga Director
monitoring   2.5.0    enabled  Icinga monitoring module
nagvis       1.1.1    enabled  NagVis integration
pnp          1.0.1    enabled  Timeseries grapher integration for PNP4Nagios
unicorn      master   enabled  Unicorn Theme

Packages: icingaweb2-2.5.0-1.el7.icinga.noarch php-5.4.16-43.el7_4.x86_64 httpd-2.4.6-67.el7_4.6.x86_64

Icinga 2

Debuglog is disabled. Not all checks might succeed

Packages:

Icinga 2 Version: 2.8.0
Done checking packages. See Anomaly section if something odd was found.

Features:
Disabled features: compatlog debuglog elasticsearch gelf graphite influxdb opentsdb syslog
Enabled features: api checker command ido-mysql livestatus mainlog notification perfdata statusdata

OS

OS Version: Red Hat Enterprise Linux Server release 7.4 (Maipo)
Hypervisor: Running virtually on a VMware hypervisor
CPU cores: 4
RAM: 7.6G

Errors

No such object available #0 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(328): Icinga\Module\Director\Web\Controller\ObjectController->loadObject() #1 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(62): Icinga\Module\Director\Web\Controller\ObjectController->eventuallyLoadObject() #2 /usr/share/php/Icinga/Web/Controller/ActionController.php(152): Icinga\Module\Director\Web\Controller\ObjectController->init() #3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request), Object(Icinga\Web\Response), Array) #4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response)) #5 /usr/share/php/Icinga/Application/Web.php(407): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response)) #6 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch() #7 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...') #8 {main}


At the same time the object is created: "test" is created by Author test, Date 2018-04-10 10:29:11, action create, icinga_host "test", checksum 6595337e09654cd55170a9b77735b5d58ac7243f, zones.d/master/hosts.conf:

    object Host "test" {
        import "test DB Instance"

        display_name = "test"
    }

================================================================

SQLSTATE[42S22]: Column not found: 1054 Unknown column 'o.object_name' in 'where clause', query was: SELECT h.id FROM icinga_hostgroup AS h WHERE (id = '17') AND (o.object_name IN ('test DB Instance'))

#0 /usr/share/icingaweb2/library/vendor/Zend/Db/Statement.php(297): Zend_Db_Statement_Pdo->_execute(Array)
#1 /usr/share/icingaweb2/library/vendor/Zend/Db/Adapter/Abstract.php(470): Zend_Db_Statement->execute(Array)
#2 /usr/share/icingaweb2/library/vendor/Zend/Db/Adapter/Pdo/Abstract.php(232): Zend_Db_Adapter_Abstract->query('SELECT h.id FRO...', Array)
#3 /usr/share/icingaweb2/library/vendor/Zend/Db/Adapter/Abstract.php(816): Zend_Db_Adapter_Pdo_Abstract->query(Object(Zend_Db_Select), Array)
#4 /usr/share/icingaweb2/modules/director/library/Director/Restriction/HostgroupRestriction.php(86): Zend_Db_Adapter_Abstract->fetchOne(Object(Zend_Db_Select))
#5 /usr/share/icingaweb2/modules/director/library/Director/Restriction/HostgroupRestriction.php(21): Icinga\Module\Director\Restriction\HostgroupRestriction->allowsHostGroup(Object(Icinga\Module\Director\Objects\IcingaHostGroup))
#6 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/Extension/ObjectRestrictions.php(41): Icinga\Module\Director\Restriction\HostgroupRestriction->allows(Object(Icinga\Module\Director\Objects\IcingaHostGroup))
#7 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(348): Icinga\Module\Director\Web\Controller\ObjectController->allowsObject(Object(Icinga\Module\Director\Objects\IcingaHostGroup))
#8 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(328): Icinga\Module\Director\Web\Controller\ObjectController->loadObject()
#9 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(62): Icinga\Module\Director\Web\Controller\ObjectController->eventuallyLoadObject()
#10 /usr/share/php/Icinga/Web/Controller/ActionController.php(152): Icinga\Module\Director\Web\Controller\ObjectController->init()
#11 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request), Object(Icinga\Web\Response), Array)
#12 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#13 /usr/share/php/Icinga/Application/Web.php(407): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#14 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch()
#15 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#16 {main}

Thomas-Gelf commented 6 years ago

Main problem here is that your user has been granted admin permissions while being restricted to just a couple of host groups. Let me go through the individual problems I see here:

So, while the join error should be fixed, I consider this low prio as you're not expected to reach this scenario at all. What exactly are you trying to accomplish with this set of permissions? Maybe I can help with a better idea on how to tackle your requirements.

Regards, Thomas
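As an added illustration (not from the thread's participants or from the Director project), here is the role from the report next to a narrower one along the lines Thomas suggests: the same hostgroup filter, but only the permissions a "point & click" user of those hosts needs, with director/services left out as he proposes. The permission names are the ones that appear in this thread; the second role's name is made up. Narrowing the role is a least-privilege cleanup only; it does not address the bug Thomas reproduces later in the thread.

```ini
; Over-broad: admin-level Director permissions (users, deploy, showconfig,
; api, ...) combined with a hostgroup restriction. This is the combination
; from the report, the one Thomas says you are not expected to reach.
[testgroup DB]
groups = "testgroup 1234"
permissions = "module/director, director/api, director/audit, director/showconfig, director/deploy, director/hosts, director/services, director/users, director/notifications, director/inspect, module/monitoring"
director/filter/hostgroups = "test_hostgroup1"

; Narrower: only hosts in the allowed group. director/services is omitted,
; as suggested in the thread; the user can still edit the services of the
; hosts they are allowed to see. Role name is an assumption.
[db-hosts-editor]
groups = "testgroup 1234"
permissions = "module/director, director/hosts, module/monitoring"
director/filter/hostgroups = "test_hostgroup1"
monitoring/filter/objects = "hostgroup_name=test_hostgroup1"
```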

winter1967 commented 6 years ago

I'm sorry, but that isn't the explanation / solution. It happens too when these restrictions are set:

[Director Vollzugriff-test]
users = "a-winter"
permissions = "module/batman, module/director, director/hosts, director/services, module/monitoring, module/unicorn"
monitoring/filter/objects = "_host_db=true|hostgroup_name=Linux-Datenbankserver|hostgroup_name=MicrosoftMSSQLServer|hostgroup_name=Oracle-Server"
director/filter/hostgroups = "mssql-instanzen"

When I want to overwrite a threshold:

#0 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(328): Icinga\Module\Director\Web\Controller\ObjectController->loadObject()
#1 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(62): Icinga\Module\Director\Web\Controller\ObjectController->eventuallyLoadObject()
#2 /usr/share/php/Icinga/Web/Controller/ActionController.php(152): Icinga\Module\Director\Web\Controller\ObjectController->init()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request), Object(Icinga\Web\Response), Array)
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#5 /usr/share/php/Icinga/Application/Web.php(407): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#6 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#8 {main}

The threshold has been set after this error, but in future it won't be displayed for me. The consequence is that when an admin makes a modification, the server on which the modification has been made will be lost for him in the Director view!

Thomas-Gelf commented 6 years ago

Looks much better, the error is a different one. What path did you take to arrive at this point? Is the threshold defined in a host field or on a service? Could you please try again and also leave director/services away? You will still be allowed to change your host's services.

And, in addition to this: any chance you could give the current master a try? There have been some related changes and fixes. For example there is now a check in place that should make sure that you're not allowed to apply your changes if the resulting object would afterwards no longer be visible to your user. Please note that when trying the master, and given that you want to have a safe path back, you need to create a db-snapshot first, as the master applies schema-migrations.
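Thomas describes a guard in the then-current master: a change is refused when the resulting object would no longer be visible to the user who makes it. The following Python model is added here as an example and is not taken from the Director code base (which is PHP); it shows what a hostgroup restriction plus that lock-out guard look like in isolation. Host, group and variable names follow the thread; the `applied` lookup (groups assigned by apply rules) is a constructed stand-in for the resolution Director does against its database, and the error strings are illustrative.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Host:
    """A Director host object reduced to what the restriction looks at."""
    name: str
    groups: frozenset                          # groups set directly in the host definition
    vars: dict = field(default_factory=dict)   # e.g. "_override_servicevars"


class HostgroupRestriction:
    """Visibility rule of the kind director/filter/hostgroups = "..." expresses.

    allowed: group names from the role's filter; an empty set means no restriction.
    applied: constructed lookup, host name -> groups assigned by apply rules
             (assumption: Director resolves these elsewhere; here they are given).
    """

    def __init__(self, allowed: Iterable[str],
                 applied: Optional[Dict[str, Set[str]]] = None) -> None:
        self.allowed = frozenset(allowed)
        self.applied = applied or {}

    def effective_groups(self, host: Host) -> frozenset:
        # Direct membership and apply-rule membership both count.
        return host.groups | frozenset(self.applied.get(host.name, ()))

    def allows(self, host: Host) -> bool:
        if not self.allowed:
            return True
        return bool(self.effective_groups(host) & self.allowed)

    def visible_names(self, hosts: Iterable[Host]) -> List[str]:
        return [h.name for h in hosts if self.allows(h)]

    def apply_change(self, current: Host, modified: Host) -> Host:
        """Accept a modification only if the user may see the object both
        before and after it; refusing the second case is the lock-out guard."""
        if not self.allows(current):
            # Same outcome the report hit: the object cannot be loaded at all.
            raise PermissionError("No such object available")
        if not self.allows(modified):
            raise PermissionError(
                "refusing change to %r: it would no longer be visible to this role"
                % modified.name)
        return modified


def scenario() -> Dict[str, object]:
    """Constructed walk-through of the thread's case (names from the thread)."""
    role = HostgroupRestriction(["mssql-instanzen"])
    host = Host(
        "K00337v03-Session",
        frozenset({"mssql-instanzen"}),
        {"_override_servicevars": {
            "MSSQL_BatchRequests": {"mssql_health_critical": "1500",
                                    "mssql_health_warning": "750"}}},
    )
    other = Host("unrelated-host", frozenset({"Oracle-Server"}))

    # 1. Raising the warning threshold keeps the groups, so the host stays visible.
    new_vars = {"_override_servicevars": {
        "MSSQL_BatchRequests": {"mssql_health_critical": "1500",
                                "mssql_health_warning": "751"}}}
    edited = role.apply_change(host, replace(host, vars=new_vars))
    warning = edited.vars["_override_servicevars"]["MSSQL_BatchRequests"]["mssql_health_warning"]

    # 2. Removing the only allowed group would lock the user out of the host:
    #    the guard refuses it instead of silently making the host disappear.
    try:
        role.apply_change(host, replace(host, groups=frozenset()))
        drop_rejected = False
    except PermissionError:
        drop_rejected = True

    # 3. Membership via an apply rule counts the same as a direct assignment.
    by_rule = HostgroupRestriction(["mssql-instanzen"],
                                   {"applied-member": {"mssql-instanzen"}})

    return {
        "visible_before": role.visible_names([host, other]),
        "warning_after_edit": warning,
        "still_visible": role.allows(edited),
        "drop_group_rejected": drop_rejected,
        "apply_rule_member_visible": by_rule.allows(Host("applied-member", frozenset())),
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key}: {value}")
```

The point of the guard is the second step: a restricted user editing an object they can see must never end up with an object they can no longer see, which is exactly the "hosts disappearing one by one" symptom reported further down in this thread.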

winter1967 commented 6 years ago

With the given restrictions, I have the following Director entries:

Host -> 9 of 30 hosts (the other hosts I can't see)
Services -> 0 of ~30 services

I open the host definition (without errors), then I open the tab "Services" of this host and I see the services inherited from the template "DB-MSSQL Instanzen". I open one of these services, for example "Mssql_BatchRequess", I can see the thresholds and I change one, I click "overwrite variables" to change the setting, and now I get this error:

#0 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(328): Icinga\Module\Director\Web\Controller\ObjectController->loadObject()
#1 /usr/share/icingaweb2/modules/director/library/Director/Web/Controller/ObjectController.php(62): Icinga\Module\Director\Web\Controller\ObjectController->eventuallyLoadObject()
#2 /usr/share/php/Icinga/Web/Controller/ActionController.php(152): Icinga\Module\Director\Web\Controller\ObjectController->init()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request), Object(Icinga\Web\Response), Array)
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#5 /usr/share/php/Icinga/Application/Web.php(407): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#6 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once('/usr/share/php/...')
#8 {main}

It's a little bit spooky, because the host on the left side (Hosts) disappears. I no longer see 9 hosts, but 8 hosts; if I changed some settings of the remaining hosts, they would disappear too, and I think after a while I'd have 0 hosts :-(

Thomas-Gelf commented 6 years ago

That's REALLY spooky. Pretty strange, I work with customers intensively using this feature - I'd face a lot of complaints if it didn't work. Could you please (as an admin) have a look at that host's history and check what kind of changes got applied to it? One assumption: did it have directly assigned groups, and are they still there? That could differ from the environments I'm working with, as I'm mostly using this combined with hostgroups assigned via apply rules (because hostgroup-based permissions also work for hosts that are members of groups assigned via weird rules).

winter1967 commented 6 years ago

Here's one change I made. Host "K00337v03-Session", here are the changes:

Before: mssql_health_warning = "750"

After: mssql_health_warning = "751"

Before:

    display_name = "K00337\\I337V03"
    groups = [ "mssql-instanzen" ]
    vars["_override_servicevars"] = {
        MSSQL_BatchRequests = {
            mssql_health_critical = "1500"
            mssql_health_warning = "750"
        }
        MSSQL_CheckpointPages = {
            mssql_health_critical = "1500"
            mssql_health_warning = "750"
        }

After:

    display_name = "K00337\\I337V03"
    groups = [ "mssql-instanzen" ]
    vars["_override_servicevars"] = {
        MSSQL_BatchRequests = {
            mssql_health_critical = "1500"
            mssql_health_warning = "751"
        }
        MSSQL_CheckpointPages = {
            mssql_health_critical = "1500"
            mssql_health_warning = "750"
        }

After this change, the host isn't visible for me.

The objects have directly assigned groups (from the host definition in director)

After undoing my changes, the host is visible for my test account.

[Director Vollzugriff-test]
users = "a-winter"
permissions = "module/director, director/hosts, director/services, module/monitoring"
director/filter/hostgroups = "mssql-instanzen"

hashfunktion commented 6 years ago

I can confirm the same issue in my environment.

Icinga 2 (version: r2.8.4-1)
System information:
  Platform: Ubuntu
  Platform version: 16.04.4 LTS (Xenial Xerus)
  Kernel: Linux
  Kernel version: 4.4.0-127-generic
  Architecture: x86_64

Build information:
  Compiler: GNU 5.3.1
  Build host: 9c880c2f42f5

Server version: Apache/2.4.18 (Ubuntu)
Server built: 2018-04-18T14:53:04
PHP 7.0.30-0ubuntu0.16.04.1

Icinga Web 2:
  Name             Version
  businessprocess  2.1.0
  company          0.0.0
  director         1.4.3
  fileshipper      1.0.1
  Grafana          master
  map              1.0.4
  monitoring       2.5.3

Thomas-Gelf commented 6 years ago

I've been able to reproduce this, will be fixed.

Thomas-Gelf commented 6 years ago

@widhalmt: thanks for your help to track this down!

hashfunktion commented 6 years ago

Thanks @Thomas-Gelf & @widhalmt !