search

Icinga / icingaweb2-module-director

The Director aims to be your new favourite Icinga config deployment tool. Director is designed for those who want to automate their configuration deployment and those who want to grant their “point & click” users easy access to the configuration.
https://icinga.com/docs/director/latest
GNU General Public License v2.0
412 stars 201 forks source link

Authentication director/filter/hostgroups doesnt work for inherit groups #1663

Closed tgruenert closed 4 years ago

tgruenert commented 5 years ago

Expected Behavior

Please use inherit information from templates also as a criteria in filters at role definition.

Current Behavior

Filter on hostgroup in a role work only if hostgroup is set directly inside host definition.

Steps to Reproduce (for bugs)

  1. Define a host X based on a host template Xt. Host template is member of group A. So as far as i unterstand the host X is also member of hostgroup A. At GUI this is shown as inherit group. Nice feature.
  2. I define a role with filter director/filter/hostgroups=A.
  3. The user U based on this role see no hosts in director.
  4. Change Host X and set hostgroup directly to A.
  5. User U see the host inside director as expected.

Context

Environment

icinga2 --version

icinga2 - The Icinga 2 network monitoring daemon (version: r2.9.1-1)
System information:
  Platform: Debian GNU/Linux
  Platform version: 9 (stretch)
  Kernel: Linux
  Kernel version: 4.17.0-0.bpo.3-amd64
  Architecture: x86_64
.........
Build information:
  Compiler: GNU 6.3.0
  Build host: 83e7f59f33f0

Disabled features: debuglog elasticsearch gelf influxdb opentsdb perfdata statusdata syslog Enabled features: api checker command compatlog graphite ido-mysql livestatus mainlog notification

Thomas-Gelf commented 5 years ago

This used to be a problem, but should work fine right now. What Director version are you using?

tgruenert commented 5 years ago

gui show "master". it is deployd via docker from https://hub.docker.com/r/jordan/icinga2/ at 2018-08-11 hope this helps.

otherwise a hint how getting the commit id you locking for would be very welcome.

cbuehrer commented 5 years ago

Hi, i have the same problem. (Director version 1.6.2)

Any help would be highly appreciated Christof

slaveeu commented 5 years ago

I had a similar problem . The code section from IcingaHostForm.php

if (! $restriction->allowsHost($this->object())) { throw new AuthenticationException($this->translate( 'Unable to store a host with the given properties because of insufficient permissions' )); }

throws an exception in this scenarion because:

A possible workarround might be to update function allowsHost from file HostgroupRestriction.php

public function allowsHost(IcingaHost $host) { if (! $this->isRestricted()) { return true; } if (! $host->hasBeenLoadedFromDb()) { $host->setGroups($host->listInheritedGroupNames()); if ($host->hasModifiedGroups()) { foreach ($this->listRestrictedHostgroups() as $group) { ...

Thomas-Gelf commented 4 years ago

This should now work, otherwise please let me know.

ziirish commented 4 years ago

Hello,

I'm using director module v1.7.2 and I'm still encountering the same issue as @cbuehrer I can provide screenshots if that can be of any help.

As a reminder, steps to reproduce are:

Thanks

mvahani commented 4 years ago

@Thomas-Gelf I'm using the same version as @ziirish and get the same result. Was the fix for this issue not included in the last version or is there something else causing this now? Don't know if it's worth replying here or if a new issue should be created?

slaveeu commented 4 years ago

Just to confirm that with the same director version and I am also encounter the same issue