Icinga / icingaweb2-module-director

The Director aims to be your new favourite Icinga config deployment tool. Director is designed for those who want to automate their configuration deployment and those who want to grant their “point & click” users easy access to the configuration.
https://icinga.com/docs/director/latest
GNU General Public License v2.0

More hosts visible than user is restricted to #2701

Open MisterMountain opened 1 year ago

MisterMountain commented 1 year ago

Hello,

If you have a user in Icingaweb2 that is restricted to viewing only a single hostgroup, you can still see all other hosts that are not in the mentioned single hostgroup.

Expected Behavior

Host should not be visible in the Overview

Current Behavior

All hosts are visible in the Overview (icingaweb2/director/hosts), although not all of them are in the only allowed hostgroup

Possible Solution

Steps to Reproduce (for bugs)

  1. Create a user role test
  2. Create a user test
  3. Set these permissions in the /etc/icingaweb2/roles.ini:

         [test]
         users = "test"
         permissions = "module/director,director/hosts,director/inspect,director/monitoring/hosts,monitoring/*,module/monitoring"
         director/filter/hostgroups = "testgroup"
         director/service_set/filter-by-name = "testgroup"

  4. Create a hostgroup "testgroup" in the icinga director
  5. Now log in with your previously created user "test"
  6. Go to icingaweb2/director/hosts
  7. Try to open a host that is not in the hostgroup "testgroup"
  8. You should encounter an error like this:
No such object available

#0 /usr/share/icingaweb2/modules/director/application/controllers/ServiceController.php(73): Icinga\Module\Director\Web\Controller\ObjectController->loadSpecificObject()
#1 /usr/share/icingaweb2/modules/director/application/controllers/ServiceController.php(48): Icinga\Module\Director\Controllers\ServiceController->getOptionalRelatedObjectFromParams()
#2 /usr/share/php/Icinga/Web/Controller/ActionController.php(170): Icinga\Module\Director\Controllers\ServiceController->init()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct()
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(290): Zend_Controller_Front->dispatch()
#6 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

Your Environment

MisterMountain commented 1 year ago

ref/NC/776097

Thomas-Gelf commented 1 year ago

You're combining multiple restriction mechanisms:

With this combination, a single Host view succeeds, if either such a given filter matches - or the monitoring module allows to see a Host. Does this match what you're seeing in this setup?

Thomas-Gelf commented 1 year ago

NB: director/monitoring/hosts and director/hosts are usually exclusive, normally you grant only one of them.

MisterMountain commented 1 year ago

Good to know that it's common practice to only use one of those (director/monitoring/hosts might be kind of deprecated, as the monitoring module and IDO is).

Even if I apply only one of these filters, I can still see all hosts in the overview, even those I am not allowed to see: https://imgur.com/a/MNNH595 Is there an option to see only the hosts in the Host Overview that I am allowed to see in detail/can see without an error message?

Thomas-Gelf commented 1 year ago

I'm not following the "best" practice of deprecating software and components, before their successor becomes stable. Without director/hosts you should neither see the "Hosts" menu entry, nor related dashlets, your screenshot doesn't fit what you're describing.

Thomas-Gelf commented 1 year ago

@MisterMountain: could you please give the current master a try? I discovered some bug related to monitoring-module-related permissions, and pushed quite some changes. Grant just director/monitoring/hosts, and director/monitoring/services if you want. Don't grant director/hosts, as it would grant access to all hosts.
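Added example, not part of the original thread and not Director code: a small audit of a roles.ini file that flags roles combining the grants the maintainer describes as exclusive, or pairing director/hosts with a hostgroup filter. The sample roles, the function names and the glob-style handling of wildcard permissions are assumptions made for this illustration.

```python
import configparser
from fnmatch import fnmatchcase

# Constructed sample: [test] mirrors the role from the report, [restricted]
# follows the advice above (grant only director/monitoring/hosts).
SAMPLE_ROLES_INI = '''
[test]
users = "test"
permissions = "module/director,director/hosts,director/inspect,director/monitoring/hosts,monitoring/*,module/monitoring"
director/filter/hostgroups = "testgroup"

[restricted]
users = "test2"
permissions = "module/director,director/monitoring/hosts,module/monitoring"
'''

def granted(permissions, name):
    """True if any granted entry matches name (wildcards assumed glob-like)."""
    return any(fnmatchcase(name, p) for p in permissions)

def audit_roles(ini_text):
    """Return {role: [findings]} for roles whose Director grants conflict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    report = {}
    for role in parser.sections():
        sec = parser[role]
        raw = sec.get("permissions", "").strip().strip('"')
        perms = [p.strip() for p in raw.split(",") if p.strip()]
        findings = []
        all_hosts = granted(perms, "director/hosts")
        if all_hosts and granted(perms, "director/monitoring/hosts"):
            findings.append("director/hosts and director/monitoring/hosts are both granted")
        if all_hosts and "director/filter/hostgroups" in sec:
            findings.append("director/hosts is granted together with director/filter/hostgroups")
        if findings:
            report[role] = findings
    return report

if __name__ == "__main__":
    for role, findings in audit_roles(SAMPLE_ROLES_INI).items():
        for finding in findings:
            print(f"[{role}] {finding}")
```
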

carraroj commented 1 year ago

Hi Tom, I tried to test your last comment, but with current master, without the grant on director/hosts I didn't see any hosts. If I activate this grant, I can see all hosts, but I can only edit the host from the testgroup, which should be restricted, and for the others I get the same error messages from the top. With the monitoring module or just with icingadb, the result is quite the same. Did I configure something wrong?

chrnie commented 1 year ago

Any News on this?

martialblog commented 11 months ago

Hi,

tried this on the current master Git commit 12cca3ebcf520b5502378a95b16bd2db362163a1

This is also fixed in v1.11.0 a6f0a08

No longer an issue.

martialblog commented 11 months ago

Was fixed in https://github.com/Icinga/icingaweb2-module-director/commit/91b99d8e46045f26992bddce46eb813165edea23

Can be closed