jjethwa / icinga2

GNU General Public License v3.0

Icinga2 API user access denied #189

Open trickert76 opened 5 years ago

trickert76 commented 5 years ago

Hi,

I created a new user via the IcingaWeb2 WebUI and want to access the API via 5665. The port is running and answering, but my credentials aren't working - but via 80/443 it is working. I've also changed the Icingaadmin's password, and this account also cannot call /v1/status. I always got a 401. The log in data/icinga/log/icinga2/icinga2.log says:

[2019-07-13 12:21:29 +0000] information/ApiListener: New client connection from [xyz]:50355 (no client certificate)
[2019-07-13 12:21:29 +0000] information/HttpServerConnection: Request: GET /icingaweb2/v1/status (from [xyz]:50355), user: <unauthenticated>)
[2019-07-13 12:21:29 +0000] warning/HttpServerConnection: Unauthorized request: GET /icingaweb2/v1/status
Context:
    (0) Handling new API client connection

[2019-07-13 12:21:29 +0000] information/HttpServerConnection: HTTP client disconnected (from [xyz]:50355)

The only thing is - the hostname doesn't match the certificate, but that should not be relevant at this point. I only want to use HTTP Basic via HTTPS.

I didn't change anything in the image, except the user+pass credentials. The admin and my user have all privileges (via group). I don't understand, why the credentials work on 80/443 for IcingaWeb2 and not on 5665 for API...?

bebehei commented 5 years ago

The API credentials are an ApiUser object in the Icinga2 configuration and are independent of the icingaweb2 credentials. If you want persistent access to the Icinga2 API, you have to create such an object manually.

trickert76 commented 5 years ago

Okay, thanks - but is the documentation correct then? Because it says the container is automatically configured as an API master. Okay. The master is running, but it cannot be used, because there is no user "configured" - which in my understanding is what is meant by "automatically configured".


trickert76 commented 5 years ago

I had a look into this - there is a file in conf.d/api-user.conf - that is a link to /tmp/icinga2-api-user.conf but the file doesn't exist. And there is a file conf.d/api-users.conf - which defines a root user with a random password.

This user/password works in the API. So - this is maybe a documentation issue and maybe a configuration issue too, because these values should be configurable via env variables?

trickert76 commented 5 years ago

Would it be a good idea to make a sed for this in one of the scripts?

jjethwa commented 5 years ago

Hi @trickert76

The API user in the conf file under /tmp is used for Director setup. See: https://github.com/jjethwa/icinga2/blob/master/content/opt/setup/61-icingaweb2-director#L55-L71

In your case, it looks like you want to have a persistent API user available? It might be best to have a separate conf file for that user and add it in using a volume under conf.d?
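
One way to produce the separate conf file suggested above, as an added example that is not from this thread or from the image's own scripts: a POSIX shell function that writes an ApiUser object with a random password and an explicit permission list instead of full access. The user name, file name and chosen permissions are assumptions.

```shell
#!/bin/sh
# Added example (not part of the image): write an Icinga 2 ApiUser object
# with a random password and a narrow permission list to a file that can be
# mounted into conf.d. User name, file name and permissions are assumptions.
set -eu

# 32 hex characters from the kernel CSPRNG; hex needs no escaping in the DSL.
gen_password() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# write_api_user NAME OUTFILE PERMISSION...
write_api_user() {
    [ "$#" -ge 3 ] || { echo "usage: write_api_user NAME OUTFILE PERMISSION..." >&2; return 2; }
    name=$1 out=$2
    shift 2
    # Reject anything that could break out of the quoted strings below.
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "invalid user name" >&2; return 1 ;;
    esac
    perms=
    for p in "$@"; do
        case $p in
            ''|*[!A-Za-z0-9/*_-]*) echo "invalid permission: $p" >&2; return 1 ;;
        esac
        perms="${perms:+$perms, }\"$p\""
    done
    pw=$(gen_password)
    # Create the file private from the start; it holds a cleartext secret.
    ( umask 077
      rm -f -- "$out"
      printf 'object ApiUser "%s" {\n  password = "%s"\n  permissions = [ %s ]\n}\n' \
          "$name" "$pw" "$perms" > "$out" )
}

# Run only when called with arguments, e.g.:
#   sh make-api-user.sh status-reader ./api-user-persistent.conf status/query
if [ "$#" -ge 3 ]; then
    write_api_user "$@"
fi
```

Mount the generated file into the container's conf.d as a volume. The account Icinga 2 runs as inside the container must be able to read it, so adjust ownership rather than loosening the mode.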