icinga2
icinga api permissions do not affect joins
Describe the bug
I expect that api-users who do not have permission to see check_commands will not be able to view them via a join.
To Reproduce
2 Api Users:
$ cat api-users.conf
object ApiUser "root" {
  password = "toor"
  permissions = [ "*" ]
}
object ApiUser "dummy" {
  password = "toor"
  permissions = [
    {
      permission = "objects/query/Host"
    },
    {
      permission = "objects/query/Service"
    }
  ]
}
1 Host/Service
- icinga-master.localdomain!swap
Expected behavior
GET check_command directly works as expected. root can query, dummy can't query.
AS root:
$ curl -ksu root:toor 'https://127.0.0.1:5665/v1/objects/CheckCommands/swap'
{"results":[{"attrs":{"__name":"swap","active":true,"arguments":{"-a":{"description":"Conduct comparisons [...]
AS dummy:
$ curl -ksu dummy:toor 'https://127.0.0.1:5665/v1/objects/CheckCommands/swap'
{"error":404,"status":"No objects found."}
Unexpected behavior
GET Service and JOIN check_command
AS root:
$ curl -ksu root:toor 'https://127.0.0.1:5665/v1/objects/Services?service=icinga-master.localdomain!swap&joins=check_command'
{"results":[{"attrs":{"__name":"icinga-master.localdomain!swap",[...]},"joins":{"check_command":{"__name":"swap","active":true[...]}},"meta":{},"name":"icinga-master.localdomain!swap","type":"Service"}]}
AS dummy:
$ curl -ksu dummy:toor 'https://127.0.0.1:5665/v1/objects/Services?service=icinga-master.localdomain!swap&joins=check_command'
{"results":[{"attrs":{"__name":"icinga-master.localdomain!swap",[...]},"joins":{"check_command":{"__name":"swap","active":true[...]}},"meta":{},"name":"icinga-master.localdomain!swap","type":"Service"}]}
Your Environment
This affects all OSes and Icinga versions. Tested with icinga2-docker.
$ docker exec -it icinga-master icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: v2.13.2)
Additional context
This is not the same issue as https://github.com/Icinga/icinga2/issues/7766.
This issue was submitted from RT:727817
ref/NC/727817
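
A check for the behaviour reported above, as an added example that is not part of the original issue or of the Icinga 2 code base: it takes an API user's permission strings and a saved `/v1/objects/Services?...&joins=...` response body and lists every joined object whose type the user is not allowed to query. The function names, the join-to-type mapping, the treatment of permissions as case-insensitive glob patterns, and the sample response are assumptions made for this example.

```python
import json
from fnmatch import fnmatchcase

# Join name -> object type for the joins a Service query accepts.
# Assumption: mapping follows the Icinga 2 API documentation, not this issue.
SERVICE_JOIN_TYPES = {
    "host": "Host",
    "check_command": "CheckCommand",
    "check_period": "TimePeriod",
    "event_command": "EventCommand",
    "command_endpoint": "Endpoint",
}

def may_query(permissions, obj_type):
    """True if any permission string grants objects/query/<obj_type>."""
    needed = f"objects/query/{obj_type}".lower()
    # Assumption: permissions behave as case-insensitive glob patterns.
    return any(fnmatchcase(needed, p.lower()) for p in permissions)

def leaked_joins(permissions, response_body, join_types=SERVICE_JOIN_TYPES):
    """Return sorted (result name, join name, joined type) tuples the user
    received although its permissions do not cover the joined type."""
    leaks = set()
    for result in json.loads(response_body).get("results", []):
        for join, attrs in (result.get("joins") or {}).items():
            obj_type = join_types.get(join, join)  # unknown join: report as-is
            # A null join (no object attached) discloses nothing.
            if attrs and not may_query(permissions, obj_type):
                leaks.add((result.get("name"), join, obj_type))
    return sorted(leaks)

# Constructed sample: same shape as the "dummy" response in the report,
# with the elided attributes left out.
SAMPLE = json.dumps({"results": [{
    "attrs": {"__name": "icinga-master.localdomain!swap"},
    "joins": {"check_command": {"__name": "swap", "active": True}},
    "meta": {},
    "name": "icinga-master.localdomain!swap",
    "type": "Service",
}]})

DUMMY = ["objects/query/Host", "objects/query/Service"]  # as in api-users.conf
ROOT = ["*"]

if __name__ == "__main__":
    print("dummy:", leaked_joins(DUMMY, SAMPLE))
    print("root: ", leaked_joins(ROOT, SAMPLE))
```

Feeding it the output of the `curl` calls shown in the report, once per restricted user, turns the manual comparison into a repeatable regression check.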