icingaweb2-module-director

More hosts visible than user is restricted to

Open MisterMountain opened this issue 2 years ago • 10 comments

Hello,

If you have a user in Icingaweb2 that is restricted to viewing only a single hostgroup, you can still see all other hosts that are not in the mentioned hostgroup.

Expected Behavior

Host should not be visible in the Overview

Current Behavior

All hosts are visible in the Overview (icingaweb2/director/hosts), although not all of them are in the only allowed hostgroup

Possible Solution

Steps to Reproduce (for bugs)

  1. Create a user role test
  2. Create a user test
  3. Set these permissions in /etc/icingaweb2/roles.ini:

         [test]
         users = "test"
         permissions = "module/director,director/hosts,director/inspect,director/monitoring/hosts,monitoring/*,module/monitoring"
         director/filter/hostgroups = "testgroup"
         director/service_set/filter-by-name = "testgroup"

  4. Create a hostgroup "testgroup" in the icinga director
  5. now login with your previously created user "test"
  6. go to icingaweb2/director/hosts
  7. try to open a host, that is not in the hostgroup "testgroup"
  8. you should encounter an error like this:
No such object available

#0 /usr/share/icingaweb2/modules/director/application/controllers/ServiceController.php(73): Icinga\Module\Director\Web\Controller\ObjectController->loadSpecificObject()
#1 /usr/share/icingaweb2/modules/director/application/controllers/ServiceController.php(48): Icinga\Module\Director\Controllers\ServiceController->getOptionalRelatedObjectFromParams()
#2 /usr/share/php/Icinga/Web/Controller/ActionController.php(170): Icinga\Module\Director\Controllers\ServiceController->init()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct()
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch()
#5 /usr/share/php/Icinga/Application/Web.php(290): Zend_Controller_Front->dispatch()
#6 /usr/share/php/Icinga/Application/webrouter.php(105): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

Your Environment

  • Director version (System - About): 1.10.2
  • Icinga Web 2 version and modules (System - About): 2.11.4
  • Icinga 2 version (icinga2 --version): 2.13.6-1
  • Operating System and version: Ubuntu Jammy
  • Webserver, PHP versions: apache2 2.4.52, PHP 8.1

MisterMountain avatar Feb 07 '23 10:02 MisterMountain

ref/NC/776097

MisterMountain avatar Feb 07 '23 10:02 MisterMountain

You're combining multiple restriction mechanisms:

  • director/monitoring/hosts grants access to all Hosts available to this user in the Icinga monitoring module
  • director/hosts grants access to all Hosts in the Director and to the "Hosts" view. The restriction director/filter/hostgroups filters those hosts

With this combination, a single Host view succeeds if either such a given filter matches, or the monitoring module allows seeing the Host. Does this match what you're seeing in this setup?

Thomas-Gelf avatar Feb 13 '23 10:02 Thomas-Gelf

NB: director/monitoring/hosts and director/hosts are usually exclusive, normally you grant only one of them.

Thomas-Gelf avatar Feb 13 '23 10:02 Thomas-Gelf
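
The following check is an added example, not part of the thread or of the Director code base: it audits a roles.ini for the combinations discussed above (both `director/hosts` and `director/monitoring/hosts` granted, or `director/hosts` granted with no `director/filter/hostgroups` restriction). The sample file is constructed from the report, the `monitoring-only` role and function names are hypothetical, and trailing-`*` prefix matching of permissions is an assumption.

```python
import configparser

# Constructed sample: the [test] role from the report plus a hypothetical second role.
SAMPLE_ROLES_INI = '''
[test]
users = "test"
permissions = "module/director,director/hosts,director/inspect,director/monitoring/hosts,monitoring/*,module/monitoring"
director/filter/hostgroups = "testgroup"
director/service_set/filter-by-name = "testgroup"

[monitoring-only]
users = "ops"
permissions = "module/director,director/monitoring/hosts,director/monitoring/services"
'''


def grants(granted, wanted):
    """True if a granted entry covers `wanted`: exact match or trailing-* prefix (assumed semantics)."""
    for perm in granted:
        if perm == wanted or (perm.endswith("*") and wanted.startswith(perm[:-1])):
            return True
    return False


def audit_roles(ini_text):
    """Return {role: [findings]} for roles whose host permissions overlap or lack a filter."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    findings = {}
    for role in parser.sections():
        raw = parser.get(role, "permissions", fallback="").strip().strip('"')
        perms = [p.strip() for p in raw.split(",") if p.strip()]
        notes = []
        has_director = grants(perms, "director/hosts")
        has_monitoring = grants(perms, "director/monitoring/hosts")
        if has_director and has_monitoring:
            notes.append("director/hosts and director/monitoring/hosts both granted")
        if has_director and not parser.has_option(role, "director/filter/hostgroups"):
            notes.append("director/hosts granted without director/filter/hostgroups")
        if notes:
            findings[role] = notes
    return findings


if __name__ == "__main__":
    for role, notes in audit_roles(SAMPLE_ROLES_INI).items():
        for note in notes:
            print(f"[{role}] {note}")
```
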

Good to know that it's common practice to only use one of those (director/monitoring/hosts might be kind of deprecated, as the monitoring module and IDO are).

Even if I apply only one of these filters, I can still see all hosts in the overview, even those I am not allowed to see: https://imgur.com/a/MNNH595 Is there an option to see only the hosts in the Host Overview that I am allowed to see in detail/can see without an error message?

MisterMountain avatar Feb 13 '23 10:02 MisterMountain

I'm not following the "best" practice of deprecating software and components, before their successor becomes stable. Without director/hosts you should neither see the "Hosts" menu entry, nor related dashlets, your screenshot doesn't fit what you're describing.

Thomas-Gelf avatar Feb 13 '23 12:02 Thomas-Gelf

@MisterMountain: could you please give the current master a try? I discovered some bug related to monitoring-module-related permissions, and pushed quite some changes. Grant just director/monitoring/hosts, and director/monitoring/services if you want. Don't grant director/hosts, as it would grant access to all hosts.

Thomas-Gelf avatar Feb 23 '23 11:02 Thomas-Gelf

Hi Tom, I tried to test your last comment, but with current master, without the grant on director/hosts, I didn't see any hosts. If I activate this grant, I can see all hosts, but I can only edit the host from the testgroup, which should be restricted, and for the others I get the same error messages from the top. With the monitoring module or just with icingadb, the result is quite the same. Did I configure something wrong?

carraroj avatar Mar 01 '23 12:03 carraroj

Any News on this?

chrnie avatar Mar 13 '23 13:03 chrnie

Hi,

tried this on the current master Git commit 12cca3ebcf520b5502378a95b16bd2db362163a1

This is also fixed in v1.11.0 a6f0a08

No longer an issue.

martialblog avatar Dec 19 '23 14:12 martialblog

Was fixed in https://github.com/Icinga/icingaweb2-module-director/commit/91b99d8e46045f26992bddce46eb813165edea23

Can be closed

martialblog avatar Dec 19 '23 14:12 martialblog