Changing permissions requires that all users log out and in again
Hi,
Expected Behavior
When I change a role's permissions or filters they should immediately be applied on the next request for the affected users.
Current Behavior
Currently the user needs to log out and log in again to reload his permissions.
Steps to Reproduce (for bugs)
- Create a role like this:
[test_role]
users = "user1"
permissions = "module/monitoring, monitoring/command/schedule-check"
- Let the user log in, note that he can't see any hosts/services
- Amend the config with
monitoring/filter/objects = "host_name=icinga-client.example.com"
- Note that even after hitting F5 user1 still can't see the icinga-client.
- Log out user1 and log in again and he suddenly can see the icinga-client.
Context
This is even worse if you want to remove someone's permission. If the user doesn't log out he can still see the machines/check results and even schedule new checks.
Your Environment
- Icinga Web 2 version and modules (System - About): 2.6.1
- Version used (icinga2 --version): 2.9.1-1
- Operating System and version: Debian stretch
- Enabled features (icinga2 feature list): api checker command ido-pgsql mainlog notification
- Config validation (icinga2 daemon -C): valid
+1
Hi,
Thanks for the report. We consider this feature for one of our next releases but there's no exact schedule yet.
Best, Eric
Thanks, but how is this considered a feature? Logged in users keeping their permissions indefinitely is intended?
The ideal solution, and this I would agree is a feature/enhancement, would be for each user to have their own api user.
ref/NC/775781
Sounds like #3391 would be an alternative if it can also forcibly log out users.
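The behaviour reported in this thread, modelled as an added Python example that is not Icinga Web 2 code and not part of any post: grants cached at login keep a revoked permission and filter alive until the session re-checks the role configuration. The `Session` class, the fingerprint comparison and all function names are hypothetical, and the second sample config is constructed from the role shown in the report.

```python
import configparser
import hashlib

# Constructed sample configs, based on the role in the report above.
ROLES_AT_LOGIN = '''[test_role]
users = "user1"
permissions = "module/monitoring, monitoring/command/schedule-check"
monitoring/filter/objects = "host_name=icinga-client.example.com"
'''
ROLES_AFTER_REVOKE = '''[test_role]
users = "user1"
permissions = "module/monitoring"
'''

def load_grants(roles_ini, username):
    """Merge permissions and filters from every role that lists the user."""
    parser = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    parser.read_string(roles_ini)
    grants = {"permissions": set(), "filters": {}}
    for role in parser.sections():
        opts = {k: v.strip().strip('"') for k, v in parser.items(role)}
        if username not in [u.strip() for u in opts.get("users", "").split(",")]:
            continue
        perms = opts.get("permissions", "").split(",")
        grants["permissions"].update(p.strip() for p in perms if p.strip())
        grants["filters"].update({k: v for k, v in opts.items() if "/filter/" in k})
    return grants

def fingerprint(roles_ini):
    """Digest of the role config, used to notice changes made after login."""
    return hashlib.sha256(roles_ini.encode()).hexdigest()

class Session:
    """Hypothetical session: grants are computed once, at login."""
    def __init__(self, username, roles_ini):
        self.username = username
        self.refresh(roles_ini)

    def refresh(self, roles_ini):
        self.grants = load_grants(roles_ini, self.username)
        self.seen = fingerprint(roles_ini)

def grants_for_request(session, current_roles_ini, revalidate):
    """Grants used to authorize one request, optionally re-checked first."""
    if revalidate and session.seen != fingerprint(current_roles_ini):
        session.refresh(current_roles_ini)  # role config changed since login
    return session.grants
```

With `revalidate=False` the session keeps authorizing `monitoring/command/schedule-check` after it was removed from the role; with `revalidate=True` the next request sees only `module/monitoring`.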