
Support Zabbix API tokens

Open rfdparker opened this issue 1 year ago • 16 comments

SUMMARY

Please consider adding support for Zabbix API tokens, as an alternative to username/password.

Zabbix 5.4 added support for API tokens, with later releases (e.g. 6.0 LTS and 6.2) continuing the support.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

Presumably all community.zabbix components which use the Zabbix API.

ADDITIONAL INFORMATION

Supporting API tokens would avoid the need to provide a Zabbix user's username/password to Ansible; each Zabbix API token is, however, associated with a Zabbix user.

Obviously, support for username/password would need to be retained to continue supporting earlier (pre-5.4) Zabbix releases.

rfdparker avatar Aug 19 '22 10:08 rfdparker

I am all for it. Currently, there are several issues that prevent the implementation of API tokens.

  1. We use the zabbix-api package as a backend for API calls. This package doesn't support API tokens and probably never will, as it looks pretty much abandoned (no update for 4 years).
  2. This could be solved by migrating to a different and more up-to-date backend library such as pyzabbix. But it requires Python >=3.6 and we must support older versions in the collection to match Ansible project requirements. @D3DeFi correct me if I'm wrong, but I see currently Python >=2.7 or >=3.5 if it's used only on controller.
  3. Final option (and IMO the best) would be to use httpapi. But our implementation is not yet finished and the original developer (rockaut) is not active in this collection anymore. And there is currently nobody who would be willing/have time to finish it.

mu1f407 avatar Aug 21 '22 08:08 mu1f407

Hi, it would be quite good to be able to use tokens indeed, and it's quite frightening to see that zabbix-api somehow died…

If you target ansible core 2.11+, Python 2.7 was ruled out as a target, with ansible 2.12 requiring Python 3.8, and ansible 2.13 actually depending on it. Not maintaining the API wrapper directly might be easier though, but it requires of course that it stays alive… I don't have much experience with pyzabbix, but it seems quite popular and not too ugly.

Edit: I noticed the httpapi work was quite advanced though, maybe that's not too hard…

gilou avatar Aug 22 '22 23:08 gilou

> I am all for it. Currently, there are several issues that prevent the implementation of API tokens.
>
> 1. We use the [zabbix-api](https://pypi.org/project/zabbix-api/) package as a backend for API calls. This package doesn't support API tokens and probably never will, as it looks pretty much abandoned (no update for 4 years).
>
> 2. This could be solved by migrating to a different and more up-to-date backend library such as [pyzabbix](https://github.com/lukecyca/pyzabbix). But it requires Python >=3.6 and we must support older versions in the collection to match Ansible project requirements. @D3DeFi correct me if I'm wrong, but I see currently Python >=2.7 or >=3.5 if it's used only on controller.

I think this is no longer a problem for us. Ansible-2.10 is including version 0.3.0 of this collection or something like that. That version ofc had 2.7 and 3.5 support, but we can break away from them from now on and follow ansible-2.14, which is 3.8+ I think on the controller side.

> 3. Final option (and IMO the best) would be to use httpapi. But our implementation is not yet finished and the original developer (**rockaut**) is not active in this collection anymore. And there is currently nobody who would be willing/have time to finish it.

I would be voting for the 3rd one, as we would break away from such situations in the future as we have now with zabbix-api. I would also wish for energy and time to pick this up after @rockaut and finish it. Unfortunately, I have neither atm.

D3DeFi avatar Aug 23 '22 13:08 D3DeFi

I'll try to take a look at httpapi.

BGmot avatar Aug 23 '22 13:08 BGmot

I cannot find any issues regarding httpapi, should I create one (or am I blind?) and add it to the Project? We need a place to proceed with discussion on the httpapi topic.

BGmot avatar Aug 25 '22 14:08 BGmot

Seems there is even a board for it @ https://github.com/ansible-collections/community.zabbix/projects/6#card-74573150 Issues were created directly in the project it seems (https://github.com/ansible-collections/community.zabbix/issues?q=is%3Aissue+is%3Aopen+httpapi), and there is a branch for it, probably in sync with @rockaut's own repo.

I'm planning on diving into it a bit, but probably not until the end of September…

gilou avatar Aug 25 '22 14:08 gilou

I guess I'll ask all my stupid questions here https://github.com/ansible-collections/community.zabbix/issues/558

BGmot avatar Aug 25 '22 15:08 BGmot

Someone enabled 2nd factor authentication in our infrastructure and all my Zabbix related playbooks have died. I've received a token and have re-written most of my ansible playbooks to pure API requests using the URI ansible module. Sadly, based on this thread, I can see that I need to re-write roles as well.

f22l2 avatar Aug 26 '22 13:08 f22l2

@f22l2 2FA? How is it related to playbooks using modules from this collection?

BGmot avatar Aug 30 '22 01:08 BGmot

@BGmot when 2FA is enabled, after using user / password, you need to authenticate using, for example, an authenticator. So only a token is a solution if you really want to bypass that. However, as it was mentioned before in this thread, modules currently are not supporting tokens, so the only option I believe would be to switch to URI ansible modules as long as we won't switch to httpapi.

f22l2 avatar Aug 30 '22 05:08 f22l2

What 2FA? Zabbix does not have 2FA, third party solution?

BGmot avatar Aug 30 '22 06:08 BGmot

@BGmot yep, some integration, but imho we are talking about the unsupported token option, not 2FA in general. The problem in front of us is: using zabbix.collection modules we are forced to use the login / password approach, not a token (which we would like to have) :)

f22l2 avatar Aug 30 '22 07:08 f22l2

I am afraid a token won't help you if your 2FA fences all Zabbix URLs.

BGmot avatar Aug 30 '22 12:08 BGmot

I think we can support tokens even if we are not able to solve 2FA problems, as that brings tons of new complications in itself and is a no go for us.

But, this is me assuming that we have httpapi everywhere in the (near)?future and that it will require only something like a single if/else to extend it with an option to have tokens.

Otherwise it is not worth the effort for us until Zabbix decides to introduce native tokens to their ecosystem.

D3DeFi avatar Aug 31 '22 13:08 D3DeFi

Zabbix already introduced tokens... ecosystem? And yes I hope we'll be able to use tokens soon. I just wanted to point out that 2FA in no way should affect username/password or token authentication (at least my implementation of Zabbix 2FA does not).

BGmot avatar Aug 31 '22 14:08 BGmot

> Zabbix already introduced tokens... ecosystem?
>
> And yes I hope we'll be able to use tokens soon.

Sorry, I somehow missed the news. I am not up to speed with latest Zabbix releases that much unfortunately.

D3DeFi avatar Aug 31 '22 14:08 D3DeFi

I suggest closing this as fixed in #806. Users can now provide an authentication token as an alternative to username and password if they opt for the httpapi connection plugin.

And it seems that we cannot address 2FA any further in this regard.

@BGmot can we close?

D3DeFi avatar Oct 19 '22 16:10 D3DeFi

Yes please close.

BGmot avatar Oct 19 '22 16:10 BGmot
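
The resolution described in the closing comments (token authentication through the httpapi connection plugin), as an added example that is not part of the original thread or the project's own documentation: inventory variables with the username/password form beside the token form. The variable names are written here on the assumption that they match the collection's httpapi plugin documentation, so check them against your installed version; the group name, host name, port and `vault_*` variables are placeholders.

```yaml
---
# group_vars/zabbix_api.yml (constructed example; group name is a placeholder)
ansible_connection: httpapi
ansible_network_os: community.zabbix.zabbix
ansible_httpapi_port: 443
ansible_httpapi_use_ssl: true
ansible_httpapi_validate_certs: true   # keep TLS verification on; the token travels in every request

# Before: a Zabbix user's own credentials are handed to Ansible.
# ansible_user: "{{ vault_zabbix_user }}"
# ansible_httpapi_pass: "{{ vault_zabbix_password }}"

# After: an API token (Zabbix 5.4 and later) replaces the username/password pair.
# The token is still bound to a Zabbix user and carries that user's permissions,
# so issue it for a dedicated, least-privileged account, give it an expiry,
# and keep it in Ansible Vault rather than in plain inventory.
ansible_zabbix_auth_key: "{{ vault_zabbix_api_token }}"

---
# playbook.yml (constructed example)
- name: Query Zabbix through the token-authenticated httpapi connection
  hosts: zabbix_api
  gather_facts: false
  tasks:
    - name: Look up one host to confirm the token is accepted
      community.zabbix.zabbix_host_info:
        host_name: "ExampleHost"       # placeholder host name
      register: zbx_host

    - name: Fail early if the lookup returned nothing
      ansible.builtin.assert:
        that:
          - zbx_host.hosts | length > 0
        fail_msg: "Token authenticated but the host is not visible to the token's user"
```

Revoking or expiring the token in the Zabbix frontend cuts off the automation without touching the password of the user it belongs to.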