Revamped credential and permission system for the data
|Target version:||Icinga 1.x - 1.9|
We are working on some major credential changes for 1.9 and like to her feedback for what we are doing.
Please comment below this issue, I'll refer and maybe also close other issues in favor of this one.
Most of the work and testing will be done by me and Jannis.
Feel free to comment and add suggestions or questions.
Git branches we are working on:
- Reverting to the "old" credential model with selective joins and sql filters (pre 1.8)
- Fixing several issues in terms of Role inheritance
- Connecting the single "targets" by OR instead of AND (some credentials already work like this)
- Updating/Fixing all basic credentials with full testing
- Aggregating credentials into host / service limits instead of single credentials linked by AND
- Finding missing indexes in the IDO database
- Testing and verifing the changes with PgSQL and Oracle
- Performance tunes and testing
The whole idea
The whole credential system will consist of 2 pools of credentials:
- hostname matching
- host custom variables
- servicename matching
- service custom variables
The rights of a user will be aggregated and inherited from every target that is set on the user directly or a role he is member of.
The permission to grant rights by matching contactname and groups will be working as intended (some fixes are necessary), and it will be working in addition to other credentials the user might have.
A permission filter (in the end of our work) should work like this:
(hostname LIKE 'test%' OR hostname LIKE 'qa%' OR hostgroup = 'testservers' or _HOSTcv1 LIKE= 'test') AND (servicename LIKE 'disk%' OR servicename LIKE 'proc%' OR servicegroup = 'unixchecks' OR _SERVICEcv1 LIKE 'team1')
After Step 1 (temporary):
(hostname LIKE 'test%' OR hostname LIKE 'qa%') AND (hostgroup = 'testservers') AND (servicename LIKE 'disk%' OR servicename LIKE 'proc%') AND (servicegroup = 'unixchecks')
The final idea is to build a aggregate of all permissions a user has, but requiring him to match a host and a service credential.
Migrated DQLViews to new credential grouping system
- all credentials are added via OR
- and grouped into affecting host and service
- extensions for IcingaDoctrine_Query to allow manipulation
of the Where DqlParts
This is no longer required with the new CustomVariableExtender.
Migrated the credentials for the Notification View to the new logic.
Removed CanBeNull feature from Legacy credentials
Not longer needed with the migration to grouped credentials
Migrated LegacyApi to new credential grouping system
- grouping the credentials like in the DQLViews:
((<hostcredentials> AND <servicecredentials>) OR <othercredentials)
- other credentials is Contactgroup stuff
- the credential targets are grouped by OR instead of AND
#7 Updated by ossmon almost 3 years ago
- File CVRestriction.JPG added
i've downloaded and installed your git version (ad31b...).
I've tested with custom variables as described in issue #3578
It doesn't work.
In the config exist only one host with a custom variable VAR1 and one of its service has also the same custom variable VAR1.
1) The user has no restriction. He sees all the hosts and all the services
2) The user has the custom variable VAR1 as restriction for host and service. I will expect that the user only see one host and one service.
=> The user see many hosts and services (not only one)
=> He sees more hosts and services than without restriction
#8 Updated by lazyfrosch almost 3 years ago
- % Done changed from 0 to 80
The branch feature/credentials-3715 has been merged into next.
I think the credential system should now work as intended, please test and also have a look if the detail tabs of a host or service to see if the LegacyApi permissions work as well.
@ossmon: Please test ;)
@tommi / dnsmichi: Could you try the latest changes in a Oracle environment with some credentials?
#11 Updated by dnsmichi almost 3 years ago
set users to special permissions - e.g. hostgroups or servicegroups, and then check if they can only see those. if you have custom vars defined on services or hosts, add the permissions on the user admin panel as well for custom vars, and verify that the user may only see those. last but not least, test mixed permissions, like multiple groups, cvs, and such. should work with all 3 rdbms.
#12 Updated by Tommi almost 3 years ago
- File web19_correct_status_with_root.jpg added
- File web19_wrong_status.jpg added
- File web19_wrong_status2.jpg added
just did such tests after upgrading to the current next branch. Added a new user (there is another small issue i logged in #3999) and add restriction to one hostgroup, one servicegroup and one (host)custom variable value. This should match for exact one database instance and hiding all others. First off all, no database syntax errors appeared while running my tests. But the Screen contents aren't as expected. It doubled the numbers of services and host and shows services which are not matched with the supplied custom variables when using the restricted user. Just added a few screenshots of this issue
#13 Updated by dnsmichi almost 3 years ago
- File icinga_web_1.9_oracle_permissions_hg_01.png added
- File icinga_web_1.9_oracle_permissions_hg_02.png added
looks like the distinct fix does not work anymore for the status cronk.
first of my test row with oracle: 1 hostgroup, and more.
single hostgroup contains 2 hosts which relate to 6 services. that's totally fine.
(left is iceweasel with the test session, right is chromium with root permissions)
when i add yet another hostgroup, which also contains both hosts, the display in the grid stays the same (12) but the status cronk counters are wrong. they sump up to 18 being ok, which is not shown in the grid. the correct number is still 12.
first conclusion - the status cronk counter does not know about the new privileges.
#14 Updated by dnsmichi almost 3 years ago
- File icinga_web_1.9_oracle_permissions_sg_01.png added
- File icinga_web_1.9_oracle_permissions_sg_03.png added
- File icinga_web_1.9_oracle_permissions_sg_02.png added
there's a pattern: when i use a service group with 3 services attached, and then add another servicegroup with just one service (which is among the 3 others already), then the grid shows the correct count (3), but the status cronk sums that up to 4 (which is wrong).
single big servicegroup
servicegroup with another servicegroup containing service
furthermore, the status cronk is broken for hosts - the servicegroup permission seems to not affect it in any way and just shows all counters and even allows to view all hosts, even if they are not related to the servicegroup.
so for the servicegroups in oracle, there seems to be 2 issues: status cronk counters for services with servicegroups, and host status counters/view overall.
#16 Updated by dnsmichi almost 3 years ago
I've created a dedicated test config for that, used from within the core's test config (which i keep writing for issues and their resolval / regression testing.
#19 Updated by dnsmichi almost 3 years ago
- Status changed from Assigned to Resolved
- % Done changed from 80 to 100
for the initial issue, i consider this resolved and working. thanks for the hard work on this, further bugs may be collected and fixed on the bugfix 1.9.x tree. just make sure to commit often and even more often to allow easier git flowing ;)