Feature #3715

Revamped credential and permission system for the data

Added by lazyfrosch about 1 year ago. Updated 12 months ago.

Status: Resolved
Start date: 02/19/2013
Priority: High
Due date:
Assignee: lazyfrosch
% Done: 100%
Category: Authorization
Target version: Icinga 1.x - 1.9

Description

We are working on some major credential changes for 1.9 and would like to hear feedback on what we are doing.

Please comment below this issue, I'll refer and maybe also close other issues in favor of this one.

Most of the work and testing will be done by me and Jannis.

Feel free to comment and add suggestions or questions.

Git branches we are working on:
feature/datapermissions*

Cheers
Markus

Step 1

  • Reverting to the "old" credential model with selective joins and sql filters (pre 1.8)
  • Fixing several issues in terms of Role inheritance
  • Connecting the single "targets" by OR instead of AND (some credentials already work like this)
  • Updating/Fixing all basic credentials with full testing

Step 2

  • Aggregating credentials into host / service limits instead of single credentials linked by AND
  • Finding missing indexes in the IDO database

Step 3

  • Testing and verifying the changes with PgSQL and Oracle
  • Performance tuning and testing

The whole idea

The whole credential system will consist of 2 pools of credentials:

  • host
    • hostname matching
    • hostgroups
    • host custom variables
  • services
    • servicename matching
    • servicegroups
    • service custom variables

The rights of a user will be aggregated and inherited from every target that is set on the user directly or on a role he is a member of.

The permission to grant rights by matching contact name and groups will work as intended (some fixes are necessary), and it will work in addition to other credentials the user might have.

A permission filter (in the end of our work) should work like this:

(hostname LIKE 'test%' OR hostname LIKE 'qa%' OR hostgroup = 'testservers' OR _HOSTcv1 LIKE 'test')
AND
(servicename LIKE 'disk%' OR servicename LIKE 'proc%' OR servicegroup = 'unixchecks' OR _SERVICEcv1 LIKE 'team1')

After Step 1 (temporary):

(hostname LIKE 'test%' OR hostname LIKE 'qa%')
AND
(hostgroup = 'testservers')
AND
(servicename LIKE 'disk%' OR servicename LIKE 'proc%')
AND
(servicegroup = 'unixchecks')

The final idea is to build an aggregate of all permissions a user has, but requiring him to match a host and a service credential.
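The grouping sketched above, written out as runnable code. This is an added example for this page, not Icinga Web's own credential code: it collects the targets set on a user and on every role the user inherits from, puts them into a host pool and a service pool, ORs the targets within each pool, ANDs the two pools, and ORs a contact match on top (the "other credentials" of the LegacyApi grouping). The target type names, the role/parent structure, the rule that an empty pool imposes no restriction, and all host/service rows are assumptions and constructed data.

```python
"""Aggregate a user's data-permission targets into a host/service filter."""
# Added example for this page, not Icinga Web's credential code.  The target
# type names, the role/parent structure, the rule that an empty pool means
# "no restriction", and every row below are assumptions / constructed data.
from fnmatch import fnmatchcase

HOST_TYPES = ("host_name", "hostgroup", "host_cv")
SERVICE_TYPES = ("service_name", "servicegroup", "service_cv")

# Constructed roles: qa-team inherits everything granted to unix-base.
ROLES = {
    "unix-base": {"parents": [],
                  "targets": [("hostgroup", "testservers"), ("servicegroup", "unixchecks")]},
    "qa-team": {"parents": ["unix-base"],
                "targets": [("host_name", "qa*"), ("service_name", "disk*")]},
}
# Constructed users; name patterns use shell wildcards (* stands for SQL's %).
USERS = {
    "alice": {"contact": "alice", "roles": ["qa-team"],
              "targets": [("host_name", "test*"), ("service_cv", ("cv1", "team1"))]},
    "bob": {"contact": "bob", "roles": [], "targets": []},  # no restriction at all
}

def row(host, hostgroups, host_cv, service, servicegroups, service_cv, contacts):
    return {"host": host, "hostgroups": set(hostgroups), "host_cv": host_cv,
            "service": service, "servicegroups": set(servicegroups),
            "service_cv": service_cv, "contacts": set(contacts)}

# Constructed service rows, flattened the way a status view would join them.
SERVICES = [
    row("test01", ["testservers"], {"cv1": "test"}, "disk /", ["unixchecks"], {}, []),
    row("prod01", ["prodservers"], {}, "disk /", ["unixchecks"], {}, ["bob"]),
    row("qa02", ["webservers"], {}, "http", ["webchecks"], {"cv1": "team1"}, []),
    row("prod02", ["prodservers"], {}, "proc sshd", ["unixchecks"], {}, ["alice"]),
    row("test02", [], {"cv1": "test"}, "http", [], {}, []),
]

def collect_targets(user, roles):
    """Targets set on the user directly plus those of every inherited role."""
    targets = list(user["targets"])
    seen, stack = set(), list(user["roles"])
    while stack:
        name = stack.pop()
        if name in seen:  # guards against inheritance cycles
            continue
        seen.add(name)
        targets.extend(roles[name]["targets"])
        stack.extend(roles[name]["parents"])
    return targets

def target_matches(ttype, value, r):
    if ttype == "host_name":
        return fnmatchcase(r["host"], value)
    if ttype == "service_name":
        return fnmatchcase(r["service"], value)
    if ttype == "hostgroup":
        return value in r["hostgroups"]
    if ttype == "servicegroup":
        return value in r["servicegroups"]
    if ttype in ("host_cv", "service_cv"):
        return r[ttype].get(value[0]) == value[1]
    raise ValueError(ttype)

def build_filter(user, roles):
    """Predicate implementing ((host pool) AND (service pool)) OR contact match."""
    targets = collect_targets(user, roles)
    host_pool = [t for t in targets if t[0] in HOST_TYPES]
    service_pool = [t for t in targets if t[0] in SERVICE_TYPES]

    def pool_ok(pool, r):  # OR within a pool; an empty pool does not restrict
        return not pool or any(target_matches(t, v, r) for t, v in pool)

    def allowed(r):
        if user["contact"] in r["contacts"]:  # "other credentials", OR'd on top
            return True
        return pool_ok(host_pool, r) and pool_ok(service_pool, r)

    return allowed

def visible_services(username):
    allowed = build_filter(USERS[username], ROLES)
    return [(r["host"], r["service"]) for r in SERVICES if allowed(r)]

def render_where(username):
    """The same grouping written as the SQL-style sketch used in the issue."""
    def term(ttype, value):
        if ttype.endswith("_cv"):
            return f"_{ttype[:-3].upper()}{value[0]} = '{value[1]}'"
        if ttype.endswith("_name"):
            return f"{ttype.replace('_', '')} LIKE '{value.replace('*', '%')}'"
        return f"{ttype} = '{value}'"

    targets = collect_targets(USERS[username], ROLES)
    pools = [[term(t, v) for t, v in targets if t in types]
             for types in (HOST_TYPES, SERVICE_TYPES)]
    return " AND ".join("(" + " OR ".join(p) + ")" for p in pools if p)
```

With these constructed rows, alice sees test01/disk (host pool via the name pattern, service pool via disk*), qa02/http (qa* and the service custom variable) and prod02/proc (contact match only), but not prod01/disk or test02/http, where only one of the two pools matches. bob, who has no targets, sees everything, which is the behaviour ossmon reports below for an unrestricted user.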

CVRestriction.JPG (42 KB) ossmon, 04/23/2013 09:48 am

web19_correct_status_with_root.jpg - correct status with user root and full access (160 KB) Tommi, 04/28/2013 06:37 pm

web19_wrong_status.jpg - This host and the services should not appear; they don't match the custom variables. Overall, the count is wrong anyway, only one host is down (174 KB) Tommi, 04/28/2013 06:37 pm

web19_wrong_status2.jpg - Within the service list the expectation was that only hosts/services matching all criteria should appear here. The second host doesn't match (250 KB) Tommi, 04/28/2013 06:37 pm

icinga_web_1.9_oracle_permissions_hg_01.png (151 KB) dnsmichi, 04/28/2013 07:34 pm

icinga_web_1.9_oracle_permissions_hg_02.png (152 KB) dnsmichi, 04/28/2013 07:34 pm

icinga_web_1.9_oracle_permissions_sg_01.png (120 KB) dnsmichi, 04/28/2013 07:41 pm

icinga_web_1.9_oracle_permissions_sg_03.png (122 KB) dnsmichi, 04/28/2013 07:41 pm

icinga_web_1.9_oracle_permissions_sg_02.png (189 KB) dnsmichi, 04/28/2013 07:41 pm

icinga_web_1.9_oracle_permissions_sg_04.png (137 KB) dnsmichi, 04/28/2013 07:43 pm


Related issues

Related to Web - Feature #3659: Ability to hide services where user is no contact Feedback 02/08/2013
Related to Web - Bug #3625: problems with user restriction in servicegroup Resolved 02/04/2013
Related to Web - Bug #3578: Combined customvariable restriction has no effect Resolved 01/28/2013
Related to Web - Bug #4002: new restrictions: overlapping counters wrong in status cr... Resolved 04/28/2013
Related to Web - Bug #4048: new restrictions and oracle: host and servicegroups weird... Feedback 05/04/2013

Associated revisions

Revision 1335fd3c
Added by lazyfrosch 12 months ago

Migrated DQLViews to new credential grouping system

  • all credentials are added via OR
  • and grouped into affecting host and service
  • extensions for IcingaDoctrine_Query to allow manipulation
    of the Where DqlParts

refs #3715

Revision 9dc7513f
Added by lazyfrosch 12 months ago

Redesign CustomVariableExtender for new credential system

The WHERE statements are now aggregated correctly to match
the key/values exactly.

fixes #3578
refs #3715

Revision f8f035e2
Added by lazyfrosch 12 months ago

Removed NotificationCustomVariableExtender

This is no longer required with the new CustomVariableExtender.

Migrated the credentials for the Notification View to the new logic.

refs #3715

Revision 4a78f84a
Added by lazyfrosch 12 months ago

Removed CanBeNull feature from Legacy credentials

No longer needed with the migration to grouped credentials

refs #3715

Revision 0a496b0c
Added by lazyfrosch 12 months ago

Migrated LegacyApi to new credential grouping system

  • grouping the credentials like in the DQLViews:
    ((<hostcredentials> AND <servicecredentials>) OR <othercredentials>)
  • other credentials is Contactgroup stuff
  • the credential targets are grouped by OR instead of AND

refs #3715

Revision 4e7c0f7b
Added by lazyfrosch 12 months ago

Redesign CustomVariableExtender for new credential system

The WHERE statements are now aggregated correctly to match
the key/values exactly.

fixes #3578
refs #3715

Revision b982b4f5
Added by lazyfrosch 12 months ago

Fix duplication problem in StatusSummary Cronk

caused by 1-n credential joins

refs #3715
refs #4002

History

#1 Updated by ossmon about 1 year ago

Hi,
I hope it will also solve issue #3578 (it prevents us from migrating to 1.8.X from 1.7.2). We are ready to test it when you are finished.

#2 Updated by dnsmichi about 1 year ago

Hmmm, if applicable, I'd like to discuss a backport into the current 1.8 tree when this is finally tested for the 1.9 tree.

#3 Updated by ossmon about 1 year ago

Hi Markus, when do you think you will have a version to be tested?

#4 Updated by lazyfrosch 12 months ago

I've integrated and pushed the grouped aggregation of credentials to feature/credentials-3715-step2

@mhein: We still need to implement this kind of grouping for the Legacy Api stuff.

And lots of testing...

#5 Updated by ossmon 12 months ago

Hi Markus, should I test your git version or should I wait some more time?

#6 Updated by lazyfrosch 12 months ago

Hey, any test is welcome. It would be great to get your feedback, especially in terms of your use of permissions!

#7 Updated by ossmon 12 months ago

Hi Markus,
i've downloaded and installed your git version (ad31b...).
I've tested with custom variables as described in issue #3578
It doesn't work.

2 cases:

In the config there is only one host with a custom variable VAR1, and one of its services also has the same custom variable VAR1.

1) The user has no restriction. He sees all the hosts and all the services

=> OK

2) The user has the custom variable VAR1 as restriction for host and service. I would expect the user to see only one host and one service.

=> The user sees many hosts and services (not only one)
=> He sees more hosts and services than without restriction

#8 Updated by lazyfrosch 12 months ago

  • % Done changed from 0 to 80

The branch feature/credentials-3715 has been merged into next.

I think the credential system should now work as intended; please test, and also have a look at the detail tabs of a host or service to see if the LegacyApi permissions work as well.

@ossmon: Please test ;)

@tommi / dnsmichi: Could you try the latest changes in an Oracle environment with some credentials?

Thanks

#9 Updated by ossmon 12 months ago

It works fine now! Congratulations!

#10 Updated by Tommi 12 months ago

How to test? Which settings/configs are required?

#11 Updated by dnsmichi 12 months ago

Set users to special permissions, e.g. hostgroups or servicegroups, and then check if they can only see those. If you have custom vars defined on services or hosts, add the permissions for custom vars on the user admin panel as well, and verify that the user may only see those. Last but not least, test mixed permissions, like multiple groups, CVs, and such. Should work with all 3 RDBMS.

#12 Updated by Tommi 12 months ago

Just did such tests after upgrading to the current next branch. Added a new user (there is another small issue I logged in #3999) and added a restriction to one hostgroup, one servicegroup and one (host) custom variable value. This should match exactly one database instance and hide all others. First of all, no database syntax errors appeared while running my tests. But the screen contents aren't as expected. It doubled the numbers of services and hosts and shows services which are not matched by the supplied custom variables when using the restricted user. Just added a few screenshots of this issue.

#13 Updated by dnsmichi 12 months ago

Looks like the distinct fix does not work anymore for the status cronk.

First of my test series with Oracle: 1 hostgroup, and more.

A single hostgroup contains 2 hosts which relate to 6 services. That's totally fine.

(left is Iceweasel with the test session, right is Chromium with root permissions)

When I add yet another hostgroup, which also contains both hosts, the display in the grid stays the same (12) but the status cronk counters are wrong. They sum up to 18 being OK, which is not shown in the grid. The correct number is still 12.

First conclusion: the status cronk counter does not know about the new privileges.

#14 Updated by dnsmichi 12 months ago

There's a pattern: when I use a servicegroup with 3 services attached, and then add another servicegroup with just one service (which is among the 3 others already), then the grid shows the correct count (3), but the status cronk sums that up to 4 (which is wrong).

[screenshot: single big servicegroup]

[screenshot: servicegroup with another servicegroup containing the service]

Furthermore, the status cronk is broken for hosts: the servicegroup permission seems not to affect it in any way and just shows all counters and even allows viewing all hosts, even if they are not related to the servicegroup.

So for the servicegroups in Oracle, there seem to be 2 issues: status cronk counters for services with servicegroups, and host status counters/view overall.
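The pattern dnsmichi describes in the two comments above (grid shows 3, counters sum to 4; two hostgroups with the same two hosts inflating the counters) is the classic 1-n join duplication, which is also what revision b982b4f5 fixes for the StatusSummary cronk. The following is an added example for this page, not Icinga Web code and not the IDO schema: a tiny assumed sqlite3 schema with one servicegroup of three services and a second group holding one of those three. Filtering through a plain join to the membership table yields one row per (service, granted group) pair, so a row-counting counter reports 4 while only 3 distinct services are visible; counting DISTINCT object ids, or filtering with EXISTS instead of joining, gives the right numbers. All rows are constructed.

```python
"""Overlapping group credentials double-count through 1-n joins."""
# Added example for this page, not Icinga Web code; the schema is an assumed
# toy, not the IDO tables, and every row is constructed.
import sqlite3

GRANTED = ("unixchecks", "diskchecks")  # two overlapping servicegroup credentials


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE service (service_id INTEGER PRIMARY KEY, name TEXT, state INTEGER);
        CREATE TABLE servicegroup (sg_id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE servicegroup_member (sg_id INTEGER, service_id INTEGER);
        -- state 0 = OK, 2 = CRITICAL (constructed values)
        INSERT INTO service VALUES (1, 'disk /', 0), (2, 'proc sshd', 0),
                                   (3, 'load', 2), (4, 'http', 0);
        INSERT INTO servicegroup VALUES (1, 'unixchecks'), (2, 'diskchecks');
        -- unixchecks = {disk, proc, load}; diskchecks = {disk}: 'disk /' is in both
        INSERT INTO servicegroup_member VALUES (1, 1), (1, 2), (1, 3), (2, 1);
    """)
    return db


# Counter query as a plain join: one row per (service, granted group) pair.
NAIVE = """
    SELECT s.state, COUNT(*) FROM service s
    JOIN servicegroup_member m ON m.service_id = s.service_id
    JOIN servicegroup g ON g.sg_id = m.sg_id
    WHERE g.name IN (?, ?)
    GROUP BY s.state"""

# Same join, but counting distinct object ids instead of rows.
DISTINCT = """
    SELECT s.state, COUNT(DISTINCT s.service_id) FROM service s
    JOIN servicegroup_member m ON m.service_id = s.service_id
    JOIN servicegroup g ON g.sg_id = m.sg_id
    WHERE g.name IN (?, ?)
    GROUP BY s.state"""

# Credential pushed into an EXISTS subquery: the outer row set is never multiplied.
EXISTS = """
    SELECT s.state, COUNT(*) FROM service s
    WHERE EXISTS (SELECT 1 FROM servicegroup_member m
                  JOIN servicegroup g ON g.sg_id = m.sg_id
                  WHERE m.service_id = s.service_id AND g.name IN (?, ?))
    GROUP BY s.state"""


def counters(db, sql):
    """Status-cronk style counters: {state: count}."""
    return dict(db.execute(sql, GRANTED).fetchall())


def grid_rows(db):
    """What the grid shows: distinct services the user may see."""
    sql = """SELECT DISTINCT s.service_id, s.name FROM service s
             JOIN servicegroup_member m ON m.service_id = s.service_id
             JOIN servicegroup g ON g.sg_id = m.sg_id
             WHERE g.name IN (?, ?) ORDER BY s.service_id"""
    return [name for _, name in db.execute(sql, GRANTED)]


def compare():
    db = make_db()
    return {"grid": grid_rows(db), "naive": counters(db, NAIVE),
            "distinct": counters(db, DISTINCT), "exists": counters(db, EXISTS)}


if __name__ == "__main__":
    for label, value in compare().items():
        print(label, value)
```

The grid lists 3 services; the naive counters come to {0: 3, 2: 1}, i.e. 4, because 'disk /' is counted once per granted group, while both the DISTINCT and the EXISTS variants return {0: 2, 2: 1}. The same multiplication happens with two hostgroups that share hosts, and it compounds when host and service credentials each add a 1-n join to the same query.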

#15 Updated by dnsmichi 12 months ago

For the host counters and views: this is exactly the same as the full root admin would see; below is a screenshot for you to reproduce.

#16 Updated by dnsmichi 12 months ago

I've created a dedicated test config for that, used from within the core's test config (which I keep writing for issues and their resolution / regression testing).

https://git.icinga.org/?p=icinga-core.git;a=blob_plain;f=tests/etc/3715.cfg;hb=69893673906567988829c71813b787e14f10d016

#17 Updated by dnsmichi 12 months ago

Further Oracle tests on the issue with

  • overlapping credentials creating wrong status cronk counters
  • service restrictions not affecting host counters nor their view in the grid

are collected in #4002 as a separate issue.

#18 Updated by dnsmichi 12 months ago

Further Oracle distinct issues are collected in #4048.

#19 Updated by dnsmichi 12 months ago

  • Status changed from Assigned to Resolved
  • % Done changed from 80 to 100

For the initial issue, I consider this resolved and working. Thanks for the hard work on this; further bugs may be collected and fixed on the bugfix 1.9.x tree. Just make sure to commit often, and even more often, to allow easier git flowing ;)
