I have installed the director but some changes have not deployed. The director is raising the error " * * API request failed: Unhandled exception (RestApiResponse.php:113)". Error occurs when you go to Icinga > Deployments > Infrastructure > Endpoints or Icinga API user.
/*
* Endpoint and Zone configuration for a cluster setup
* This local example requires `NodeName` defined in
* constants.conf.
*/
object Endpoint NodeName {
host = NodeName
}
object Zone ZoneName {
endpoints = [ NodeName ]
}
/*
* Defines a global zone for distributed setups with masters,
* satellites and clients.
* This is required to sync configuration commands,
* templates, apply rules, etc. to satellite and clients.
* All nodes require the same configuration and must
* have `accept_config` enabled in the `api` feature.
*/
object Zone "global-templates" {
global = true
}
/*
* Defines a global zone for the Icinga Director.
* This is required to sync configuration commands,
* templates, apply rules, etc. to satellite and clients.
* All nodes require the same configuration and must
* have `accept_config` enabled in the `api` feature.
*/
object Zone "director-global" {
global = true
}
Below are install packages for director:
root@reports:~# dpkg -l php php-curl php-posix php-sockets mariadb
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name Version Architecture Description
+++-==================================-======================-======================-=========================================================================
ii php 1:7.0+49 all server-side, HTML-embedded scripting language (default)
ii php-curl 1:7.0+49 all CURL module for PHP [default]
un php-posix <none> <none> (no description available)
un php-sockets <none> <none> (no description available)
Which versions of Icinga 2, Web and Director are you using? Could you please have a look at the Icinga 2 logs. There should be something about the failing request.
About the software versions:
Icinga 2 version: r2.11.3-1
Icinga Web 2 Version 2.7.3
director 1.7.2
Think the permission issue is related to the file “/etc/icinga2/conf.d/api-users.conf” shown below. The user icingaweb2 in particular may not have enough rights.
/**
* The ApiUser objects are used for authentication against the API.
*/
object ApiUser "root" {
password = "somepassword"
// client_cn = ""
permissions = [ "*" ]
}
object ApiUser "icingaweb2" {
password = "somepassword"
permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
}
Thanks for coming back with the solution here. I had this issue too. Following the documentation, everything on the Icinga doc pages suggests that the API-User should have the following restrictions:
permissions = [ “status/query”, “actions/", "objects/modify/”, “objects/query/*” ]
But obviously that’s not correct, as your solution where pemissions updated to [*] fixes it. Documentation is lacking in accurate information for people without an in-depth understanding of what Director does and how it communicates with the Icinga2 side of things.
You’re welcome. Think it’s better I try contact the developers about the issue to either get clarification from them or have the documentation improved. Will update here on progress
The director user obviously needs * permissions, as it is supposed to be able to generate its own configuration and can therefore do whatever it wants anyway.
For the Icingaweb2 user it is reasonable to have the permissions limited, so it cannot be hijacked. Therefore I would advise to leave it at permissions = [ "status/query", "actions/*", "objects/modify/*", "objects/query/*" ]
as it was
In any case, you can always get in touch or contribute over at GitHub, if you think something needs changing.
Thanks for the response and it does make sense that the director Api have the higher privileges. I have setup a director Api user but I don’t know how to let director know that thats the one use.