Can't get permissions to work

I have an Icinga2 system with local icinga-agents for most of my hosts. (Currently with >100 hosts and >2000 services checked.)
It works great, no problem!

Now I’m trying to add more people than myself and don’t want them to change things they shouldn’t. :slight_smile:

I have Icinga2, version 2.11.2-1.buster from
http://packages.icinga.com/debian, running on a host with Debian sid, php 7.2, apache2 2.4.41-2.
Also icingaweb2 2.7.3-1.buster.

Enabled features: api checker command graphite ido-mysql mainlog notification statusdata

---------------------------------------
roles.ini (this is visible):
[test11]
groups = "test1"
permissions = "application/share/navigation,module/monitoring"

roles.ini (this is not visible):
[test11]
groups = "test1"
permissions = "application/share/navigation,monitoring/command/schedule-check,monitoring/command/acknowledge-problem,monitoring/command/comment/add,monitoring/command/downtime/*"
---------------------------------------

The main problem is that I want people to be able to look at hosts but not change anything important.
So I tried enabling only the monitoring/commands that I wanted.

But my testuser only got an empty screen, only Dashboard, System and login in the left sidebar and nothing except a welcome in the main window.

I got the normal left menu only after I enabled “General Module Access”, but this also enabled all feature commands like “Active Checks”, “Passive Checks” and so on.

What is the proper way to set up an almost read-only role?
I still want them to be able to check, acknowledge and comment.

By the way, it seems as if it is necessary to remove all cookies and reload the page after a change in permissions to make the change visible.

Is that how it works or is it just me missing something? :slight_smile:

Are you sure you’re not talking about Full Module Access? Because general module access does really only grant no more than access to a module. Any other permission the module may require is not included. So module/monitoring permits read-only access in terms of the monitoring module. But it’s of course mandatory if users are supposed to do anything with the module.

It’s perfectly fine to only permit general module access and a small selection of commands. Just like you did in your second example, but that’s missing the module/monitoring permission.

A simple logout should suffice.
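
The point made in the answer above, that a role with `monitoring/command/...` permissions also needs `module/monitoring`, can be checked mechanically. The Python sketch below is an added example, not part of the original posts or of Icinga Web 2. It assumes the first path segment of a permission names its module (except the core prefixes `application`, `config` and `module`) and that `*` and `module/*` act as wildcards; the section names in the sample are constructed so both roles from the thread fit in one file.

```python
import configparser

# Constructed sample: the two role definitions quoted in the thread,
# renamed ("visible" / "not-visible") so both fit in one file.
SAMPLE_ROLES_INI = '''
[visible]
groups = "test1"
permissions = "application/share/navigation,module/monitoring"

[not-visible]
groups = "test1"
permissions = "application/share/navigation,monitoring/command/schedule-check,monitoring/command/acknowledge-problem,monitoring/command/comment/add,monitoring/command/downtime/*"
'''

# Assumption: permission prefixes that belong to the framework, not to a module.
CORE_PREFIXES = {"application", "config", "module"}


def parse_roles(text):
    """Return {role_name: set of permission strings} from roles.ini content."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    roles = {}
    for name in cp.sections():
        raw = cp.get(name, "permissions", fallback="").strip().strip('"')
        roles[name] = {p.strip() for p in raw.split(",") if p.strip()}
    return roles


def grants_module_access(perms, module):
    """True if the set holds module/<module> or a wildcard covering it."""
    return bool(perms & {"*", "module/*", f"module/{module}"})


def find_roles_missing_module_access(text):
    """Map each role to the modules it has permissions for but cannot open."""
    findings = {}
    for name, perms in parse_roles(text).items():
        used = {p.split("/", 1)[0] for p in perms if "/" in p} - CORE_PREFIXES
        missing = sorted(m for m in used if not grants_module_access(perms, m))
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for role, modules in find_roles_missing_module_access(SAMPLE_ROLES_INI).items():
        print(f"[{role}] has permissions for {modules} but no module access")
```

A user who belongs to several roles may get `module/monitoring` from another one, so a finding here is a hint to review the role, not proof that the user sees an empty menu.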

> Are you sure you’re not talking about Full Module Access? Because general
> module access does really only grant no more than access to a module. Any
> other permission the module may require is not included. So
> module/monitoring permits read-only access in terms of the monitoring
> module. But it’s of course mandatory if users are supposed to do anything
> with the module.

Hmm, it seems as if I missed something, the feature commands are actually not changeable if not enabled.

It took some time to figure out when changes in the role actually take effect and that’s why I could use the controls even if they were not supposed to work. :slight_smile:

> A simple logout should suffice.

It did. Although it was easier deleting the cookies and reloading the page so I can stay on the same page. :slight_smile:

I’m using Apache for authentication, so when I log out from Icinga and click on login, I’m automatically logged in without a password.
Maybe something that should be fixed?

Anyway, now I know how and when the permissions are applied so it’s much easier to test.

Thanks!