Hey, I noticed that the displayed members of a contact group vary depending on whether you are an administrator or a user with limited rights.
Icingaweb, as user testadmin:
As icingaweb-user testadmin everything is displayed correctly as provided in the example-configuration below.
Icingaweb, as user testuser (restricted to monitoring/filter/objects = "hostgroup_name=hostgroup_testhosts*"):
As icingaweb-user testuser, the number of members of the contact group is displayed correctly, but the members are not. In the configuration below, user_nogroup is not a member of the usergroup “usergroup_test”.
It looks to me as if the display of users and user groups in Icingaweb is linked to whether there are configured notifications or not. As Icingaweb-users do not have access to all objects due to their roles/filters, the effects mentioned above occur.
My question: Is this a desired behavior?
If yes, what would be the best-practice for “monitoring/filter/objects” in the Icinga roles, to avoid these effects?
Thanks,
Robert
Environment
Icinga Web 2 version
- 2.11.4
Used modules and their versions
- doc 2.11.4
- graphite 1.2.0
- icingalegacytheme 1.0.0
- monitoring 2.11.4
Web browser used
- Google Chrome Version 112.0.5615.138
Icinga 2 version used
- 2.13.2-1
PHP version used
- 5.4.16
Server operating system and version
- Red Hat Enterprise Linux Server release 7.9
Example Configuration:
/etc/icinga2/zones.d/satellite-zone/test/myhosts.conf:
object Host "testhost_a" {
  import "generic-host"
  address = "127.0.0.1"
  vars.team = "testteam"
}
object Host "testhost_b" {
  import "generic-host"
  address = "127.0.0.1"
  vars.team = "testteam"
}
host.vars.team is used to define members of a hostgroup
/etc/icinga2/zones.d/global-templates/test/hostgroups.conf:
object HostGroup "hostgroup_testhosts" {
  assign where match("*testteam*", host.vars.team)
}
The hostgroup is used for object-filter in Icingaweb.
/etc/icingaweb2/roles.ini:
[role-testadmin]
users = "testadmin"
unrestricted = "1"
permissions = "*"
[role-testteam]
users = "testuser"
monitoring/filter/objects = "hostgroup_name=hostgroup_testhosts*"
permissions = "monitoring/*,module/monitoring"
Users, Usergroups & Notifications:
/etc/icinga2/zones.d/global-templates/test/notifications.conf:
object UserGroup "usergroup_test" {
}
object User "user_a" {
  groups = [ "usergroup_test" ]
}
object User "user_b" {
  groups = [ "usergroup_test" ]
}
object User "user_nogroup" {
}
apply Notification "notification-group" to Host {
  command = "mail-host-notification"
  user_groups = [ "usergroup_test" ]
  assign where host.name == "testhost_a"
}
apply Notification "notification-nogroup" to Host {
  command = "mail-host-notification"
  users = [ "user_nogroup" ]
  assign where host.name == "testhost_b"
}
However, it is not always just too many contact group members that are displayed. An AND-clause in the filter can result in the user with restricted rights not being able to see any contact groups and their members at all.
e.g.: monitoring/filter/objects = "hostgroup_name=testhosts*&servicegroup_name=testservice*"
Suppose here the hosts of the host group “test hosts” have notifications configured, but the services of the service group “testservice” have no notifications. The restricted icingaweb-user cannot see any members of the user group.