Diable grafana graph but still display empty graph when restriction custom variables is applied

Hello,

I want to hide on icingaweb the “Custom variables” section to some users. So under the role setting, i set up Restrictions/monitoring/blacklist/properties as: service.vars.**.*, host.vars.**.*. that works fine for my purpose. However, there are some services checks which there are no performance data, so i set the variable for the service to vars.grafana_graph_disable = true. this does not seem to take affect anymore if i set the restriction like above. User can still see the empty graph.
Is there way to set the restriction to any except some variables? I don’t seem to find that on icinga documentation.

Appreciate any help here.

Hello,

blacklisting will make variables unuseable for all modules for that user/role. If you can wait for icingaweb 2.8 there will be an option to hide variables (modules still can use the variables). Or you patch your files manualy if you cant wait, see this PR for the files that need to be changed.

Regards,
Carsten

Carsten, this PR has already been reverted. The proposed change has the exact same effect as the restriction the OP is talking about. (monitoring/blacklist/properties)

Blacklisting make variables unuseable for other modules. And no some modules dont need/want to implement a db query to get the variables when they are already in the host/service object.

Just think about a coreswitch with 400+ ports and variables/dirctionaries for each port, i rather hide them then to see a lot of lines with *** . But i wait for friday, at the moment iam too disapointed

Disappointed? Again, the proposed change has the same effect. It also hides customvariables for modules.

Oh, and if you didn’t knew it already. Modules can indeed access any custom variable, as long as they know its exact name. Then instead of accessing $object->customvars it’s done by accessing $object->$name.

It’s only $object->customvars that is affected by security options. The rationale for this is that a module can’t scan for every variable but access it directly if it got knowledge of its name. (Either by configuration or a module specific name such as grafana_graph_disable)

Thank you Carsten and Johannes for putting your thought here.
@Johannes: i don’t get your statement by accessing the name instead of the customvars. How can I configure that?
Also, is it possible to configure blacklist everything but some exceptions?

You can’t configure that. That’s a change in the grafana module.

Sorry, forgot to take a look at this. The blacklist restriction is not intended to be used to hide customvariables completely. There is no such a feature available. (That’s what Carsten is missing)

The blacklist should only be used to hide specific sections or single properties such as passwords, tokens and other secrets. Of course it can also be used to hide everything, but then you can’t make exceptions, it’s a all or nothing.

Try to only blacklist the variables you really don’t want to be seen by your customers. The restriction then might become more complex, but that’s the only way. You can separate multiple conditions with a comma. And if you flip .**.* so that it’s .*.** instead, you only hide second level sections and downwards. Since grafana_graph_disable is on the first level, it keeps being available. You can read more in the documentation if haven’t already.

1 Like

Thank you Johannes.
There are not many variables in my monitoring, so i can try like you suggest.
Was wondering if there is another more elegant way to do so.