Hiding custom variables like http auth pairs (user/password) from the icingaweb2 dashboard

hash02 · February 27, 2020, 2:47pm

Hello,
I have a couple of services configured with vars.http_auth_pair custom variable:

object Service custom_http_service {
…
vars.http_auth_pair = “user:password”
…
}

inside the object Service defintion.
From what I understand, adding
*http_auth_pair to protected_customvars in /etc/icingaweb2/config.ini like so:

...
[security]
protected_customvars = "pw,pass,auth,*http_auth_pair"
...

Should mask these vars in the icingaweb2 dashboard.
I am using the dashboard with the initial icingaweb2 user I set up during install which has admin rights over the whole dashboard.
I still see the user:pass tuples on those specific services and I don’t want that.
What am I doing wrong ?

fluxX · February 27, 2020, 3:04pm

Hi,

you can do that in Icinga Web 2. Nav to https://your.host/config/modules#!/monitoring/config/security, add http_auth_pair and hit Save.

Example:

- added mssql_health_warning into the list.

Greetz

hash02 · February 28, 2020, 12:35pm

hi, did not work, the field contains
*pw*, *pass*,community, http_auth_pair
still shows the user and password on the specific host/service

log1c · February 28, 2020, 12:39pm

Have you tried *auth*?
Works for me

cheko · July 31, 2020, 5:40am

Excellent, that works for http_auth_pair, but when I’m looking at the object inspection, I still see it under vars and executed commands. How can I hide those entries?

log1c · July 31, 2020, 6:45am

For that you will have to limit the access to the Icinga Director module.
You will need to configure Roles with different permissions. If everyone uses the default icingaadmin user, that won’t be possible.
At least I don’t know any other way.

cheko · July 31, 2020, 6:47am

Okay, fair enough. Thanks.