How can I define a read-only API user

jeanm · February 14, 2025, 2:14pm

Hello,

People in my organisation wish to aggregate data from different sources and make reports. One of the reports must show the proportion of servers that are under monitoring vs. those that aren’t.

So they came to me and asked for a REST-API user that has read-only privileges to list the hosts.

I created a Director API role for this and assigned the role to the dedicated user, and it works, it can list the hosts in JSON format.

My issue is that I cannot limit the privileges to read-only. The same user can create new hosts, or modify existing hosts.

How could this limitation be achieved? Does anyone have experimented with this already?

Thank you,

Jean

PS: I prefer to use Director over plain Icinga2, because it will also report on the Disabled hosts.

rivad · February 14, 2025, 2:21pm

For the Icinga2 API just give them access to API endpoints that are read only.
From the documentation at Icinga2 Api - Icinga 2 :

permissions = [ "objects/query/Host" ]

For the director API you need to add a icingaweb2 user and set the read only director roles like every other icingaweb2 user.

For hosts in the director you could give them read only DB access if SQL is an option.

jeanm · February 14, 2025, 3:15pm

This is what I have trouble identifying - what options do I need to select (or leave unselected), and what are the filters that I need to specify?

rivad · February 14, 2025, 4:02pm

It looks like there isn’t a read only option for hosts in the director roles.

moreamazingnick · February 17, 2025, 5:58am

Did you try out these restriction:

director/icingadb/rw-object-filter

Additional (Icinga DB Web) object filter to further restrict write access

director/icingadb/hosts

Allow users to modify Hosts they are allowed to see in Icinga DB Web

apenning · February 17, 2025, 8:10am

I would highly second @rivad’s suggestion to use the Icinga 2 API. Creating an Icinga 2 ApiUser with the required permissions and submitting one querying API request would be enough to let the other team query every monitored host.

object ApiUser "foo" {
  password = "insecure"
  permissions = [ "objects/query/Host" ]
}

$ curl -k -s -S -u 'foo:insecure' -H 'Accept: application/json' -X GET 'https://localhost:5665/v1/objects/hosts' -d '{ "attrs": ["name", "address", "address6"], "pretty": true }' | jq '.[].[].attrs'
{
  "address": "10.0.0.23",
  "address6": "2001:db8::23",
  "name": "foo.example.com"
}
{
  "address": "10.0.0.42",
  "address6": "2001:db8::42",
  "name": "bar.example.com"
}
[ . . . ]