Icinga api - downtime from windows client - restrictions and ldap user

Hi,
I have a script that sets a downtime with PowerShell. That works fine with a user configured here in the Director:
(screenshot)

Is it possible to restrict this user to only setting downtimes? How?
Can I use an LDAP user for this instead of the API user? How?

I have tried to set a rule with these settings
(screenshot)
and that does not work!

Yes, you can.

But here is some more background knowledge:
this is an Icinga API user.
You can look it up in the file /etc/icinga2/conf.d/api-users.conf

https://icinga.com/docs/icinga-2/latest/doc/12-icinga2-api/

# vim /etc/icinga2/conf.d/api-users.conf

object ApiUser "root" {
  password = "icinga"
}

API users support permissions, see:
https://icinga.com/docs/icinga-2/latest/doc/12-icinga2-api/#icinga2-api-permissions

permissions = [ "objects/query/Host", "objects/query/Service" ]

and permissions support:
actions/schedule-downtime
actions/remove-downtime

object ApiUser "downtime" {
  password = "icingadowntime"
  // only the two downtime actions, no object queries or other actions
  permissions = [ "actions/schedule-downtime", "actions/remove-downtime" ]
}

That should do the trick :slight_smile:
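
The answer above leaves the client side to the reader. The following PowerShell script is an added example, not code from the thread or from the Icinga project: it schedules a host downtime through the Icinga 2 REST API with the least-privilege ApiUser "downtime" defined above, keeps the returned downtime names so they can be removed again, and checks that the same user is refused on an object query (HTTP 403), which is the observable proof that the restriction holds. The master name icinga.example.com, the host object web01.example.com and the comment text are assumptions. It assumes the Icinga CA certificate is trusted on the Windows client, so TLS validation stays on.

```powershell
# Added example (not from the thread): schedule and remove a host downtime through the
# Icinga 2 REST API as the least-privilege ApiUser "downtime" from the answer above.
# Assumptions (not taken from the thread): the master is reachable as
# icinga.example.com:5665, the host object is web01.example.com, and the Icinga CA
# certificate is trusted on this Windows client, so certificate validation is NOT disabled.

$IcingaApi = 'https://icinga.example.com:5665/v1'
$ApiUser   = 'downtime'

# Windows PowerShell 5.1 may still negotiate an old TLS version; Icinga 2 requires TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Prompt for the password instead of hard-coding it: whoever holds it holds the
# actions/* permissions, so it belongs in a vault or a prompt, not in the script.
$secure = Read-Host -AsSecureString "Password for ApiUser '$ApiUser'"
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$token  = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes("${ApiUser}:${plain}"))
$Headers = @{
    Authorization = "Basic $token"      # sent pre-emptively, no 401 challenge round trip
    Accept        = 'application/json'  # the Icinga 2 API rejects requests without it
}

function Invoke-IcingaApi {
    param([string]$Path, [hashtable]$Body)
    Invoke-RestMethod -Method Post -Uri "$IcingaApi/$Path" -Headers $Headers `
        -ContentType 'application/json' -Body ($Body | ConvertTo-Json -Depth 4)
}

function New-IcingaHostDowntime {
    param([string]$HostName, [int]$Minutes, [string]$Comment)
    $now  = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $resp = Invoke-IcingaApi 'actions/schedule-downtime' @{
        type         = 'Host'
        # The host name is passed through filter_vars rather than concatenated into the
        # filter string, so a name containing quotes cannot change the filter expression.
        filter       = 'host.name == target'
        filter_vars  = @{ target = $HostName }
        author       = $env:USERNAME
        comment      = $Comment
        start_time   = $now
        end_time     = $now + ($Minutes * 60)
        fixed        = $true
        all_services = $true   # also cover the host's services
    }
    foreach ($r in $resp.results) {
        if ($r.code -ne 200) { throw "schedule-downtime failed: $($r.status)" }
    }
    # Each result carries the downtime object name, which is what remove-downtime needs.
    return $resp.results.name
}

function Remove-IcingaDowntime {
    param([string[]]$Names)
    foreach ($name in $Names) {
        $r = (Invoke-IcingaApi 'actions/remove-downtime' @{ downtime = $name }).results
        Write-Host "remove-downtime ${name}: $($r.status)"
    }
}

# The restriction is only worth something if it is enforced: with nothing but the two
# actions/* permissions, an object query by this user must come back as HTTP 403.
function Test-IcingaUserIsRestricted {
    try {
        Invoke-RestMethod -Method Get -Uri "$IcingaApi/objects/hosts" -Headers $Headers | Out-Null
        Write-Warning "ApiUser '$ApiUser' can query objects; its permissions are too broad"
        return $false
    } catch {
        if ([int]$_.Exception.Response.StatusCode -eq 403) { return $true }
        throw   # anything else (TLS, DNS, 401) is a real error, not a passed check
    }
}

# Usage
if (-not (Test-IcingaUserIsRestricted)) { exit 1 }
$downtimes = New-IcingaHostDowntime -HostName 'web01.example.com' -Minutes 60 -Comment 'Patch window'
"Scheduled: $($downtimes -join ', ')"
# After the maintenance is finished:
# Remove-IcingaDowntime -Names $downtimes
```

If the user should be allowed to set downtimes on some hosts only, the permissions section linked above also documents filtered permissions, where an entry is a dictionary with `permission` and a `filter` lambda instead of a plain string; the script above works unchanged with such a user, and a host outside the filter simply yields no result.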

Thanks, that works … but I have two api-users.conf files
(screenshot)

Where is it defined which one is used?

Is it possible to use an LDAP user?

And why can I not see the user in the Director (I have done an "icinga2 daemon -C", a "systemctl reload icinga2" and a kickstart)?
(screenshot)
In the conf files I have two users; in the Director I see only one with the same name. Are they not the same users?

Not with the Icinga 2 API. For that you have to use Icinga Web 2’s API.

I think I don't understand the difference between the Web API and the Icinga API. My PowerShell script makes a web request:

$icinga_uri = "https://" + $icinga_host + ":5665/v1/actions/schedule-downtime"

Invoke-WebRequest -Method POST -Uri $icinga_uri -Body ($body | ConvertTo-Json) -Headers $headers -Credential $auth -ContentType "application/json"

And this works with the users in the api-users.conf

Icinga 2’s authentication is entirely internal and based on the api-users.conf.

Icinga Web 2's API utilizes all authentication backends (including LDAP) that are available to normal users as well. It also provides a much broader authorization mechanism; that's what you've shown above in the screenshots. The user with the role shown in your OP can then schedule/remove downtimes and also access the Director's API features (also by use of the Icinga Web 2 API), but the latter is not required for just scheduling/removing downtimes. What the user can and cannot do can be inspected using the Audit feature or by just logging in as that user. What's possible in the UI is the very same for the Icinga Web 2 API.

Thanks for your answers … I think this is the last open question. I have two api-users.conf files. I don't know where it is defined which one is used. And I don't see the newly configured user in the GUI "Icinga Api users".

icinga2 object list -t apiuser will show you which users are active and where they are defined.


Thanks for your help.