Icinga2web: Credentials to setup ADO-Mysql database

jpamba · May 26, 2020, 11:26am

Hi,
I’m getting this error “The provided credentials cannot be used to grant all required privileges to the login “icingaweb2”.”

I’m not sure why the user is not working yet privileges have been granted.

 SHOW GRANTS FOR 'icingaweb2'@'localhost';
+-------------------------------------------------------------------------------------------------------------------+
| Grants for icingaweb2@localhost                                                                                   |
+-------------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'icingaweb2'@'localhost' IDENTIFIED BY PASSWORD '*4070762B124C533A474BED7B047B0710DC135B4A' |
| GRANT ALL PRIVILEGES ON `icingaweb2`.* TO 'icingaweb2'@'localhost'   

show databases;
+--------------------+
| Database           |
+--------------------+
| icinga             |
| icinga2            |
| icingaweb2         |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+

icinga2 --version
icinga2 - The Icinga 2 network monitoring daemon (version: r2.11.3-1)

Copyright (c) 2012-2020 Icinga GmbH (https://icinga.com/)
License GPLv2+: GNU GPL version 2 or later <http://gnu.org/licenses/gpl2.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

System information:
  Platform: Debian GNU/Linux
  Platform version: 9 (stretch)
  Kernel: Linux
  Kernel version: 4.9.0-8-amd64
  Architecture: x86_64

Build information:
  Compiler: GNU 6.3.0
  Build host: runner-LTrJQZ9N-project-298-concurrent-0

Application information:

General paths:
  Config directory: /etc/icinga2
  Data directory: /var/lib/icinga2
  Log directory: /var/log/icinga2
  Cache directory: /var/cache/icinga2
  Spool directory: /var/spool/icinga2
  Run directory: /run/icinga2

Old paths (deprecated):
  Installation root: /usr
  Sysconf directory: /etc
  Run directory (base): /run
  Local state directory: /var

Internal paths:
  Package data directory: /usr/share/icinga2
  State path: /var/lib/icinga2/icinga2.state
  Modified attributes path: /var/lib/icinga2/modified-attributes.conf
  Objects path: /var/cache/icinga2/icinga2.debug
  Vars path: /var/cache/icinga2/icinga2.vars
  PID path: /run/icinga2/icinga2.pid

lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 9.8 (stretch)
Release:        9.8
Codename:       stretch

anon66228339 · May 27, 2020, 6:03am

Hello and welcome,

you use another user icinga_install to install the database. You need to give this users the correct rights to setup the database.

Regards,
Carsten

PS.: I edited you post for betteer readability, please use code blocks in furture posts.

jpamba · May 27, 2020, 6:12am

Dear Carsen,
Thanks for editing the post and the reply. I used the user ‘icinga_install’ user with all privileges as shown below to do the setup but still the message was coming. Please advise how do to assign required privileges.

MariaDB [icingaweb2]> SHOW GRANTS FOR 'icinga_install';
+---------------------------------------------------------------------------------------------------------------+
| Grants for icinga_install@%                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'icinga_install'@'%' IDENTIFIED BY PASSWORD '*80B6469BA7090F9CA76CAE9B9BF38B8B375790C9' |
+---------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [icingaweb2]> SHOW GRANTS FOR 'icinga_install'@'localhost';
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for icinga_install@localhost                                                                                            |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'icinga_install'@'localhost' IDENTIFIED BY PASSWORD '*80B6469BA7090F9CA76CAE9B9BF38B8B375790C9' |
+--------------------------------------------------------------------------------------------------------------------------------+

anon66228339 · May 27, 2020, 6:18am

Hello,

the documentation is unclear on that point, just use the root user to install it or give this user also the the GRANT OPTION

GRANT ALL PRIVILEGES ON *.* TO 'icinga_install'@'%' WITH GRANT OPTION;

Regards

jpamba · May 27, 2020, 7:10am

I tried with the ‘icinga_install’ and ‘root’ users and it didn’t work. For root I got a different error.

SHOW GRANTS FOR 'root'@'localhost';                           +------------------------------------------------------------------------------------------------+
| Grants for root@localhost                                                                      |
+------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' IDENTIFIED VIA unix_socket WITH GRANT OPTION |
| GRANT PROXY ON ''@'%' TO 'root'@'localhost' WITH GRANT OPTION                                  |
+------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'icinga_install'@'localhost';
+--------------------------------------------------------------------------------------------------------------------------------+
| Grants for icinga_install@localhost                                                                                            |
+--------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'icinga_install'@'localhost' IDENTIFIED BY PASSWORD '*80B6469BA7090F9CA76CAE9B9BF38B8B375790C9' |
+--------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> SHOW GRANTS FOR 'icinga_install'@'%';                         +------------------------------------------------------------------------------------------------------------------------------------------+
| Grants for icinga_install@%                                                                                                              |
+------------------------------------------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'icinga_install'@'%' IDENTIFIED BY PASSWORD '*80B6469BA7090F9CA76CAE9B9BF38B8B375790C9' WITH GRANT OPTION |
+------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

anon66228339 · May 27, 2020, 7:20am

Your root is onnly allowed via socket, but now the icinga_install should do the job, just use the ip of your host to connect and not localhost.

jpamba · May 27, 2020, 8:17am

The connection was refused. Nor sure if 1 put host ip (that of icinga2 server) in right place. There is some issue connecting the the mysql database remotely. The machine hosting it is a virtual machine running on Oracle virtualbox. It’s possible to ping the server but not connect to the mysql.

root@reports:~# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
root@reports:~# systemctl iptables-persistent save
Unknown operation iptables-persistent.
root@reports:~#  iptables-persistent save
-bash: iptables-persistent: command not found
root@reports:~# iptables-
iptables-apply    iptables-restore  iptables-save     iptables-xml
root@reports:~# iptables-save
# Generated by iptables-save v1.6.0 on Wed May 27 11:11:31 2020
*filter
:INPUT ACCEPT [13146:2667765]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [666:95065]
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
COMMIT
# Completed on Wed May 27 11:11:31 2020

anon66228339 · May 27, 2020, 8:31am

You can also delete the icinga_install user in mysql that is only allowed by localhost or give him also the grant option.

Regards,
Carsten

homerjay · May 27, 2020, 9:13am

Hi.

Are remote connections to MariaDB allowed?
Please check the MariaDB config, e.g.:

/etc/mysql/mariadb.conf.d/50-server.cnf

and look for the bind address:

bind-address
# e.g.: bind-address 192.168.6.19

Make sure, that it is set to the IP you want it to be available at.

Also check in the same file, that “skip-networking” is commented out (leading “#”).
MariaDB has to be restarted after changes.

You could also try a simple TCP-connect-test from the host with icingaweb2, e.g. by:

nc 192.168.6.19 3306 -v

If the result is successful, you could try to connect from the same host (hosting icingaweb2) with, e.g.:

mysql -p -h 192.168.6.19 -u icingaweb2  icingaweb2

Greetings.

jpamba · May 27, 2020, 9:46am

Thanks a lot @anon66228339 and @homerjay. The installation got as far as the monitoring screen and then there was a permission issue.

Below is the summary screen

There are no privileges for icinga_admin

MariaDB [(none)]> SHOW GRANTS FOR 'icinga_admin'@'%' ;                          ERROR 1141 (42000): There is no such grant defined for user 'icinga_admin' on host '%'
MariaDB [(none)]> SHOW GRANTS FOR 'icinga_admin' ;
ERROR 1141 (42000): There is no such grant defined for user 'icinga_admin' on host '%'
MariaDB [(none)]> SHOW GRANTS FOR 'icinga_admin';
ERROR 1141 (42000): There is no such grant defined for user 'icinga_admin' on host '%'
MariaDB [(none)]> SHOW GRANTS FOR 'icinga_admin%';
ERROR 1141 (42000): There is no such grant defined for user 'icinga_admin%' on host '%'

MariaDB [(none)]>

MariaDB [(none)]> select host, user from mysql.user order by 1;
+---------------+----------------+
| host          | user           |
+---------------+----------------+
| %             | icinga_install |
| 127.0.0.1     | icingaweb2     |
| 192.168.6.199 | icinga_install |
| 192.168.6.199 | icingaweb2     |
| 192.168.6.199 | root           |
| localhost     | icinga         |
| localhost     | icinga2        |
| localhost     | icinga_install |
| localhost     | icingaweb2     |
| localhost     | root           |
+---------------+----------------+
10 rows in set (0.00 sec)

homerjay · May 27, 2020, 10:06am

Hi again.

Please note, that this step is about the IDO-resource, not icingaweb2.

I assume, that you already created the database.
But see here for further infos.

Greetings.

jpamba · May 27, 2020, 10:24am

The link you is advised is what led me this setup. Final step in the link is to use the web setup. the setup was meant to setup the database however the database is empty. Maybe it will be done later is setup.

MariaDB [(none)]> use icingaweb2
Database changed
MariaDB [icingaweb2]> show tables;
Empty set (0.01 sec)

homerjay · May 27, 2020, 10:32am

The screenshot you posted shows the user which is typically used for the icingaweb2 database, not the IDO-database.
Did you maybe enter the wrong user (and password) combination?

Greetings.

jpamba · May 27, 2020, 10:47am

When I use the ‘icinga_install’ user the message improves.

Been trying to grant privs to ‘icinga2’ which I used early before entering the web setup but not working. The password for icinga2 user is not working remotely using a mysql client.

MariaDB [icingaweb2]> select host, user from mysql.user order by 1;             +---------------+----------------+
| host          | user           |
+---------------+----------------+
| %             | icinga_install |
| 127.0.0.1     | icingaweb2     |
| 192.168.6.199 | icinga2        |
| 192.168.6.199 | icinga_install |
| 192.168.6.199 | icingaweb2     |
| 192.168.6.199 | root           |
| localhost     | icinga         |
| localhost     | icinga2        |
| localhost     | icinga_install |
| localhost     | icingaweb2     |
| localhost     | root           |
+---------------+----------------+

MariaDB [icingaweb2]> SHOW GRANTS FOR 'icinga2'@'localhost';
+----------------------------------------------------------------------------------------------------------------+
| Grants for icinga2@localhost                                                                                   |
+----------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'icinga2'@'localhost' IDENTIFIED BY PASSWORD '*80B6469BA7090F9CA76CAE9B9BF38B8B375790C9' |
| GRANT ALL PRIVILEGES ON `icinga2`.* TO 'icinga2'@'localhost'                                                   |
+----------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

MariaDB [icingaweb2]> SHOW GRANTS FOR 'icinga2'@'192.168.6.19';
ERROR 1141 (42000): There is no such grant defined for user 'icinga2' on host '192.168.6.19'

Found this setup in the ido-mysql.conf which looks to be pointing to the user name and database expected

homerjay · May 27, 2020, 11:21am

Hi.

So you mean that icinga2 is writing to a local MySQL/MariaDB Database and icingaweb2 uses a database on 192.168.6.19 ? Or is icinga2 on 192.168.6.19?
Your screenshot shows, that you try to use the icingaweb2-database again. This is typically not the ido-database. This dialog refers to the ido-database.
Did you follow the schema-import of the documentation (which was already mentionend above)?

If this hints don’t help, would you please provide all of the following information:

On which host runs icinga2?
On which host runs icingaweb2?
On which host runs MariaDB? Are there multiple MariaDB Servers which are used?
The IP of (almost one) MariaDB Server is 192.168.6.19, is that correct?

jpamba · May 27, 2020, 11:31am

So you mean that icinga2 is writing to a local MySQL/MariaDB Database and icingaweb2 uses a database on 192.168.6.19 ? Or is icinga2 on 192.168.6.19?

Both icinga2 and icingaweb2 are writing to the database on 192.168.6.19

Your screenshot shows, that you try to use the icingaweb2-database again. This is typically not the ido-database. This dialog refers to the ido-database.

I changed the database and there was an error

Did you follow the schema-import of the documentation (which was already mentionend above)?

Yes. Used user ‘icinga’ and ‘icinga2’. Working on the permission for both now. My intention was to use ‘icinga2’ user for this purpose,

If this hints don’t help, would you please provide all of the following information:

On which host runs icinga2?

On which host runs icingaweb2?

On which host runs MariaDB? Are there multiple MariaDB Servers which are used?

The IP of (almost one) MariaDB Server is 192.168.6.19, is that correct?

icinga2, icingaweb2 and the mariadb all run on the same host 192.168.6.19.

homerjay · May 27, 2020, 12:03pm

So what happens, when you try to connect via commandline to MariaDB from the host with icingaweb2 (I assume 192.168.6.19 from the screenshot)?

mysql -p -h 192.168.6.19 -u icinga2 icinga2

Edit: The screenshot of your mysql.user table doesn’t show icinga2 at host 192.168.6.19

Your screenshot above, of the /etc/icinga2/features-enabled/ido-mysql.conf, shows that icinga2 connects to a local database. I don’t get that. It seemed, that icinga2 is on a different host than 192.168.6.19?!

If this doesn’t help, would you please provide ALL of the requested information?
(Well, you answered some of them, but just to clear it up and make others follow your setup-structure)

IP of host which runs icinga2?
IP of host which runs icingaweb2?
IP of host which runs MariaDB?
The contents (without password) of the /etc/icinga2/features-enabled/ido-mysql.conf
again the mysql output of: select host, user from mysql.user order by 1;

Greetings.

jpamba · May 28, 2020, 4:14am

@homerjay Thanks a lot. The issue was resolved by granting the privileges in the link advised. I think I granted them to icinga user rather than icinga2 during setup. Below command was used:

GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON **icinga2.*** TO 'icinga2'@'localhost' IDENTIFIED BY 'somepassword!';
GRANT SELECT, INSERT, UPDATE, DELETE, DROP, CREATE VIEW, INDEX, EXECUTE ON **icinga2**.* TO 'icinga2'@'192.168.6.199' IDENTIFIED BY 'somepassword';

I was able to complete the installation. There was an issue setting up the command transport to use the API. I ignored it and set up using command line. Is it possible to do the setup later to use API ? Below is the message.

homerjay · May 28, 2020, 7:11am

Hi.

You can edit it afterwards. See here

Please note, that this is the connection to the icinga2-API.
I assume, that it is reachable at 192.168.6.199, not 192.168.6.19.

You have to create an API-User previously, see info at the link.

Greetings.

jpamba · May 28, 2020, 10:25am

Thanks a lot @homerjay and @anon66228339 for the support.