Multi-tenancy of the director

I have an icinga2 cluster (with icingaweb2) on one of which the director is still running.

Our service team can work wonderfully through the director. Permission to host groups and the like.

Can I open the director for “external” customers so that the customer’s changes are only rolled out on one zone / satellite and the customer cannot see the entries etc. from the service team?

Only found this here: “Allow to switch between/use multiple databases · Issue #1498 · Icinga/icingaweb2-module-director · GitHub” … Doesn’t help me with this topic.

You should be able to limit access to the monitoring/director module to specific hosts/service/groups via the Roles menu:
/icingaweb2/role/list

There you can restrict access to the Director module

and the monitoring module

so specific users/groups belonging to that role can only see the configured objects.

The filters you can use are described here:
https://icinga.com/docs/icinga-web-2/latest/modules/monitoring/doc/06-Security/#restrictions

As for the multiple director databases, I had no knowledge of that until now, as it is completely undocumented.
But it seems to work, just tested it:

Configs:

# cat /etc/icingaweb2/resources.ini
...

[icingadirector_db]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingadirector"
username = "icingadirector"
password = "."
use_ssl = "0"
charset = "utf8"

[icingadirector_db_customer]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingadirectorcustomer"
username = "test"
password = "test123"
use_ssl = "0"
charset = "utf8"

# cat /etc/icingaweb2/modules/director/config.ini
[db]
resource = "icingadirector_db"
resources = "icingadirector_db_customer"

Though hitting F5 in the browser always switches me to the primary resource. Not sure if my config is correct like this. As it is an undocumented feature, I’m not sure how stable/usable it really is.

Also, the web interface only updates to the “correct” resource when deploying the config, and the checks for the other resource obviously get “stale”, as they are not executed.
So I’m not really seeing a use case for this atm.

Thanks for your answer.
I also have the roles and filter for our sub service teams. The colleagues can also roll out changes that are waiting for each other.

I found no way to restrict the deployment.
So Group A creates an object… Group B creates an object, and, for example, Group C deploys all changes…

I have already found the double DB topic and tested it.

But I cannot create a permission for a user / group so that they can use the director with this, i.e. (Costumer_DB), resource.

Hope there is a way to use…
Hopefully, creating a separate ICINGA (Master, Slave, DB Cluster, Satellite) for each customer is not the right answer.

Best Regards

You at least can configure the roles in a way that users can create some config objects, but can’t deploy the config.

A satellite for each customer is, imo, the best solution.
You even could install a local db and web interface there and each customer only sees their data.

If you want the customer to additionally manage their own monitored systems, it gets more complex.
Not sure if a multi Director db and interface setup is something one wants to support/maintain.
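
The role setup described in the two answers above (restrict what a role sees in the monitoring and Director modules, and let it create objects without deploying), written out as a roles.ini sketch. This is an added example, not configuration posted in the thread: the role, group and host group names are constructed placeholders, and the permission and restriction names should be checked against the Roles form at /icingaweb2/role/list for the installed module versions.

```ini
; /etc/icingaweb2/roles.ini
; Constructed example. "service-team", "customer-a" and the host group
; "customer-a" are placeholders, not names from the thread.

; Internal service team: sees everything and is the only role that may deploy.
[service-team]
groups      = "service-team"
permissions = "module/monitoring, monitoring/command/*, module/director, director/*"

; Weak variant (do not use for an external customer):
; no restrictions are set, so the role sees every monitored object,
; and director/* includes the deploy permission.
;
; [customer-a]
; groups      = "customer-a"
; permissions = "module/monitoring, module/director, director/*"

; Restricted variant for an external customer.
[customer-a]
groups      = "customer-a"

; Only what the customer needs: view monitoring data and edit hosts in
; the Director. director/deploy is deliberately NOT granted, so objects
; the customer creates stay pending until the service team deploys them.
permissions = "module/monitoring, module/director, director/hosts"

; Monitoring module: limit visible hosts/services to the customer's
; host group (filter syntax as in the 06-Security#restrictions doc
; linked above).
monitoring/filter/objects = "hostgroup_name=customer-a"

; Director module: limit editable hosts to members of this host group
; (comma-separated list of host group names).
director/filter/hostgroups = "customer-a"
```

As the thread points out, whoever holds the deploy permission rolls out all pending changes, so this separates who may edit from who may deploy but does not scope a deployment to one customer's zone.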