Own Icingaweb2 Module only shown with "Allow Anything *" Role

tux12fun · June 19, 2019, 9:43am

Hi,

Currently I write a Module for Icingaweb2 and this Module looks like this:

namespace Icinga\Module\CeGraph;

use Icinga\Module\Monitoring\Object\MonitoredObject;
use Icinga\Module\Monitoring\Object\Host;
use Icinga\Module\Monitoring\Object\Service;
use Icinga\Application\Hook\GrapherHook;
use Icinga\Web\Url;

class Grapher extends GrapherHook{
....

public function getPreviewHtml(MonitoredObject $object){
   return "myHTMLCodeForGraph";
}

The Problem: This Module is only shown with Rolle Allow Anything *" Role.

With this role everything is working fine and the IFrame with the Graph is shown.

Have I missed something with a rights Mangement? and is there any Guide where i can fetch this knowlege?

Icingaweb2 is the latest version from Repo on a Ubuntu 18.04.2 with PHP7.2

dnsmichi · June 19, 2019, 11:04am

Hi,

Allow to access module cegraph (module/cegraph) should be available inside the Roles configuration pane automatically. Can you share the content of configuration.php if existing?

If you need more fine granular permissions or restrictions, such as limited access to graphs, you can provide them via configuration.php and check them in the particular functions then, e.g. when rendering a graph.

The Graphite module has a debug permission for example …

github.com

Icinga/icingaweb2-module-graphite/blob/master/configuration.php#L22


    'label' => $this->translate('Backend'),
    'url' => 'config/backend'
));


$this->provideConfigTab('advanced', array(
    'title' => $this->translate('Advanced configuration'),
    'label' => $this->translate('Advanced'),
    'url' => 'config/advanced'
));


$this->providePermission('graphite/debug', $this->translate('Allow debugging directly via the web UI'));

… which is checked here …

github.com

Icinga/icingaweb2-module-graphite/blob/master/library/Graphite/Util/InternalProcessTracker.php#L50


    return self::$enabled;
}


/**
 * Enable recording
 *
 * @throws SecurityException
 */
public static function enable()
{
    if (! Auth::getInstance()->hasPermission('graphite/debug')) {
        throw new SecurityException('No permission for graphite/debug');
    }


    self::$enabled = true;
}


/**
 * Introduce a "sub-process"
 */
public static function indent()

Another example for filters is provided within the business process module, and others around.

Cheers,
Michael

tux12fun · June 19, 2019, 11:09am

Hello Michael,

I don’t have a configuration.php file. In Icinga2 the permission for

is set, in the Role. So i expected to see the Graph. But it is only visible if I add:

After my meeting, I try to add the check “hasPermission” to debug the rights.

Thank you for your quick reply.

dnsmichi · June 19, 2019, 11:36am

Can you share the code in a GitHub repo to get a better idea or even try it out?

tux12fun · June 19, 2019, 12:24pm

Hello Michael,

I’ve stripped down my Module to this view lines of code. And surprise the init function isn’t called without the “Alles erlauben (*)” rule.

Folder Structure
=============
root@sm01:/usr/share/icingaweb2/modules/CeGraph# find . -type f -ls
   1576360      4 -rw-r--r--   1 root     root           82 Jun 18 09:45 ./module.info
   1576380      0 -rw-r--r--   1 root     root            0 Jun 19 14:08 ./application/views/scripts/index/index.phtml
   1576379      4 -rw-r--r--   1 root     root          176 Jun 18 10:03 ./application/controllers/IndexController.php
   1576361      4 -rw-r--r--   1 root     root           74 Jun 19 14:03 ./run.php
   1576362      8 -rw-r--r--   1 root     root         6086 Jun 19 14:06 ./library/CeGraph/Grapher.php

Content of important Files:

=== run.php ===
<?php
    $this->provideHook('grapher', 'Icinga\\Module\\CeGraph\\Grapher');

=== IndexController.php ===
<?php
use Icinga\Web\Controller;
class CeGraph_IndexController extends Controller {
    public function indexAction() {
        $this->setViewScript('index/iframe');
    } 
}

=== Grapher.php ===
<?php
namespace Icinga\Module\CeGraph;
use Icinga\Module\Monitoring\Object\MonitoredObject;  
use Icinga\Module\Monitoring\Object\Host; 
use Icinga\Module\Monitoring\Object\Service;
use Icinga\Application\Hook\GrapherHook; 
use Icinga\Web\Url;

class Grapher extends GrapherHook{
    protected function init(){
       die("Initialized");
    }

   public function getPreviewHtml(MonitoredObject $object){
      return "test";
   }
   
   public function has(MonitoredObject $object){
       if ($object instanceof Host) {
          $service = 'Hostcheck';
       } elseif ($object instanceof Service) {
          $service = $object->service_description;
       } else {
          return false;
       }

      $host = $object->host_name;
      return true;
   }

Can it be possible that there is any permission for the Hook that is missing?

tux12fun · July 1, 2019, 8:09am

@dnsmichi haben Sie noch eine Idee, woran es liegen könnte?

Vielen Dank schon mal an dieser Stelle, dass Sie sich den Post
genauer angesehen haben.

dnsmichi · July 1, 2019, 8:32am

Please stick with English to allow others to follow the conversation.

I didn’t have time yet to look into it, my schedule is very full. Maybe @nilmerg can peek into it and immediately tell you about the error.

Cheers,
Michael

nilmerg · July 1, 2019, 9:16am

Might it be the case that the role for which your graph is not shown has also access to another module which provides graphs?

Icinga Web 2 does only render a single graphing extension to the detail view. So if another module also provides one and is loaded first, its graph is displayed instead of yours.

If that’s the case, try the DetailViewExtensionHook which doesn’t have this limitation. Though, be aware that we didn’t put this limitation there without reason. Graphing extensions tend to increase the loading times, multiple ones even further.

tux12fun · July 1, 2019, 11:39am

Hello Johannes,

I have only one module that implements the GrapherHook. And if I add “Allow everything (*)” the Module is executed. If I remove the right my Plugin disappears even the Allow access to the Module is set. Initialization isn’t even called.

nilmerg · July 3, 2019, 5:35am

Try to use the namespace Icinga\Module\Cegraph instead. Note the lowercase g. There’s some matching going on and I fear it can’t cope with mixed case very well.

Additionally, consider to use the namespace Icinga\Module\Cegraph\Controllers for file IndexController.php. This way you can remove the CeGraph_ prefix in the class name.

tux12fun · July 3, 2019, 8:15am

Hello Johannes,

I’ve debuged a bit into the /usr/share/php/Icinga/Application/Hook.php and I can see, that the permission is only true if the module name is in lower case letters otherwise the

protected static function hasPermission($class)

is returning a false.

But i don’t understand his behavior until now

tux12fun · July 3, 2019, 8:24am

Currently I get an:

Erraneous hook implementation, class "Icinga\Module\cegraph\Grapher" does not exist

#0 /usr/share/php/Icinga/Application/Hook.php(281): Icinga\Application\Hook::createInstance(String,         String)
#1     /usr/share/icingaweb2/modules/monitoring/library/Monitoring/Web/Controller/MonitoredObjectController    .php(50): Icinga\Application\Hook::all(String)
#2 /usr/share/php/Icinga/Web/Controller/ActionController.php(151):     Icinga\Module\Monitoring\Web\Controller\MonitoredObjectController->prepareInit()
#3 /usr/share/php/Icinga/Web/Controller/Dispatcher.php(59): Icinga\Web\Controller\ActionController->__construct(Object(Icinga\Web\Request), Object(Icinga\Web\Response), Array)
#4 /usr/share/icingaweb2/library/vendor/Zend/Controller/Front.php(937): Icinga\Web\Controller\Dispatcher->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#5 /usr/share/php/Icinga/Application/Web.php(300): Zend_Controller_Front->dispatch(Object(Icinga\Web\Request), Object(Icinga\Web\Response))
#6 /usr/share/php/Icinga/Application/webrouter.php(104): Icinga\Application\Web->dispatch()
#7 /usr/share/icingaweb2/public/index.php(4): require_once(String)
#8 {main}

—.

/usr/share/icingaweb2/modules/cegraph# find .
.
./module.info
./application
./application/views
./application/views/scripts
./application/views/scripts/index
./application/views/scripts/index/index.phtml
./application/controllers
./application/controllers/IndexController.php
./run.php
./library
./library/cegraph
./library/cegraph/Grapher.php


cat run.php
<?php

$this->provideHook('Grapher', 'Icinga\\Module\\cegraph\\Grapher');

tux12fun · July 3, 2019, 8:37am

Now its working. It’s all a naming Problem with upper und lowercase letters. - Someting to blast your mind.

cegraph/
cegraph/module.info
cegraph/application
cegraph/application/views
cegraph/application/views/scripts
cegraph/application/views/scripts/index
cegraph/application/views/scripts/index/index.phtml
cegraph/application/controllers
cegraph/application/controllers/IndexController.php
cegraph/run.php
cegraph/library
cegraph/library/Cegraph
cegraph/library/Cegraph/Grapher.php

Module Directory have to be in lowercase. in Run.php the Directory have to start with an upper case letter and in the library directory it have to be with an upper case letter. Namespace an in Class has lowercase letter.

cat run.php
<?php
   $this->provideHook('Grapher', 'Icinga\Module\Cegraph\Grapher');

cat library/Cegraph/Grapher.php
<?php
 namespace Icinga\Module\cegraph;
use Icinga\Module\Monitoring\Object\MonitoredObject;
use Icinga\Module\Monitoring\Object\Host;
use Icinga\Module\Monitoring\Object\Service;
use Icinga\Application\Hook\GrapherHook;
use Icinga\Web\Url;

use Icinga\Authentication\Auth;
use Icinga\Security\SecurityException;

class Grapher extends GrapherHook{
....

nilmerg · July 3, 2019, 10:55am

Correct.

Incorrect. Namespaces are supposed to be uppercase first. (i.e. namespace Icinga\Module\Cegraph;)