Per host api user for passive check submission

Hi,

I am a big fan of passive checks, e.g. a gitlab-runner Docker container sending the result of stuff. So I am using the icinga2 REST API to submit check results.

The point now is that I'd like to further tighten login credential "distribution" in the infrastructure. So basically I'd like to have an API user per agent host being able to submit only results for THAT host's services, typically only on that host's icinga2 agent.

Does anyone have a nice automated solution for this? I guess I can't generate API users with the icinga2 DSL using some "secret" to be combined with the hostname, sha1, base64 to generate a password.

Or am I just too paranoid or thinking in the wrong direction?

Flo

Hi @fl0h0ff!

Have you tried restricting ApiUser permissions with filters?

https://icinga.com/docs/icinga-2/latest/doc/12-icinga2-api/#permissions

Best,
A/K

[lambda - How can I limit Icinga2 API permissions to only allow changing a single check result? - Stack Overflow]

First things first:
Limit the rights of the user with the permissions entry, if not already done:

permissions = [ "actions/process-check-result" ]

One idea:
Write a script that reads the Icinga hosts with the Icinga API and creates a passive-api-users.conf with the following content; you can choose how to generate your passwords.

object ApiUser "host1" {
  password = "<redacted>"
  permissions = [
    {
      permission = "actions/process-check-result"
      filter = {{ host.name == "host1" }}
    }
  ]
}

object ApiUser "host2" {
  password = "<redacted>"
  permissions = [
    {
      permission = "actions/process-check-result"
      filter = {{ host.name == "host2" }}
    }
  ]
}
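The generator sketched in the reply above, as an added example that is not part of the original post and not code from icinga2-usersyncd. It assumes (none of this is in the thread) that host names are read with a GET /v1/objects/hosts query (a constructed list stands in for it when run offline), that each password is derived as base64url(HMAC-SHA256(secret, hostname)) instead of the sha1/base64 combination mentioned in the question, and that ApiUser names carry a `passive-` prefix. It also refuses host names that could break out of the DSL string literal inside the filter, since the filter is what keeps one agent from writing another host's results.

```python
"""Per-host passive-check ApiUser generator for Icinga 2.

Added example for this thread; not code from the original posts or from
icinga2-usersyncd. Assumptions (not from the thread): host names come from
a GET /v1/objects/hosts query (a constructed list stands in for it offline),
passwords are base64url(HMAC-SHA256(secret, hostname)), names are prefixed
with "passive-".
"""
import base64
import hashlib
import hmac
import json
import re
import ssl
import urllib.request

# Host names get embedded in DSL string literals; refuse anything that could
# close the quote and widen the permission filter.
SAFE_HOSTNAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def derive_password(secret: bytes, hostname: str) -> str:
    """Deterministic per-host password: base64url(HMAC-SHA256(secret, hostname)).

    The same secret and host name always give the same password, so the agent
    side can derive it locally instead of receiving a per-host credential file.
    """
    mac = hmac.new(secret, hostname.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def api_user_object(hostname: str, password: str, prefix: str = "passive-") -> str:
    """Render one ApiUser limited to process-check-result on its own host.

    The filter matches the Host object and its Service objects alike, because a
    Service's parent host is exposed as `host` in the filter scope.
    """
    if not SAFE_HOSTNAME.match(hostname):
        raise ValueError(f"unsafe host name for config generation: {hostname!r}")
    return (
        f'object ApiUser "{prefix}{hostname}" {{\n'
        f'  password = "{password}"\n'
        f'  permissions = [\n'
        f'    {{\n'
        f'      permission = "actions/process-check-result"\n'
        f'      filter = {{{{ host.name == "{hostname}" }}}}\n'
        f'    }}\n'
        f'  ]\n'
        f'}}\n'
    )


def render_conf(hostnames, secret: bytes) -> str:
    """Build the whole passive-api-users.conf, one object per unique host."""
    return "\n".join(
        api_user_object(h, derive_password(secret, h)) for h in sorted(set(hostnames))
    )


def fetch_hostnames(base_url: str, user: str, password: str, ca_file: str) -> list:
    """Read host names from the Icinga 2 API (user needs objects/query/Host).

    Hypothetical helper, not exercised offline; base_url is e.g.
    "https://icinga.example:5665".
    """
    req = urllib.request.Request(f"{base_url}/v1/objects/hosts?attrs=name")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", "application/json")
    ctx = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return [r["name"] for r in json.load(resp)["results"]]


if __name__ == "__main__":
    # Constructed sample input standing in for fetch_hostnames(...).
    sample_hosts = ["host2", "host1", "host1"]
    print(render_conf(sample_hosts, b"replace-with-a-long-random-deployment-secret"))
```

Drop the output into the master's configuration, validate it with `icinga2 daemon -C` and reload. Then test the boundary, not just the happy path: submitting a result for `host1` as `passive-host2` must be rejected by the API. If you would rather not keep plaintext passwords in the file, the ApiUser object also accepts a `password_hash` attribute instead of `password`.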

Finally, yes. Please take a look at GitHub - wolneykien/icinga2-usersyncd: A daemon to synchronize ApiUser entries with Host agents on an Icinga 2 instance.

Maybe the agent certificate could be reused instead of the API user PW?

Indeed, it is reused:

resp = self.client.objects.create(
    "ApiUser", self.prefix + hostname,
    templates = self.templates,
    attrs = {
        "client_cn": hostname
    }
)

The certificate with CN=<hostname> is the agent certificate. However, the very task was to have a per-host API user (or, more precisely, per-agent certificate API user). What could we use instead of API (and API user) to push data to Icinga?