I am about to get familiar with Icinga2 and we have a problem with reporting which I hope to get help/explanation here.
We have IcingaWeb2 v2.9.5 set up. Reporting v0.10, including pdf export and scheduling, is properly working on our RHEL8 system. Many different systems are being monitored and we have different subsets of people with different permissions.
There are host/service groups which names are staring with CDDR. They group all hosts/services which can be viewed from anybody who is allowed to login to our IcingaWeb frontend. This is realized by roles.ini as following:
users = “icingaadmin”
permissions = “"
monitoring/filter/objects = "”
groups = “*”
users = “*”
permissions = “module/monitoring,user/password-change”
monitoring/filter/objects = “hostgroup_name=CDDR*&servicegroup_name=CDDR*”
If anybody - even icingaadmin - creates a report, any filter in that report is just applied to objects in those CDDR groups. No chance to include hosts and services which do not belong to that groups (unfortunately that are the most objects).
It seems to us like the reporting module accesses the database with some id that applies to that “*/*” section in roles.ini. Our expected behavior was that the reporting module acts with the same permissions as the user who is logged in trying to create a report.
I hope I could express the problem somehow clear enough with my (yet) limited skill about Icinga.
Do we have a wrong understanding about how reporting acts? Where could we start to troubleshoot? Is this expected behavior and we need to redesign our permissions?
1000Thx in advance for reading and your ideas on that!