Redis user ACL for icingadb

Hi,

What is the minimum user ACL for the Redis user used by icingadb?

Every time I restrict the user to keys in

~icinga:* 
~icingadb:*

I get a backtrace that keys are not accessible. I tried running with ~* and dumped the keys and I fail to see keys not in those prefixes:

Dec 20 15:37:17 pax icingadb[15499]: NOPERM No permissions to access a key
                                     can't execute Redis script
                                     github.com/icinga/icingadb/pkg/icingadb/overdue.Sync.sync
                                             github.com/icinga/icingadb/pkg/icingadb/overdue/sync.go:164
                                     github.com/icinga/icingadb/pkg/icingadb/overdue.Sync.Sync.func4
                                             github.com/icinga/icingadb/pkg/icingadb/overdue/sync.go:74
                                     golang.org/x/sync/errgroup.(*Group).Go.func1
                                             golang.org/x/sync@v0.12.0/errgroup/errgroup.go:78
                                     runtime.goexit
                                             runtime/asm_amd64.s:1700

users.acl in Redis:

user icingadb >SecurePassword allchannels ~icinga:* ~icingadb:* allcommands on

A feature request would be to log the key that it tried to access.

Flo

Thanks for posting. Based on your stack trace, the get_overdues.lua script cannot be executed in Redis.

This script gets a temporary key which is used temporarily and directly deleted afterwards. However, we could consider prefixing this one.


Btw, it seems like you are running an outdated Icinga DB version. Please consider upgrading.

Quick update: Icinga DB should now only use keys from the icinga and icingadb namespaces. This was changed in #1058 and will be documented via #1064. Thanks again for reporting this issue.
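
The reply explains why a key dump never shows the offending key: it only exists while the script runs. As an added example (not from the thread or the Icinga DB code base), this Python check compares the key names passed to a script call against the ~ patterns of a users.acl line. The key names are constructed, and only ~pattern, allkeys and resetkeys with *, ? and backslash escapes are handled.

```python
import re

# The users.acl line from the post above.
ACL_LINE = "user icingadb >SecurePassword allchannels ~icinga:* ~icingadb:* allcommands on"

# Constructed key names standing in for the KEYS of one script call;
# the last one plays the role of the unprefixed temporary key.
SCRIPT_KEYS = ["icinga:example:host", "icingadb:example:host", "tmp-example-0001"]


def key_patterns(acl_line):
    """Return the key patterns granted by one users.acl line."""
    patterns = []
    for token in acl_line.split()[2:]:  # skip "user <name>"
        if token == "allkeys":          # alias for ~*
            patterns.append("*")
        elif token == "resetkeys":      # drops every pattern seen so far
            patterns.clear()
        elif token.startswith("~"):
            patterns.append(token[1:])
    return patterns


def glob_regex(pattern):
    """Compile a Redis glob limited to *, ? and backslash escapes."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append(".*")
        elif c == "?":
            out.append(".")
        elif c == "[":
            raise ValueError("bracket classes are not handled by this example")
        else:
            if c == "\\" and i + 1 < len(pattern):
                i += 1  # a backslash makes the next character literal
            out.append(re.escape(pattern[i]))
        i += 1
    return re.compile("".join(out), re.DOTALL)


def keys_outside_acl(acl_line, keys):
    """Return the keys that no key pattern of the ACL line allows."""
    regexes = [glob_regex(p) for p in key_patterns(acl_line)]
    return [k for k in keys if not any(r.fullmatch(k) for r in regexes)]


if __name__ == "__main__":
    print(keys_outside_acl(ACL_LINE, SCRIPT_KEYS))
```

On a live server, Redis records each denial in its ACL log: ACL LOG returns entries whose object field holds the key name when the reason is key.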