Storing roles in database

Hi guys, we have set up redundant frontends for IcingaWeb2 backed by a single database. Authentication and preferences are successfully shared between the nodes using their respective database backends, but editing roles from the web interface ends up saving on the local roles.ini file.

I skimmed through the documentation and GitHub issues and AFAIK there is no mention anywhere of a database backend for roles.

Am I missing something? How do you share roles between multiple IcingaWeb2 frontends? If there is currently no solution, are there plans for a db role backend in the future?

Thank you

Hi,

currently that’s not possible, but there are plans to change that. I’m not sure if that involves roles.ini as well.

I know that @Carsten built something with DRBD/NFS, that should work very well iirc.

Cheers,
Michael

Yes we are investigating possible workarounds but I’d prefer to not introduce additional potential points of failure with an underlying shared $something (DRBD, NFS, Gluster, whatever).

I have not dived into the code but it should be “just” a matter of implementing a database backend like it has already been done for the config_backend?

I’m not sure how many days of development this will take, since next to implementing the backend schema, forms and storage, you’ll also need to take care of migrations and documentation.

I use GlusterFS for /etc/icingaweb2. Works stable without any problems for years now.

2 Likes

We use a simple rsync that has just permission to sync the roles.ini and a few other icingaweb2 configuration files in our cloud environments where a shared FS is not available. Works fine as well. Only drawback is that you have to wait a full minute until it’s synced in the worst case. :wink:

1 Like

@winem if the cron schedule is a problem you can trigger the job instantly on file changes by leveraging inotify: a systemd path resource or the inotifywait tool will do the trick.

This is not directly applicable on my side because every node could introduce changes; there should be additional logic to prevent / limit race conditions.

1 Like
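The systemd path unit suggested in the post above, paired with the restricted rsync push described earlier in the thread, as an added example that is not part of the original posts. The unit names, the `peer.example` host and the `icingasync` account are hypothetical, and key-based SSH for that account is assumed.

```ini
# /etc/systemd/system/icingaweb2-roles-sync.path  (hypothetical unit name)
[Unit]
Description=Watch IcingaWeb2 roles.ini for changes

[Path]
# Triggers once the file has been written and closed, not on every write.
PathChanged=/etc/icingaweb2/roles.ini
Unit=icingaweb2-roles-sync.service

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/icingaweb2-roles-sync.service  (hypothetical unit name)
[Unit]
Description=Push IcingaWeb2 roles.ini to the peer frontend

[Service]
Type=oneshot
# -a preserves the mtime, so when the peer's own path unit pushes the file
# back, rsync sees an identical size and mtime and transfers nothing.
# --update skips the transfer when the peer's copy is newer.
# peer.example and icingasync are placeholders; the account only needs
# write access to the synced file and its directory on the peer.
ExecStart=/usr/bin/rsync -a --update /etc/icingaweb2/roles.ini icingasync@peer.example:/etc/icingaweb2/roles.ini
```

This removes the cron delay but does not resolve simultaneous edits on two nodes, which is the race condition raised in the post above.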

Oh, true and a good point. Inotify / incron would help here.