yesterday I just got noticed about a possible problem with the visibility of hosts and servers in Icingaweb2, when a user is member of several AD groups. Before creating an issue, I will discuss it here:
I am managing the visibility of hosts and servers via roles, hosts and service variables, filter and AD groups. E.g. We have a Icingaweb role “A”. This role has an Active Directory group “A-Devs” assigned. Only this group, no users. The monitoring/filter/objects for this role are
and there are
vars.team += "[A-Dev]" host and service variables in the Icinga config (DSL, no director).
Then there is a second role “B”, with an AD Group assigned “B-Devs” and the filter
_host_team=*"B-Dev"*|_service_team=*"B-Dev"* and so on…
So yesterday I got a situation, where a user of “A”, also wanted to see the hosts and services of “B”. But adding him to the “B-Dev” AD group did not resolved the problem. He still just saw the hosts and servers of “A”. After deleting him from the “A-Dev” AD group, he finally could see the “B” hosts and servers. In this case, it was not problematic, because “A” was his former team and “B” is his new one. But as I read the Icingaweb Docs correctly, he should see both “A” and “B”:
When multiple roles assign restrictions to the same user, either directly or indirectly through a group, all filters will be combined using an OR-Clause , resulting in the final expression:
So in my understanding, if a user is member of several groups, he should see all hosts and servers of these groups. But that currently doesn’t seem to work. Strange part is, I am sure, it was working in the past. The alphabetical order also seems to play a part here, as “A” matched earlier than “B”. I am currently at Icingaweb 2.8.0.
Anybody an idea, if there is sth. wrong? The filter rules for the roles where told to my by @elippmann a long time ago back in the monitoring-portal.