[dev.icinga.com #3715] Revamped credential and permission system for the data #1032

Closed
icinga-migration opened this Issue Feb 19, 2013 · 19 comments

Projects

None yet

1 participant

@icinga-migration
Member

This issue has been migrated from Redmine: https://dev.icinga.com/issues/3715

Created by mfrosch on 2013-02-19 14:43:04 +00:00

Assignee: mfrosch
Status: Resolved (closed on 2013-05-06 08:11:40 +00:00)
Target Version: 1.9
Last Update: 2013-05-06 08:11:40 +00:00 (in Redmine)


We are working on some major credential changes for 1.9 and like to her feedback for what we are doing.

Please comment below this issue, I'll refer and maybe also close other issues in favor of this one.

Most of the work and testing will be done by me and Jannis.

Feel free to comment and add suggestions or questions.

Git branches we are working on:
feature/datapermissions*

Cheers
Markus

Step 1

  • Reverting to the "old" credential model with selective joins and sql filters (pre 1.8)
  • Fixing several issues in terms of Role inheritance
  • Connecting the single "targets" by OR instead of AND (some credentials already work like this)
  • Updating/Fixing all basic credentials with full testing

Step 2

  • Aggregating credentials into host / service limits instead of single credentials linked by AND
  • Finding missing indexes in the IDO database

Step 3

  • Testing and verifing the changes with PgSQL and Oracle
  • Performance tunes and testing

The whole idea

The whole credential system will consist of 2 pools of credentials:

  • host
    • hostname matching
    • hostgroups
    • host custom variables
  • services
    • servicename matching
    • servicegroups
    • service custom variables

The rights of a user will be aggregated and inherited from every target that is set on the user directly or a role he is member of.

The permission to grant rights by matching contactname and groups will be working as intended (some fixes are necessary), and it will be working in addition to other credentials the user might have.

A permission filter (in the end of our work) should work like this:

(hostname LIKE 'test%' OR hostname LIKE 'qa%' OR hostgroup = 'testservers' or _HOSTcv1 LIKE= 'test')
AND
(servicename LIKE 'disk%' OR servicename LIKE 'proc%' OR servicegroup = 'unixchecks' OR _SERVICEcv1 LIKE 'team1')

After Step 1 (temporary):

(hostname LIKE 'test%' OR hostname LIKE 'qa%')
AND
(hostgroup = 'testservers')
AND
(servicename LIKE 'disk%' OR servicename LIKE 'proc%')
AND
(servicegroup = 'unixchecks')

The final idea is to build a aggregate of all permissions a user has, but requiring him to match a host and a service credential.

Attachments

Changesets

2013-04-25 11:59:18 +00:00 by mfrosch 1335fd3

Migrated DQLViews to new credential grouping system

* all credentials are added via OR
* and grouped into affecting host and service
* extensions for IcingaDoctrine_Query to allow manipulation
  of the Where DqlParts

refs #3715

2013-04-25 13:04:10 +00:00 by mfrosch 9dc7513

Redesign CustomVariableExtender for new credential system

The WHERE statements are now aggregated correctly to match
the key/values exactly.

fixes #3578
refs #3715

2013-04-25 13:05:57 +00:00 by mfrosch f8f035e

Removed NotificationCustomVariableExtender

This is no longer required with the new CustomVariableExtender.

Migrated the credentials for the Notification View to the new logic.

refs #3715

2013-04-25 13:38:49 +00:00 by mfrosch 4a78f84

Removed CanBeNull feature from Legacy credentials

Not longer needed with the migration to grouped credentials

refs #3715

2013-04-26 09:53:43 +00:00 by mfrosch 0a496b0

Migrated LegacyApi to new credential grouping system

* grouping the credentials like in the DQLViews:
  ((<hostcredentials> AND <servicecredentials>) OR <othercredentials)
* other credentials is Contactgroup stuff
* the credential targets are grouped by OR instead of AND

refs #3715

2013-04-26 09:54:15 +00:00 by mfrosch 4e7c0f7

Redesign CustomVariableExtender for new credential system

The WHERE statements are now aggregated correctly to match
the key/values exactly.

fixes #3578
refs #3715

2013-04-30 15:44:21 +00:00 by mfrosch b982b4f

Fix duplication problem in StatusSummary Cronk

caused by 1-n credential joins

refs #3715
refs #4002

Relations:

@icinga-migration
Member

Updated by ossmon on 2013-02-20 06:58:57 +00:00

Hi,
I hope it will solve also the issue #3578 (it prohibits us to migrate to 1.8.X from 1.7.2). We are ready to test it when you are finished.

@icinga-migration
Member

Updated by mfriedrich on 2013-02-25 08:27:59 +00:00

hmmm, if applicable, i'd like to discuss a backport into current 1.8 tree when this is finally tested for the 1.9 tree.

@icinga-migration
Member

Updated by ossmon on 2013-03-21 14:15:57 +00:00

Hi Markus, when do you think that you will have a version to be tested ?

@icinga-migration
Member

Updated by mfrosch on 2013-04-22 17:50:47 +00:00

I've integrated and pushed the grouped aggregation of credentials to feature/credentials-3715-step2

@mhein: We still need to implement this kind of grouping for the Legacy Api stuff.

And many testing...

@icinga-migration
Member

Updated by ossmon on 2013-04-22 19:25:09 +00:00

Hi Markus, should I test your git version or should I wait for more time ?

@icinga-migration
Member

Updated by mfrosch on 2013-04-23 06:25:23 +00:00

Hey, any test is welcome. It would be great to get your feedback, especially in terms of your use of permissions!

@icinga-migration
Member

Updated by ossmon on 2013-04-23 07:48:02 +00:00

  • File added CVRestriction.JPG

Hi Markus,
i've downloaded and installed your git version (ad31b...).
I've tested with custom variables as described in issue #3578
It doesn't work.

CVRestriction.JPG

2 cases:

In the config exist only one host with a custom variable VAR1 and one of its service has also the same custom variable VAR1.

  1. The user has no restriction. He sees all the hosts and all the services

=> OK

  1. The user has the custom variable VAR1 as restriction for host and service. I will expect that the user only see one host and one service.

=> The user see many hosts and services (not only one)
=> He sees more hosts and services than without restriction

@icinga-migration
Member

Updated by mfrosch on 2013-04-26 10:02:55 +00:00

  • Done % changed from 0 to 80

The branch feature/credentials-3715 has been merged into next.

I think the credential system should now work as intended, please test and also have a look if the detail tabs of a host or service to see if the LegacyApi permissions work as well.

@ossmon: Please test ;)

@tommi / dnsmichi: Could you try the latest changes in a Oracle environment with some credentials?

Thanks

@icinga-migration
Member

Updated by ossmon on 2013-04-26 11:31:09 +00:00

It works fine now ! Congratulation !

@icinga-migration
Member

Updated by Tommi on 2013-04-26 18:53:22 +00:00

Howto test? Which settings/configs are required?

@icinga-migration
Member

Updated by mfriedrich on 2013-04-26 18:56:28 +00:00

set users to special permissions - e.g. hostgroups or servicegroups, and then check if they can only see those. if you have custom vars defined on services or hosts, add the permissions on the user admin panel as well for custom vars, and verify that the user may only see those. last but not least, test mixed permissions, like multiple groups, cvs, and such. should work with all 3 rdbms.

@icinga-migration
Member

Updated by Tommi on 2013-04-28 16:37:02 +00:00

  • File added web19_correct_status_with_root.jpg
  • File added web19_wrong_status.jpg
  • File added web19_wrong_status2.jpg

just did such tests after upgrading to the current next branch. Added a new user (there is another small issue i logged in #3999) and add restriction to one hostgroup, one servicegroup and one (host)custom variable value. This should match for exact one database instance and hiding all others. First off all, no database syntax errors appeared while running my tests. But the Screen contents aren't as expected. It doubled the numbers of services and host and shows services which are not matched with the supplied custom variables when using the restricted user. Just added a few screenshots of this issue

@icinga-migration
Member

Updated by mfriedrich on 2013-04-28 17:34:51 +00:00

  • File added icinga_web_1.9_oracle_permissions_hg_01.png
  • File added icinga_web_1.9_oracle_permissions_hg_02.png

looks like the distinct fix does not work anymore for the status cronk.

first of my test row with oracle: 1 hostgroup, and more.

single hostgroup contains 2 hosts which relate to 6 services. that's totally fine.

(left is iceweasel with the test session, right is chromium with root permissions)

icinga_web_1.9_oracle_permissions_hg_01.png

when i add yet another hostgroup, which also contains both hosts, the display in the grid stays the same (12) but the status cronk counters are wrong. they sump up to 18 being ok, which is not shown in the grid. the correct number is still 12.

icinga_web_1.9_oracle_permissions_hg_02.png

first conclusion - the status cronk counter does not know about the new privileges.

@icinga-migration
Member

Updated by mfriedrich on 2013-04-28 17:41:48 +00:00

  • File added icinga_web_1.9_oracle_permissions_sg_01.png
  • File added icinga_web_1.9_oracle_permissions_sg_03.png
  • File added icinga_web_1.9_oracle_permissions_sg_02.png

there's a pattern: when i use a service group with 3 services attached, and then add another servicegroup with just one service (which is among the 3 others already), then the grid shows the correct count (3), but the status cronk sums that up to 4 (which is wrong).

single big servicegroup
icinga_web_1.9_oracle_permissions_sg_01.png

servicegroup with another servicegroup containing service
icinga_web_1.9_oracle_permissions_sg_03.png

furthermore, the status cronk is broken for hosts - the servicegroup permission seems to not affect it in any way and just shows all counters and even allows to view all hosts, even if they are not related to the servicegroup.

icinga_web_1.9_oracle_permissions_sg_02.png

so for the servicegroups in oracle, there seems to be 2 issues: status cronk counters for services with servicegroups, and host status counters/view overall.

@icinga-migration
Member

Updated by mfriedrich on 2013-04-28 17:43:40 +00:00

  • File added icinga_web_1.9_oracle_permissions_sg_04.png

for the host counters and views - this is the exact same as the full root admin would see, below is a screenshot for you to reproduce.

icinga_web_1.9_oracle_permissions_sg_04.png

@icinga-migration
Member

Updated by mfriedrich on 2013-04-28 18:45:20 +00:00

I've created a dedicated test config for that, used from within the core's test config (which i keep writing for issues and their resolval / regression testing.

https://git.icinga.org/?p=icinga-core.git;a=blob\_plain;f=tests/etc/3715.cfg;hb=69893673906567988829c71813b787e14f10d016

@icinga-migration
Member

Updated by mfriedrich on 2013-04-28 19:38:16 +00:00

further oracle tests on the issue with

  • overlapping creates wrong status cronk counters
  • service restrictions do not affect host counters nor their view in grid

are collected in #4002 as seperated issue.

@icinga-migration
Member

Updated by mfriedrich on 2013-05-04 12:20:01 +00:00

further oracle distinct issues are collected in #4048

@icinga-migration
Member

Updated by mfriedrich on 2013-05-06 08:11:40 +00:00

  • Status changed from Assigned to Resolved
  • Done % changed from 80 to 100

for the initial issue, i consider this resolved and working. thanks for the hard work on this, further bugs may be collected and fixed on the bugfix 1.9.x tree. just make sure to commit often and even more often to allow easier git flowing ;)

@icinga-migration icinga-migration added this to the 1.9 milestone Jan 17, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment