This issue has been migrated from Redmine: https://dev.icinga.com/issues/3715
Created by mfrosch on 2013-02-19 14:43:04 +00:00
Status: Resolved (closed on 2013-05-06 08:11:40 +00:00)
Target Version: 1.9
Last Update: 2013-05-06 08:11:40 +00:00 (in Redmine)
We are working on some major credential changes for 1.9 and like to her feedback for what we are doing.
Please comment below this issue, I'll refer and maybe also close other issues in favor of this one.
Most of the work and testing will be done by me and Jannis.
Feel free to comment and add suggestions or questions.
Git branches we are working on:
The whole idea
The whole credential system will consist of 2 pools of credentials:
The rights of a user will be aggregated and inherited from every target that is set on the user directly or a role he is member of.
The permission to grant rights by matching contactname and groups will be working as intended (some fixes are necessary), and it will be working in addition to other credentials the user might have.
A permission filter (in the end of our work) should work like this:
(hostname LIKE 'test%' OR hostname LIKE 'qa%' OR hostgroup = 'testservers' or _HOSTcv1 LIKE= 'test')
(servicename LIKE 'disk%' OR servicename LIKE 'proc%' OR servicegroup = 'unixchecks' OR _SERVICEcv1 LIKE 'team1')
After Step 1 (temporary):
(hostname LIKE 'test%' OR hostname LIKE 'qa%')
(hostgroup = 'testservers')
(servicename LIKE 'disk%' OR servicename LIKE 'proc%')
(servicegroup = 'unixchecks')
The final idea is to build a aggregate of all permissions a user has, but requiring him to match a host and a service credential.
2013-04-25 11:59:18 +00:00 by mfrosch 1335fd3
Migrated DQLViews to new credential grouping system
* all credentials are added via OR
* and grouped into affecting host and service
* extensions for IcingaDoctrine_Query to allow manipulation
of the Where DqlParts
2013-04-25 13:04:10 +00:00 by mfrosch 9dc7513
Redesign CustomVariableExtender for new credential system
The WHERE statements are now aggregated correctly to match
the key/values exactly.
2013-04-25 13:05:57 +00:00 by mfrosch f8f035e
This is no longer required with the new CustomVariableExtender.
Migrated the credentials for the Notification View to the new logic.
2013-04-25 13:38:49 +00:00 by mfrosch 4a78f84
Removed CanBeNull feature from Legacy credentials
Not longer needed with the migration to grouped credentials
2013-04-26 09:53:43 +00:00 by mfrosch 0a496b0
Migrated LegacyApi to new credential grouping system
* grouping the credentials like in the DQLViews:
((<hostcredentials> AND <servicecredentials>) OR <othercredentials)
* other credentials is Contactgroup stuff
* the credential targets are grouped by OR instead of AND
2013-04-26 09:54:15 +00:00 by mfrosch 4e7c0f7
2013-04-30 15:44:21 +00:00 by mfrosch b982b4f
Fix duplication problem in StatusSummary Cronk
caused by 1-n credential joins
Updated by ossmon on 2013-02-20 06:58:57 +00:00
I hope it will solve also the issue #3578 (it prohibits us to migrate to 1.8.X from 1.7.2). We are ready to test it when you are finished.
Updated by mfriedrich on 2013-02-25 08:27:59 +00:00
hmmm, if applicable, i'd like to discuss a backport into current 1.8 tree when this is finally tested for the 1.9 tree.
Updated by ossmon on 2013-03-21 14:15:57 +00:00
Hi Markus, when do you think that you will have a version to be tested ?
Updated by mfrosch on 2013-04-22 17:50:47 +00:00
I've integrated and pushed the grouped aggregation of credentials to feature/credentials-3715-step2
@mhein: We still need to implement this kind of grouping for the Legacy Api stuff.
And many testing...
Updated by ossmon on 2013-04-22 19:25:09 +00:00
Hi Markus, should I test your git version or should I wait for more time ?
Updated by mfrosch on 2013-04-23 06:25:23 +00:00
Hey, any test is welcome. It would be great to get your feedback, especially in terms of your use of permissions!
Updated by ossmon on 2013-04-23 07:48:02 +00:00
i've downloaded and installed your git version (ad31b...).
I've tested with custom variables as described in issue #3578
It doesn't work.
In the config exist only one host with a custom variable VAR1 and one of its service has also the same custom variable VAR1.
=> The user see many hosts and services (not only one)
=> He sees more hosts and services than without restriction
Updated by mfrosch on 2013-04-26 10:02:55 +00:00
The branch feature/credentials-3715 has been merged into next.
I think the credential system should now work as intended, please test and also have a look if the detail tabs of a host or service to see if the LegacyApi permissions work as well.
@ossmon: Please test ;)
@tommi / dnsmichi: Could you try the latest changes in a Oracle environment with some credentials?
Updated by ossmon on 2013-04-26 11:31:09 +00:00
It works fine now ! Congratulation !
Updated by Tommi on 2013-04-26 18:53:22 +00:00
Howto test? Which settings/configs are required?
Updated by mfriedrich on 2013-04-26 18:56:28 +00:00
set users to special permissions - e.g. hostgroups or servicegroups, and then check if they can only see those. if you have custom vars defined on services or hosts, add the permissions on the user admin panel as well for custom vars, and verify that the user may only see those. last but not least, test mixed permissions, like multiple groups, cvs, and such. should work with all 3 rdbms.
Updated by Tommi on 2013-04-28 16:37:02 +00:00
just did such tests after upgrading to the current next branch. Added a new user (there is another small issue i logged in #3999) and add restriction to one hostgroup, one servicegroup and one (host)custom variable value. This should match for exact one database instance and hiding all others. First off all, no database syntax errors appeared while running my tests. But the Screen contents aren't as expected. It doubled the numbers of services and host and shows services which are not matched with the supplied custom variables when using the restricted user. Just added a few screenshots of this issue
Updated by mfriedrich on 2013-04-28 17:34:51 +00:00
looks like the distinct fix does not work anymore for the status cronk.
first of my test row with oracle: 1 hostgroup, and more.
single hostgroup contains 2 hosts which relate to 6 services. that's totally fine.
(left is iceweasel with the test session, right is chromium with root permissions)
when i add yet another hostgroup, which also contains both hosts, the display in the grid stays the same (12) but the status cronk counters are wrong. they sump up to 18 being ok, which is not shown in the grid. the correct number is still 12.
first conclusion - the status cronk counter does not know about the new privileges.
Updated by mfriedrich on 2013-04-28 17:41:48 +00:00
there's a pattern: when i use a service group with 3 services attached, and then add another servicegroup with just one service (which is among the 3 others already), then the grid shows the correct count (3), but the status cronk sums that up to 4 (which is wrong).
single big servicegroup
servicegroup with another servicegroup containing service
furthermore, the status cronk is broken for hosts - the servicegroup permission seems to not affect it in any way and just shows all counters and even allows to view all hosts, even if they are not related to the servicegroup.
so for the servicegroups in oracle, there seems to be 2 issues: status cronk counters for services with servicegroups, and host status counters/view overall.
Updated by mfriedrich on 2013-04-28 17:43:40 +00:00
for the host counters and views - this is the exact same as the full root admin would see, below is a screenshot for you to reproduce.
Updated by mfriedrich on 2013-04-28 18:45:20 +00:00
I've created a dedicated test config for that, used from within the core's test config (which i keep writing for issues and their resolval / regression testing.
Updated by mfriedrich on 2013-04-28 19:38:16 +00:00
further oracle tests on the issue with
are collected in #4002 as seperated issue.
Updated by mfriedrich on 2013-05-04 12:20:01 +00:00
further oracle distinct issues are collected in #4048
Updated by mfriedrich on 2013-05-06 08:11:40 +00:00
for the initial issue, i consider this resolved and working. thanks for the hard work on this, further bugs may be collected and fixed on the bugfix 1.9.x tree. just make sure to commit often and even more often to allow easier git flowing ;)