Respect Service Template Zones in Service Sets #2356
Comments
|
ref/IP/34331 |
|
There is also a security aspect to this: Currently, if one sets a password as a variable (custom properties) on a service in a service set, the password is deployed to all the agents and can be found as plaintext in For example, if we have a service set for our mysql-servers including the password for the database connection, this password can be found on all the other hosts as well, even if they are not using said service set. This means the external development company that has root-permissions on a dev-system can get the mysql password. This could be prevented by setting the zone to |
|
I also discussed the security aspect in the Icinga community. https://community.icinga.com/t/how-to-store-passwords-credentials/8029 |
|
ref/NC/761567 |
|
ref/IP/43726 @Thomas-Gelf Can we please have this with v1.11? 😃 |
|
@bobapple: sure! It's already in the master, but was pinned to the wrong GitHub milestone. Has been fixed, thank you! |
Expected Behavior
I want to be able to put Services in specific Zones by tweaking their Templates
Current Behavior
While this works fine for Single Services (and Apply Rules), it doesn't work as expected for Service Sets. It's possible to tweak the zone property of the Service, but Service (Set) Apply Rules are still rendered to the global zone.
Technical reason: the "main" object tells the Config Renderer about it's preferred Zone. In this case, the Set is this "main object". As the Set has no Zone, the Renderer falls back to it's default decision tree. It never "talks" to single Services, as they do not exist at all - the Set generates them on the fly for rendering purposes only.
Possible Solution
Fix this 🤣. And have a look at #1589, it is related.
The text was updated successfully, but these errors were encountered: