Dear list,
I have a couple of questions regarding Icingaweb2 and the way
permissions, roles and filters are applied.
(a)
Let's say I have a couple of users, groups for them and roles because
different Ops teams are working with Icinga2.
Each Ops team shall only change the objects they are responsible for
(e.g. tomcat servers), while they should be able to see all objects
within Icinga2 at the same time. This is something which could be useful
when there are issues within the infrastructure and their
servers/services are affected. They should be able to see if only their
stuff is affected or if the whole infrastructure goes down (or some
network hardware in the neighbourhood, for example).
How do I apply roles and filters correctly then? In my case, I tried to
create the role "tomcat admins", allowed access to module/monitoring
(e.g. with filter host_name=*) and then added e.g. the permission to
delete downtimes for hosts and services
(monitoring/command/downtime/delete). I can't add another filter here
only applying to this second permission set, since a filter is already
set and always seems to refer to all selected permissions.
So I guess I can't do what I need within one role, am I correct? In my
opinion, filters, blacklists etc. should always come in pair with a
permission set, so you can set filters individually for each selected
permission.
(b) I tried something else afterwards. I added role "sees-everything"
which basically grants access to all monitoring objects and then added
another role called "tomcat admins" which has a filter on
host_name=tomcat* and the permission set monitoring/command/downtime/delete.
Now, when I apply both roles to the same set of users, the result is
unexpected. Instead of all permissions with their filters being "merged"
correctly, the strongest filter (host_name=*) was applied and the users
can delete downtimes for all hosts (not only for those starting with
"tomcat").
Is this an expected behaviour? Did you guys encounter something similar?
Or am I reading the documentation wrong and this is supposed to happen?
I am thankful for every input!
Best regards
Valentin
--
Valentin Höbel
Senior Consultant IT Infrastructure
mobil 0711-30585357
Linux Information Systems
LIS Stuttgart GmbH
Talstraße 41 70188 Stuttgart Germany
Geschäftsführer Tilo Mey
Amtsgericht Stuttgart, HRB 729287, Ust-IdNr DE264295269
Volksbank Stuttgart EG, BIC VOBADESS, IBAN DE75600901000340001003
_______________________________________________
icinga-users mailing list
icinga-users@lists.icinga.org
https://lists.icinga.org/mailman/listinfo/icinga-users
