[Check_mk (english)] livestatus bug: empty hostgroups returned with authorization

Hi,
I have a problem with empty hostgroups and livestatus. We have two
Icinga back-ends with partial Icinga configurations synced. I have the
same set of hostgroups on both back-ends. One backend has only a few
monitored hosts and a number of hostgroups are empty.
An authenticated user on Multisite sees these empty hostgroups. I think
that at least with group_authorization strict (default), these empty
groups should not be shown.

I tested this problem with livestatus a bit more deeply during the
upgrade to CheckMK 1.2.2p3 (Debian package).
I tried this with livestatus from GIT HEAD; I was especially curious
whether the following commits affect the behaviour:

    commit 76b29d95d0f4899f29796bbb7a468ffdec822302
    Author: Andreas Boesl <ab@mathias-kettner.de>
    Date:   Thu Jul 10 14:11:48 2014 +0200

        FIX table servicegroups: fixed service visibility when using group_authorization AUTH_STRICT

        This only applies with the setting group_authorization = AUTH_STRICT

        When an auth user was given, the livestatus table servicegroups did not check if the auth
        user had permissions to all objects of the servicegroup.
        As a result the user was able to view servicegroups, even if he was not a contact for every object in it.
        However, the "forbidden" object itself was not returned, just a subset of the group.
        This was incorrect. The user needs to be a contact of every element in this group.
        Otherwise he should not see the group at all.

    commit e29b47d102b2b1baf35a3dbc7ce8888403a743b3
    Author: Andreas Boesl <ab@mathias-kettner.de>
    Date:   Wed Apr 2 15:40:06 2014 +0200

        FIX livestatus table hostsbygroup: fixed bug with group_authorization strict

        On calling the livestatus table hostsbygroup with an AuthUser the table
        did not hide the entire hostgroup in case the group_authorization was set to strict
        and one host in the group was not a contact for the AuthUser.

        This has been fixed.

        With the group_authorization strict setting the AuthUser now
        needs to be a contact of every host in the hostgroup, otherwise the hostgroup
        is not shown at all.

Unfortunately the problem is still there:

    mon2:~# { echo 'GET status'; echo 'Columns: livestatus_version'; echo; echo; } | nc nms1.i.cz 6557
    1.2.5i5

    mon2:~# { echo 'GET hostgroups'; echo 'Columns: name'; echo 'AuthUser: zito'; echo; echo; } | nc nms1.i.cz 6557
    Resitel-ENV-PLZ
    Resitel-HEA
    Resitel-IIT-EUS-PLZ
    Resitel-IIT-Firewall
    Resitel-IIT-Unix
    Resitel-Stable-Miton-IIT-UNIX
    SLA15x5
    SLA8x7

User zito sees some hostgroups where he is a contact for the member hosts,
but there are no hosts in the hostgroups Resitel-Stable-Miton-IIT-UNIX,
SLA15x5, SLA8x7.
The Multisite view "Hostgroups (Summary)" shows these hostgroups, but
the numbers of hosts are zero for these.

Cheers
--
Zito

I think this is right - the user can see the hostgroup as he is a contact for all hosts (0) :slight_smile:
But I don't know if this is working as intended.

br

Andreas

2014-07-13 23:41 GMT+02:00 Václav Ovsík vaclav.ovsik@i.cz:

checkmk-en mailing list

checkmk-en@lists.mathias-kettner.de

http://lists.mathias-kettner.de/mailman/listinfo/checkmk-en

The user is a contact for a subset of the monitored hosts. I think that the user
should see only hostgroups with at least one host.

All hostgroups without limit (without AuthUser):

    mon2:~# { echo 'GET hostgroups'; echo 'Columns: name'; echo; echo; } | nc nms1.i.cz 6557
    Loc-ICZ-BRN
    Loc-ICZ-CBU
    Loc-ICZ-OPA
    Loc-ICZ-PLZ
    Loc-ICZ-PRG
    Loc-ICZ-PRG-GTSTelehouse
    Loc-ICZ-TRE
    Resitel-Alarm
    Resitel-ENV-BRN
    Resitel-ENV-CBU
    Resitel-ENV-OPA
    Resitel-ENV-PLZ
    Resitel-ENV-PRG
    Resitel-ENV-TRE
    Resitel-HEA
    Resitel-IIT-Cisco
    Resitel-IIT-ECM
    Resitel-IIT-EUS-BRN
    Resitel-IIT-EUS-CBU
    Resitel-IIT-EUS-OPA
    Resitel-IIT-EUS-PLZ
    Resitel-IIT-EUS-PRG
    Resitel-IIT-EUS-TRE
    Resitel-IIT-Firewall
    Resitel-IIT-HELPDESK
    Resitel-IIT-IPT-Alcatel
    Resitel-IIT-IPT-Cisco
    Resitel-IIT-Kamery
    Resitel-IIT-MS-Win
    Resitel-IIT-Unix
    Resitel-INFRA-Unix
    Resitel-MSP
    Resitel-MZV
    Resitel-ROB
    Resitel-Stable-Miton-IIT-UNIX
    Resitel-VZP-Digi
    Resitel-Zelenina
    SLA12x5
    SLA15x5
    SLA24x7
    SLA8x5
    SLA8x7
    SLAnepozorujeme

Nonexistent account - nothing is visible:

    mon2:~# { echo 'GET hostgroups'; echo 'Columns: name'; echo 'AuthUser: unknown'; echo; echo; } | nc nms1.i.cz 6557

My contact:

    mon2:~# { echo 'GET hostgroups'; echo 'Columns: name'; echo 'AuthUser: zito'; echo; echo; } | nc nms1.i.cz 6557
    Resitel-ENV-PLZ
    Resitel-HEA
    Resitel-IIT-EUS-PLZ
    Resitel-IIT-Firewall
    Resitel-IIT-Unix
    Resitel-Stable-Miton-IIT-UNIX
    SLA15x5
    SLA8x7

Other contact:

    mon2:~# { echo 'GET hostgroups'; echo 'Columns: name'; echo 'AuthUser: midl'; echo; echo; } | nc nms1.i.cz 6557
    Resitel-ROB
    Resitel-Stable-Miton-IIT-UNIX
    SLA15x5
    SLA8x7

The hostgroups Resitel-Stable-Miton-IIT-UNIX, SLA15x5, SLA8x7 are empty.
The contact midl is responsible only for hosts from hostgroup Resitel-ROB and
should not see hostgroups Resitel-Stable-Miton-IIT-UNIX, SLA15x5, SLA8x7.

I think it makes sense to hide empty hostgroups. Correction - this is not a
bug report but a feature request... :wink:
Cheers

On Mon, Jul 14, 2014 at 09:03:29AM +0200, Andreas Döhler wrote:

> I think this is right - the user can see the hostgroup as he is a contact for
> all hosts (0) :slight_smile:
> But I don't know if this is working as intended.

--
Zito

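As an added illustration (not Check_mk or Livestatus code, and not written by anyone in the thread), a Python model of the strict-mode hostgroup check that reproduces the vacuous-truth result for empty groups and the "at least one member" rule proposed above. Group and contact names are taken from the thread; the hostnames, the host-to-contact mapping, and the query builder's request format are assumptions based on the nc examples.

```python
# Added example (not Check_mk's own code): a model of how Livestatus filters the
# hostgroups table for an AuthUser under group_authorization strict, why an empty
# group passes for every contact, and the "at least one member" rule proposed here.
# Group/contact names come from the thread; hosts and host->contact are constructed.
from typing import Callable, Dict, List, Set

# hostgroup -> member hosts (the three groups that are empty in the report)
HOSTGROUPS: Dict[str, List[str]] = {
    "Resitel-ROB": ["rob-srv1", "rob-srv2"],
    "Resitel-IIT-Unix": ["unix-srv1"],
    "Resitel-Stable-Miton-IIT-UNIX": [],
    "SLA15x5": [],
    "SLA8x7": [],
}
# host -> contacts (constructed: midl is responsible only for Resitel-ROB)
CONTACTS: Dict[str, Set[str]] = {
    "rob-srv1": {"midl"},
    "rob-srv2": {"midl"},
    "unix-srv1": {"zito"},
}

def is_contact(user: str, host: str) -> bool:
    return user in CONTACTS.get(host, set())

def strict(user: str, group: str) -> bool:
    # group_authorization strict: contact of EVERY host. all() over an empty
    # group is vacuously True, which is exactly what the thread observed.
    return all(is_contact(user, h) for h in HOSTGROUPS[group])

def strict_nonempty(user: str, group: str) -> bool:
    # The rule proposed in the thread: additionally require at least one member.
    return bool(HOSTGROUPS[group]) and strict(user, group)

def hostgroups_for(user: str, rule: Callable[[str, str], bool] = strict) -> List[str]:
    """Names that 'GET hostgroups' with 'AuthUser: <user>' would return."""
    known = set().union(*CONTACTS.values())
    if user not in known:  # an unknown AuthUser sees nothing, as in the report
        return []
    return sorted(g for g in HOSTGROUPS if rule(user, g))

def livestatus_query(table: str, columns: List[str], auth_user: str = "") -> str:
    """Request text as piped into nc in the thread; the blank line ends it."""
    lines = [f"GET {table}", "Columns: " + " ".join(columns)]
    if auth_user:
        lines.append(f"AuthUser: {auth_user}")
    return "\n".join(lines) + "\n\n"
```

With the default rule, `hostgroups_for("midl")` returns Resitel-ROB plus the three empty groups, matching the output for the other contact above; with `strict_nonempty` only Resitel-ROB remains.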