Restricting by hostgroup_name shows only this hostgroup and no other groups containing the host #3349

Open
dgoetz opened this issue Feb 8, 2018 · 7 comments
Labels
area/authentication Affects user authentication or authorization enhancement New feature or improvement ref/NC stalled Blocked or not relevant yet

@dgoetz
Contributor

dgoetz commented Feb 8, 2018

Update: (by @nilmerg)

This is related to #3550 and is avoidable the same way: By custom variables.

Instead of restricting on hostgroup_name, use a custom variable: _host_adminonly!=yes

Original:

Expected Behavior

If I restrict access to hosts by hostgroup_name, I would like users to see also other hostgroups containing those hosts.

Current Behavior

If I restrict by hostgroup_name I only see this hostgroup.

Possible Solution

Show all hostgroups which have at least one host in it after restriction is applied.

Context

If I have many hostgroups, they are probably nested or created for different purposes, so limiting restricted users to see only the one hostgroup hides useful information. One example for nested groups would be different roles in a project; for different purposes, having groups for stages and application. Losing those groups because you are restricted to the hostgroup for the project makes using the interface more difficult, as you will always have to use filters, if possible at all.

Your Environment

  • Icinga Web 2 version and modules (System - About): 2.5.0
  • Version used (icinga2 --version): 2.8.0

@lazyfrosch
Contributor

@dgoetz could you show the filters and the SQL query snippet when adding ?format=sql to the URL?

@rgevaert
Contributor

rgevaert commented Feb 11, 2018

@lazyfrosch below we have a filter that only shows the "systemen_hosts" hostgroup. That hostgroup is defined like this:

object HostGroup "systemen_hosts" {
    display_name = "Systemen host"
    assign where host.vars.kernel
}

There are many other hostgroups defined in our setup. But when you log in, you only see that one hostgroup.

The filter:
[systemen]
groups = "XYZGROUP"
permissions = "module/director, director/, module/doc, module/monitoring, monitoring/command/"
monitoring/filter/objects = "hostgroup_name=systemen_hosts"

QUERY
=====
SELECT hostgroupsummary.hostgroup_alias, hostgroupsummary.hostgroup_name,
SUM(CASE WHEN host_state = 1 AND host_handled = 1 THEN 1 ELSE 0 END) AS
hosts_down_handled, SUM(CASE WHEN host_state = 1 AND host_handled = 0 THEN
1 ELSE 0 END) AS hosts_down_unhandled, SUM(CASE WHEN host_state = 99 THEN 1
ELSE 0 END) AS hosts_pending, SUM(CASE WHEN host_state IS NOT NULL THEN 1
ELSE 0 END) AS hosts_total, SUM(CASE WHEN host_state = 2 AND host_handled =
1 THEN 1 ELSE 0 END) AS hosts_unreachable_handled, SUM(CASE WHEN host_state
= 2 AND host_handled = 0 THEN 1 ELSE 0 END) AS hosts_unreachable_unhandled,
SUM(CASE WHEN host_state = 0 THEN 1 ELSE 0 END) AS hosts_up, SUM(CASE WHEN
service_state = 2 AND service_handled = 1 THEN 1 ELSE 0 END) AS
services_critical_handled, SUM(CASE WHEN service_state = 2 AND
service_handled = 0 THEN 1 ELSE 0 END) AS services_critical_unhandled,
SUM(CASE WHEN service_state = 0 THEN 1 ELSE 0 END) AS services_ok, SUM(CASE
WHEN service_state = 99 THEN 1 ELSE 0 END) AS services_pending, SUM(CASE
WHEN service_state IS NOT NULL THEN 1 ELSE 0 END) AS services_total,
SUM(CASE WHEN service_state = 3 AND service_handled = 1 THEN 1 ELSE 0 END)
AS services_unknown_handled, SUM(CASE WHEN service_state = 3 AND
service_handled = 0 THEN 1 ELSE 0 END) AS services_unknown_unhandled,
SUM(CASE WHEN service_state = 1 AND service_handled = 1 THEN 1 ELSE 0 END)
AS services_warning_handled, SUM(CASE WHEN service_state = 1 AND
service_handled = 0 THEN 1 ELSE 0 END) AS services_warning_unhandled FROM
(SELECT hg.alias COLLATE latin1_general_ci AS hostgroup_alias, hgo.name1 AS
hostgroup_name, CASE WHEN (hs.problem_has_been_acknowledged +
hs.scheduled_downtime_depth) > 0 THEN 1 ELSE 0 END AS host_handled, CASE
WHEN hs.has_been_checked = 0 OR (hs.has_been_checked IS NULL AND
hs.hoststatus_id IS NOT NULL) THEN 99 ELSE hs.current_state END AS
host_state, NULL AS service_handled, NULL AS service_state FROM
icinga_objects AS hgo
 INNER JOIN icinga_hostgroups AS hg ON hg.hostgroup_object_id =
hgo.object_id AND hgo.is_active = 1 AND hgo.objecttype_id = 3
 LEFT JOIN icinga_hostgroup_members AS hgm ON hgm.hostgroup_id =
hg.hostgroup_id
 LEFT JOIN icinga_objects AS ho ON hgm.host_object_id = ho.object_id AND
ho.is_active = 1 AND ho.objecttype_id = 1
 LEFT JOIN icinga_hoststatus AS hs ON hs.host_object_id = ho.object_id
WHERE ( (hgo.name1 = 'systemen_hosts') ) GROUP BY hgo.object_id,
	hg.hostgroup_id,
	hs.hoststatus_id UNION ALL SELECT hg.alias COLLATE latin1_general_ci AS
hostgroup_alias, hgo.name1 AS hostgroup_name, NULL AS host_handled, NULL AS
host_state, CASE WHEN (ss.problem_has_been_acknowledged +
ss.scheduled_downtime_depth + COALESCE(hs.current_state, 0)) > 0 THEN 1
ELSE 0 END AS service_handled, CASE WHEN ss.has_been_checked = 0 OR
(ss.has_been_checked IS NULL AND ss.servicestatus_id IS NOT NULL) THEN 99
ELSE ss.current_state END AS service_state FROM icinga_objects AS hgo
 INNER JOIN icinga_hostgroups AS hg ON hg.hostgroup_object_id =
hgo.object_id AND hgo.is_active = 1 AND hgo.objecttype_id = 3
 LEFT JOIN icinga_hostgroup_members AS hgm ON hgm.hostgroup_id =
hg.hostgroup_id
 LEFT JOIN icinga_objects AS ho ON hgm.host_object_id = ho.object_id AND
ho.is_active = 1 AND ho.objecttype_id = 1
 LEFT JOIN icinga_hosts AS h ON h.host_object_id = ho.object_id
 LEFT JOIN icinga_services AS s ON s.host_object_id = h.host_object_id
 LEFT JOIN icinga_objects AS so ON so.object_id = s.service_object_id AND
so.is_active = 1 AND so.objecttype_id = 2
 LEFT JOIN icinga_hoststatus AS hs ON hs.host_object_id = ho.object_id
 LEFT JOIN icinga_servicestatus AS ss ON ss.service_object_id =
so.object_id WHERE ( (hgo.name1 = 'systemen_hosts') ) GROUP BY
hgo.object_id,
	hg.hostgroup_id,
	hs.hoststatus_id,
	ss.servicestatus_id) AS hostgroupsummary GROUP BY hostgroup_name,
	hostgroup_alias ORDER BY hostgroup_alias ASC

COUNT
=====
SELECT COUNT(*) AS cnt FROM (SELECT hgo.object_id FROM icinga_objects AS
hgo
 INNER JOIN icinga_hostgroups AS hg ON hg.hostgroup_object_id =
hgo.object_id AND hgo.is_active = 1 AND hgo.objecttype_id = 3 WHERE (
(hgo.name1 = 'systemen_hosts') ) GROUP BY hgo.object_id) AS t

@lazyfrosch
Contributor

Looks like the hostgroup filter is incomplete here. Will review it.

@lazyfrosch lazyfrosch self-assigned this Feb 12, 2018

@lippserd
Member

lippserd commented Mar 5, 2018

The hostgroup filter is not incomplete. If you restrict objects by hostgroup_name, you restrict the hostgroups too. Though, I understand that it would be helpful to see the other hostgroups the host is part of. If we implement this, I don't think that it is a good idea to change the current behavior. We could support this via a dedicated role option or a new operator. Anyway, this feature requires a lot of coding and testing efforts. So, I don't think that we'll implement this without sponsoring anytime soon. Help would be much appreciated.

@lippserd lippserd added enhancement New feature or improvement needs-sponsoring labels Mar 5, 2018
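
The difference between the behaviour described in the comment above and the behaviour the issue requests, as an added example that is not part of the thread or of Icinga Web 2's code. It uses a constructed SQLite miniature of the IDO tables from the posted query with sample hosts and groups; `requested_behavior` is one hypothetical way to express the request, and it counts only hosts the restriction permits so that group totals do not reveal hosts outside it.

```python
import sqlite3

# Constructed miniature of the IDO tables in the posted query (only columns it
# touches). Hosts and groups other than systemen_hosts are sample data.
SCHEMA = """
CREATE TABLE icinga_objects (object_id INTEGER PRIMARY KEY, objecttype_id INT,
                             name1 TEXT, is_active INT);
CREATE TABLE icinga_hostgroups (hostgroup_id INTEGER PRIMARY KEY,
                                hostgroup_object_id INT, alias TEXT);
CREATE TABLE icinga_hostgroup_members (hostgroup_id INT, host_object_id INT);
"""
HOSTS = {"web1": 1, "web2": 2, "db1": 3}
GROUPS = {"systemen_hosts": ["web1", "web2"],
          "production": ["web1", "db1"],
          "databases": ["db1"]}
SELECT_GROUPS = """SELECT hgo.name1, COUNT(hgm.host_object_id)
FROM icinga_objects AS hgo
 INNER JOIN icinga_hostgroups AS hg ON hg.hostgroup_object_id = hgo.object_id
   AND hgo.is_active = 1 AND hgo.objecttype_id = 3
 LEFT JOIN icinga_hostgroup_members AS hgm ON hgm.hostgroup_id = hg.hostgroup_id
"""

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for name, oid in HOSTS.items():
        db.execute("INSERT INTO icinga_objects VALUES (?, 1, ?, 1)", (oid, name))
    for gid, (group, members) in enumerate(GROUPS.items(), start=1):
        db.execute("INSERT INTO icinga_objects VALUES (?, 3, ?, 1)", (100 + gid, group))
        db.execute("INSERT INTO icinga_hostgroups VALUES (?, ?, ?)", (gid, 100 + gid, group))
        db.executemany("INSERT INTO icinga_hostgroup_members VALUES (?, ?)",
                       [(gid, HOSTS[m]) for m in members])
    return db

def current_behavior(db, allowed):
    # The restriction is compared with the group's own name, as in the posted WHERE.
    sql = SELECT_GROUPS + "WHERE hgo.name1 = ? GROUP BY hgo.object_id ORDER BY hgo.name1"
    return db.execute(sql, (allowed,)).fetchall()

def requested_behavior(db, allowed):
    # Hypothetical alternative: the restriction selects the visible hosts; every
    # group with at least one visible host is listed, counting visible hosts only.
    sql = SELECT_GROUPS + """WHERE hgm.host_object_id IN (
        SELECT m.host_object_id FROM icinga_hostgroup_members AS m
         JOIN icinga_hostgroups AS g ON g.hostgroup_id = m.hostgroup_id
         JOIN icinga_objects AS o ON o.object_id = g.hostgroup_object_id
        WHERE o.name1 = ?)
      GROUP BY hgo.object_id ORDER BY hgo.name1"""
    return db.execute(sql, (allowed,)).fetchall()
```

With the sample data, the restricted user sees `production` with one host rather than two, and `databases` stays hidden because none of its hosts fall inside the restriction.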

@Thomas-Gelf
Contributor

+1 for not making this the default. And btw, environment or application should be system properties, read: custom variables. That way they are shown to every user with enough permissions to see the host. You can still assign the Production hostgroup to every Host with environment == "production" in case you need to have them in a group.

@widhalmt
Member

widhalmt commented Aug 9, 2019

ref/NC/620273

@nilmerg
Member

nilmerg commented Oct 7, 2019

Updated OP to include the current work-around.
