How to create a user with read only access to all objects in xoa for monitoring purposes

johnhabs

Hi
I am working on setting up monitoring of xoa using the zabbix template at https://github.com/bufanda/zabbix--template-xenorchestra
The monitoring uses a token to access xoa and retrieve the information about xoa, pools, hosts and storage. It works quite well if the token comes from an admin user but I would like to gather this information using a token from a user that is only able to view information and can is not able to modify anything in xoa. I thought that I could do this by creating a user account with user permissions and then giving them the Viewer role for all objects but what I see when the check is run using this user's token is:

xoa.check
{}
{
  "code": 2,
  "data": {
    "permission": "admin",
    "object": {}
  },
  "message": "not enough permissions",
  "name": "XoError",
  "stack": "XoError: not enough permissions
    at Module.unauthorized (/usr/local/lib/node_modules/xo-server/node_modules/xo-common/src/api-errors.js:21:32)
    at Xo.call (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/api.mjs:145:18)
    at Api.#callApiMethod (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/api.mjs:387:29)
    at runNextTicks (node:internal/process/task_queues:60:5)
    at processImmediate (node:internal/timers:454:9)
    at process.callbackTrampoline (node:internal/async_hooks:130:17)"

I did try applying ACL's to an admin user that set the role for all objects to viewer but that user account appears to maintain full access to xoa.

Just wondering how to get a user to be able to have the xoa.check permission but not be able to modify objects in xoa.

Thank you

olivierlambert

Ping @julien-f