XCP-ng

    How to create a user with read only access to all objects in xoa for monitoring purposes

    • johnhabs

      Hi
      I am working on setting up monitoring of xoa using the zabbix template at https://github.com/bufanda/zabbix--template-xenorchestra
      The monitoring uses a token to access xoa and retrieve the information about xoa, pools, hosts and storage. It works quite well if the token comes from an admin user but I would like to gather this information using a token from a user that is only able to view information and is not able to modify anything in xoa. I thought that I could do this by creating a user account with user permissions and then giving them the Viewer role for all objects but what I see when the check runs using this user's token is:

      xoa.check
      {}
      {
        "code": 2,
        "data": {
          "permission": "admin",
          "object": {}
        },
        "message": "not enough permissions",
        "name": "XoError",
        "stack": "XoError: not enough permissions
          at Module.unauthorized (/usr/local/lib/node_modules/xo-server/node_modules/xo-common/src/api-errors.js:21:32)
          at Xo.call (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/api.mjs:145:18)
          at Api.#callApiMethod (file:///usr/local/lib/node_modules/xo-server/src/xo-mixins/api.mjs:387:29)
          at runNextTicks (node:internal/process/task_queues:60:5)
          at processImmediate (node:internal/timers:454:9)
          at process.callbackTrampoline (node:internal/async_hooks:130:17)"
      

      I did try applying ACLs to an admin user that set the role for all objects to viewer, but that user account appears to maintain full access to xoa.

      Just wondering how to get a user to be able to have the xoa.check permission but not be able to modify objects in xoa.

      Thank you

      • olivierlambert Vates 🪐 Co-Founder CEO

        Ping @julien-f

        • haaanti

          Any advance? I am also setting up this same zabbix template.

          • olivierlambert Vates 🪐 Co-Founder CEO

            Ping @lsouai-vates

            • FritzGerald @olivierlambert

              Hello everyone. I tripped over this issue. If someone has another approach, I would be interested.

              Thanks to @lsouai-vates I had a look at:

              https://github.com/vatesfr/xen-orchestra/blob/ab56924b1d046ccf6c09dfe7a4ab47deb5d77f4a/packages/xo-acl-resolver/index.js

              and

              https://github.com/vatesfr/xen-orchestra/blob/ab56924b1d046ccf6c09dfe7a4ab47deb5d77f4a/packages/xo-server/src/xo-mixins/acls.mjs#L150-L168

              From what I understand, it is not possible as a non-admin user to get information like pools, ... Creating a new admin user and limiting the resources via ACLs with viewer rights worked around this. However, granting admin rights still looks sort of strange.

              Just in case someone struggled as well, this information might help.
