diff options
Diffstat (limited to 'doc/06-Security.md')
-rw-r--r-- | doc/06-Security.md | 242 |
1 files changed, 242 insertions, 0 deletions
diff --git a/doc/06-Security.md b/doc/06-Security.md new file mode 100644 index 0000000..b8d7cf2 --- /dev/null +++ b/doc/06-Security.md @@ -0,0 +1,242 @@ +# Security + +Access control is a vital part of configuring Icinga Web 2 securely. It is important that not every user that has +access to Icinga Web 2 can perform any action or see any host and service. Allow only a small group of administrators +to change the Icinga Web 2 configuration to prevent mis-configuration and security breaches. Define different rules +to users and groups of users which should only see a part of the monitoring environment they're in charge of. + +This chapter will describe how to configure such rules in Icinga Web 2 and how permissions, refusals, restrictions +and role inheritance work. + +## Basics + +Icinga Web 2 access control is done by defining **roles** that associate privileges with **users** and **groups**. +Privileges of a role consist of **permissions**, **refusals** and **restrictions**. A role can **inherit** privileges +from another role. + +### Role Memberships + +A role is tied to users or groups of users. Upon login, a user's roles are identified by the username or names of +groups the user is a member of. + +> **Note** +> +> Since Icinga Web 2, users in the Icinga configuration and the web authentication are separated, to allow use of +> external authentication providers. This means that users and groups defined in the Icinga configuration are not +> available to Icinga Web 2. It uses its own authentication backend to fetch users and groups from, +> [which must be configured separately](05-Authentication.md#authentication). + +### Privileges + +Permissions are used to grant access. Whether this means that a user can see a certain area or perform a distinct +action is fully up to the permission in question. Without granting a permission, the user will lack access and won't +see the area or perform the action. + +Refusals are used to deny access. So they're the exact opposite of permissions. Most permissions can be refused. +Refusing a permission will block the user's access no matter if another role grants the permission. Refusals +override permissions. + +Restrictions are expressions that limit access. What this exactly means is up to how the restriction is being utilized. +Without any restriction, a user is supposed to see *everything*. A user that occupies multiple roles, which all define +a restriction of the same type, will see *more*. + +## Roles + +A user can occupy multiple roles. Permissions and restrictions stack up in this case, thus will grant *more* access. +Refusals still override permissions however. A refusal of one role negates the granted permission of any other role. + +### Configuration + +Roles can be changed either through the UI, by navigating to the page **Configuration > Authentication > Roles**, +or by editing the configuration file `/etc/icingaweb2/roles.ini`. + +#### Example + +The following shows a role definition from the configuration file mentioned above: + +``` +[winadmin] +users = "jdoe, janedoe" +groups = "admin" +permissions = "config/*, module/monitoring, monitoring/commands/schedule-check" +refusals = "config/authentication" +monitoring/filter/objects = "host_name=*win*" +``` + +This describes a role with the name `winadmin`. The users `jdoe` and `janedoe` are members of it. Just like the +members of group `admin` are. Full configuration access is granted, except of the authentication configuration, +which is forbidden. It also grants access to the *monitoring* module which includes the ability to re-schedule +checks, but only on objects related to hosts whose name contain `win`. + +#### Syntax + +Each role is defined as a section, with the name of the role as section name. The following +options can be defined for each role in a default Icinga Web 2 installation: + +Name | Description +--------------------------|----------------------------------------------- +parent | The name of the role from which to inherit privileges. +users | Comma-separated list of **usernames** that should occupy this role. +groups | Comma-separated list of **group names** whose users should occupy this role. +permissions | Comma-separated list of **permissions** granted by this role. +refusals | Comma-separated list of **permissions** refused by this role. +unrestricted | If set to `1`, owners of this role are not restricted in any way (Default: `0`) +monitoring/filter/objects | **Filter expression** that restricts the access to monitoring objects. + +### Administrative Roles + +Roles that have the wildcard `*` as permission, have full access and don't need any further permissions. However, +they are still affected by refusals. + +Unrestricted roles are supposed to allow users to access data without being limited to a subset of it. Once a user +occupies an unrestricted role, restrictions of the same and any other role are ignored. + +### Inheritance + +A role can inherit privileges from another role. Privileges are then combined the same way as if a user occupies +all roles in the inheritance path. Or to rephrase that, each role shares its members with all of its parents. + +## Permissions + +Each permission in Icinga Web 2 is denoted by a **namespaced key**, which is used to group permissions. All permissions +that affect the configuration of Icinga Web 2, are in a namespace called **config**, while all configuration options +that affect modules are covered by the permission `config/modules`. + +**Wildcards** can be used to grant all permissions in a certain namespace. The permission `config/*` grants access to +all configuration options. Just specifying a wildcard `*` will grant all permissions. + +Access to modules is restricted to users who have the related module permission granted. Icinga Web 2 provides +a module permission in the format `module/<moduleName>` for each installed module. + +### General Permissions + +Name | Permits +-----------------------------|----------------------------------------------- +\* | allow everything, including module-specific permissions +application/announcements | allow to manage announcements +application/log | allow to view the application log +config/\* | allow full config access +config/access-control/\* | allow to fully manage access control +config/access-control/groups | allow to manage groups +config/access-control/roles | allow to manage roles +config/access-control/users | allow to manage user accounts +config/general | allow to adjust the general configuration +config/modules | allow to enable/disable and configure modules +config/navigation | allow to view and adjust shared navigation items +config/resources | allow to manage resources +user/\* | allow all account related functionalities +user/application/stacktraces | allow to adjust in the preferences whether to show stacktraces +user/password-change | allow password changes in the account preferences +user/share/navigation | allow to share navigation items +module/`<moduleName>` | allow access to module `<moduleName>` (e.g. `module/monitoring`) + +### Monitoring Module Permissions + +The built-in monitoring module defines an additional set of permissions, that +is described in detail in the monitoring module documentation. + +## Restrictions + +Restrictions can be used to define what a user can see by specifying an expression that applies to a defined set of +data. By default, when no restrictions are defined, a user will be able to see the entire data that is available. + +The syntax of the expression used to define a particular restriction varies. This can be a comma-separated list of +terms, or [a full-blown filter](06-Security.md#filter-expressions). For more details on particular restrictions, +check the table below or the module's documentation providing the restriction. + +### General Restrictions + +Name | Applies to +--------------------------|------------------------------------------------------------------------------------------ +application/share/users | which users a user can share navigation items with (comma-separated list of usernames) +application/share/groups | which groups a user can share navigation items with (comma-separated list of group names) + +### Username placeholder + +It is possible to reference the local username (without the domain part) of the user in restrictions. To accomplish +this, put the macro `$user.local_name$` in the restriction where you want it to appear. + +This can come in handy if you have e.g. an attribute on hosts or services defining which user is responsible for it: +`_host_deputy=$user.local_name$|_service_deputy=$user.local_name$` + +### Filter Expressions + +Filters operate on columns. A complete list of all available filter columns on hosts and services can be found in +the monitoring module documentation. + +Any filter expression that is allowed in the filtered view, is also an allowed filter expression. +This means, that it is possible to define negations, wildcards, and even nested +filter expressions containing AND and OR-Clauses. + +The filter expression will be **implicitly** added as an **AND-Clause** to each query on +the filtered data. The following shows the filter expression `host_name=*win*` being applied on `monitoring/filter/objects`. + + +Regular filter query: + + AND-- service_problem = 1 + | + +--- service_handled = 0 + + +With our restriction applied, any user affected by this restrictions will see the +results of this query instead: + + + AND-- host_name = *win* + | + +--AND-- service_problem = 1 + | + +--- service_handled = 0 + +#### Stacking Filters + +When multiple roles assign restrictions to the same user, either directly or indirectly +through a group, all filters will be combined using an **OR-Clause**, resulting in the final +expression: + + + AND-- OR-- $FILTER1 + | | + | +-- $FILTER2 + | | + | +-- $FILTER3 + | + +--AND-- service_problem = 1 + | + +--- service_handled = 0 + + +As a result, a user is be able to see hosts that are matched by **ANY** of +the filter expressions. The following examples will show the usefulness of this behavior: + +#### Example 1: Negation + +``` +[winadmin] +groups = "windows-admins" +monitoring/filter/objects = "host_name=*win*" +``` + +Will display only hosts and services whose host name contains **win**. + +``` +[webadmin] +groups = "web-admins" +monitoring/filter/objects = "host_name!=*win*" +``` + +Will only match hosts and services whose host name does **not** contain **win** + +Notice that because of the behavior of two stacking filters, a user that is member of **windows-admins** and **web-admins**, will now be able to see both, Windows and non-Windows hosts and services. + +#### Example 2: Hostgroups + +``` +[unix-server] +groups = "unix-admins" +monitoring/filter/objects = "(hostgroup_name=bsd-servers|hostgroup_name=linux-servers)" +``` + +This role allows all members of the group unix-admins to see hosts and services +that are part of the host-group linux-servers or the host-group bsd-servers. |