[ZBX-12023] Trigger permissions don't work properly Created: 2017 Apr 07  Updated: 2018 Feb 16  Resolved: 2018 Feb 16

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: 3.0.7
Fix Version/s: 2.2.19rc1, 3.0.10rc1, 3.2.7rc1, 3.4.0alpha1

Type: Incident report Priority: Major
Reporter: Maksims Tarleckis (Inactive) Assignee: Unassigned
Resolution: Fixed Votes: 0
Labels: events, graphprototypes, graphs, permissions, triggerprototypes, triggers
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: File 2_2_ZBX_12023.patch     File 3_0_ZBX_12023.patch     File 3_2_ZBX_12023.patch    
Team: Team B
Story Points: 14

 Description   

Triggers were not allowed for a user if even one of the related hosts in the expression was not included in a host group for that user.

Steps to reproduce for

  • go to frontend of Zabbix v3.0.* (also reproducible on later versions) with PostgreSQL
  • add user: zbx9774
  • add user group: group-1
  • add user group: group-2
  • add user group: group-3
  • add host: TEST
  • add host: TEST2
  • add host: TEST3
  • add hostgroup: gTEST (with host TEST)
  • add hostgroup: gTEST2 (with host TEST2, TEST3)
  • add item: trap1 (for host TEST)
  • add item: trap2 (for host TEST2)
  • add item: trap3 (for host TEST3)
  • add trigger: (for host TEST) with expression: {TEST:trap1.last()}=1 or {TEST2:trap2.last()}=1 or {TEST3:trap3.last()}=1
  • run ./zabbix_sender -vv -z localhost -s "TEST" -k trap1 -o 1
  • run ./zabbix_sender -vv -z localhost -s "TEST2" -k trap2 -o 1
  • run ./zabbix_sender -vv -z localhost -s "TEST3" -k trap3 -o 1
  • for user-group:group-1 add read/write perm. for gTEST
  • login as zbx9774
  • go to Monitoring -> Problems (Monitoring -> Events for old frontend)

ACTUAL RESULT:
user can't see any events by this trigger
Through API user can see all events:

curl --request POST \
  --url http://localhost/zabbix30/api_jsonrpc.php \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{"jsonrpc": "2.0", "method": "event.get", "params": {"output": "extend", "select_acknowledges": "extend", "selectTags": "extend", "sortfield": ["clock", "eventid"], "sortorder": "DESC", "limit": 10}, "auth": "d806c25e68ae49c591b6e0de4f63b854", "id": 1}'

but can't see triggers

curl --request POST \
  --url http://localhost/zabbix30/api_jsonrpc.php \
  --header 'cache-control: no-cache' \
  --header 'content-type: application/json' \
  --data '{"jsonrpc": "2.0", "method": "trigger.get", "params": {"output": "extend", "select_acknowledges": "extend", "selectTags": "extend", "limit": 10}, "auth": "5e5feacab92f9a8f335ba1310be6b4a3", "id": 1}'

EXPECTED RESULT:
user should see all events on ./events.php page and can fetch trigger through API



 Comments   
Comment by Alexander Vladishev [ 2017 Jun 01 ]

Permissions in the triggers.get() method work as expected.

event.get() and problem.get() methods are fixed with ZBX-12133 and ZBX-12225 in:

  • pre-3.2.7 r68759
  • pre-3.4.0 r68760

event.get() method is fixed in:

  • pre-2.2.19 r68776
  • pre-3.0.10 r68774

Comment by Ivo Kurzemnieks [ 2018 Feb 14 ]

(1) No translation string changes.

sasha CLOSED

Comment by Ivo Kurzemnieks [ 2018 Feb 14 ]

(2) [D] API documentation has no mentions about this. And changelog "fixed permission issue with event.get method" is just too cryptic for any user to understand what has been fixed. I understand that the issue was that event.get (and problem.get) returned events that were generated from triggers that belong to multiple groups and user had permissions to only one group. If that is so, why not write that in changelog and API documentation?

sasha WON'T FIX
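
A consistency check for the mismatch this issue describes, added here as an example (not Zabbix code and not part of the original report): given the event.get and trigger.get replies for the same restricted user, it lists trigger events whose trigger that user cannot fetch. The sample replies, ids and function names are constructed; source 0 / object 0 is how the API marks trigger-generated events.

```python
import json

# Constructed sample replies (not captured from a real server). They mirror the
# report: the restricted user receives an event for a trigger that trigger.get
# does not return to the same user.
EVENT_GET_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "result": [
        {"eventid": "101", "source": "0", "object": "0", "objectid": "13500"},
        {"eventid": "102", "source": "0", "object": "0", "objectid": "13501"},
        # internal item event: objectid is an item id, not a trigger id
        {"eventid": "103", "source": "3", "object": "4", "objectid": "13500"},
    ],
    "id": 1,
})
TRIGGER_GET_RESPONSE = json.dumps({
    "jsonrpc": "2.0",
    "result": [{"triggerid": "13501", "description": "constructed single-host trigger"}],
    "id": 1,
})


def unwrap(raw):
    """Return the "result" list of a JSON-RPC 2.0 reply, raising on an API error."""
    reply = json.loads(raw)
    if "error" in reply:
        raise RuntimeError("API error: %s" % reply["error"])
    return reply["result"]


def orphan_trigger_events(events_raw, triggers_raw):
    """Event ids of trigger events whose trigger the same user cannot fetch."""
    visible = {str(t["triggerid"]) for t in unwrap(triggers_raw)}
    orphans = []
    for ev in unwrap(events_raw):
        # Only trigger events carry a trigger id in objectid; skip other types
        # so an item or discovery id is never compared against trigger ids.
        if str(ev["source"]) == "0" and str(ev["object"]) == "0":
            if str(ev["objectid"]) not in visible:
                orphans.append(ev["eventid"])
    return orphans


if __name__ == "__main__":
    print(orphan_trigger_events(EVENT_GET_RESPONSE, TRIGGER_GET_RESPONSE))
```

When running this against real replies, request trigger.get with the events' objectid values passed as triggerids rather than with a limit, so a truncated trigger list is not mistaken for missing permissions.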
