[ZBX-15078] API "Frontend Access Disabled" w/LDAP Issue
Created: 2018 Oct 27 | Updated: 2018 Dec 03 | Resolved: 2018 Nov 29 |
Status: | Closed |
Project: | ZABBIX BUGS AND ISSUES |
Component/s: | API (A) |
Affects Version/s: | 4.0.1rc2, 4.0.1, 4.0 (plan) |
Fix Version/s: | 4.0.3rc1, 4.2.0alpha2, 4.2 (plan) |
Type: | Problem report | Priority: | Critical |
Reporter: | Jonathan W | Assignee: | Gregory Chalenko |
Resolution: | Fixed | Votes: | 0 |
Labels: | None |
Remaining Estimate: | Not Specified |
Time Spent: | Not Specified |
Original Estimate: | Not Specified |
Team: | Team D |
Sprint: | Sprint 46, Nov 2018 |
Story Points: | 0.125 |
Description |
In version 4.0 it looks like "Frontend access: Disabled" has changed in the way it works just a bit. I think this is related to In 3.4 and prior when using LDAP as the authentication mechanism "Disabled" worked as expected by still authenticating API users with frontend access disabled against LDAP instead of the internal database. Now that it seems both internal and LDAP can be used at the same time Disabled seems to ignore LDAP even if it's the default and it only looks at the internal user database for authentication. I propose one of three fixes:
The latter is the preferred method as it provides the most flexibility and keeps the functionality that many like myself are used to present. As it stands, anyone using LDAP that upgrades to 4.0 that's doing anything via the API will face authentication failures which can be a very big deal. |
Comments |
Comment by Edgars Melveris [ 2018 Nov 02 ] |
Hello Jonathan! I'm not sure I understand your problem. Which group exactly are you referring to? There are 2: "Disabled" Do you mean that with group "Disabled" you should still be able to connect to API? Or do you mean that with group "No access to the frontend" API authenticates users differently than the frontend? |
Comment by Jonathan W [ 2018 Nov 02 ] |
I was referring to the group "No access to the frontend" with the setting "Frontend access" set to "Disabled". This "Disabled" setting on "Frontend access" works differently now. Previously it would still let users auth via the default authentication method (LDAP in my case), thus my API users authed against LDAP. After upgrading, all of my API users were broken and I couldn't figure out why. Then I noticed there's a new setting here for "LDAP" which fixes things but also lets these API users log in on the frontend. "Disabled" for "Frontend access" forces you to auth API users against the internal user database and it's also a breaking change for upgrades where people like myself are using LDAP as the default authentication mechanism. I hope this makes more sense. |
Comment by Edgars Melveris [ 2018 Nov 05 ] |
I can confirm that the situation you describe is true. I'm not sure if this is a bug, but if not, it probably needs to be documented. So here is what I found.
On version 3.4.14:
Created user with password "123", added it to "Disable frontend access" group.
Checked that I can log in to API with password "123".
Changed the authentication settings to LDAP (user "user" with password "Test123" exists in LDAP).
Checked that I can log in to API with password "Test123".
On version 4.0.1:
Created user with password "123", added it to "Disable frontend access" group.
Checked that I can log in to API with password "123".
Changed the default authentication settings to LDAP (same LDAP used).
Checked that I cannot log in to API with password "Test123".
When the user is removed from group "Disable frontend access", I can log in via API and frontend with password "Test123".
So it looks like at least inconsistent behavior between internal and LDAP login. |
Comment by Gregory Chalenko [ 2018 Nov 06 ] |
System default authentication defines authentication method for API requests when user group GUI access is disabled. RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-15078. |
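A post-upgrade check for the behaviour discussed in this issue, as an added example that is not part of the original report or of Zabbix's own code: it sends `user.login` to the JSON-RPC endpoint for an API account in a frontend-disabled group and classifies the reply. The `user`/`password` parameter names are those of the 4.0 API; the environment variable names, the `failed_accounts` helper and the sample replies are assumptions constructed for illustration.

```python
import json
import os
import urllib.request

def build_login_request(user, password, req_id=1):
    """JSON-RPC 2.0 body for user.login (Zabbix 4.0 parameter names)."""
    return {
        "jsonrpc": "2.0",
        "method": "user.login",
        "params": {"user": user, "password": password},
        "id": req_id,
        "auth": None,  # user.login is sent without a session token
    }

def classify_response(body):
    """Map an API reply to ('ok', None), ('denied', detail) or ('unexpected', snippet)."""
    reply = json.loads(body)
    if not isinstance(reply, dict):
        return ("unexpected", body[:80])
    if isinstance(reply.get("result"), str) and reply["result"]:
        return ("ok", None)  # session token is deliberately not returned or logged
    err = reply.get("error")
    if isinstance(err, dict):
        return ("denied", err.get("data") or err.get("message") or "unknown error")
    return ("unexpected", body[:80])

def check_login(api_url, user, password, timeout=10):
    """POST user.login to api_url (…/api_jsonrpc.php) and classify the reply."""
    data = json.dumps(build_login_request(user, password)).encode()
    req = urllib.request.Request(
        api_url, data=data, headers={"Content-Type": "application/json-rpc"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return classify_response(resp.read().decode("utf-8"))

def failed_accounts(results):
    """results: {account: (status, detail)} -> sorted accounts that did not log in."""
    return sorted(a for a, (status, _) in results.items() if status != "ok")

# Constructed sample replies, for offline illustration only.
SAMPLE_OK = '{"jsonrpc":"2.0","result":"0123456789abcdef0123456789abcdef","id":1}'
SAMPLE_DENIED = ('{"jsonrpc":"2.0","error":{"code":-32602,"message":"Invalid params.",'
                 '"data":"Login name or password is incorrect."},"id":1}')

if __name__ == "__main__":
    print(classify_response(SAMPLE_OK), classify_response(SAMPLE_DENIED))
    if "ZBX_API_URL" in os.environ:  # live check only when explicitly configured
        print(check_login(os.environ["ZBX_API_URL"],
                          os.environ["ZBX_USER"], os.environ["ZBX_PASSWORD"]))
```

Run it once per API account with that account's LDAP password before and after an upgrade; a `denied` result for an account in a frontend-disabled group corresponds to the 4.0.1 behaviour reproduced above.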
Comment by Gregory Chalenko [ 2018 Nov 28 ] |
Fixed in:
|