[ZBX-15078] API "Frontend Access Disabled" w/LDAP Issue
Created: 2018 Oct 27  Updated: 2018 Dec 03  Resolved: 2018 Nov 29

Status: Closed
Project: ZABBIX BUGS AND ISSUES
Component/s: API (A)
Affects Version/s: 4.0.1rc2, 4.0.1, 4.0 (plan)
Fix Version/s: 4.0.3rc1, 4.2.0alpha2, 4.2 (plan)

Type: Problem report
Priority: Critical
Reporter: Jonathan W
Assignee: Gregory Chalenko
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Team D
Sprint: Sprint 46, Nov 2018
Story Points: 0.125

 Description   

In version 4.0 it looks like "Frontend access: Disabled" has changed in the way it works just a bit.  I think this is related to ZBXNEXT-4573.

In 3.4 and prior, when using LDAP as the authentication mechanism, "Disabled" worked as expected by still authenticating API users with frontend access disabled against LDAP instead of the internal database.

Now that it seems both internal and LDAP can be used at the same time, "Disabled" seems to ignore LDAP even if it's the default, and it only looks at the internal user database for authentication.

I propose one of three fixes:

  • Adjust "Disabled" to read from the default authentication mechanism as it did <4.0.
  • Adjust "Disabled" to read more like "Disabled (internal)"
  • Create a second "Disabled" option so there's one for internal, and one for LDAP

The latter is the preferred method as it provides the most flexibility and keeps the functionality that many like myself are used to present.

As it stands, anyone using LDAP that upgrades to 4.0 that's doing anything via the API will face authentication failures which can be a very big deal.



 Comments   
Comment by Edgars Melveris [ 2018 Nov 02 ]

Hello Jonathan!

I'm not sure I understand your problem.

Which group exactly are you referring to? There are 2:

"Disabled"

"No access to the frontend"

Do you mean that with group "Disabled" you should still be able to connect to API?

Or do you mean that with group "No access to the frontend" API authenticates users differently than the frontend?

Comment by Jonathan W [ 2018 Nov 02 ]

I was referring to the group "No access to the frontend" with the setting "Frontend access" set to "Disabled".

This "Disabled" setting on "Frontend" access works differently now.  Previously it would still let users auth via the default authentication method (LDAP in my case) thus my API users authed against LDAP.

After upgrading, all of my API users were broken and I couldn't figure out why.  Then I noticed there's a new setting here for "LDAP" which fixes things but also lets these API users login on the frontend.

"Disabled" for "Frontend access" forces you to auth API users against the internal user database and it's also a breaking change for upgrades where people like myself are using LDAP as the default authentication mechanism.

I hope this makes more sense.

Comment by Edgars Melveris [ 2018 Nov 05 ]

I can confirm that the situation you describe is true. I'm not sure if this is a bug, but if not, it probably needs to be documented.

So here is what I found.

On version 3.4.14:

Created user with password "123", added it to "Disable frontend access" group.

Checked that I can log in to API with password "123".

Changed the authentication settings to LDAP (user "user" with password "Test123" exists in LDAP).

Checked that I can log in to API with password "Test123".

 

On version 4.0.1:

Created user with password "123", added it to "Disable frontend access" group.

Checked that I can log in to API with password "123".

Changed the default authentication settings to LDAP (same LDAP used).

Checked that I cannot log in to API with password "Test123".

When the user is removed from group "Disable frontend access", I can log in via API and frontend with password "Test123".

 

So it looks like at least inconsistent behavior between internal and LDAP login.

Comment by Gregory Chalenko [ 2018 Nov 06 ]

System default authentication defines authentication method for API requests when user group GUI access is disabled.

RESOLVED in development branch svn://svn.zabbix.com/branches/dev/ZBX-15078.

Comment by Gregory Chalenko [ 2018 Nov 28 ]

Fixed in:

  • 4.0.3rc1 r87378
  • 4.2.0alpha2 r87381
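
The reproduction from the comments can be kept as a regression check for API-only accounts. The following is an added example, not code from this issue or from Zabbix: `simulated_api` is a hypothetical stand-in that models the three behaviours described in the thread (3.4.14, 4.0.1, and the fix), the credential stores and replies are constructed, and only the `user.login` request shape is the real Zabbix 4.0 API.

```python
import json

# Constructed credential stores, mirroring the reproduction in the comments:
# the same account has password "123" internally and "Test123" in LDAP.
INTERNAL = {"user": "123"}
LDAP = {"user": "Test123"}

def login_request(user, password, req_id=1):
    """Build the JSON-RPC body for a Zabbix 4.0 user.login call."""
    return json.dumps({"jsonrpc": "2.0", "method": "user.login",
                       "params": {"user": user, "password": password},
                       "id": req_id, "auth": None})

def simulated_api(behaviour, system_default="ldap"):
    """Return a send(body) stub modelling the thread's findings for a user
    whose only group has frontend access disabled (a model, not Zabbix code)."""
    def send(body):
        req = json.loads(body)
        params = req["params"]
        # 4.0.1 as reported: internal database only, whatever the default is.
        # 3.4.14 and the fix: the system default method decides.
        use_ldap = behaviour != "4.0.1" and system_default == "ldap"
        store = LDAP if use_ldap else INTERNAL
        if store.get(params["user"]) == params["password"]:
            return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                               "result": "constructed-session-token"})
        # Constructed error reply; only the presence of "error" is relied on.
        return json.dumps({"jsonrpc": "2.0", "id": req["id"],
                           "error": {"code": -32602, "message": "Invalid params."}})
    return send

def accepting_backend(send, user, ldap_password, internal_password):
    """Report which password an API login accepts: 'ldap', 'internal' or 'none'."""
    for label, password in (("ldap", ldap_password), ("internal", internal_password)):
        reply = json.loads(send(login_request(user, password)))
        if "result" in reply:
            return label
    return "none"

if __name__ == "__main__":
    for behaviour in ("3.4.14", "4.0.1", "fixed"):
        send = simulated_api(behaviour)
        print(behaviour, accepting_backend(send, "user", "Test123", "123"))
```

Against a real server, replace `send` with a function that POSTs the body to the frontend's `api_jsonrpc.php` and returns the response text; an account that reports `internal` while LDAP is the system default is hitting the 4.0.1 behaviour.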