[ZBX-24280] super admin get access denied Created: 2024 Mar 29  Updated: 2024 Oct 30

Status: Open
Project: ZABBIX BUGS AND ISSUES
Component/s: Server (S)
Affects Version/s: 6.4.13
Fix Version/s: None

Type: Incident report Priority: Trivial
Reporter: adnet Assignee: Michal Kudlacz
Resolution: Unresolved Votes: 1
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

server 6.4.13 on debian 11


Attachments: PNG File Screenshot from 2024-03-29 16-49-18.png     Text File zabbixdebug.txt    

 Description   

Steps to reproduce:

  1. Since some upgrade, but I cannot pinpoint which one, we get on some hosts the message "access denied" when modifying elements like a macro override on a host.

Result:

 

Details Access denied

  • You are logged in as "gadnet". You have no permissions to access this page.
  • If you think this message is wrong, please consult your administrators about getting the necessary permissions.

 

Expected:

Superadmin cannot have access denied at all.

I can change the same macro on other hosts, but on some I have

 

 I cannot find any reason behind this error, as it is not universal; it is on some hosts.

 

 

regards,

Ghislain.



 Comments   
Comment by adnet [ 2024 Mar 29 ]
Comment by adnet [ 2024 Apr 05 ]

I tried to find any differences in the database compared with other hosts, and in the user and user role tables. But I really cannot find why I got this access denied error as a super admin.

 

Best regards,

Ghislain.

Comment by adnet [ 2024 Apr 09 ]

When I add some debug $view['messages'][] = print_r(CWebUser::$data,true);

I got:

infoArray
(
    [userid] => 3
    [username] => gadnet
    [name] => adnet
    [surname] => ghislain
    [url] => 
    [autologin] => 1
    [autologout] => 0
    [lang] => en_US
    [refresh] => 30s
    [theme] => dark-theme
    [attempt_failed] => 0
    [attempt_ip] => 
    [attempt_clock] => 0
    [rows_per_page] => 50
    [timezone] => system
    [roleid] => 3
    [userdirectoryid] => 0
    [ts_provisioned] => 0
    [debug_mode] => 0
    [deprovisioned] => 
    [gui_access] => 0
    [auth_type] => 0
    [type] => 3
    [userip] =xxxxx
    [sessionid] => xxx
    [secret] => xxx
)

Comment by Michal Kudlacz [ 2024 Apr 10 ]

Hi,

Thanks for this bug report. It's difficult to reproduce, so it would be great to find out more details.
Did you have Zabbix below version 5.2 at any point?

I'm aware you have done a db comparison. Could you show results of the following queries anyway please?

SELECT userid, username, roleid, userdirectoryid, ts_provisioned FROM users WHERE username = "gadnet";
SELECT * FROM role;
SELECT * FROM role_rule;
SELECT * FROM rights;
SELECT * FROM usrgrp;
SELECT * FROM users_groups;

Could you turn debug on and copy output to a text file as you come across 'access denied' message?

Thanks

Comment by adnet [ 2024 Apr 10 ]

Of course, here is the result. I tried to figure it out and searched in the code but was unable to find the issue.

 

mysql> SELECT userid, username, roleid, userdirectoryid, ts_provisioned FROM users WHERE username = "gadnet";
+--------+----------+--------+-----------------+----------------+
| userid | username | roleid | userdirectoryid | ts_provisioned |
+--------+----------+--------+-----------------+----------------+
|      3 | gadnet   |      3 |            NULL |              0 |
+--------+----------+--------+-----------------+----------------+
1 row in set (0.00 sec)

mysql> SELECT * FROM role;
+--------+---------------------------+------+----------+
| roleid | name                      | type | readonly |
+--------+---------------------------+------+----------+
|      1 | User role                 |    1 |        0 |
|      2 | Admin role                |    2 |        0 |
|      3 | Super admin role          |    3 |        1 |
|      4 | Guest role                |    1 |        0 |
|      5 | scripts externes hostlist |    1 |        0 |
+--------+---------------------------+------+----------+
5 rows in set (0.00 sec)

mysql> SELECT * FROM role_rule;
+-------------+--------+------+-------------------------+-----------+-------------------+----------------+-----------------+
| role_ruleid | roleid | type | name                    | value_int | value_str         | value_moduleid | value_serviceid |
+-------------+--------+------+-------------------------+-----------+-------------------+----------------+-----------------+
|           1 |      1 |    0 | ui.default_access       |         1 |                   |           NULL |            NULL |
|           2 |      1 |    0 | services.read           |         1 |                   |           NULL |            NULL |
|           3 |      1 |    0 | services.write          |         0 |                   |           NULL |            NULL |
|           4 |      1 |    0 | modules.default_access  |         1 |                   |           NULL |            NULL |
|           5 |      1 |    0 | api.access              |         1 |                   |           NULL |            NULL |
|           6 |      1 |    0 | api.mode                |         0 |                   |           NULL |            NULL |
|           7 |      1 |    0 | actions.default_access  |         1 |                   |           NULL |            NULL |
|           8 |      2 |    0 | ui.default_access       |         1 |                   |           NULL |            NULL |
|           9 |      2 |    0 | services.read           |         1 |                   |           NULL |            NULL |
|          10 |      2 |    0 | services.write          |         1 |                   |           NULL |            NULL |
|          11 |      2 |    0 | modules.default_access  |         1 |                   |           NULL |            NULL |
|          12 |      2 |    0 | api.access              |         1 |                   |           NULL |            NULL |
|          13 |      2 |    0 | api.mode                |         0 |                   |           NULL |            NULL |
|          14 |      2 |    0 | actions.default_access  |         1 |                   |           NULL |            NULL |
|          15 |      3 |    0 | ui.default_access       |         1 |                   |           NULL |            NULL |
|          16 |      3 |    0 | services.read           |         1 |                   |           NULL |            NULL |
|          17 |      3 |    0 | services.write          |         1 |                   |           NULL |            NULL |
|          18 |      3 |    0 | modules.default_access  |         1 |                   |           NULL |            NULL |
|          19 |      3 |    0 | api.access              |         1 |                   |           NULL |            NULL |
|          20 |      3 |    0 | api.mode                |         0 |                   |           NULL |            NULL |
|          21 |      3 |    0 | actions.default_access  |         1 |                   |           NULL |            NULL |
|          22 |      4 |    0 | ui.default_access       |         1 |                   |           NULL |            NULL |
|          23 |      4 |    0 | services.read           |         1 |                   |           NULL |            NULL |
|          24 |      4 |    0 | services.write          |         0 |                   |           NULL |            NULL |
|          25 |      4 |    0 | modules.default_access  |         1 |                   |           NULL |            NULL |
|          26 |      4 |    0 | api.access              |         0 |                   |           NULL |            NULL |
|          27 |      4 |    0 | actions.default_access  |         0 |                   |           NULL |            NULL |
|          29 |      5 |    0 | ui.default_access       |         1 |                   |           NULL |            NULL |
|          31 |      5 |    0 | services.write          |         0 |                   |           NULL |            NULL |
|          33 |      5 |    0 | api.access              |         1 |                   |           NULL |            NULL |
|          34 |      5 |    0 | api.mode                |         1 |                   |           NULL |            NULL |
|          35 |      5 |    0 | actions.default_access  |         0 |                   |           NULL |            NULL |
|          36 |      5 |    1 | api.method.0            |         0 | host.get          |           NULL |            NULL |
|          37 |      5 |    1 | api.method.1            |         0 | hostgroup.get     |           NULL |            NULL |
|          38 |      5 |    1 | api.method.2            |         0 | hostinterface.get |           NULL |            NULL |
|          39 |      5 |    0 | ui.monitoring.dashboard |         0 |                   |           NULL |            NULL |
|          40 |      5 |    0 | ui.monitoring.maps      |         0 |                   |           NULL |            NULL |
|          41 |      5 |    0 | services.read           |         0 |                   |           NULL |            NULL |
|          42 |      5 |    0 | modules.default_access  |         0 |                   |           NULL |            NULL |
|          43 |      5 |    1 | api.method.3            |         0 | history.get       |           NULL |            NULL |
+-------------+--------+------+-------------------------+-----------+-------------------+----------------+-----------------+
40 rows in set (0.00 sec)

mysql> SELECT * FROM rights;
+---------+---------+------------+----+
| rightid | groupid | permission | id |
+---------+---------+------------+----+
|       1 |      13 |          2 | 29 |
|       2 |      13 |          2 | 19 |
|       3 |      13 |          2 | 28 |
|       4 |      13 |          2 | 26 |
|       5 |      13 |          2 | 42 |
|       6 |      13 |          2 | 41 |
|       7 |      13 |          2 | 35 |
|       8 |      13 |          2 | 36 |
|       9 |      13 |          2 | 37 |
|      10 |      13 |          2 | 38 |
|      11 |      13 |          2 | 20 |
|      12 |      13 |          2 |  5 |
|      13 |      13 |          2 | 23 |
|      14 |      13 |          2 | 40 |
|      15 |      13 |          2 | 27 |
|      16 |      13 |          2 |  7 |
|      17 |      13 |          2 | 30 |
|      18 |      13 |          2 |  2 |
|      19 |      13 |          2 | 24 |
|      20 |      13 |          2 | 33 |
|      21 |      13 |          2 | 31 |
|      22 |      13 |          2 | 32 |
|      23 |      13 |          2 | 39 |
|      24 |      13 |          2 | 34 |
|      25 |      13 |          2 |  6 |
|      26 |      13 |          2 | 25 |
|      27 |      13 |          2 |  4 |
+---------+---------+------------+----+
27 rows in set (0.00 sec)

mysql> SELECT * FROM usrgrp;
+----------+---------------------------+------------+--------------+------------+-----------------+
| usrgrpid | name                      | gui_access | users_status | debug_mode | userdirectoryid |
+----------+---------------------------+------------+--------------+------------+-----------------+
|        7 | Zabbix administrators     |          0 |            0 |          0 |            NULL |
|        8 | Guests                    |          1 |            0 |          0 |            NULL |
|        9 | Disabled                  |          0 |            1 |          0 |            NULL |
|       11 | Enabled debug mode        |          0 |            0 |          1 |            NULL |
|       12 | No access to the frontend |          3 |            0 |          0 |            NULL |
|       13 | Read API                  |          0 |            0 |          0 |            NULL |
+----------+---------------------------+------------+--------------+------------+-----------------+
6 rows in set (0.00 sec)

mysql> SELECT * FROM users_groups;
+----+----------+--------+
| id | usrgrpid | userid |
+----+----------+--------+
|  4 |        7 |      1 |
|  5 |        7 |      3 |
|  7 |        7 |      5 |
|  2 |        8 |      2 |
|  3 |        9 |      2 |
|  6 |       13 |      4 |
+----+----------+--------+
6 rows in set (0.00 sec)

mysql>
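
The six result sets above can be read side by side with a single join. This query is an added example, not part of the ticket or of Zabbix itself; it uses only the table and column names visible in the output above and the username from the ticket.

```sql
-- Added example (not from the ticket): one row per user-group membership
-- for a given user, with the role type and the group flags next to each other.
-- Table/column names are taken from the result sets posted in this ticket;
-- 'gadnet' is the username shown there.
SELECT u.userid,
       u.username,
       r.roleid,
       r.name            AS role_name,
       r.type            AS role_type,      -- 3 on the "Super admin role" row
       r.readonly        AS role_readonly,
       g.usrgrpid,
       g.name            AS group_name,
       g.gui_access,                        -- 3 on the "No access to the frontend" row
       g.users_status,                      -- 1 on the "Disabled" row
       g.debug_mode,
       COUNT(rt.rightid) AS explicit_rights -- rows in `rights` for this group
FROM users u
LEFT JOIN role r          ON r.roleid    = u.roleid
LEFT JOIN users_groups ug ON ug.userid   = u.userid
LEFT JOIN usrgrp g        ON g.usrgrpid  = ug.usrgrpid
LEFT JOIN rights rt       ON rt.groupid  = g.usrgrpid
WHERE u.username = 'gadnet'
GROUP BY u.userid, u.username,
         r.roleid, r.name, r.type, r.readonly,
         g.usrgrpid, g.name, g.gui_access, g.users_status, g.debug_mode
ORDER BY g.usrgrpid;
```

Against the rows posted above this returns a single row: role 3 ("Super admin role", type 3), group 7 ("Zabbix administrators") with gui_access 0, users_status 0, debug_mode 0, and explicit_rights 0, since every row in `rights` belongs to group 13.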

Comment by adnet [ 2024 Apr 10 ]

And yes, it is an upgraded version that has been there for a long time; I think it goes back to Zabbix 4 at least.

Comment by adnet [ 2024 Apr 10 ]

zabbixdebug.txt

 

So many things in it.

Comment by adnet [ 2024 Apr 16 ]

I tried to see if there was an upgrade script that failed in the database schema, but I cannot find any .sql that I missed.

 

FYI, I have always done the upgrades using apt.

 

regards,

ghislain

Comment by adnet [ 2024 Jun 11 ]

Is there any possibility that Zabbix 7 could correct this?

Comment by Michal Kudlacz [ 2024 Jun 14 ]

Hello,

Thanks for sharing details.

Permission checks were reworked as per ZBXNEXT-5878, ZBXNEXT-8532 and chances are that the issue doesn't affect 7.0:
https://www.zabbix.com/documentation/current/en/manual/introduction/whatsnew700#faster-permission-checks

You can check the number of sessions per user:

SELECT userid, count(*) FROM sessions WHERE status = 0  GROUP BY userid;

And a total count of active sessions:

SELECT count(*) FROM sessions WHERE status = 0;

Is it feasible to upgrade to the latest minor?

Comment by adnet [ 2024 Jun 28 ]

I upgraded to 7.0 but still cannot modify some hosts; the same ones return:

DetailsAccess denied

  • You are logged in as "xxxx". You have no permissions to access this page.
  • If you think this message is wrong, please consult your administrators about getting the necessary permissions.
     

xxx is my super-admin account

Every time I try to change an inherited macro on those hosts I get this message.

[/etc/apt/sources.list.d]: dpkg -l 'zabbix*'|grep ii
ii  zabbix-agent        1:7.0.0-1+debian12 amd64        Zabbix network monitoring solution - agent
ii  zabbix-frontend-php 1:7.0.0-1+debian12 all          Zabbix network monitoring solution - PHP front-end
ii  zabbix-get          1:7.0.0-1+debian12 amd64        Zabbix network monitoring solution - get
ii  zabbix-release      1:7.0-1+debian12   all          Zabbix official repository configuration
ii  zabbix-sender       1:7.0.0-1+debian12 amd64        Zabbix network monitoring solution - sender
ii  zabbix-server-mysql 1:7.0.0-1+debian12 amd64        Zabbix network monitoring solution - server (MySQL)
ii  zabbix-sql-scripts  1:7.0.0-1+debian12 all          Zabbix network monitoring solution - sql-scripts
ii  zabbix-web-service  1:7.0.0-1+debian12 amd64        Zabbix network monitoring solution - web-service

 

Comment by Carlos Santos [ 2024 Oct 30 ]

I am having the same issue when accessing a module:

Access denied

  • You are logged in as "xxx_admin". You have no permissions to access this page.
  • If you think this message is wrong, please consult your administrators about getting the necessary permissions.

xxx_admin belongs to a group not Super Admin but has SuperAdmin role in that group. Using the default Admin user gets the same error.

Zabbix version: 7.0.3

Let me know if you need more information.

Comment by adnet [ 2024 Oct 30 ]

On our side, as unfortunately the bug cannot be corrected and we could not find any way to make it work even looking at the code, we had to reinstall Zabbix from scratch and lose everything in the process.

Regards,

Ghislain.

Generated at Mon Jun 02 17:09:50 EEST 2025 using Jira 9.12.4#9120004-sha1:625303b708afdb767e17cb2838290c41888e9ff0.