[ZBXNEXT-4566] Permission zabbix administrator on maps with images Created: 2018 Apr 07 Updated: 2019 Aug 10 |
|
Status: | Reopened |
Project: | ZABBIX FEATURE REQUESTS |
Component/s: | API (A) |
Affects Version/s: | None |
Fix Version/s: | None |
Type: | Change Request | Priority: | Major |
Reporter: | Diego Cavalcante | Assignee: | Unassigned |
Resolution: | Unresolved | Votes: | 8 |
Labels: | frontend | ||
Remaining Estimate: | Not Specified | ||
Time Spent: | Not Specified | ||
Original Estimate: | Not Specified | ||
Environment: |
Ubuntu 16.04 LTS |
Attachments: | bug01.png bug02.png bug03.png bug04.png bug05.png inserting-image-item-in-private-map-allows-all-zabbix-admins-see-some-content.mp4 | ||||||||
Issue Links: |
|
Description |
Good night dear. I recently encountered a problem regarding permissioning on maps, I have some maps, which are specific hosts and triggers for a group, to which only users who have the appropriate permissions in this group should have access to "list and view the maps", but that is not quite what is happening. If the user is of type "user zabbix" such maps are not listed nor displayed. I noticed that if the map contains only "host, trigger, group, map" elements, the permission applied to the user works perfectly and it is not able to list or view the maps. And if the map contains at least 1 element of type "image", the user is able to list and view the map in the way I described above, it seems to me that this is not correct. I faced this problem in version 3.4.6, and tried an upgrade to version 3.4.8 and the problem persists. Is it a permission setting, or a bug? In short: if any map that contains some element of type "image", any user of type "administrator zabbix" is able to list and see, if I remove all elements of the "image" type of maps, permission works perfectly. |
Comments |
Comment by Diego Cavalcante [ 2018 May 15 ] |
version 3.4.9 the problem persists. |
Comment by Aigars Kadikis [ 2018 May 23 ] |
Can confirm this on 3.4.9. Here is how to reproduce it: |
Comment by Diego Cavalcante [ 2018 May 23 ] |
Hello Aigars Kadikis, your reproduction of the problem was perfect. I can confirm that the problem affects all versions 3.4.x and all alphas of 4.0. |
Comment by Alexander Vladishev [ 2018 May 23 ] |
It works as documented.
|
Comment by Diego Cavalcante [ 2018 May 23 ] |
The way it is, I only see 2 exits: 1º Do not use elements of type "image" in the maps. Well, the permissions are respected. I have to choose between the 2. |
Comment by João Edson [ 2018 May 23 ] |
Step by the same problem as Diego and I do not see exit since if not leave some users as admin they no longer have access to some elements |
Comment by Alexander Vladishev [ 2018 May 24 ] |
I moved this issue to ZBXNEXT project. Please vote for this change request! |
Comment by Alex Tomasello [ 2018 Nov 27 ] |
In include/classes/api/services/CMap.php there are some lines that permit this:
// Setting PERM_READ permission for maps with at least one image.
$selement_images = self::getSelements(array_keys($sysmaps_r), SYSMAP_ELEMENT_TYPE_IMAGE);
self::setMapPermissions($sysmaps_r, $selement_images, [0 => []], $selement_maps);
self::setHasElements($sysmaps_r, $selement_images);
|
Comment by Alex Tomasello [ 2019 Jan 15 ] |
Any updates? |
Comment by Alex Tomasello [ 2019 Jan 23 ] |
Hi there, I've reported code lines involved in this issues/feature. This ticket was opened on 2018 Apr 07 ...Any updates? |
Comment by Dirk Bongard [ 2019 Aug 10 ] |
I wonder about this authorization concept. When I look at this list of references, I can not believe that large companies agree with this mess, or have spent a lot of money on work arounds. Example: We have several 24/7 data centers. Some have their own site administrators. To be able to administer their own hosts, they need to be Zabbix Adminstrator. This gives them all rights to maps again. The same issue is with Discovery. I am not able to give a DBA for a single host the rights for scheduled downtime without giving it the right Zabbix Adminstrator. By the wording, it is true that an administrator should see everything, but an application admin should be able to set up maintenance or add a template to his host. That's why many of us are Zabbix administrators and have in this case too many rights.
|