Global Read Access to Configs - Adding flag for this

I’d like to add a flag to allow global read users to access configs. I’ve integrated with Oxidized (and run Oxidized with hide secrets option) so the configs are not sensitive to me. I’d like to override LibreNMS hiding them for global read users.

I see this is checked in two places:

And also:

I propose to add the following to those statements:

if (is_admin() || (is_read() && $config['allow_global_read_to_see_configs']  === true)) {

This would add a config variable with default false.

Some trickiness is that there are separate config variables for rancid and oxidized, though this variable would be shared between them. The alternative is to restructure those statements and have separate $config['rancid']['allow_global_read'] and $config['oxidized']['allow_global_read'].

Let me know your thoughts and if something of this nature will be merged.

I’m pretty sure it would. I prefer one option, but it needs a shorter name. You should also add it to the settings page.

Like this: https://github.com/librenms/librenms/blob/612186dabfe9f7fe649f451df0902fbec0917547/sql-schema/191.sql

Please send a PR, that is the best way to discuss things like this :slight_smile:

OK

Not sure what that link is referring to?

Well, wanted to start with an issue, but the guidance in the default issue said discuss here…
Was a CATCH :two::two:

You don’t need an issue to create a pull request.

I need to make device configurations accessible by Global Read users. Sure I should add a configuration option for that, but for now just for testing I’ve changed this line:

--- ./includes/html/pages/device/showconfig.inc.php.orig        2020-06-11 11:01:47.910831000 +0300
+++ ./includes/html/pages/device/showconfig.inc.php     2020-06-11 12:32:00.635838000 +0300
@@ -4,7 +4,7 @@
 use LibreNMS\Config;
 use Symfony\Component\Process\Process;

-if (Auth::user()->hasGlobalAdmin()) {
+if (Auth::user()->hasGlobalRead()) {
     if (Config::has('rancid_configs') && !is_array(Config::get('rancid_configs'))) {
         Config::set('rancid_configs', (array)Config::get('rancid_configs', []));
     }
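
Review bot: Replacing `hasGlobalAdmin()` with `hasGlobalRead()` on the changed `if` opens device configs to every global-read user unconditionally, and the context lines show the same branch handles `rancid_configs`, so the exposure is not limited to Oxidized output with secrets hidden. Gate it behind an opt-in setting that defaults to false, as proposed earlier in this thread, for example `if (Auth::user()->hasGlobalAdmin() || (Auth::user()->hasGlobalRead() && Config::get('allow_global_read_to_see_configs', false))) {`, where the setting name is the one suggested in the first post and does not exist yet. That form also keeps admin access independent of how `hasGlobalRead()` treats admins.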

Everything works fine except the “Config” tab doesn’t appear on device pages. Could anyone give me a hint how to enable the “Config” tab?

I just ran across the same problem. I have two admins and about a dozen people with Global Read access. Before installing oxidized, I was thinking that “Global Read” really means “Global Read” and not “Global Read except this and that”.
It’s intended that some people have Global Read permission and not Admin. It’s the people I trust to view anything. And I need these people to have read access to the fetched oxidized files as well.

I don’t see any reason why this ticket must mold around for almost 4,5 years.


Any news on this topic here?

LibreNMS now supports roles and permissions. But there is currently no webui to add and manage custom permissions yet (and currently no one is working on that that I know of).

So, waiting for someone to contribute code for that.

I would be happy to use this new roles and permissions system without webui, I only care about giving access to oxidized to my global read users, no matter which kind of interface to use.

Unfortunately, the docs page at Authentication Options - LibreNMS Docs still seems to reference the old system, so any hint on how to use the new roles and permissions system is appreciated.

The webui still needs updating to make use of the roles and permissions, so you can’t just update the DB and have it do what you want it to do.