admin api key
Posted: Tue Nov 03, 2015 6:55 am
by WillemDH
Hello,
I'm in need of a chain which can do an apply configuration. So I was thinking of using the REST api. But applying configuration is only for admins?
This seems kind of 'dangerous', as if someone intercepts the api key of an admin, he could theoretically create an admin user and do whatever he wants? Please correct me if I'm wrong. It seems to me that enabling the REST api to create users (POST system/user) is a dangerous thing? Intercepting the api key is really easy..
Another option would be to 'execute a remote command through SSH' with a user with limited permissions, but which can execute /usr/local/nagiosxi/scripts/reconfigure_nagios.sh
How would you guys create a Reactor event chain which can apply configuration on a Nagios server in a secure way?
Grtz
Willem
Re: admin api key
Posted: Tue Nov 03, 2015 10:52 am
by tmcdonald
Any API can be dangerous if not secured properly. SSL between Reactor and XI that the API calls are routed through should be enough in most cases to make in-transit key retrieval a non-issue. There are of course many factors in play with security, but assuming the key was not previously sniffed SSL should suffice. I might need to double-check and see if Reactor will respect the SSL settings, not quite sure how it makes those API calls.
Re: admin api key
Posted: Tue Nov 03, 2015 11:03 am
by WillemDH
Could you please elaborate on "SSL should suffice"? When I execute a Bash script which does:
curl -XGET "http://nagiosserver/nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1"
I'm not going over SSL, right? Do you mean I need to follow this:
https://library.nagios.com/library/prod ... -nagios-xi
and then go to https://....
Is the URL also encrypted?
Re: admin api key
Posted: Tue Nov 03, 2015 4:36 pm
by scottwilkerson
WillemDH wrote: Could you please elaborate on "SSL should suffice"? When I execute a Bash script which does:
curl -XGET "http://nagiosserver/nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1"
I'm not going over SSL, right? Do you mean I need to follow this:
https://library.nagios.com/library/prod ... -nagios-xi
and then go to https://....
Is the URL also encrypted?
Yes, however the URL may be found in log files unencrypted, so you should POST the data like so:
curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
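The point made above (a key in the query string ends up in access logs, so send it in the request body over HTTPS), as an added example that is not from the thread or from Nagios: a Bash helper that applies the configuration with the key in the POST body, plus a check over a constructed access log for keys that were already sent in URLs. The hostname, key file path, GNU stat and the log format are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): two defender-side helpers for the advice
# above. apply_config sends the key in the POST body over HTTPS and feeds it to
# curl through a config on stdin, so it appears in neither the URL nor the
# process list. scan_log_for_keys checks a web server access log for keys that
# still leaked into request URLs via GET ?apikey=... and prints them masked.
# The hostname, key file path, GNU stat and the access log format are assumed.

# Apply the Nagios XI configuration; the key travels in the request body only.
# Usage: apply_config https://nagiosserver /etc/nagiosxi-reactor/apikey
apply_config() {
    local base_url="$1" keyfile="$2" apikey
    # The key file is the credential itself: refuse it if others can read it.
    if [ "$(stat -c %a "$keyfile")" != "600" ]; then
        echo "refusing: $keyfile must be mode 0600" >&2
        return 1
    fi
    apikey=$(cat "$keyfile")   # $(...) also strips the trailing newline
    # -K - reads curl options from stdin; --fail turns HTTP errors into a
    # non-zero exit status so the calling Reactor chain can react to them.
    curl -K - <<EOF
url = "$base_url/nagiosxi/api/v1/system/applyconfig"
data-urlencode = "apikey=$apikey"
data = "pretty=1"
silent
show-error
fail
EOF
}

# Print each access-log request that carried an API key in the URL, masking the
# key to its first four characters so the report itself is safe to share.
scan_log_for_keys() {
    sed -nE 's/(apikey=)([[:alnum:]]{4})[[:alnum:]]*/\1\2.../p' "$1"
}

# Constructed sample access log: a leaky GET, a clean POST, another leaky GET.
SAMPLE_LOG='10.0.0.5 - - [03/Nov/2015:10:52:01 +0100] "GET /nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1 HTTP/1.1" 200 512
10.0.0.5 - - [03/Nov/2015:16:36:12 +0100] "POST /nagiosxi/api/v1/system/applyconfig HTTP/1.1" 200 512
10.0.0.7 - - [04/Nov/2015:11:52:40 +0100] "GET /nagiosxi/api/v1/objects/hoststatus?apikey=anotherkey123&pretty=1 HTTP/1.1" 200 2048'

# Demo: write the sample to a temp file and report the leaked keys.
demo_log=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$demo_log"
scan_log_for_keys "$demo_log"
rm -f "$demo_log"
```

Run the scanner against the real Apache access log on the XI server; any hit means that key has to be treated as exposed, which is also why the key regeneration discussed later in the thread matters.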
Re: admin api key
Posted: Tue Nov 03, 2015 4:50 pm
by WillemDH
Ah, thanks Scott. Seems indeed better to use:
curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
I still need to try out
https://library.nagios.com/library/prod ... -nagios-xi first... I've been pushing it forward for too long..
One more question => Where can I find another user's api key?
Re: admin api key
Posted: Wed Nov 04, 2015 11:52 am
by scottwilkerson
WillemDH wrote: Ah, thanks Scott. Seems indeed better to use:
curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
I still need to try out
https://library.nagios.com/library/prod ... -nagios-xi first... I've been pushing it forward for too long..
One more question => Where can I find another user's api key?
If you are an Admin, you can do a couple things. You can masquerade as the user and look at their account, or you can go to the Admin -> Manage Components -> Backend API URL component and you can see the api keys for all the users.
Re: admin api key
Posted: Wed Nov 04, 2015 12:45 pm
by WillemDH
Ok, thanks. Got a couple more questions.
Is there a way to modify or regenerate a user's api key? In case someone's key would be compromised or something like that. Are the changes made by the REST api logged in the audit log? Is it clear when something is done with the api and when something is done manually?
Re: admin api key
Posted: Wed Nov 04, 2015 5:33 pm
by lmiltchev
Is there a way to modify or regenerate a user's api key? In case someone's key would be compromised or something like that.
As of now, I don't see any options in XI for regenerating the API key. I will check this out with our developers. Do you want me to file a feature request for adding this functionality in future releases of XI?
Are the changes made by the REST api logged in the audit log? Is it clear when something is done with the api and when something is done manually?
I added and deleted a host via the REST API and I can verify that my actions were indeed recorded in the audit log:
2015-11-04 16:27:36 147 Nagios CCM MODIFY nagiosxi localhost Host file deleted: testapihostapply.cfg
2015-11-04 16:25:56 140 Nagios CCM MODIFY nagiosxi localhost File imported - File [overwite flag]: /usr/local/nagios/etc/import/ttjkgiog.tmp.cfg [1]
Re: admin api key
Posted: Thu Nov 05, 2015 3:02 am
by WillemDH
As of now, I don't see any options in XI for regenerating the API key. I will check this out with our developers. Do you want me to file a feature request for adding this functionality in future releases of XI?
Seems like an important feature in some cases.
I added and deleted a host via the REST API and I can verify that my actions were indeed recorded in the audit log:
Is there a difference when something is done with the REST api or done with the CCM? It seems important that it is logged which technique is used to do something, so we can track this with NLS or something similar.
Re: admin api key
Posted: Thu Nov 05, 2015 5:42 pm
by tmcdonald
It doesn't explicitly state, but in some cases it can be inferred. When I created a host with the REST API I got this entry:
File imported - File [overwite flag]: /usr/local/nagios/etc/import/53khkcbm.tmp.cfg [1]
which did not happen with a manual CCM host creation. So I think this would be a good enhancement to have.
Update: Added as feature request 6913