admin api key

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

admin api key

Post by WillemDH »

Hello,

I'm in need of a chain which can do an apply configuration. So I was thinking of using the REST API. But applying configuration is only for admins?

This seems kind of 'dangerous', as if someone intercepts the API key of an admin, he could theoretically create an admin user and do whatever he wants? Please correct me if I'm wrong. It seems to me that enabling the REST API to create users (POST system/user) is a dangerous thing? Intercepting the API key is really easy..
Another option would be to 'execute a remote command through SSH' with a user with limited permissions, but which can execute /usr/local/nagiosxi/scripts/reconfigure_nagios.sh

How would you guys create Reactor event chains which can apply configuration on a Nagios server in a secure way?

Grtz

Willem
Nagios XI 5.8.1
https://outsideit.net
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: admin api key

Post by tmcdonald »

Any API can be dangerous if not secured properly. SSL between Reactor and XI, which the API calls are routed through, should be enough in most cases to make in-transit key retrieval a non-issue. There are of course many factors in play with security, but assuming the key was not previously sniffed, SSL should suffice. I might need to double-check and see if Reactor will respect the SSL settings; not quite sure how it makes those API calls.
Former Nagios employee
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: admin api key

Post by WillemDH »

Could you please elaborate on "SSL should suffice"? When I execute a Bash script which does:

Code:

curl -XGET "http://nagiosserver/nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1"
I'm not going over SSL, right? Do you mean I need to follow this:

https://library.nagios.com/library/prod ... -nagios-xi

and then go to https://....

Is the URL also encrypted?
Nagios XI 5.8.1
https://outsideit.net
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: admin api key

Post by scottwilkerson »

WillemDH wrote:Could you please elaborate on "SSL should suffice"? When I execute a Bash script which does:

Code:

curl -XGET "http://nagiosserver/nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1"
I'm not going over SSL, right? Do you mean I need to follow this:

https://library.nagios.com/library/prod ... -nagios-xi

and then go to https://....

Is the URL also encrypted?
Yes; however, the URL may be found unencrypted in log files, so you should POST the data like so:

Code:

curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
Former Nagios employee
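Added example, not code from the thread or from Nagios XI: a POSIX shell wrapper for the applyconfig call discussed above that keeps the API key out of the URL, out of the process list (curl reads it from a file rather than from argv) and off plain HTTP, plus a filter that shows on constructed Apache-style access-log lines why the GET form leaks the key and the POST form does not. The hostname `nagiosserver`, the key-file path `/etc/nagiosxi-reactor/apikey` and the log lines are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread or from Nagios XI itself.
# Assumptions: XI is reachable over HTTPS at $XI_URL with a certificate curl can
# validate, and the admin API key sits alone in $KEYFILE (mode 600, owned by the
# account that runs the Reactor chain). Both paths are illustrative.
XI_URL="${XI_URL:-https://nagiosserver/nagiosxi}"
KEYFILE="${KEYFILE:-/etc/nagiosxi-reactor/apikey}"

# Refuse to use a key file that other local users can read.
check_keyfile() {
    f="$1"
    [ -f "$f" ] || { echo "key file $f missing" >&2; return 1; }
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case "$perms" in
        400|600) return 0 ;;
        *) echo "key file $f has mode $perms, expected 600" >&2; return 1 ;;
    esac
}

# Apply the XI configuration. curl reads the key from the file itself
# (--data-urlencode name@file), so it never appears in argv, in the URL or in
# the web server's access log, and --proto '=https' makes curl refuse a
# plain-http URL instead of sending the key in clear.
apply_config() {
    check_keyfile "$KEYFILE" || return 1
    curl --fail --silent --show-error \
         --proto '=https' \
         --request POST \
         --data-urlencode "apikey@$KEYFILE" \
         --data 'pretty=1' \
         "$XI_URL/api/v1/system/applyconfig"
}

# Constructed Apache-style access log lines (not from a real server): the GET
# form from the thread leaves the key in the log, the POST form does not.
sample_access_log() {
    printf '%s\n' \
        '10.0.0.5 - - [04/Nov/2015:16:25:56 +0100] "GET /nagiosxi/api/v1/system/applyconfig?apikey=blablaapikey8t&pretty=1 HTTP/1.1" 200 512' \
        '10.0.0.5 - - [04/Nov/2015:16:27:36 +0100] "POST /nagiosxi/api/v1/system/applyconfig HTTP/1.1" 200 512'
}

# Print access-log lines whose request URL carries an apikey query parameter.
# Run it over the real access log to find keys that are already exposed and
# should be treated as compromised.
find_leaked_keys() {
    grep -E '"(GET|POST|HEAD) [^" ]*[?&]apikey=' || true
}

if [ "${1:-}" = "apply" ]; then
    apply_config
else
    echo "Request lines that expose an API key in the URL:"
    sample_access_log | find_leaked_keys
fi
```

Run it with `apply` to push the configuration; with no argument it only prints the leaking sample line. Note that moving the key into the POST body helps only once the request really goes over TLS: on plain HTTP a body is just as readable on the wire as a query string, which is why the wrapper refuses non-https URLs.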
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: admin api key

Post by WillemDH »

Ah Thanks Scott. Seems indeed better to use:

Code:

curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
I still need to try out https://library.nagios.com/library/prod ... -nagios-xi first... I've been pushing it forward for too long..

One more question => Where can I find another user's api key?
Nagios XI 5.8.1
https://outsideit.net
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Re: admin api key

Post by scottwilkerson »

WillemDH wrote:Ah Thanks Scott. Seems indeed better to use:

Code:

curl -XPOST --data "apikey=blablaapikey8t&pretty=1" "http://nagiosserver/nagiosxi/api/v1/system/applyconfig"
I still need to try out https://library.nagios.com/library/prod ... -nagios-xi first... I've been pushing it forward for too long..

One more question => Where can I find another user's api key?
If you are an Admin, you can do a couple of things. You can masquerade as the user and look at their account, or you can go to the Admin -> Manage Components -> Backend API URL component and see the API keys for all the users.
Former Nagios employee
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: admin api key

Post by WillemDH »

Ok, thanks. Got a couple more questions. :) Is there a way to modify or regenerate a user's API key? In case someone's key would be compromised or something like that. Are the changes made by the REST API logged in the audit log? Is it clear when something is done with the API and when something is done manually?
Nagios XI 5.8.1
https://outsideit.net
lmiltchev
Bugs find me
Posts: 13589
Joined: Mon May 23, 2011 12:15 pm

Re: admin api key

Post by lmiltchev »

Is there a way to modify or regenerate a user's api key? In case someone's key would be compromised or something like that.

As of now, I don't see any options in XI for regenerating the API key. I will check this out with our developers. Do you want me to file a feature request for adding this functionality in future releases of XI?
Are the changes made by the REST api logged in the audit log? Is it clear when something is done with the api and when something is done manually?
I added and deleted a host via the REST API and I can verify that my actions were indeed recorded in the audit log:

Code:

2015-11-04 16:27:36	147	Nagios CCM	MODIFY	nagiosxi	localhost	Host file deleted: testapihostapply.cfg
2015-11-04 16:25:56	140	Nagios CCM	MODIFY	nagiosxi	localhost	File imported - File [overwite flag]: /usr/local/nagios/etc/import/ttjkgiog.tmp.cfg [1]
Be sure to check out our Knowledgebase for helpful articles and solutions!
WillemDH
Posts: 2320
Joined: Wed Mar 20, 2013 5:49 am
Location: Ghent

Re: admin api key

Post by WillemDH »

As of now, I don't see any options in XI for regenerating the API key. I will check this out with our developers. Do you want me to file a feature request for adding this functionality in future releases of XI?
Seems like an important feature in some cases.
I added and deleted a host via the REST API and I can verify that my actions were indeed recorded in the audit log:
Is there a difference when something is done with the REST API or done with the CCM? It seems important that it is logged which technique is used to do something, so we can track this with NLS or something similar.
Nagios XI 5.8.1
https://outsideit.net
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: admin api key

Post by tmcdonald »

It doesn't explicitly state, but in some cases it can be inferred. When I created a host with the REST API I got this entry:

File imported - File [overwite flag]: /usr/local/nagios/etc/import/53khkcbm.tmp.cfg [1]

which did not happen with a manual CCM host creation. So I think this would be a good enhancement to have.

Update: Added as feature request 6913
Former Nagios employee
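Added example, not code from the thread or from Nagios XI: a small shell filter that applies the inference above to XI audit-log lines, tagging a change as API-originated when its message is the "File imported - File [overwite flag]: /usr/local/nagios/etc/import/<random>.tmp.cfg [1]" entry that a manual CCM host creation does not produce. As the thread says, this is a heuristic, not an explicit origin field. The sample lines are constructed in the tab-separated layout quoted above (two modelled on the quoted entries, one extra "Host added" line invented for contrast), and the user/host values are assumptions.

```shell
#!/bin/sh
# Added example (not Nagios XI code). Classifies XI audit-log lines by origin
# using the heuristic from the thread: a host created through the REST API
# leaves a "File imported" entry pointing at a random *.tmp.cfg under
# /usr/local/nagios/etc/import/, which a manual CCM creation does not.

# Emit one tab-separated audit line:
# timestamp, id, source, action, user, host, message.
audit_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' "$@"
}

# Constructed sample. The first two entries are modelled on the ones quoted in
# the thread; the third is invented to stand in for a manual CCM change.
sample_audit_log() {
    audit_line '2015-11-04 16:27:36' 147 'Nagios CCM' MODIFY nagiosxi localhost \
        'Host file deleted: testapihostapply.cfg'
    audit_line '2015-11-04 16:25:56' 140 'Nagios CCM' MODIFY nagiosxi localhost \
        'File imported - File [overwite flag]: /usr/local/nagios/etc/import/ttjkgiog.tmp.cfg [1]'
    audit_line '2015-11-04 16:20:10' 133 'Nagios CCM' MODIFY nagiosxi localhost \
        'Host added: manualhost'
}

# Read audit lines on stdin and print "<origin>\t<user>\t<timestamp>\t<message>",
# where origin is API (heuristic matched) or CCM/UNKNOWN (everything else).
classify_audit_log() {
    awk -F'\t' '
    { origin = "CCM/UNKNOWN" }
    $7 ~ /^File imported - File \[overwite flag\]: \/usr\/local\/nagios\/etc\/import\/[A-Za-z0-9]+\.tmp\.cfg \[1\]$/ { origin = "API" }
    { print origin "\t" $5 "\t" $1 "\t" $7 }'
}

# Count the entries the heuristic attributes to the API (0 is a valid answer).
count_api_changes() {
    classify_audit_log | grep -c '^API' || true
}

sample_audit_log | classify_audit_log
```

Feed the real audit-log export into `classify_audit_log` (or into a log pipeline such as NLS) to flag API-driven changes per user; the user column is the account whose key was used, which is what you would pivot on when a key is suspected compromised.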