Leaks in multi-tenant reports

This support forum board is for support questions relating to Nagios XI, our flagship commercial network monitoring solution.
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Leaks in multi-tenant reports

Post by eloyd »

TL;DR version: Alert Histogram and Alert Stream reports ignore multi-tenancy restrictions based on the user logged in to Nagios.


I believe there is a leak in the multi-tenant code that allows someone who does not have access to a host to see information about that host through the reports screen. Here's the scenario:

We took our test platform running 5.4.2 Enterprise, and assigned all the hosts with an even number in the last octet of their IP address to a new user name "foobar." We then logged in with a private browser with cache cleared as "foobar." Foobar can see the hosts and services on the dozen or so boxes that foobar should be able to see. Then foobar goes to the reports tab and looks at "this month" (which is about half over). The "average host/service availability" at the top shows 0 outages, which is correct for those machines/services, but the bottom half shows only 99.997% uptime (which may just be a rounding error or it may be including other hosts). But it's still worth looking into.

More importantly, still in the reports tab, foobar goes to "Alert Stream" (one of my favorites to show customers). The "host" pull down shows the correct list of hosts (those dozen or so that foobar is supposed to be able to see). However, the actual alerts shown are for hosts that foobar does NOT have access to. They are legitimate alerts, but foobar should have no business seeing them here.

Heatmap, cloud, and timeline all show expected behavior of not showing foobar hosts/services that foobar is not supposed to see. "Network replay" says "You are not authorized to view all hosts and services" which I think should be fixed to show events for the hosts that foobar is allowed to see (let them see their own things everywhere). Executive Summary shows the top half correctly, but the alert histogram seems to include many alerts from hosts/services foobar is not entitled to see. In fact, the "Alert Histogram" report is definitely showing things foobar is not entitled to, since it's showing multiple alerts per day for "this month" when foobar's hosts only have two alerts for the entire month.

To complicate things, the "Network Report" link to NNA totally breaks the multi-tenancy and allows foobar full access to any source group within NNA (for us, that's a lot). I realize that there are no multi-tenancy capabilities in NNA at the moment, but this would be a great thing to add to allow users in XI to be able to see their hosts (and only their hosts) in NNA. The "Network Query" report similarly doesn't respect the fact that foobar should have access to only one of the source groups we've defined in NNA, based on the hosts foobar has access to in XI.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
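The test described in the post (even-last-octet hosts assigned to "foobar", then each report checked against that set) can be scripted as an audit. This is an added example, not code from the thread or from Nagios XI; the inventory, the Alert Stream rows and the dates are constructed, and the report output is modelled as plain tuples rather than read from the real API.

```python
import ipaddress
from collections import Counter

# Constructed inventory (host name -> IP address). As in the post's test,
# every host whose last octet is even is assigned to the tenant user "foobar".
INVENTORY = {
    "web01": "10.0.0.2",   "web02": "10.0.0.3",
    "db01": "10.0.0.4",    "db02": "10.0.0.5",
    "mail01": "10.0.0.10", "mail02": "10.0.0.11",
}

# Constructed Alert Stream rows: (date, host, state). Only two of them belong
# to foobar's hosts; the other four should never appear in foobar's report.
ALERT_STREAM = [
    ("2017-06-02", "web02", "DOWN"),
    ("2017-06-02", "db01", "CRITICAL"),
    ("2017-06-05", "db02", "DOWN"),
    ("2017-06-05", "mail02", "WARNING"),
    ("2017-06-09", "web01", "DOWN"),
    ("2017-06-09", "mail02", "DOWN"),
]

def has_even_last_octet(ip: str) -> bool:
    return ipaddress.ip_address(ip).packed[-1] % 2 == 0

def authorized_hosts(inventory: dict, user: str) -> set:
    """Hosts the user may see; foobar gets the even-octet hosts only."""
    if user == "foobar":
        return {h for h, ip in inventory.items() if has_even_last_octet(ip)}
    return set(inventory)  # any other user is treated as unrestricted here

def leaked_rows(rows, allowed: set) -> list:
    """Rows a report rendered for hosts outside the user's allowed set."""
    return [r for r in rows if r[1] not in allowed]

def alerts_per_day(rows, allowed=None) -> dict:
    """Alert Histogram counts; pass 'allowed' to apply the tenancy filter."""
    kept = rows if allowed is None else [r for r in rows if r[1] in allowed]
    return dict(Counter(r[0] for r in kept))

if __name__ == "__main__":
    allowed = authorized_hosts(INVENTORY, "foobar")
    print("foobar may see:", sorted(allowed))
    print("leaked Alert Stream rows:", leaked_rows(ALERT_STREAM, allowed))
    print("unfiltered histogram:", alerts_per_day(ALERT_STREAM))
    print("tenant histogram:    ", alerts_per_day(ALERT_STREAM, allowed))
```

A non-empty result from leaked_rows, or a histogram that differs between the filtered and unfiltered calls, is the symptom the post describes: the report applied the tenancy restriction to its host picker but not to the data it rendered.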
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Leaks in multi-tenant reports

Post by dwhitfield »

As for the 99.997% issue, I was not able to recreate that. I thought perhaps this was due to a server going in and out of view for the user, but that does not appear to be the case. Do you see this 99.997 issue across all hosts, users, and time periods? Do all of your time zones match up? I wasn't able to replicate many of these issues, even changing the time zone, but it might help us track down what is going on.

I'm not seeing what you are on the Alert Histogram. Does it pull in the improper info if you download the JPG or PDF?

I created bug report 11121 for the Alert Stream showing hosts it shouldn't.

I created a feature request 11123 for the network replay to respect multi-tenancy.

There is already a multi-tenancy feature request for NNA. #5729
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Leaks in multi-tenant reports

Post by eloyd »

Thanks. I've asked someone to probe more deeply into the 99% issue as well as grab some hard info for the alert histogram.
dwhitfield
Former Nagios Staff
Posts: 4583
Joined: Wed Sep 21, 2016 10:29 am
Location: NoLo, Minneapolis, MN

Re: Leaks in multi-tenant reports

Post by dwhitfield »

Was this an upgrade to 5.4.2 or a fresh install? If an upgrade, from what version did you upgrade? If retention.dat is small enough, can you PM it or just post here as it's a test box? If it is too large, it would be interesting to see the entries associated with foobar. Of course, a sample of some of the hosts foobar should and should not see would also be useful.

I'd also be curious about the access status of foobar. For example, does foobar have API access?