Leaks in multi-tenant reports
Posted: Sat Feb 18, 2017 9:28 pm
TL;DR version: Alert Histogram and Alert Stream reports ignore multi-tenancy restrictions based on the user logged in to Nagios.
I believe there is a leak in the multi-tenant code that allows someone who does not have access to a host to see information about that host through the reports screen. Here's the scenario:
We took our test platform running 5.4.2 Enterprise, and assigned all the hosts with an even number in the last octet of their IP address to a new user name "foobar." We then logged in, in a private browser with the cache cleared, as "foobar." Foobar can see the hosts and services on the dozen or so boxes that foobar should be able to see. Then foobar goes to the reports tab and looks at "this month" (which is about half over). The "average host/service availability" at the top shows 0 outages, which is correct for those machines/services, but the bottom half shows only 99.997% uptime (which may just be a rounding error or it may be including other hosts). But it's still worth looking into.
More importantly, still in the reports tab, foobar goes to "Alert Stream" (one of my favorites to show customers). The "host" pull down shows the correct list of hosts (those dozen or so that foobar is supposed to be able to see). However, the actual alerts shown are for hosts that foobar does NOT have access to. They are legitimate alerts, but foobar should have no business seeing them here.
Heatmap, cloud, and timeline all show the expected behavior of not showing foobar hosts/services that foobar is not supposed to see. "Network replay" says "You are not authorized to view all hosts and services" which I think should be fixed to show events for the hosts that foobar is allowed to see (let them see their own things everywhere). Executive Summary shows the top half correctly, but the alert histogram seems to include many alerts from hosts/services foobar is not entitled to see. In fact, the "Alert Histogram" report is definitely showing things foobar is not entitled to, since it's showing multiple alerts per day for "this month" when foobar's hosts only have two alerts for the entire month.
To complicate things, the "Network Report" link to NNA totally breaks the multi-tenancy and allows foobar full access to any source group within NNA (for us, that's a lot). I realize that there are no multi-tenancy capabilities in NNA at the moment, but this would be a great thing to add to allow users in XI to be able to see their hosts (and only their hosts) in NNA. The "Network Query" report similarly doesn't respect the fact that foobar should have access to only one of the source groups we've defined in NNA, based on the hosts foobar has access to in XI.
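The failure the post describes (a per-user host list that is honored by the host pull-down but not by the rows the Alert Stream / Alert Histogram reports actually return) can be reproduced in a few lines against an in-memory database. The example below is an added illustration, not Nagios XI or NNA code: the table names, host names, IP addresses and alert rows are all constructed here, the tenant assignment copies the post's "even last octet goes to foobar" rule, and `unauthorized_rows()` automates the check the poster did by eye (compare what the report shows against the hosts the user is actually entitled to).

```python
"""
Added example (not Nagios XI code): a minimal model of the multi-tenant report leak.

Hosts are partitioned the way the post did it (even last octet -> user "foobar"),
alerts are stored per host, and two "Alert Stream" queries are compared: one that
accepts the username but never uses it (the leaky pattern), and one that joins the
per-user authorization table. Every table, host, IP and alert row below is constructed
for this example.
"""
import sqlite3
from typing import List, Set, Tuple

Row = Tuple[str, str, str]  # (host, timestamp, state)


def build_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE hosts(host TEXT PRIMARY KEY, ip TEXT NOT NULL);
        CREATE TABLE user_hosts(username TEXT NOT NULL, host TEXT NOT NULL);  -- per-user authorization
        CREATE TABLE alerts(host TEXT NOT NULL, ts TEXT NOT NULL, state TEXT NOT NULL);
    """)
    hosts = [("web1", "10.0.0.11"), ("web2", "10.0.0.12"),
             ("db1", "10.0.0.21"), ("db2", "10.0.0.22")]          # constructed
    con.executemany("INSERT INTO hosts VALUES (?, ?)", hosts)
    # Same assignment rule as the post: even last octet -> foobar may see it.
    for host, ip in hosts:
        if int(ip.rsplit(".", 1)[1]) % 2 == 0:
            con.execute("INSERT INTO user_hosts VALUES ('foobar', ?)", (host,))
    alerts = [("web1", "2017-02-01T10:00", "DOWN"),               # constructed
              ("web2", "2017-02-02T11:00", "DOWN"),
              ("db1", "2017-02-03T12:00", "CRITICAL"),
              ("db1", "2017-02-04T13:00", "DOWN"),
              ("db2", "2017-02-05T14:00", "DOWN")]
    con.executemany("INSERT INTO alerts VALUES (?, ?, ?)", alerts)
    return con


def alert_stream_leaky(con: sqlite3.Connection, username: str) -> List[Row]:
    """Leaky pattern: the caller's identity is known but never restricts the rows."""
    return con.execute("SELECT host, ts, state FROM alerts ORDER BY ts").fetchall()


def alert_stream_scoped(con: sqlite3.Connection, username: str) -> List[Row]:
    """Fixed pattern: every row must join to a host the user is authorized for."""
    return con.execute("""
        SELECT a.host, a.ts, a.state
          FROM alerts a
          JOIN user_hosts u ON u.host = a.host AND u.username = ?
         ORDER BY a.ts""", (username,)).fetchall()


def authorized_hosts(con: sqlite3.Connection, username: str) -> Set[str]:
    """The set the host pull-down is built from (correct in both report variants)."""
    return {r[0] for r in con.execute(
        "SELECT host FROM user_hosts WHERE username = ?", (username,))}


def unauthorized_rows(con: sqlite3.Connection, username: str, rows: List[Row]) -> List[Row]:
    """The poster's manual check, automated: any row whose host is outside the user's set is a leak."""
    allowed = authorized_hosts(con, username)
    return [r for r in rows if r[0] not in allowed]


if __name__ == "__main__":
    db = build_db()
    for name, report in (("leaky", alert_stream_leaky), ("scoped", alert_stream_scoped)):
        rows = report(db, "foobar")
        leaked = unauthorized_rows(db, "foobar", rows)
        print(f"{name}: {len(rows)} rows shown, {len(leaked)} from hosts foobar may not see")
        for r in leaked:
            print("   LEAK", r)
```

Running it shows the shape of the bug the post reports: the pull-down (built from `authorized_hosts`) lists only `web2` and `db2`, yet the leaky report returns all five alerts, three of them for `web1` and `db1`. The same `unauthorized_rows` check, pointed at each report a tenant user can reach, is a quick regression test for any report that takes a username but builds its query without it.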