Nagios Support Forum

Using the API I'm able to add comments to hosts and services as per the External command https://assets.nagios.com/downloads/nag ... ernalcmds/. This all works fine.
When you add comments via the GUI the Author is fixed to whichever account you login as (as it should be). However, when adding comments via the external command method the author is just a string argument and can be whoever or whatever you want. As a feature request it would be better if Author was set to the API token's account name (by querying user accounts). My thought is that the command (e.g. ADD_HOST_COMMENT) could remain as it is, so that the same functionality could exist, but if the command was submitted to the Nagios server via the API then it would enforce that the owner of the API token would become the author.
Another option would be to allow an API token to be queried via the API in order to retrieve the account information. I could use this method to enforce the author within my code. It doesn't stop anyone from circumventing this by creating their own API call but it's an option.

Your thoughts?

Hi @IPOInS,

Appreciate your feedback. I can submit a feature request on your behalf to the dev team, so if the user field is left out it will default to the user sending the command (API Key). As to if or when a feature request is implemented, that has up to our product teams.

Regarding the API key, I believe one reason that this is not available is to maintain a certain level of security for a user's API key.

Let us know if you have any other questions.

Best Regards,
Benjamin

Hi Benjamin

Thanks for the response. I appreciate their priorities and this might not be at the top of the list
As for the API Key query, what I was thinking is that you could at least query your own API key and not to be able to query anyone else's account for an API key. Just like you can view your own account Information from the link in the top right hand corner of the Nagios XI menu in the GUI.

I agree on the security concerns, and like passwords these keys should be kept secret and handled accordingly. I also think it's worth pointing out that anyone who has sufficient rights via the GUI to manage user accounts can see everyone's API key. Ideally these should only be viewable once at the time of generation and only by the owner of the account. If they forget their key they simply login and generate a new one.

Hi @IPOInS,

Your welcome, and thanks for the clarification, that makes sense. I can also pass along the suggestions about the user's API key, appreciate the feedback.

Let me know if you need to have any more questions or comments.

--Benjamin