Module doesn't seem to log all IDs

[mtdeguzis]

I tested a login from myself in Chrome, then Firefox. This shows up fine:

[root@icinga icingaweb2]# tailf audit.json
{"activity_time":1532037082,"activity":"logout","message":"User logged out","identity":"mtdeguzis"}
{"activity_time":1532037094,"activity":"login","message":"User logged in","identity":"mtdeguzis"}
{"activity_time":1532107837,"activity":"login","message":"User logged in","identity":"mtdeguzis"}
{"activity_time":1532107845,"activity":"logout","message":"User logged out","identity":"mtdeguzis"

However, I had a user log in (who has read access), and his ID was not recorded.

Here is my configuration screen:

I grepped for his name and confirmed the login attempt at least in the typicaly icingaweb2 log:

/var/log/icingaweb2/icingaweb2.log:2018-07-20T13:29:13-04:00 - DEBUG - Issueing LDAP search. Use 'ldapsearch -P 3 -H "ldaps://host.domain.com:636" -D "CN=some_user,OU=some_ou=,DC=domain,DC=com" -W -b "DC=domain,DC=com" -s "sub" -z 0 -l 0 -a "never" "(&(&(objectCategory=person)(objectClass=user)(|(department=some_dept)(sAMAccountName=other_admin_user)(sAMAccountName=some_user)))(&(objectClass=user)(sAMAccountName=the_other_user)))"'

[mtdeguzis]

Confirmed this is a user rights issue after added the test user to the admin group:

{"activity_time":1532108759,"activity":"login","message":"User logged in","identity":"other_uer"}

The rights of a user should not affect their login/logout being recorded. Sounds like a bug

[mtdeguzis]

Rights for test-role group:

[test-role]
users = "other_user"
director/filter/hostgroups = "tech-team"
permissions = "module/doc, module/graphite, module/monitoring, monitoring/command/schedule-check, monitoring/command/acknowledge-problem, monitoring/command/remove-acknowledgement, monitoring/command/comment/*, monitoring/command/comment/add, monitoring/command/comment/delete, monitoring/command/downtime/*, monitoring/command/downtime/schedule, monitoring/command/downtime/delete, monitoring/command/process-check-result, monitoring/command/send-custom-notification"
monitoring/filter/objects = "hostgroup_name=tech-team|hostgroup_name=tech-team-servers-443|hostgroup_name=tech-team-servers-22"

[mtdeguzis]

Hi, any update?

[mtdeguzis]

Any update?

[nilmerg]

Hi,

sorry for the late response. You're right, this is a user rights issue. A user requires at least the permission module/audit so that his/her actions are logged.

While this is surely not optimal, it's neither a bug. It's due to the architectural design of modules and can't be changed without changing Icinga Web 2 as well. (And possibly other modules)

Though, mentioning it in the documentation is of course a start.. So, as long as it's not possible to avoid, I consider this a documentation related issue.

[mtdeguzis]

So would the suggestion be to create a base permission set that include this permission for all users?

[nilmerg]

Essentially, yes.

[mtdeguzis]

That worked. Thank you for the workaround

[nilmerg]

Will be no issue anymore with Icinga Web 2.7. (Icinga/icingaweb2#3849)