Icinga2 permissions for all LDAP users

Question

I have a Icinga2 running with Active Directory as authentication backend and Icinga Web 2 as frontend.

The frontend permissions can be configured using the roles.ini in Icingaweb2's config folder. This is what I have in there:

# roles.ini

[Users]
users = "*"
permissions = "module/monitoring"

As you can see, I want to give all authenticated users access to the monitoring module. I have no group, which contains all users so I cannot use a group for that.

This does not work. How is the correct syntax to give the permission to all users?

(Of course, using existing user names or group names does work, backend configuration therefore is correct.) Thank you very much in advance!

Answer 1

This feature was implemented in IcingaWeb2 version 2.5, see https://github.com/Icinga/icingaweb2/pull/3096. It's a very simple patch against AdmissionLoader.php, which you can also apply separately by hand:

commit f495b390da6eb257ca101889deb70ccc22bb99c7
Author: Eric Lippmann <eric.lippmann@icinga.com>
Date:   Thu Nov 16 12:01:06 2017 +0100

    Apply role to all users if the role is defined with users=*

    If the users directive contains at least one single asterisk, the role is applied to all users.
    So, this supports roles which define users=username, ..., * and users=*

    refs #3095

diff --git a/library/Icinga/Authentication/AdmissionLoader.php b/library/Icinga/Authentication/AdmissionLoader.php
index 0a80be127..8ee43dbfb 100644
--- a/library/Icinga/Authentication/AdmissionLoader.php
+++ b/library/Icinga/Authentication/AdmissionLoader.php
@@ -28,6 +28,9 @@ class AdmissionLoader
         $username = strtolower($username);
         if (! empty($section->users)) {
             $users = array_map('strtolower', StringHelper::trimSplit($section->users));
+            if (in_array('*', $users)) {
+                return true;
+            }
             if (in_array($username, $users)) {
                 return true;
             }