Page MenuHomePhabricator

icinga login case mismatch
Open, MediumPublic


About half the time I try to ack something in icinga I get a permission denied error. That is because for some reason I have two icinga accounts, one is "Andrew Bogott" and one is "andrew bogott".

"Andrew Bogott" is the account name I use on every other wmf website but that account does not have the access rights to do anything in icinga. "andrew bogott" has the rights I need on icinga but I never remember to log in that way.

Also, icinga sessions are long-lived and icinga doesn't present a 'log out' button so once I've logged in as Andrew Bogott I have to live with it for weeks or do some kind of fancy thing to clear my cookies.

I know I am not the only person suffering from this issue and it is extremely annoying and disruptive, causing many mistaken pages and delayed acks.

Event Timeline

Restricted Application added a subscriber: Aklapper. · View Herald Transcript

To clarify: it seems that if I log in to icinga with a MiXEd but inCORreCt case username icinga cheerfully creates me an account with that name and my actual sso password, then logs me in as that user, but provides no actual access rights. It needs to pick a lane and either apply rights or not log me in at all.

Peachey88 updated the task description. (Show Details)
Peachey88 removed a project: LDAP.

Icinga itself can't be blamed because the login in front of Icinga does not come from Icinga. It's us who slapped that in front of it at one point in the past because of some security vulnerability and then we never questioned if it can be removed again. Before that Icinga used to be public (to read, not to run commands on it).

That login is not case-sensitive and allows both versions.

Icinga itself just knows one user name ("contact"), the one that has privileges and is case sensitive. Any user has the right to view everything but not to run commands.

Some users have solved this by simply adding both capitalized and non-capitalized versions to the Icinga config. See modules/icinga/files/cgi.cfg and authorized_for_system_information.




jijiki triaged this task as Medium priority.Mon, Mar 29, 9:18 PM