Least privilege for API interaction

  • mfs
    Junior Member
    • Mar 2022
    • 4

    #1

    Least privilege for API interaction

    Hello, I upgraded from Zabbix 5.0 to Zabbix 6.0 to take advantage of the new API token functionality, but I'm unable to get the data I need through the API unless the user role is set to Super Admin.

    What I would like to do is to use the API in a Python script through an authentication associated with a user that can't log on to the web interface and can only use the methods included in the script.

    The API is working, but the problem is that unless the user associated with the token is a Super Admin, I have no access to other users' data.

    This is my query:

    Code:
    {
        "jsonrpc": "2.0",
        "method": "user.get",
        "params": {
            "output": ["userid", "name", "surname", "username", "medias"],
            "selectMedias": ["mediatypeid", "sendto", "active"],
            "selectMediatypes": ["name"]
        },
        "auth": "**********************************",
        "id": 50
    }

    If the user "api_user" which owns the auth token is NOT a Super Admin, this is the only thing I get back from the query:

    Code:
    {
        "jsonrpc": "2.0",
        "result": [
            {
                "userid": "13",
                "name": "",
                "surname": "",
                "username": " api_user",
                "medias": [],
                "mediatypes": []
            }
        ],
        "id": 50
    }

    On the other hand, if I make "api_user" a Super Admin, I get these same fields for all the users in the system.

    How do I get around this?

    [EDIT] I think I got it. User/Admin/Super Admin are just presets. I need to select "Super Admin" to enable all the checkboxes, then I can select the ones I need. Since I need to modify the users' media settings, I need to tick the "User" and "Media types" checkboxes and nothing else. This doesn't mean that the user is a Super Admin, because everything else is disabled, especially the GUI access.
    Last edited by mfs; 15-11-2022, 12:30.
  • cyber
    Senior Member
    Zabbix Certified Specialist, Zabbix Certified Professional
    • Dec 2006
    • 4807

    #2
    User modifications can be done by super admin only... That's why you cannot get info about other users with a "normal user".
    I would just create a suitable role for the API user, not edit the one used for all other Super Admins...


    • mfs
      Junior Member
      • Mar 2022
      • 4

      #3
      Originally posted by cyber
      User modifications can be done by super admin only... That's why you cannot get info about other users with a "normal user".
      I would just create a suitable role for the API user, not edit the one used for all other Super Admins...
      Yes, that's what I did. I created an "API" User Role; that's what I was fiddling with. I wasn't comfortable with selecting "Super admin" in the "User type" drop-down, but now I see what it means. It just enables all the boxes to be selected or not. This role I created can now do just what I need it to do and nothing else; it's not a Super admin regardless of the "User type".
      Last edited by mfs; 16-11-2022, 15:05.


      • molnart
        Junior Member
        • Feb 2024
        • 5

        #4
        This somehow doesn't work for me. I am just trying to get the list of hosts (for testing purposes), but whenever I set anything other than Super Admin in User type I do not get any response, even if I have enabled all the settings.

        See the attachments: the super user role can access the API, the user role can't. The settings are the same.


        • cyber
          Senior Member
          Zabbix Certified Specialist, Zabbix Certified Professional
          • Dec 2006
          • 4807

          #5
          Originally posted by molnart
          This somehow doesn't work for me.
          An ordinary user needs all the access permissions in place to be able to query anything over the API. Same as in the GUI: if the user is not in the appropriate user group(s), which have access to the appropriate host group(s), then they do not see any data... The same applies to API access...


          • Brambo
            Senior Member
            • Jul 2023
            • 245

            #6
            In my setup, where I use the API to back up templates, I have the following setup.
            Create a user with role Admin (needed because of access to templates).
            Create an API token which is linked to that user.
            Create a user group for API access, limiting it to read rights on the specific template group. AND when you have a template with a Host Prototype in it, you need to set read rights on that host group as well.
            Assign this user group to the user.
            Access to UI elements is not needed.
            Enable Access to API.
            And specify what API access; in my situation that is template.get, templategroup.get and configuration.export.
            Depending on your needs, set up the user group and API access lines to what you want to do.

            Depending on your code to talk to the API, don't forget to set your headers correctly; my example is part of a PowerShell script, where $apikey is the key you made in the "create an API key" step.
            Code:
            $headers = @{}                                   # request headers sent to the API
            $headers.Add('Authorization', "Bearer $apikey")  # $apikey = the API token created above
            Last edited by Brambo; 02-09-2024, 12:13. Reason: header API key info added.

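The client described in post #1 (a Python script bound to a token whose role allows only the methods the script uses) and the header handling from post #6, as an added example that is not code from the thread or from Zabbix. It assumes placeholder values for the API URL, the token and the token's own userid, and mirrors the role's method allowlist on the client side so that a call outside it fails before it reaches the server. The classifier turns the symptoms seen in the thread into explicit statuses: a JSON-RPC error, an empty result (post #4, missing user-group/host-group permissions), or a reply containing only the token's own user (post #1), instead of letting the script treat them as success.

```python
"""
Added example (not from the thread or from Zabbix): minimal JSON-RPC client for a
least-privilege Zabbix API user. Sends the token either as an
Authorization: Bearer header (post #6) or in the legacy "auth" field (post #1),
and classifies user.get replies so an under-privileged role is reported.
Assumed placeholders: ZABBIX_URL, API_TOKEN, OWN_USERID.
"""
import json
import urllib.request

ZABBIX_URL = "https://zabbix.example.invalid/api_jsonrpc.php"  # placeholder
API_TOKEN = "REPLACE-WITH-API-TOKEN"                            # placeholder
OWN_USERID = "13"  # userid of api_user in the thread's sample reply (constructed)

# Client-side mirror of the methods ticked in the API user's role.
ALLOWED_METHODS = frozenset({"user.get", "user.update", "mediatype.get"})

# The user.get parameters from post #1.
USER_QUERY = {
    "output": ["userid", "name", "surname", "username", "medias"],
    "selectMedias": ["mediatypeid", "sendto", "active"],
    "selectMediatypes": ["name"],
}


def build_request(method, params, req_id=1, token=None):
    """Build the JSON-RPC envelope, refusing methods outside the allowlist.
    If token is given it goes into the legacy 'auth' field (post #1 style)."""
    if method not in ALLOWED_METHODS:
        raise PermissionError(f"{method} is not in this script's method allowlist")
    body = {"jsonrpc": "2.0", "method": method, "params": params, "id": req_id}
    if token is not None:
        body["auth"] = token
    return body


def call(method, params, req_id=1, url=ZABBIX_URL, token=API_TOKEN, bearer=True):
    """Send one request. bearer=True uses the Authorization header (post #6);
    bearer=False puts the token in the 'auth' field instead (post #1)."""
    payload = build_request(method, params, req_id, None if bearer else token)
    headers = {"Content-Type": "application/json-rpc"}
    if bearer:
        headers["Authorization"] = f"Bearer {token}"
    req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def classify_user_get(response, own_userid=OWN_USERID):
    """Return (status, payload) for a user.get reply:
      'error'     - JSON-RPC error object came back
      'empty'     - no users visible (user-group / host-group permissions missing)
      'self-only' - only the token's own user came back (role lacks user access)
      'ok'        - other users are visible, the role is sufficient"""
    if "error" in response:
        return "error", response["error"]
    users = response.get("result", [])
    if not users:
        return "empty", users
    if {u["userid"] for u in users} <= {own_userid}:
        return "self-only", users
    return "ok", users


def media_targets(users):
    """Flatten the media entries the script needs: (username, mediatypeid, sendto)."""
    return [(u["username"], m["mediatypeid"], m["sendto"])
            for u in users for m in u.get("medias", [])]


if __name__ == "__main__":
    reply = call("user.get", USER_QUERY, req_id=50)
    status, data = classify_user_get(reply)
    if status != "ok":
        raise SystemExit(f"user.get returned {status}: {data}")
    for row in media_targets(data):
        print(row)
```

Running it against a server only gets you past the `SystemExit` once the role actually exposes other users' media, which is the check post #1 had to discover by hand; the allowlist in `ALLOWED_METHODS` should be kept identical to the methods enabled in the role so the script and the server agree on what the token may do.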