bundles/icinga2: allow limiting permissions for api users

2020-12-20 09:33:17 +01:00 · 2020-12-20 09:33:17 +01:00 · 0b52f8e7e6
commit 0b52f8e7e6
parent 374ba3c16a
2 changed files with 9 additions and 4 deletions
--- a/bundles/icinga2/files/icinga2/api-users.conf
+++ b/bundles/icinga2/files/icinga2/api-users.conf
@ -1,7 +1,7 @@
-% for user, password in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
+% for user, config in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
 object ApiUser "${user}" {
-  password = "${password}"
-  permissions = [ "*" ]
+  password = "${config['password']}"
+  permissions = [ "${'", "'.join(sorted(config['permissions']))}" ]
 }

 % endfor
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@ -30,7 +30,12 @@ defaults = {
    },
    'icinga2': {
        'api_users': {
-            'root': repo.vault.password_for(f'{node.name} icinga2 api root'),
+            'root': {
+                'password': repo.vault.password_for(f'{node.name} icinga2 api root'),
+                'permissions': {
+                    '*',
+                },
+            },
        },
    },
    'icinga2_api': {