From 0b52f8e7e683dceeb13c8ae5d0ebe03f724c6f09 Mon Sep 17 00:00:00 2001
From: Franziska Kunsmann
Date: Sun, 20 Dec 2020 09:33:17 +0100
Subject: [PATCH] bundles/icinga2: allow limiting permissions for api users
---
 bundles/icinga2/files/icinga2/api-users.conf | 6 +++---
 bundles/icinga2/metadata.py | 7 ++++++-
 2 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/bundles/icinga2/files/icinga2/api-users.conf b/bundles/icinga2/files/icinga2/api-users.conf
index 59be6f0..77e3737 100644
--- a/bundles/icinga2/files/icinga2/api-users.conf
+++ b/bundles/icinga2/files/icinga2/api-users.conf
@@ -1,7 +1,7 @@
-% for user, password in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
+% for user, config in sorted(node.metadata.get('icinga2', {}).get('api_users', {}).items()):
 object ApiUser "${user}" {
- password = "${password}"
- permissions = [ "*" ]
+ password = "${config['password']}"
+ permissions = [ "${'", "'.join(sorted(config['permissions']))}" ]
 }
 % endfor
diff --git a/bundles/icinga2/metadata.py b/bundles/icinga2/metadata.py
index 3a2305d..5a3f561 100644
--- a/bundles/icinga2/metadata.py
+++ b/bundles/icinga2/metadata.py
@@ -30,7 +30,12 @@ defaults = {
 },
 'icinga2': {
 'api_users': {
- 'root': repo.vault.password_for(f'{node.name} icinga2 api root'),
+ 'root': {
+ 'password': repo.vault.password_for(f'{node.name} icinga2 api root'),
+ 'permissions': {
+ '*',
+ },
+ },
 },
 },
 'icinga2_api': {
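Review bot: On the new `password = "${config['password']}"` and `permissions = [ ... ]` lines the values are written between double quotes with no escaping, so a `"` or `\` in a password or permission string closes the literal early and changes what Icinga 2 parses from api-users.conf. An empty `permissions` set also renders `[ "" ]` instead of an empty array; building the quoted items inside the expression avoids that, e.g. `permissions = [ ${', '.join('"' + p + '"' for p in sorted(config['permissions']))} ]`, ideally with the quoting done by a small helper that also escapes `\` and `"`. Any `api_users` entry defined outside this diff that is still a plain password string would now fail at `config['password']`; that failure is at least closed rather than a silent fallback to `*`, but those entries are not visible here and should be checked.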
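Review bot: The default `root` entry keeps `'*'` and stores it in a set, and the new schema (`password` plus a `permissions` set of strings) is not documented anywhere in the hunk. If bundlewrap merges sets from `defaults` with node metadata by union, as I believe it does (please confirm), a node can add permissions for `root` but never narrow them, so the limiting this commit introduces only applies to other users. I would state that above the entry, for example `# root is intentionally unrestricted; sets are merged, so nodes can only add permissions here`. The `defaults` dict starts and ends outside the hunk.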