Minimal permissions to access REST API

Answered

3 comments

  • Andrey Terentyev

    Hi Michael,

    At the moment, there is no possibility to set special permission per API endpoint (or set).
    Could you please give us more details on your scenario? What API are you going to utilize? What data, counters are you going to use? What Zabbix features do you plan to utilize (templates, discovery rules, etc.)?
    It would be very helpful for us in rethinking the permissions system.

  • Evgeny Balashov

    We recommend always creating a special account in the system and choosing an appropriate predefined role, or setting up custom permissions.

    Specific role/permissions depend on the capabilities that you use in the integration, so to start I recommend:

    1. Outline a list of actions and API calls that are used in the integration.
    2. Think about what permissions are required for that, and set up the account manually.
    3. Test that everything works.

    After that you can add this set of permissions to the manual.

    There is also an option to create this user using API requests, but those requests will require administrator privileges.

  • Michael Pasqualone

    Thanks Andrey,

    This is still a work in progress for us, here is the current Zabbix template that utilises the REST API for 4.2: https://github.com/michaelp85/zabbix-nxwitness/blob/master/zbx_export_templates.xml

    I used Zabbix's discovery engine to build the host and trigger prototypes for camera monitoring.

    What the template currently achieves:

    • Monitoring recording status of each camera.
    • CPU load % of mediaserver
    • Network interface bandwidth monitoring
    • Server status
    • Server uptime

    Currently we only have triggers/alerts associated with whether the camera recording is down for each camera.

    We also have the Zabbix agent installed on each NX Witness server, and are using that to monitor the mediaserver process and all other standard OS-level monitoring.

    What API are you going to utilize? What data, counters are you going to use?

    Currently using these endpoints:

    • /ec2/metrics/values
    • /ec2/getCamerasEx

    Though, I'll likely expand into others as I build this out. As for which data/counters I want to access, I think the answer is pretty much "all". So I think what would be beneficial for me is the ability to create a user account that is admin-like but read-only, so it sees the same API endpoints and data as an "admin" user, but without the ability to modify/change anything. That way, if our Zabbix infrastructure is breached and this user account is discovered, they won't be able to do any damage to NX, with the account having read-only permissions.

    Screenshot of latest data:

    Comment actions Permalink
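Added example, not part of the thread or of the linked template: one way to carry out the first step recommended above (list the API calls the integration makes) by reading the HTTP agent items out of a Zabbix export, so the service account can be scoped and any non-read call stands out. The sample XML is constructed in the shape of a 4.2 export, the macros `{$NX_URL}` and `{$NX_QUERY}` are hypothetical, and the numeric codes (item type 19 = HTTP agent, request_method 0 to 3) are the values from Zabbix's item object.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample shaped like a Zabbix 4.2 XML export; it is NOT the
# contents of the template linked in the thread. Macros are hypothetical.
SAMPLE_EXPORT = """<zabbix_export>
  <version>4.2</version>
  <templates><template>
    <items>
      <item><name>Server metrics</name><type>19</type>
        <url>https://{HOST.CONN}:7001/ec2/metrics/values</url>
        <request_method>0</request_method></item>
      <item><name>mediaserver process</name><type>0</type></item>
    </items>
    <discovery_rules><discovery_rule>
      <name>Camera discovery</name><type>19</type>
      <url>{$NX_URL}/ec2/getCamerasEx?{$NX_QUERY}</url>
      <request_method>0</request_method>
      <item_prototypes><item_prototype>
        <name>Recording status</name><type>19</type>
        <url>{$NX_URL}/ec2/getCamerasEx</url>
        <request_method>0</request_method>
      </item_prototype></item_prototypes>
    </discovery_rule></discovery_rules>
  </template></templates>
</zabbix_export>"""

HTTP_AGENT = "19"  # Zabbix item type code for "HTTP agent"
METHODS = {"0": "GET", "1": "POST", "2": "PUT", "3": "HEAD"}
READ_ONLY = {"GET", "HEAD"}

def api_path(url):
    """Drop scheme, host (or a leading macro) and query string; keep the path."""
    rest = re.sub(r"^(?:[a-z][a-z0-9+.-]*://)?[^/]*", "", url.strip(), count=1, flags=re.I)
    return rest.split("?", 1)[0] or "/"

def inventory(export_xml):
    """Map (method, path) -> names of items, rules and prototypes that call it."""
    calls = {}
    for el in ET.fromstring(export_xml).iter():
        if (el.findtext("type") or "").strip() != HTTP_AGENT or not el.findtext("url"):
            continue
        method = METHODS.get(el.findtext("request_method", "0").strip(), "UNKNOWN")
        key = (method, api_path(el.findtext("url")))
        calls.setdefault(key, []).append(el.findtext("name", "?"))
    return calls

def calls_to_review(calls):
    """Calls whose HTTP method is not plainly read-only; check these by hand."""
    return sorted(k for k in calls if k[0] not in READ_ONLY)
```

An empty result from `calls_to_review` only says the template issues no POST/PUT requests; whether a given GET endpoint is side-effect free still has to be confirmed against the API documentation and by testing with the restricted account.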
