ZenPacks and JSON API

Expand all | Collapse all

How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

  • 1.  How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 01-12-2018 09:52 AM

    Hi,

     I've been playing around with the very helpful ZenPack – ZenPacks.skills1st.UserRoles which adds the ability to have a user role – Zen_Operator that allows the user to manage events but not access the rest of the config of zenoss.

    This allows the creation of a zenoss user that can operate day-to-day monitoring activities and deal with events without having to give them the ability to mess with device setting configuration settings / organiser locations etc.. i.e. prevent them from junking the setup by mistake. This is very very useful.

    (Its slightly surprising this sort of role doesn't come out of the box as standard rather than the read only vs everything options that do)

     

    However, I'd like to also be able to give this Zen_Operator user the ability to change device production status aswell as acknowledge events, but still be unable to change the rest of the settings.

     Is this possible by adding further permissions to the zen_operator role?

    I've spotted the ZEN_CHANGE_DEVICE_PRODSTATE permission but can't seem to apply it to the role in such a way that allows production state change.


    Any pointers on how to do this much appreciated.

      

    Thanks

    Dafydd



    ------------------------------
    Pheripheral Pheripheral
    CompanyName
    ------------------------------


  • 2.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 01-12-2018 10:51 AM
    check $ZENHOME/Products/ZenModel/ZenossSecurity.py

    there are two levels of restrictions in zenoss one on the objects you can see that in decorators in the classes in the $ZENHOME/ZenModel classes and there are also sometimes additional ACL checks in the javascript (and sometimes those arent consistent) ...if you have to change the javascript either with or without a zenpack you need to recompile the javascript..

    in the object you will see something like(our permissions are customized via zenpacks and we run core so this may not be exactly what you see in Device.py

    security.declareProtected(ZEN_CHANGE_DEVICE_PRODSTATE, 'setProdState')
    def setProdState(self, state, maintWindowChange=False, REQUEST=None):

    in that case you need the permission ZEN_CHANGE_DEVICE_PRODSTATE associated with the ZEN_OPERATOR role.  i havent looked at Jane ZenPack but somewhere in there in the __init__ more than likely she assigns permissions to roles.  you would need that permission to just give out change prodstate and that would either need to be assigned to a global role or set as a management role at the organizer that you want to give the permisisons on.

    sometimes again even if the user has the permission you may find that the javascript has its own idea of what is set so in that case you have to fix the js.

    I hate giving out that permission because people permanently put things into MM and then i end up getting calls inevitably about it.  what I do is I have device commands that run scripts that create maintenance windows of hard coded 1-2,8, and 24 hour windows that way nobody forgets to remove their maintenance changes and im not dragged into us missing something because someone forgot to undo their maintenance state..in 4 you can do it with a dmd script in 5 you can do it with jsonapi which is alot faster.  to be able to create windows for multiple devices using a custom command though you need your own custom command widget that can select multiple devices and use that to send it to zenjobs so the users dont sit there for 100 years...or just do it via organizer...

    also i set up global roles with zenoperator like permissions then assign people an admin role at the containers that the are responsible for again just a defensive measure so that people dont put the wrong things in MM and thus ending me up on a conference call..


    ------------------------------
    Doug Syer
    NWN Corporation
    Waltham MA
    ------------------------------



  • 3.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 01-15-2018 05:29 AM
    What a fantastic answer!
    Cheers,
    Jane

    ------------------------------
    Jane Curry
    Skills 1st United Kingdom
    jane.curry@skills-1st.co.uk
    ------------------------------



  • 4.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 01-16-2018 11:00 AM
    Hi,
    Thanks for the answer.

    I've tried some of this, but have not quite got it to work yet...

    I've successfully added the permission via the __init__ file to assign the ZEN_CHANGE_DEVICE_PRODSTATE  permission to the zen operator role:
    self.addPermissions(zport, ZEN_CHANGE_DEVICE_PRODSTATE,
    [ZEN_OP_ROLE,], 1)

    I can now see this reflected as tick against the zen operator role and the Change Device Production State permission in the  http://<zenossIP>:8080/zport/manage_access page, so I assume this is now correctly enabled.

    So far so good. However, after restarting zenoss this seems to have no effect on whether I can actually update the production state as a zen operator. As you say this is most likely because of checks in the javascript preventing me from submitting a request to change the production state.
    To this end i've attempted to identify the javascript that may need changing and attempted to change it:

    To enable the actions-menu from the toolbar on the infrastructure screen, (it is the actions-menu that contains the Set Production State action), I spotted that the /Products/ZenUI3/browser/resources/js/zenoss/itinfrastructure.js file contains a line:
    Ext.getCmp('actions-menu').setDisabled(Zenoss.Security.doesNotHavePermission('Change Device'));

    This seemingly makes sure that this actions menu is disabled unless the user has the 'Change Device' permission.
    I updated this to be:

    Ext.getCmp('actions-menu').setDisabled(Zenoss.Security.doesNotHavePermission('Change Device Production State'));

    and then recompiled the javascript in zenoss (by running /opt/zenoss/bin/buildjs.sh script) which generated a new /Products/ZenUI3/browser/resources/js/deploy/zenoss-compiled/js file. And also restarted zenoss itself.

    I then logged in as a user with the zen operator role but I still cannot access the actions menu for devices, despite being able to see that my change to the itinfrastructure.js file is the one being loaded (via browser developer mode).

    Am not sure where next to look to try and figure out the problem?



    ------------------------------
    Pheripheral Pheripheral
    CompanyName
    ------------------------------



  • 5.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 02-20-2018 04:30 PM
    Im guessing if everything went well assigning the roles that the users would able to change the production state from the device overview page.  im pretty sure that part of the gui only checks the zope permissions but to be honest id have to look to be sure.

    the action menu i believe requires change device by default and after that it probably checks against zope permissions.

    Ext.getCmp('actions-menu').setDisabled(Zenoss.Security.doesNotHavePermission('Change Device'));

    typically once you are past the zope side there either but button panel has an acl or the button does or something.  its a pain but once you do it once or twice it becomes pretty easy to figure it out.  now trying to change permissions on the report tree...like giving someone ability to create reports without having manage dmd...that isnt pretty..

    ------------------------------
    Doug Syer
    NWN Corporation
    Waltham MA
    ------------------------------



  • 6.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 05-09-2018 06:14 AM
    Edited by Pheripheral Pheripheral 05-09-2018 12:05 PM
    Thanks for the help on this,

    In the end I decided to go the route of adding a custom menu control to toggle between a monitored and un-monitored status rather than attempting to massage the existing controls into letting me edit them from a non manager account, and this worked nicely. The new menu item calls through to a router and then a facade I added which had a simple method to set the production state on it to required state. The javascript for the menu also refreshed the header panel and device status to show the change on the device page immediately.




    ------------------------------
    Pheripheral Pheripheral
    CompanyName
    ------------------------------



  • 7.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

    Posted 21 days ago
    Yes, you need Change Device Production State permission to change prod state, but there are several bugs in the Drop down action menu permissions.

    You actually need change device, manage device and delete device permissions to be able to access and execute the production state change from that menu.

    There is a jira for it. But in general, the roles and permissions are a mess.

    ------------------------------
    jstanley
    ------------------------------