ZenPacks and JSON API

1.  How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

Posted 5 days ago


I've been playing around with the very helpful ZenPack – ZenPacks.skills1st.UserRoles which adds the ability to have a user role – Zen_Operator that allows the user to manage events but not access the rest of the config of Zenoss.

This allows the creation of a Zenoss user that can operate day-to-day monitoring activities and deal with events without having to give them the ability to mess with device setting configuration settings / organiser locations etc., i.e. prevent them from junking the setup by mistake. This is very very useful.

(It's slightly surprising this sort of role doesn't come out of the box as standard rather than the read only vs everything options that do.)


However, I'd like to also be able to give this Zen_Operator user the ability to change device production status as well as acknowledge events, but still be unable to change the rest of the settings.

Is this possible by adding further permissions to the zen_operator role?

I've spotted the ZEN_CHANGE_DEVICE_PRODSTATE permission but can't seem to apply it to the role in such a way that allows production state change.

Any pointers on how to do this much appreciated.




Pheripheral Pheripheral

2.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

Posted 5 days ago
Check $ZENHOME/Products/ZenModel/ZenossSecurity.py

There are two levels of restrictions in Zenoss: one on the objects, which you can see in decorators in the classes in the $ZENHOME/ZenModel classes, and there are also sometimes additional ACL checks in the JavaScript (and sometimes those aren't consistent). If you have to change the JavaScript, either with or without a ZenPack, you need to recompile the JavaScript.

In the object you will see something like this (our permissions are customized via ZenPacks and we run Core, so this may not be exactly what you see in Device.py):

security.declareProtected(ZEN_CHANGE_DEVICE_PRODSTATE, 'setProdState')
def setProdState(self, state, maintWindowChange=False, REQUEST=None):

In that case you need the permission ZEN_CHANGE_DEVICE_PRODSTATE associated with the ZEN_OPERATOR role. I haven't looked at Jane's ZenPack, but somewhere in there, in the __init__ more than likely, she assigns permissions to roles. You would need that permission to just give out change prodstate, and that would either need to be assigned to a global role or set as a management role at the organizer that you want to give the permissions on.

Sometimes, again, even if the user has the permission, you may find that the JavaScript has its own idea of what is set, so in that case you have to fix the JS.

I hate giving out that permission because people permanently put things into MM and then I end up getting calls inevitably about it. What I do is I have device commands that run scripts that create maintenance windows of hard-coded 1-2, 8, and 24 hour windows; that way nobody forgets to remove their maintenance changes and I'm not dragged into us missing something because someone forgot to undo their maintenance state. In 4 you can do it with a dmd script; in 5 you can do it with jsonapi, which is a lot faster. To be able to create windows for multiple devices using a custom command, though, you need your own custom command widget that can select multiple devices and use that to send it to zenjobs so the users don't sit there for 100 years... or just do it via organizer...

Also, I set up global roles with zenoperator-like permissions, then assign people an admin role at the containers that they are responsible for; again, just a defensive measure so that people don't put the wrong things in MM and thus ending me up on a conference call.

Doug Syer
NWN Corporation
Waltham MA

3.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

Posted 2 days ago
What a fantastic answer!

Jane Curry
Skills 1st United Kingdom

4.  RE: How to add extra permissions to Zen Operator role : skills1st.UserRoles ZenPack advice

Posted 2 days ago
Thanks for the answer.

I've tried some of this, but have not quite got it to work yet...

I've successfully added the permission via the __init__ file to assign the ZEN_CHANGE_DEVICE_PRODSTATE permission to the zen operator role:
self.addPermissions(zport, ZEN_CHANGE_DEVICE_PRODSTATE,
[ZEN_OP_ROLE,], 1)

I can now see this reflected as a tick against the zen operator role and the Change Device Production State permission in the http://<zenossIP>:8080/zport/manage_access page, so I assume this is now correctly enabled.

So far so good. However, after restarting Zenoss this seems to have no effect on whether I can actually update the production state as a zen operator. As you say, this is most likely because of checks in the JavaScript preventing me from submitting a request to change the production state.
To this end I've attempted to identify the JavaScript that may need changing and attempted to change it:

To enable the actions-menu from the toolbar on the infrastructure screen, (it is the actions-menu that contains the Set Production State action), I spotted that the /Products/ZenUI3/browser/resources/js/zenoss/itinfrastructure.js file contains a line:
Ext.getCmp('actions-menu').setDisabled(Zenoss.Security.doesNotHavePermission('Change Device'));

This seemingly makes sure that this actions menu is disabled unless the user has the 'Change Device' permission.
I updated this to be:

Ext.getCmp('actions-menu').setDisabled(Zenoss.Security.doesNotHavePermission('Change Device Production State'));

and then recompiled the JavaScript in Zenoss (by running the /opt/zenoss/bin/buildjs.sh script), which generated a new /Products/ZenUI3/browser/resources/js/deploy/zenoss-compiled/js file. And also restarted Zenoss itself.

I then logged in as a user with the zen operator role but I still cannot access the actions menu for devices, despite being able to see that my change to the itinfrastructure.js file is the one being loaded (via browser developer mode).

Am not sure where next to look to try and figure out the problem?

Pheripheral Pheripheral
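
Added example (not part of the thread and not Zenoss or ZenPack code): a small Python script that lists every `Zenoss.Security.<method>('<permission>')` check in a set of UI JavaScript sources and reports the ones that test a permission the role does not hold, which is one way to track down the inconsistent client-side checks discussed above. The sample JavaScript, the `example-button` id and the role's permission set are constructed for illustration.

```python
import re
import sys
from collections import defaultdict

# Any Zenoss.Security.<method>('<permission>') call with a string-literal argument,
# e.g. the doesNotHavePermission('Change Device') check quoted in the thread.
GATE_RE = re.compile(r"Zenoss\.Security\.(\w+)\(\s*(['\"])(.+?)\2\s*\)")


def find_permission_gates(sources):
    """Map each permission name to the (file, line, method) sites that test it.

    `sources` is a dict of file name -> JavaScript source text.
    """
    gates = defaultdict(list)
    for name, text in sources.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for match in GATE_RE.finditer(line):
                gates[match.group(3)].append((name, lineno, match.group(1)))
    return dict(gates)


def gates_blocking_role(gates, role_permissions):
    """Permissions the UI tests for that the role does not hold."""
    return sorted(p for p in gates if p not in role_permissions)


# Constructed sample input: line 1 is the edited check from the thread,
# line 2 is a hypothetical second control still gated on 'Change Device'.
SAMPLE_JS = {
    "itinfrastructure.js": (
        "Ext.getCmp('actions-menu').setDisabled("
        "Zenoss.Security.doesNotHavePermission('Change Device Production State'));\n"
        "Ext.getCmp('example-button').setDisabled("
        "Zenoss.Security.doesNotHavePermission('Change Device'));\n"
    ),
}

# Constructed: permissions ticked for the operator role on manage_access.
OPERATOR_PERMISSIONS = {"View", "Change Device Production State"}

if __name__ == "__main__":
    # With file arguments, scan those files; otherwise use the sample.
    sources = {}
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            sources[path] = fh.read()
    gates = find_permission_gates(sources or SAMPLE_JS)
    for perm in gates_blocking_role(gates, OPERATOR_PERMISSIONS):
        for name, lineno, method in gates[perm]:
            print(f"{name}:{lineno}: {method}({perm!r}) not granted to role")
```

These client-side checks only control what the UI shows; the `security.declareProtected` declaration on the server-side method is what enforces the permission.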