ObjectQueryHandler: Check user permissions on joined relations

[yhabteab]

fixes #9339

[Al2Klimov]

Much better! Now as we have a clear view, let’s have a look...

[Al2Klimov]

This is a bad idea. Figure out and explain in your own words why.

[yhabteab]

Is it probably due to the fact that the same permission might be used with different filters repeatedly? I don't know, why should one even do something like that!

[Al2Klimov]

Oh, not necessarily the same. Think of query/* and query/Host e.g..

[Al2Klimov]

OK, in case of insufficient permission you skip it... but otherwise you unconditionally include it, right? This is a also bad idea. Figure out and explain in your own words why.

[yhabteab]

Have to evaluate the permission filters as well!

[Al2Klimov]

Exactly. You know what to do...

[julianbrost]

This comment should be resolved, shouldn't it?

[Al2Klimov]

Riddle 1

The default config with icinga2 api setup and

object ApiUser "root" {
  password = "123456"

  var perm = {
    permission = "objects/query/checkcommand"
    filter = {{ true }}
  }

  var fperm = () use (perm) => perm

  permissions = [ "*" ] + range(10000).map(fperm)
}

leaks memory with

curl -ksSu root:123456 -H 'Accept: application/json' -X GET -d '{"joins":["check_command"],"pretty":true}' https://127.0.0.1:5665/v1/objects/hosts

Why?

Riddle 2

The default config with icinga2 api setup and

object ApiUser "root" {
  password = "123456"

  permissions = [ {
    permission = "objects/query/service"
  }, {
    permission = "objects/query/checkcommand"
    filter = {{ false }}
  } ]
}

outputs some of the check commands with

curl -ksSu root:123456 -H 'Accept: application/json' -X GET -d '{"joins":["check_command", "host"],"pretty":true}' https://127.0.0.1:5665/v1/objects/services

Why?

Please only explanation in own words for now, thx.

[yhabteab]

Riddle 1

Isn't that obvious to you? When you specify the same permission 10K times with a callable filter, what would you expect to happen? I also get a stack overflow error but that is not something being added by this PR. Just try querying the CheckCommands directly and see what happens there.

[2022-07-22 11:31:32 +0200] information/ApiListener: New client connection from [::ffff:127.0.0.1]:50112 (no client certificate)
Stack overflow while evaluating expression: Recursion level too deep.
[2022-07-22 11:31:32 +0200] information/HttpServerConnection: Request: GET /v1/objects/checkcommands (from [::ffff:127.0.0.1]:50112), user: dummy, agent: curl/7.79.1, status: Not Found).
[2022-07-22 11:31:32 +0200] information/HttpServerConnection: HTTP client disconnected (from [::ffff:127.0.0.1]:50112)

Riddle 2

Yep, need to cache the permission filter of the individual types as well.

[Al2Klimov]

Isn't that obvious to you?

Oh, I exactly know why is what happening here. That’s why I called it a riddle. :-)

When you specify the same permission 10K times with a callable filter, what would you expect to happen? I also get a stack overflow error but that is not something being added by this PR.

Absolutely. But Icinga even manages to properly handle that (pseudo) stack overflow. So not leaking memory is the least thing Icinga shall do. I'm joining check commands and only they have a such filter, so your join permission check is clearly responsible. Also I have no doubt it also works with a smaller filter, but mine leaks memory faster.

[Al2Klimov]

Riddle 2

Still happening.

[julianbrost]

@yhabteab @Al2Klimov Are you done with these riddles (i.e. do both of you agree that they are (re)solved)?

[julianbrost]

This comment should be resolved, shouldn't it?

[julianbrost]

Tested it and worked fine. Just some formatting and details in the comments left (unless you want to do the extended suggestion within this PR).

[julianbrost]

Code looks fine and my tests were successful, just a small formatting issue in one of the comments left.