mirror of
https://github.com/Icinga/icingadb.git
synced 2026-02-19 02:28:28 -05:00
3a6df542f7
The get_overdues.lua script uses a temporary Redis key to store data. So far, this key was a random UUID, not being prefixed or namespaced. This does not work when applying Redis ACLs on keys, as this random key is unpredictable. Now, this key is prefixed with "icingadb:temp:". This was initially reported in the Community Forum[^0] where the user applied ACLs to the Redis user for Icinga DB. It was easy to reproduce this by creating or reconfiguring a dedicated Redis user, allowing all operations on keys in the "icinga:" and "icingadb:" namespaces. > 127.0.0.1:6380> ACL SETUSER icingadb on >icingadb ~icinga:* ~icingadb:* +@all > OK > 127.0.0.1:6380> ACL LIST > 1) "user default on nopass sanitize-payload ~* &* +@all" > 2) "user icingadb on sanitize-payload #1631be4f74353b72282ba144d82b6764f885feefc99c15c2c5f37b5c65bb3006 ~icinga:* ~icingadb:* resetchannels +@all" After a while, the previous code failed as expected. > 2026-01-07T11:22:10.253Z FATAL icingadb NOPERM No permissions to access a key > can't execute Redis script > github.com/icinga/icingadb/pkg/icingadb/overdue.Sync.sync > /go/src/github.com/Icinga/icingadb/pkg/icingadb/overdue/sync.go:164 > github.com/icinga/icingadb/pkg/icingadb/overdue.Sync.Sync.func3 > /go/src/github.com/Icinga/icingadb/pkg/icingadb/overdue/sync.go:70 > golang.org/x/sync/errgroup.(*Group).Go.func1 > /go/pkg/mod/golang.org/x/sync@v0.19.0/errgroup/errgroup.go:93 > runtime.goexit > /usr/local/go/src/runtime/asm_amd64.s:1700 With this change, Icinga DB only uses these two namespaces and continuous to operate. [^0]: https://community.icinga.com/t/redis-user-acl-for-icingadb/15309 |
||
|---|---|---|
| .. | ||
| common | ||
| contracts | ||
| icingadb | ||
| icingaredis | ||
| notifications | ||