I've got a backup script that, upon successful completion, calls the Icinga2 REST API via curl (command is below).

This works perfectly well, but I'd like to secure the API user so that it can only change this one check result. I'm not sure what the correct syntax is for the lambda function I need to set for my filter to only allow changing the "backupninja" check result.

object ApiUser "backupninja" {
  password = "<redacted>"
  permissions = [ "actions/process-check-result" ]
  filter = {{ }}
}

My command, if it matters:

curl -s -u "$ICINGA2_API_USER:$ICINGA2_API_PASSWORD" -H 'Accept: application/json' -X POST "https://$ICINGA2_HOST:$ICINGA2_API_PORT/v1/actions/process-check-result?service=$HOSTNAME\!backupninja" -d '{ "exit_status": 0, "plugin_output": "backupninja completed successfully" }'

1 Answer

I found the answer in the Global Functions section of the docs:

object ApiUser "backupninja" {
  password = "<redacted>"
  permissions = [
    {
      permission = "actions/process-check-result"
      filter = {{ match("backupninja", service.display_name) }}
    }
  ]
}
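
Added example, not part of the question or the answer above: a shell check that the restricted ApiUser really is limited to the one service, by submitting a result for the permitted service and for one other service and comparing HTTP statuses. The function names `submit_result` and `verify_scope` are hypothetical, the second service name is whatever other service exists on the host, and the script assumes a refused request comes back with a non-2xx status.

```shell
# Reads the same environment variables as the curl command in the question:
# ICINGA2_HOST, ICINGA2_API_PORT, ICINGA2_API_USER, ICINGA2_API_PASSWORD, HOSTNAME

# submit_result SERVICE
# POSTs a passive check result and prints only the HTTP status code.
submit_result() {
  local service="$1"
  # "!" separates host and service in the object name; send it URL-encoded.
  local url="https://${ICINGA2_HOST}:${ICINGA2_API_PORT}/v1/actions/process-check-result?service=${HOSTNAME}%21${service}"
  curl -s -o /dev/null -w '%{http_code}' \
    -u "${ICINGA2_API_USER}:${ICINGA2_API_PASSWORD}" \
    -H 'Accept: application/json' -X POST "$url" \
    -d '{ "exit_status": 0, "plugin_output": "ApiUser scope check" }'
}

# verify_scope ALLOWED OTHER
# Returns 0 only if ALLOWED is accepted (2xx) and OTHER is refused (non-2xx).
# Returns 1 if the permitted service is rejected, 2 if the filter is too broad.
verify_scope() {
  local allowed="$1" other="$2" code
  code="$(submit_result "$allowed")"
  case "$code" in
    2??) ;;
    *) echo "FAIL: $allowed rejected (HTTP $code)" >&2; return 1 ;;
  esac
  code="$(submit_result "$other")"
  case "$code" in
    2??) echo "FAIL: $other accepted (HTTP $code), filter too broad" >&2; return 2 ;;
  esac
  echo "OK: only $allowed accepts results from ${ICINGA2_API_USER}"
}

# Usage (after exporting the variables above):
#   verify_scope backupninja some-other-service
```

Both requests carry `exit_status` 0, so run the check right after a successful backup and pick a second service whose state you can afford to have overwritten if the filter turns out to be too broad.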