Mechanism to specify the user ACKing an Ackable via the ReST API

Description

When ACKing an Ackable object (i.e. an alarm or notification) via the respective ReST web service, the acknowledgement is always recorded with the username of the user whose credentials are in effect for the ReST HTTP request's session object. This is fine for use cases such as mobile apps where the user driving the API is the user whose name should be recorded in any ACKs generated, but not so great for back-end programming. There ought to be a provision for specifying the username to be recorded as doing the ACK, maybe in the form of a new "ackuser" parameter.

There will be implications to the security model for the ReST API – allowing just any user to impersonate another user when ACKing or unACKing an object won't be acceptable. As a start perhaps we could add a ROLE_IMPERSONATOR that grants a user in that role blanket permission to impersonate any other user.

This issue is in support of https://mynms.opennms.com/Ticket/Display.html?id=1002

Acceptance / Success Criteria

None

Created February 16, 2012 at 9:15 AM
Updated July 26, 2023 at 2:18 PM
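
The authorization rule proposed in the description, sketched as an added example that is not part of the ticket or of the OpenNMS code base. The class, method and record names are hypothetical, `ackuser` and `ROLE_IMPERSONATOR` are the names proposed above rather than existing features, and the callers in `main` are constructed. It keeps the authenticated caller alongside the recorded ACK user so an impersonated ACK remains attributable.

```java
import java.util.Set;

public class AckUserResolver {
    // Role name proposed in the ticket; assumed here, not an existing role.
    static final String ROLE_IMPERSONATOR = "ROLE_IMPERSONATOR";

    /** Who the ACK is recorded as, and who actually made the request (for audit). */
    record AckIdentity(String ackUser, String requestedBy) {
        boolean impersonated() { return !ackUser.equals(requestedBy); }
    }

    /** Applies equally to ACK and unACK requests. */
    static AckIdentity resolve(String authenticatedUser, Set<String> roles, String ackUserParam) {
        if (authenticatedUser == null || authenticatedUser.isBlank()) {
            throw new SecurityException("request is not authenticated");
        }
        // No ackuser parameter: current behaviour, record the session user.
        if (ackUserParam == null) {
            return new AckIdentity(authenticatedUser, authenticatedUser);
        }
        String requested = ackUserParam.trim();
        if (requested.isEmpty()) {
            throw new IllegalArgumentException("ackuser must not be empty");
        }
        // Naming yourself needs no extra privilege.
        if (requested.equals(authenticatedUser)) {
            return new AckIdentity(authenticatedUser, authenticatedUser);
        }
        // Acting as someone else requires the dedicated role; deny by default.
        if (roles == null || !roles.contains(ROLE_IMPERSONATOR)) {
            throw new SecurityException(authenticatedUser + " may not ACK as another user");
        }
        return new AckIdentity(requested, authenticatedUser);
    }

    public static void main(String[] args) {
        // Constructed sample callers and role sets.
        System.out.println(resolve("alice", Set.of("ROLE_USER"), null));
        System.out.println(resolve("backend", Set.of("ROLE_USER", ROLE_IMPERSONATOR), "alice"));
        try {
            resolve("mallory", Set.of("ROLE_USER"), "alice");
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```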