Advanced permissions/user properties
Alex Burger
alex_b at users.sourceforge.net
Sat Nov 11 03:54:01 CET 2006
On the Nagios-Users list there is a discussion on the same subject about
adding advanced permissions to Nagios for hosts and services. Users
(including myself) were looking for a way to grant users the ability to
view hosts, but not submit commands and to allow for more complex
permissions.
It made the most sense to model the permission system with how file
system permissions are handled. With file system permissions, we would
assign a group to a folder, and then pick what rights the group would
have. It made sense to do the same thing with Nagios in the
contact_groups/contact option for hosts and services:
*Examples:*
define host{
        host_name       localhost
        contact_groups  netops:rwxn, helpdesk:r
        contact         alex:rwxn (Nagios 3)
        }
For backwards compatibility, if no permissions are set, the defaults
would be rwxn (as defined in cgi.cfg and nagios.cfg) so the following
would be the same:
define host{
        host_name       localhost
        contact_groups  netops, helpdesk:r
        contact         alex (Nagios 3)
        }
*Permissions:*
r: View in web interface
x: Submit commands for this host/service in web interface
w: Not really needed yet. Maybe some of the other programs that allow
you to modify the configuration files could use w to allow a user to
modify the host / service.
n: Notify if contact has a pager or email defined
The addition of these permissions allows for scenarios such as:
- you want users to be able to view all or some hosts and services, but
not submit commands
- you want users to be able to view all or some hosts and services, but
also be able to submit commands for a select few
- you want users to be able to view all or some hosts and services, but
only get notifications for a select few
If permissions are not set on the contact_groups or contact line, then
the defaults will be used. If there is no default_permissions option in
cgi.cfg and nagios.cfg, then it will default to full permissions (the
same checks that Nagios currently performs).
Here is a description of the option for cgi.cfg and nagios.cfg:
# DEFAULT HOST/SERVICE PERMISSIONS
# This option contains a list of default permissions for hosts and
# services that will be used when permissions are not explicitly
# set on a host or service. When not defined, the default is all
# permissions (rwxn). Note: This option must be set the same in
# both cgi.cfg and nagios.cfg.
#default_permissions=rwxn
As you can see, the option needs to be in both config files although I
would prefer to have it only in nagios.cfg. It is needed in nagios.cfg
for base/notifications.c which has nothing to do with the cgi. If
someone knows how to combine the two, please let me know.
I also changed how services are displayed. If you are not a contact for
a service (you do not have the 'r' permission), then the service will
not be displayed. I prefer to have it this way so I can prevent some
admins from seeing services such as the service I use to receive SNMP
traps. The problem with this right now is that even though the user
only sees the services they have permissions for, as long as the user has
rx permissions to the host, the user can do an 'Enable notifications for
all services on this host' which will do ALL services.
If this patch is accepted, then we will have to add permission checks to
the commands that process child objects.
Attached are patches for Nagios 2.5 and 3.0 (CVS as of 11/6/06).
Alex
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-nagios3.0-permissions
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20061110/5501222d/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: patch-nagios2.5-permissions
URL: <https://www.monitoring-lists.org/archive/developers/attachments/20061110/5501222d/attachment-0001.ksh>
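Added example, not part of the original post and not taken from the attached patches: one way to parse the proposed group:permissions syntax and to apply the per-service 'x' check that a host-wide command would need so that it only touches services the group may command. The names parse_perms, group_perms and services_allowed, the bit values and the sample contact_groups values are assumptions made for illustration; the default is taken as rwxn, as the post describes when default_permissions is unset.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4, PERM_N = 8, PERM_ALL = 15 };
static const char LETTERS[] = "rwxn";   /* bit i corresponds to LETTERS[i] */
/* "rx" -> PERM_R|PERM_X; -1 on any letter outside r/w/x/n. */
static int parse_perms(const char *s, size_t len) {
    int mask = 0;
    for (size_t i = 0; i < len; i++) {
        const char *hit = memchr(LETTERS, s[i], 4);
        if (!hit) return -1;
        mask |= 1 << (hit - LETTERS);
    }
    return mask;
}

/* Permissions `group` holds in a value such as "netops:rwxn, helpdesk:r".
 * No suffix -> defaults; group absent or suffix malformed -> 0 (fail closed). */
static int group_perms(const char *list, const char *group, int defaults) {
    for (const char *p = list; *group && *p; ) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        size_t next = strcspn(p, ","), end = next, name = 0;
        while (end && isspace((unsigned char)p[end - 1])) end--;
        while (name < end && p[name] != ':') name++;
        if (name == strlen(group) && strncmp(p, group, name) == 0) {
            int m = name == end ? defaults : parse_perms(p + name + 1, end - name - 1);
            return m < 0 ? 0 : m;
        }
        p += next;
    }
    return 0;
}

/* Services a host-wide command may touch: those where `group` holds all of `need`. */
static int services_allowed(const char *const *svc, int n, const char *group, int need) {
    int allowed = 0;
    for (int i = 0; i < n; i++)
        allowed += (group_perms(svc[i], group, PERM_ALL) & need) == need;
    return allowed;
}

/* Constructed contact_groups values for the PING, HTTP and SNMP trap services of one host. */
static const char *const demo[] = { "netops, helpdesk:rx", "netops, helpdesk:r", "netops:rwxn" };

int main(void) {
    printf("helpdesk may command %d of 3 services\n", services_allowed(demo, 3, "helpdesk", PERM_X));
    return 0;
}
```

With this sample data helpdesk can view two services but command only one, so a host-wide command issued by helpdesk would be applied to PING alone.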
_______________________________________________
Nagios-devel mailing list
Nagios-devel at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-devel