Restrict users to view certain hostgroups in c gi's

Frater, Greg J gjfrater at bechtel.com
Tue Dec 3 21:23:47 CET 2002


Look in your cgi.cfg file at the settings for the following: 

authorized_for_all_hosts 
authorized_for_all_host_commands 
authorized_for_all_services 
authorized_for_all_service_commands 

Make sure you haven't specified users here allowing them to view all
hosts/services etc.  By default they can only see host and services that
they own.


-----Original Message-----
From: Carroll, Jim P [Contractor] [mailto:jcarro10 at sprintspectrum.com]
Sent: Tuesday, December 03, 2002 8:24 AM
To: 'JPP'; nagios-users at lists.sourceforge.net
Subject: RE: [Nagios-users] Restrict users to view certain hostgroups in
c gi's


Odd.  I'm essentially doing this (basically the approach referenced in the
docs) using .htpasswd and .htaccess and the requisite definition in
httpd.conf.  I'm using discrete contacts, contactgroups and hostgroups, and
yet when I login, I can see everything.  It's only when I try to do
something (eg, acknowledge, comment) to a host outside of my group that I'm
told I don't have permission.

jc

> -----Original Message-----
> From: JPP [mailto:jpp at frws.com]
> Sent: Monday, December 02, 2002 6:37 PM
> To: nagios-users at lists.sourceforge.net
> Subject: Re: [Nagios-users] Restrict users to view certain 
> hostgroups in
> cgi's
> 
> 
> Hi all!
> 
> Yes you can do this! And use only 1 Nagios!
> 
> Create 2 separate hostgroups and assign them as 
> contacts/Admins/whatever 
> for those 2 separate hostgroups.
> And you have to give them 2 separate/distinct login names in 
> the Apache 
> htpasswd files or however you lock down the server directories/files.
> 
> In a nutshell:
> 
> 1. Create users in the Apache control/passwd file called Admin1 and 
> Admin2 (however you do this in your case)
> 2. Create these users in contacts.cfg for each hostgroup you wish to 
> separate. Call them Admin1 and Admin2 also
> 2. Create a group for each of them in contactgroups.cfg and 
> place them 
> and you as members in that group. Call them Admin1-Group and 
> Admin2-Group But do not place either of them in the others group.
> 3. In the services.cfg file - separate the 2 groups using the 
> contact_groups option.
> For Admin1-Server make the contact Admin1-Group
> For Admin2-Server make the contact Admin2-Group
> 
> I restarted Nagios - but may not have to...
> 
> Login as Admin1 and see what you see. Shut down your browser 
> and login 
> as Admin2 and see what you can see. Should be limited to the 
> servers/services in their group!
> 
> This works to make them only see the hosts assigned to their group IF:
> 1. The user name in Nagios matches the username used by Apache to 
> authenticate them.
> 2. The groups are separated totally from each other. They 
> cannot be on 
> any other group or list but the one you want them to view.
> 
> We do not use literal .htpasswd files, but I am sure the 
> concept is the 
> same. We use the equivalent files right in the httpd.conf to 
> protect all 
> the Nagios directories. And only one file, actually - with 
> many names in it.
> 
> Hope this does it for you!
> 
> JPP
> 
> 
> Carroll, Jim P [Contractor] wrote:
> 
> > I think you're taking the right approach for what you're 
> trying to do.  I'm
> > not aware of any features in Nagios to enable security 
> through obscurity.
> > 
> > jc
> > 
> > 
> >>-----Original Message-----
> >>From: Dushyanth Harinath [mailto:dushy at symonds.net]
> >>Sent: Saturday, November 30, 2002 6:30 AM
> >>To: nagios
> >>Subject: [Nagios-users] Restrict users to view certain hostgroups in
> >>cgi's
> >>
> >>
> >>Hi guys,
> >>
> >>I want to restrict some users (http authenticated) to see only a
> >>certain hostgroup. To make this work i have 2 separate copies 
> >>of nagios
> >>on different locations with different cgi-url and html-url. And iam
> >>running 2 instances of nagios with different set of 
> >>configuration files.
> >>The reason why iam doing this is I have 2 set of users who 
> >>should'nt see each
> >>others hosts information.
> >>
> >>Is it possible to achieve this with a single instance of nagios and
> >>different set of configuration files. Or is there any other way ?
> >>
> >>TIA
> >>Regards
> >>Dushyanth
> >>-- 
> >>The Definition of an Upgrade: Take old bugs out, put new ones in.
> >>
> >>http://symonds.net/~dushy
> >>
> >>
> >>-------------------------------------------------------
> >>This SF.net email is sponsored by: Get the new Palm Tungsten T 
> >>handheld. Power & Color in a compact size! 
> >>http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> >>_______________________________________________
> >>Nagios-users mailing list
> >>Nagios-users at lists.sourceforge.net
> >>https://lists.sourceforge.net/lists/listinfo/nagios-users
> >>
> >>
> > 
> > 
> > -------------------------------------------------------
> > This SF.net email is sponsored by: Get the new Palm Tungsten T 
> > handheld. Power & Color in a compact size! 
> > http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> > _______________________________________________
> > Nagios-users mailing list
> > Nagios-users at lists.sourceforge.net
> > https://lists.sourceforge.net/lists/listinfo/nagios-users
> > 
> > 
> > 
> 
> 
> 
> 
> -------------------------------------------------------
> This SF.net email is sponsored by: Get the new Palm Tungsten T 
> handheld. Power & Color in a compact size! 
> http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> 


-------------------------------------------------------
This SF.net email is sponsored by: Microsoft Visual Studio.NET 
comprehensive development tool, built to increase your 
productivity. Try a free online hosted session at:
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users


-------------------------------------------------------
This SF.net email is sponsored by: Microsoft Visual Studio.NET 
comprehensive development tool, built to increase your 
productivity. Try a free online hosted session at:
http://ads.sourceforge.net/cgi-bin/redirect.pl?micr0003en




More information about the Users mailing list