Granular authorization

Myke Place mp at xmission.com
Fri Sep 13 20:25:45 CEST 2002


Hi all,

I'm trying to configure authorization and I'm running into a spot of trouble.
I'm hoping that somebody can provide some helpful comments or direction.

Right now we're allowing guests to authenticate to the webserver without a
username and password through a configuration in the Apache webserver that
looks like this:

ScriptAlias /nagios/cgi-bin/ /usr/local/adm/nagios/sbin/
<Directory "/usr/local/adm/nagios/sbin/">
        AllowOverride AuthConfig
        Options ExecCGI
        Order Deny,Allow
        Deny from [INTERNAL IP'S]
        Satisfy any
</Directory>

with nagios/sbin being protected with the following:

AuthName "Monitoring and Administration"
AuthType Basic
AuthUserFile /usr/local/adm/nagios/etc/htpasswd.users
require valid-user

The cgi.cfg file includes the following:

authorized_for_all_services=adminuser,guest
authorized_for_all_hosts=adminuser,guest

Of course guest is not listed in authorized_for_system_commands, etc.

The net result of this is that anyone who is not coming from an IP address
not specified in httpd.conf (the public) is prompted for a username and
password and those who are get a prompt (our staff) where they can view
and change hosts and services for which they are a contact.


Here's the dilemma:

We want to be able to give guests who don't get a uname/pass prompt access
to some hosts and not others. However, if we add <guest> as a contact for
a host, this also allows the public to be able to issue commands to those
hosts through the Nagios web interface. Is there a way to give this guest
user perms such that they could only view a certain set of hosts and not
be able to issue commands anywhere?

Any ideas or suggestions would be very much appreciated. Thanks.

--------------------
Myke Place
mp at xmission.com
801.539.0852
www.radiojournal.org
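
An added example, not part of the original post: a small audit that computes which hosts a CGI user can view and which it can issue commands for, following the behaviour described above (a contact can issue commands for the hosts it is a contact for). The sample files, host names, the per-host `contacts` layout and the function names are constructed for illustration; `authorized_for_all_host_commands` is a cgi.cfg directive not shown in the post.

```python
import re

# Constructed sample: the two cgi.cfg lines from the post plus one assumed line.
CGI_CFG = """\
authorized_for_all_services=adminuser,guest
authorized_for_all_hosts=adminuser,guest
authorized_for_all_host_commands=adminuser
"""

# Constructed object definitions (assumed layout): guest is a contact for web1 only.
OBJECTS_CFG = """\
define host {
    host_name  web1
    contacts   adminuser,guest
}
define host {
    host_name  db1
    contacts   adminuser
}
"""

def parse_cgi_cfg(text):
    """Map each authorized_for_* directive to its set of usernames."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith("authorized_for_"):
            acl[key] = {u.strip() for u in value.split(",") if u.strip()}
    return acl

def parse_host_contacts(text):
    """Map host_name -> set of contacts from 'define host { ... }' blocks."""
    hosts = {}
    for body in re.findall(r"define\s+host\s*\{(.*?)\}", text, re.S):
        fields = {}
        for line in body.splitlines():
            parts = line.split(None, 1)
            if len(parts) == 2:
                fields[parts[0]] = parts[1].strip()
        names = fields.get("contacts", "").split(",")
        hosts[fields["host_name"]] = {c.strip() for c in names if c.strip()}
    return hosts

def host_access(user, acl, hosts):
    """Return (viewable, commandable) host sets for one CGI user."""
    as_contact = {h for h, contacts in hosts.items() if user in contacts}
    view = set(hosts) if user in acl.get("authorized_for_all_hosts", ()) else set(as_contact)
    cmd = set(hosts) if user in acl.get("authorized_for_all_host_commands", ()) else set(as_contact)
    return view, cmd
```

Running `host_access("guest", ...)` against the real cgi.cfg and object files shows every host where the unauthenticated account has command rights, which is the set to review before exposing the CGIs to the public.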