Advanced permissions/user properties

Alex Burger alex_b at users.sourceforge.net
Fri Nov 3 02:21:47 CET 2006


Hi Tobias.

I have expanded on the Altinity patch by adding a 'can_submit_commands' 
and 'can_submit_commands_strict' option to contact groups.  The 
limitation of having a can_submit_commands option on the user is that 
it's an all or nothing option.  A user is either view-only for all 
devices, or not.

I will be using can_submit_commands_strict for people who need to be 
able to submit commands for the servers and services they manage, but 
also be able to only view some other servers and devices.  I don't want 
the users to be able to view ALL devices.

*can_submit_commands_strict:*  You grant users full access to all or 
some systems, but want to restrict them from issuing commands for a few 
devices.

If a device has multiple contact groups defined and any one of them 
denies submit commands with can_submit_commands_strict 0, then the user 
is denied even if the user belongs to a group that permits it.

*can_submit_commands:*  You grant users read/only access to all systems, 
but you want to allow the user to issue commands for a few devices.

With can_submit_commands, if a device has multiple contact groups 
defined and any one of them allows submit commands, the user can submit 
commands.  If there was only one contact group listed and it had 
can_submit_commands set to 0, the user would not be able to submit commands.

Is this what you are looking for?

Alex



Tobias Klausmann wrote:
> Hi!
> 
> I've got a problem that I don't how to solve best in Nagios. I
> think other people have run into the same problem (I know that
> someone has run into a /similar/ problem).
> 
> I'm running 2.5 on a mid-sized installations (~300 hosts, ~2500
> services). Thing is, our projects/(host|service)groups vary
> wildly in who is responsible for them. Unfortunately, all these
> projects are also heavily intertwined in their dependencies.
> 
> Say we have a web mail project A. This consists of several
> web servers, databases and the like. It is heavily dependent on
> the LDAP project B and the mail server project C. While B and C
> have the same group of admins, project A is managed by an
> entirely different group of people.
> 
> As such, we have configured Nagios that the group that is
> responsible for project can only see the machines of project A and
> the "B-and-C-people" can only see B and C.
> 
> Everything is peachy.
> 
> Except. Sometimes, project A may look like it's broken (pages
> time out etc). But in reality, there's a spam attack and the
> project B (the LDAP infrastructure) is so slow it simply grinds
> to a halt. In this case it would obviously be nice if the people
> from project A could see that project B is slow. Yet they should
> not be able to change the notification options/acknowledgements
> etc etc of projects B or C. 
> 
> The altinity people have created a patch for the "view some,
> change none" scenario[0]. Unfortunately, what I'd need is a
> mechanism for the "view some, change a few" scenario I outlined
> above.
> 
> How do others deal with this kind of problem? I'm sure we're not
> the only ones who've run into it.
> 
> As of currently, our best guess would be to create
> pseudo-accounts (like john.foo and john.foo-admin) and hack the
> CGI(s) to only allow the commands from -admin accounts which are
> in the notification list (with notification options set to "n").
> We already do this to let people see machines they don't
> mailed/paged/called about.
> 
> Regards,
> Tobias
> 
> [0] http://altinity.blogs.com/dotorg/2006/02/a_view_some_cha.html


-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null





More information about the Users mailing list