Advanced permissions/user properties

Ton Voon ton.voon at altinity.com
Fri Nov 3 15:24:35 CET 2006
Previous message: Advanced permissions/user properties
Next message: Advanced permissions/user properties
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Hi Alex,

This is a really interesting idea. We've recently made a patch to  
Nagios so that a contact will only see the services in the CGIs based  
on their contact groups - currently Nagios 2.x will show all services  
if that contact is a contact for the host (which you would normally  
do so they receive host notifications).

Our patch means we use contactgroups to "slice" which services are  
visible per contact. I'll be blogging about this soon (when I get a  
spare 30 mins!).

However, this still lacks the ability to show some services but only  
allow changes to a subset, which is what Tobias is interested in.

I think the "read/write" attribute needs to be associated with the  
contact. So this implementation looks more obvious (to me):

define contact {
	name person
	contactgroups cg1,cg2,cg3		# means can submit commands
	contactgroups_viewonly cg5,cg6
}

This would effectively mean the can_submit_commands attribute is  
redundant, because you just use contactgroups_viewonly instead of  
contactgroups.

Does this make sense?

Ton

On 3 Nov 2006, at 01:21, Alex Burger wrote:

> Hi Tobias.
>
> I have expanded on the Altinity patch by adding a  
> 'can_submit_commands'
> and 'can_submit_commands_strict' option to contact groups.  The
> limitation of having a can_submit_commands option on the user is that
> it's an all or nothing option.  A user is either view-only for all
> devices, or not.
>
> I will be using can_submit_commands_strict for people who need to be
> able to submit commands for the servers and services they manage, but
> also be able to only view some other servers and devices.  I don't  
> want
> the users to be able to view ALL devices.
>
> *can_submit_commands_strict:*  You grant users full access to all or
> some systems, but want to restrict them from issuing commands for a  
> few
> devices.
>
> If a device has multiple contact groups defined and any one of them
> denies submit commands with can_submit_commands_strict 0, then the  
> user
> is denied even if the user belongs to a group that permits it.
>
> *can_submit_commands:*  You grant users read/only access to all  
> systems,
> but you want to allow the user to issue commands for a few devices.
>
> With can_submit_commands, if a device has multiple contact groups
> defined and any one of them allows submit commands, the user can  
> submit
> commands.  If there was only one contact group listed and it had
> can_submit_commands set to 0, the user would not be able to submit  
> commands.
>
> Is this what you are looking for?
>
> Alex
>
>
>
> Tobias Klausmann wrote:
>> Hi!
>>
>> I've got a problem that I don't how to solve best in Nagios. I
>> think other people have run into the same problem (I know that
>> someone has run into a /similar/ problem).
>>
>> I'm running 2.5 on a mid-sized installations (~300 hosts, ~2500
>> services). Thing is, our projects/(host|service)groups vary
>> wildly in who is responsible for them. Unfortunately, all these
>> projects are also heavily intertwined in their dependencies.
>>
>> Say we have a web mail project A. This consists of several
>> web servers, databases and the like. It is heavily dependent on
>> the LDAP project B and the mail server project C. While B and C
>> have the same group of admins, project A is managed by an
>> entirely different group of people.
>>
>> As such, we have configured Nagios that the group that is
>> responsible for project can only see the machines of project A and
>> the "B-and-C-people" can only see B and C.
>>
>> Everything is peachy.
>>
>> Except. Sometimes, project A may look like it's broken (pages
>> time out etc). But in reality, there's a spam attack and the
>> project B (the LDAP infrastructure) is so slow it simply grinds
>> to a halt. In this case it would obviously be nice if the people
>> from project A could see that project B is slow. Yet they should
>> not be able to change the notification options/acknowledgements
>> etc etc of projects B or C.
>>
>> The altinity people have created a patch for the "view some,
>> change none" scenario[0]. Unfortunately, what I'd need is a
>> mechanism for the "view some, change a few" scenario I outlined
>> above.
>>
>> How do others deal with this kind of problem? I'm sure we're not
>> the only ones who've run into it.
>>
>> As of currently, our best guess would be to create
>> pseudo-accounts (like john.foo and john.foo-admin) and hack the
>> CGI(s) to only allow the commands from -admin accounts which are
>> in the notification list (with notification options set to "n").
>> We already do this to let people see machines they don't
>> mailed/paged/called about.
>>
>> Regards,
>> Tobias
>>
>> [0] http://altinity.blogs.com/dotorg/2006/02/a_view_some_cha.html
>
>
> ---------------------------------------------------------------------- 
> ---
> Using Tomcat but need to do more? Need to support web services,  
> security?
> Get stuff done quickly with pre-integrated technology to make your  
> job easier
> Download IBM WebSphere Application Server v.1.0.1 based on Apache  
> Geronimo
> http://sel.as-us.falkag.net/sel? 
> cmd=lnk&kid=120709&bid=263057&dat=121642
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when  
> reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
>
>
> This message has been scanned for viruses by MailController -  
> www.MailController.altohiway.com



http://www.altinity.com
T: +44 (0)870 787 9243
F: +44 (0)845 280 1725
Skype: tonvoon


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://www.monitoring-lists.org/archive/users/attachments/20061103/b765aee3/attachment.html>
-------------- next part --------------
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642
-------------- next part --------------
_______________________________________________
Nagios-users mailing list
Nagios-users at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nagios-users
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue. 
::: Messages without supporting info will risk being sent to /dev/null
Previous message: Advanced permissions/user properties
Next message: Advanced permissions/user properties
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
More information about the Users mailing list