any read-only access to Core 3.0.3 web interface?

Support forum for Nagios Core, Nagios Plugins, NCPA, NRPE, NSCA, NDOUtils and more. Engage with the community of users including those using the open source solutions.
Locked
lyle
Posts: 158
Joined: Sun Nov 21, 2010 3:05 am

any read-only access to Core 3.0.3 web interface?

Post by lyle »

Someone just asked for access to our Nagios Core 3.0.3, and I just realized I didn't know if read-only access was available, or how to configure it.

Currently any SysAdmin in our group can log in to the web gui via Active Directory authentication, and have full control. That includes being able to shut down the server, via the "Process Info" page.

Thanks....Lyle
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: any read-only access to Core 3.0.3 web interface?

Post by mguthrie »

Global permissions can be set in the cgi.cfg file. I think you can set read-only as one of the permissions. The other method is if you create a contact and don't assign them global permissions, that contact will have read-only access to their assigned hosts and services.
lyle
Posts: 158
Joined: Sun Nov 21, 2010 3:05 am

Re: any read-only access to Core 3.0.3 web interface?

Post by lyle »

Thanks for the reply.

Our Apache2 conf file has both Nagios stanzas (share & cgibin) set for LDAP authentication. This has been working fine Too fine, in fact: all authenticated users can run scripts on the Nagios web page (ie stop the server), which I'm trying to throttle down a little.

The only entry in htpasswd.users is nagiosadmin (from install probably), but our Apache conf file makes no mention of /usr/local/nagios/etc/htpasswd.users so I don't think that file is involved with authentication. Also LDAP has no user named nagiosadmin.

cgi.cfg has the value of any uncommented "authorized_*" entry set to nagiosadmin only.

My question now: How the heck can _any_ of us issue commands via the web interface? If cgi.cfg has "authorized_for_system_commands=nagiosadmin" and that's not me, how can I run the scripts?

I do see the "authorized_for_read_only" option in cgi.cfg and will play with that. Thanks for that and any other advice.

....Lyle
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: any read-only access to Core 3.0.3 web interface?

Post by mguthrie »

Are all of the directives commented out? Can I see the cgi.cfg file?

Is it possible the LDAP auth has everything logging in as nagiosadmin? (Bear with me I don't know much about LDAP). When you log into the interface, the tactical overview shows who you're logged in as.
lyle
Posts: 158
Joined: Sun Nov 21, 2010 3:05 am

Re: any read-only access to Core 3.0.3 web interface?

Post by lyle »

I've sent you a PM with my config files.

"Tactical Monitoring Overview" says I'm logged in as "lryan", my ldap account. I checked our Active Directory (which gets propagated via ldap), and there's no nagiosadmin user and no groups with nagios in their name.

Thanks...Lyle
mguthrie
Posts: 4380
Joined: Mon Jun 14, 2010 10:21 am

Re: any read-only access to Core 3.0.3 web interface?

Post by mguthrie »

Bear with me in that I haven't worked with LDAP, but try adding your read-only users to this directive in the cgi.cfg file.

Code: Select all

# AUTHORIZED FOR READ ONLY
# A comma-delimited list of usernames that have read-only rights in the CGIs. 
# This will block any service or host commands normally shown on the extinfo CGI pages. 
# It will also block comments from being shown to read-only users. 

authorized_for_read_only=user1,user2
Locked