Nagios Host/Service viewing permissions

robfegan
Posts: 4
Joined: Wed Apr 18, 2018 7:32 am

Nagios Host/Service viewing permissions

Post by robfegan »

Hi,
I'm having trouble with restricting the items visible within Nagios Core 4.3.4.
From what I am seeing it would appear that a service is visible to a contact group if they are listed in the contact groups at either the host or the service level.
I was hoping for more fine grained control than this, so maybe it's a configuration issue on my part.

Here is an overview of what I'm trying to achieve.
We want our Help Desk to be able to see the availability of all of our production hosts (the check-host-alive check).
Therefore I have included the Help Desk contact group in contact_groups setting for the production hosts.
However, on these production hosts, we want to limit the Help Desk's view of the services monitored.
For example, we want the Help Desk to see the C: drive space check service, but the D: drive space check would only be available to the application support team, as they are better placed to both judge the impact and resolve the issue.
I therefore included the Help Desk in the contact_groups for the C: drive check, but not the D: drive check.

However, it seems that, because the Help Desk contact group is enabled for the host, it can therefore see all services defined for that host.

I tried using !helpdesk in the contact_groups at the service level, but Nagios complains when I run the configuration check.

Is what I'm trying to do achievable?
Regards,
Rob
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Host/Service viewing permissions

Post by scottwilkerson »

You will want to look at the section on "Implied Inheritance" on this doc
https://assets.nagios.com/downloads/nag ... tance.html

The services are going to pick up the host's contact group unless you set them to something else.

So on the services you do not want the help desk contact group to see you need to explicitly set it to another contact group, or null.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
robfegan
Posts: 4
Joined: Wed Apr 18, 2018 7:32 am

Re: Nagios Host/Service viewing permissions

Post by robfegan »

Thanks Scott.

I tried your suggestions, but to no avail unfortunately.

Originally we had contact_groups set to admins, which although I wasn't sure was necessary (I've inherited this configuration), I thought would have prevented access for the helpdesk contact group. In order to try the 'null' option I commented out the contact_groups line; helpdesk could still see drive space checks defined to use this service definition. Then I tried with a line actually setting contact_groups to null. This time I got warnings along the line of:
Warning: Service 'E:\ Drive Space' on host 'XXX' has no default contacts or contactgroups defined!

Again, the helpdesk account can still see the E:\ Drive Space


The disk-service definition from templates.cfg

define service{
    name                          disk-service      ; The 'name' of this service template
    active_checks_enabled         1                 ; Active service checks are enabled
    passive_checks_enabled        1                 ; Passive service checks are enabled/accepted
    parallelize_check             1                 ; Active service checks should be parallelized (disabling this can lead to major performance problems)
    obsess_over_service           1                 ; We should obsess over this service (if necessary)
    check_freshness               0                 ; Default is to NOT check service 'freshness'
    notifications_enabled         1                 ; Service notifications are enabled
    event_handler_enabled         1                 ; Service event handler is enabled
    flap_detection_enabled        1                 ; Flap detection is enabled
    process_perf_data             1                 ; Process performance data
    retain_status_information     1                 ; Retain status information across program restarts
    retain_nonstatus_information  1                 ; Retain non-status information across program restarts
    is_volatile                   0                 ; The service is not volatile
    check_period                  disk_check_hours  ; The service will be checked only during extended office hours
    max_check_attempts            3                 ; Re-check the service up to 3 times in order to determine its final (hard) state
    check_interval                15                ; Check the service every 15 minutes under normal conditions
    retry_interval                1                 ; Re-check the service every minute until a hard state can be determined
    contact_groups                null              ; Explicitly no contact groups (previously 'admins')
    notification_options          w,u,c,r           ; Send notifications about warning, unknown, critical, and recovery events
    notification_interval         240               ; Re-notify about service problems every 4 hours
    notification_period           disk_check_hours  ; Notifications will be sent out only during extended office hours
    register                      0                 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL SERVICE, JUST A TEMPLATE!
}

The service defined for checking E: drive space

# Create a service for monitoring E:\ disk usage
# Change the host_name to match the name of the host you defined above

define service{
    use                  disk-service
    host_name            <list of hosts>
    hostgroup_name       <list of hostgroups>
    service_description  E:\ Drive Space
    check_command        check_nt!USEDDISKSPACE!-l e -w 87 -c 90
    process_perf_data    0
}

The host config file for the relevant host

define host{
    use        windows-live-server  ; Inherit default values from a template
    host_name  <host name>          ; The name we're giving to this host
    alias      <host name>          ; A longer name associated with the host
    address    <IP address>         ; IP address of the host
}

The windows-live-server template

define host{
    name                   windows-live-server   ; The name of this host template
    use                    generic-host          ; Inherit default values from the generic-host template
    check_period           24x7                  ; By default, Windows servers are monitored round the clock
    check_interval         5                     ; Actively check the server every 5 minutes
    retry_interval         1                     ; Schedule host check retries at 1 minute intervals
    max_check_attempts     10                    ; Check each server 10 times (max)
    check_command          check-host-alive      ; Default command to check if servers are "alive"
    notification_period    24x7                  ; Send notification out at any time - day or night
    notification_interval  360                   ; Resend notifications every 6 hours
    notification_options   d,r                   ; Only send notifications for specific host states
    contact_groups         admins,helpdesk       ; Notifications get sent to the admins and helpdesk groups
    hostgroups             windows-live-servers  ; Host groups that Windows servers should be a member of
    register               0                     ; DONT REGISTER THIS - ITS JUST A TEMPLATE
}
[img]C:\Users\fegar\Documents\Nagios\nagiosadmin_view.jpg[/img]
[img]C:\Users\fegar\Documents\Nagios\helpdesk_view.jpg[/img]

EDIT: Guess that isn't how I upload images then :)
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Host/Service viewing permissions

Post by scottwilkerson »

I think I misunderstood the original questions, I thought it was about notifications.

I actually don't think there is any way for you to prevent contacts from seeing all services when they are a contact for the host.
Former Nagios employee
Creator:
ahumandesign.com
enneagrams.com
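
The visibility rule reached in the reply above, as an added audit sketch (not part of any post and not Nagios code): a contact group that is a contact for a host can view every service on that host, whatever the service's own contact_groups says. It assumes only the directives shown and a single `use` template chain; the host names winhost01 and apphost01 are placeholders.

```python
import re
# Constructed sample modelled on this thread's definitions; host names are placeholders.
SAMPLE = r"""
define host{
    name            windows-live-server
    contact_groups  admins,helpdesk   ; helpdesk is a host contact
}
define host{
    use             windows-live-server
    host_name       winhost01
}
define host{
    host_name       apphost01
    contact_groups  admins
}
define service{
    name            disk-service
    contact_groups  null
}
define service{
    use                  disk-service
    host_name            winhost01,apphost01
    service_description  E:\ Drive Space
}
"""

def parse(text):  # -> [(object_type, {directive: value})], ';' comments dropped
    objs = []
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        pairs = (ln.split(";")[0].split(None, 1) for ln in body.splitlines())
        objs.append((kind, {p[0]: p[1].strip() for p in pairs if len(p) == 2}))
    return objs

def groups(obj, kind, tmpl):  # contact_groups, following one 'use' template chain
    while "contact_groups" not in obj and "use" in obj:
        obj = tmpl[(kind, obj["use"])]
    return set(obj.get("contact_groups", "null").split(",")) - {"null"}

def visible_services(text, group):  # {(host, service): why `group` can view it}
    objs = parse(text)
    tmpl = {(k, d["name"]): d for k, d in objs if "name" in d}
    hosts = {d["host_name"]: groups(d, k, tmpl)
             for k, d in objs if k == "host" and "host_name" in d}
    seen = {}
    for d in (d for k, d in objs if k == "service" and "host_name" in d):
        for h in d["host_name"].split(","):
            via_host = group in hosts.get(h, ())
            if via_host or group in groups(d, "service", tmpl):
                seen[(h, d["service_description"])] = "host contact" if via_host else "service contact"
    return seen
```

Calling `visible_services(SAMPLE, "helpdesk")` reports the E: drive check on winhost01 as visible through the host contact even though the service template sets contact_groups to null, while the same check on apphost01, where helpdesk is not a host contact, stays hidden.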
robfegan
Posts: 4
Joined: Wed Apr 18, 2018 7:32 am

Re: Nagios Host/Service viewing permissions

Post by robfegan »

That's disappointing. I'm surprised more people haven't seen this as something of an issue.
Is there a process for requesting enhancements?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Host/Service viewing permissions

Post by scottwilkerson »

For Nagios Core you can make a request here
https://github.com/NagiosEnterprises/nagioscore/issues

Or if you make the modification you can submit the pull request here for possible inclusion in the open source software
https://github.com/NagiosEnterprises/nagioscore/pulls
robfegan
Posts: 4
Joined: Wed Apr 18, 2018 7:32 am

Re: Nagios Host/Service viewing permissions

Post by robfegan »

Thanks again Scott.
Have to admit I wouldn't know where to start on making the modifications myself :lol:
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises
Contact:

Re: Nagios Host/Service viewing permissions

Post by scottwilkerson »

No problem, opening an issue at least will get the idea seen by developers.