Managing multiple credential sets

[jbrandon2]

We are implementing Nagios for non-critical parts of our environment for a few months to see how it stacks up against our current monitoring solution, so far, it's great. Before I try to engineer solutions to the couple of problems we have I thought I might ask to see if/how other people are overcoming these things:

Our current solution, What's Up Gold, has a credential library. You put domain/username/password combinations in the library (they're stored encrypted, supposedly) and when you add a machine for monitoring you just choose which credential set to use. This is important to us because we're monitoring equipment across 7 Windows AD structures with very limited trust relationships in place only between a couple of them.

I know that the general way to store credentials in Nagios, Core at least, is to place $USERxx$ macros in the /etc/nagios/private/resources.cfg file, and I know I could simply create $USER3$-$USER16$, thus having multiple credentials available, but I would then have to have a separate set of check commands in place for each domain, even if I used the same username/password in each domain, the domain prefix has to be provided...

Has anyone encountered this hurdle before and if so, how did YOU solve it?

[jsmurphy]

I haven't had to solve this particular problem before, but here's how I would solve it:
1. Create the same username/password on all of the domains (I know we still need to solve that pesky domain prefix problem )
2. Enter that as an entry in your resources.cfg file
3. On your AD integrated hosts create a custom macro that contains the name of the domain that host is in i.e.

define host {
hostname blah
address x.x.x.x
...
_DOMAINNAME domain1
}

4. Edit your command so that it looks something like $USER1$/mycommand -H blah -c dosomething -u "$_HOSTDOMAINNAME$\\$USER3$ -p $USER4$

I can't remember if that's exactly the right syntax for a custom macro but the documentation is here: http://nagios.sourceforge.net/docs/3_0/macros.html

This might work for you?

[jbrandon2]

I do appreciate the effort, it's always nice to know that at least someone's trying to help. Unfortunately, this doesn't really change the current state overly much. It would still require me to have one set of commands for each of the Windows domains, much as I do now. For example, if this were the current state:

Code: Select all

$USER3$=domain1/nagios.user
$USER4$=S0meP@ssword
$USER5$=domain2/nagios.user
$USER6$=S0me0therP@ass
$USER7$=domain3/nagios.user
$USER8$=Y3t@notherPass


Changing to the same user/password in each domain would simplify it slightly to this:

Code: Select all

$USER3$=nagios.user
$USER4$=S0meP@ssword
$USER5$=Domain1
$USER6$=Domain2
$USER7$=Domain3


But would still require this:

Code: Select all

define command {
  command_name Percent_Disk_Used_Domain1
  command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER5$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}
define command {
  command_name Percent_Disk_Used_Domain2
  command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER6$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$ARG4$
}
define command {
  command_name Percent_Disk_Used_Domain3
  command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $USER7$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}


Now, if I could somehow assign another parameter to a host, such as domain name, and then reference that parameter in the check command, you would be on to something solid. That way my check command could look something like this, and only require one check command.

Code: Select all

define command {
  command_name Percent_Disk_Used
  command_line $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $HOSTDOMAIN$/$USER3$ -p $USER4$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}


I know everything I'm using is open source, and I'm free to modify it to add this functionality, but my knowledge of scripting isn't that strong, and I'd rather stick with something that won't break with upgrades.

[jsmurphy]

You may want to read my post a little more carefully... trust me the answer is there

[jbrandon2]

You may want to read my post a little more carefully... trust me the answer is there

And so it would seem. I do apologize, when I read your post about the custom macro I must have just assumed I knew what you meant, or I missed a keyword or something. If in fact host-based macros are doable, that would certainly resolve the issue. Thank you very much.

[jbrandon2]

Okay, so, progress... Yes, custom variables work. There's only a minor nuance struggle left, one that would be more convenient, but certainly isn't as much of a deal-breaker as the whole situation was.

The following lines are spread across a couple of different files, but for the sake of simple presentation they're all lumped in to one block here:

Code: Select all

define host {
  name                               Credentials-Domain1
  register                            0
  _user                               domain1/nagios.service
  _password                       $USER3$
}

define host {
  host_name                      test1
  address                           test1.domain1.local
  max_check_attempts       2
  check_interval                 2
  retry_interval                  1
  notification_interval        30
  notification_options         d,u,r
  active_checks_enabled     1
  notifications_enabled       1
  check_command               check-host-alive
  check_period                   24x7
  notification_period          daytime
  contact_groups                +sysadmins
  use                                 Credentials-Domain1
}

define service {
  service_description         Disk_Used
  max_check_attempts      2
  check_interval                60
  retry_interval                 5
  notification_interval       1440
  notification_options        w,u,c,r
  active_checks_enabled    1
  notifications_enabled      1
  check_command              check_used_space!.!75!90!-o 1 -3 1
  check_period                  24x7
  notification_period         daytime
  contact_groups              +sysadmins
}

define host {
define command {
  command_name               check_used_space
  command_line                  $USER1$/check_wmi_plus.pl -H $HOSTADDRESS$ -m checkvolsize -u $_HOSTUSER$ -p $_HOSTPASSWORD$ -a $ARG1$ -w $ARG2$ -c $ARG3$
}


Then, of course, in my resources.cfg I have $USER3$ defined as the password that matches the account specified by the host template.

Unfortunately, $USER3$ doesn't seem to expand if referenced in the custom variable $_HOSTPASSWORD$. Using it the way I have it set up now, if everything were to evaluate, would work fine, and it would allow me to have separate passwords for these accounts as well because each template would specify the username and which $USERx$ macro to use for a password (so they can be "hidden"). If I change the check command to use $USER3$ instead of $_HOSTPASSWORD$ everything works fine, so it's pretty clear where the problem lies.

Is there a way to use a user macro within a custom variable/macro like I'm trying to or is the best I'm going to get this is use the same password for all of my service accounts and consider myself fortunate?

[jsmurphy]

You know, I've often wondered this (if you could reference a resource macro from a custom macro) but never had probable cause to actually try it out, so thanks for running that little experiment for me .

Unfortunately my bag of tricks doesn't extend that far... without being able to reference another macro, I can't see another way around it. But at least life is a little easier now

[jbrandon2]

Unfortunately my bag of tricks doesn't extend that far... without being able to reference another macro, I can't see another way around it. But at least life is a little easier now

True enough, thanks much.