Revisiting - Network outage view without access to all hosts

[louisvd]

Hi

I have almost the identical issue to one posted three days ago, but now that thread is locked, hence my "Revisiting" thread.

@marcelst asked how to permit users to view the "Network Outages" view without granting them access to all hosts. The difference was that he was on 3.51. He was answered by @ssax stating that he would have to alter the code of outages.c and recompile.

I am running on RHEL 7.2 and have Nagios Core 4.0.8 from the repository.

My issue is that according to the Nagios Documentation on https://assets.nagios.com/downloads/nag ... utages_cgi:

Authorization Requirements:

If you are authorized for all hosts you can view all hosts.
If you are an authenticated contact you can view hosts for which you are a contact.

So I have users that are in a Contact Group which permits them access to all the features of hosts and services, but when they select the "Network Outages" link (outages.cgi) they get the permission denied screen.

So my question thus is:

• Am I implementing it wrong?
  Is the documentation wrong?
  Does the code need to be revised?

I guess the logic on this could be tricky. If a user has access to a subset of hosts, and one of his hosts goes down causing a network blockage, then yes, he should see that. But if an upstream host to which he does not have access goes down causing a network blockage ... then what should he see? Changing the code in marcelst's case, would potentially causing his multi-tenant installation to allow certain tenants to see blockages on hosts that they should not know about.

[ssax]

The code uses is_authorized_for_all_hosts which means they have to have that set for their user.

That being said, I agree there looks to be a discrepancy with the documentation.

I will reach out to the developers on this to see what the intended functionality is, if you don't hear back from me by the end of Monday, please respond to this thread.

Thank you

[rkennedy]

An authenticated contact is an authenticated user whose username matches the short name of a contact definition.

Take a look at this link, it should provide a bit more information and the clarification you're looking for -
https://assets.nagios.com/downloads/nag ... iauth.html

[jfrickson]

If you are comfortable with changing code and compiling, I have a patch that might take care of your problem.

[louisvd]

An authenticated contact is an authenticated user whose username matches the short name of a contact definition.

Take a look at this link, it should provide a bit more information and the clarification you're looking for -
https://assets.nagios.com/downloads/nag ... iauth.html

Sadly this page does not. I did in fact comb through it before posting. It also makes one believe that if I am authorised to view a host, I should see it in this case too, especially since Network Outages is not included in the list of "no one has access to" items.

[louisvd]

If you are comfortable with changing code and compiling, I have a patch that might take care of your problem.

Thanks for the code. I have grabbed it. I am comfortable compiling things, just don't know how the "patch" thing works. Reading the patch you provided I could edit it by hand, however!

My only reason for reluctance is because I am using the repository version of Nagios, so when an update is released I am going to lose these changes - and will probably have forgotten about it at that stage. Also, it would make sense to get some clarity on the TRUE intended mechanism of this all - especially in light of the apparent conflict between the documentation and the actual implementation.

[jfrickson]

Thanks for the code. I have grabbed it. I am comfortable compiling things, just don't know how the "patch" thing works. Reading the patch you provided I could edit it by hand, however!

My only reason for reluctance is because I am using the repository version of Nagios, so when an update is released I am going to lose these changes - and will probably have forgotten about it at that stage. Also, it would make sense to get some clarity on the TRUE intended mechanism of this all - especially in light of the apparent conflict between the documentation and the actual implementation.

If that patch works for you, it will become "official", so it will make it into the repository eventually. I assume it's a CentOS repo? Which version?

Based on the documentation, and the ease of the fix, we decided that your proposed use is the way it should be.

So try it out and let me know how it goes.

[louisvd]

If that patch works for you, it will become "official", so it will make it into the repository eventually. I assume it's a CentOS repo? Which version?

Based on the documentation, and the ease of the fix, we decided that your proposed use is the way it should be.

So try it out and let me know how it goes.

Awesome news! It's always great to see the "Community" in action!

I am actually on Redhat Enterprise Linux 7.2 (64-bit), using the EPEL Repo, which means I am presently on Nagios version 4.0.8-1.el7.

Give me a few days to get the source and compile and test - I have to fit this in between the "crisis of the day".

I will report back to the forum later this week.

[jfrickson]

I am actually on Redhat Enterprise Linux 7.2 (64-bit), using the EPEL Repo, which means I am presently on Nagios version 4.0.8-1.el7.

Ok, that one will definitely get updated. Sometime. Whenever. (It's a long process!) 6.x (running nagios 3.x) most likely won't get updated any more.

Give me a few days to get the source and compile and test - I have to fit this in between the "crisis of the day".

I will report back to the forum later this week.

I certainly know how "crisis of the day" (or "crisis of the hour") goes. I'll wait for your report.