Hello! I've done a search and I found some people asking the opposite of what I'm looking for, so I'll throw this out.
Our department has an instance of Nagios (3.5.0) and we're gearing up to allow limited access to others outside our department. When I assign a contact to a host, the user can see the host as expected, but when they click on host groups, they can see all the other hosts in that group. They cannot view any services, but they see that it's up (or down). The same goes with Service Groups - they can see the summary with host status summary and service status summary, but cannot drill down further. Essentially a host contact can see some trivial information about other systems (or a list of systems in the groups this host is a part of) but nothing beyond that. We would rather these users not see anything beyond what we give them.
I'd configured a 3.2 environment quite a while back with some DBAs and programmers having limited access and I don't recall this being an issue then, but that was a few years ago. Have I missed something here?
Support information - the host contact is an AD user not defined in any way in the cgi.cfg. The contact is not a part of an AD group defined in the apache configuration for the admins. The contact is not a member of the admin group in the contacts.cfg file. If the contact is defined in the service definition versus the host definition, all appears as expected and the user is shown the "It appears as though ..." message. I have not yet gone back to create a new local user to test this behavior with.
Thanks!
Question on Host Contact Permissions
-
sreinhardt
- -fno-stack-protector
- Posts: 4366
- Joined: Mon Nov 19, 2012 12:10 pm
Re: Question on Host Contact Permissions
Unfortunately, I believe this is how it is intended. Much like if you are a contact on a host, but not for the services, you will see all of the services. A good general rule is that if you are a part of the group or a contact for something in a group, expect to be able to at least see the status of other objects in that group.
Nagios-Plugins maintainer exclusively, unless you have other C language bugs with open-source nagios projects, then I am happy to help! Please pm or use other communication to alert me to issues as I no longer track the forum.
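An added example, not part of the original thread and not Nagios project code: a small audit that applies the rule of thumb from the reply above to an objects file and lists, per contact, the hosts whose status they would see only because of shared host group membership. The sample config, host names and contact names are constructed, and it assumes contacts and host groups are set directly on each object (no templates via `use`, no `contact_groups`).

```python
import re
from collections import defaultdict

# Constructed sample; assumes no templates ('use') and no contact_groups.
SAMPLE = """
define host {
    host_name   app01
    hostgroups  linux-servers
    contacts    appsupport
}
define host {
    host_name   db01
    contacts    dba
}
define hostgroup {
    hostgroup_name  linux-servers
    members         db01
}
"""

def parse_objects(text):
    """Yield (type, {directive: value}) for each 'define <type> { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        attrs = {}
        for line in body.splitlines():
            line = line.split(";", 1)[0].strip()      # drop ';' comments
            if line and not line.startswith("#"):
                key, *rest = line.split(None, 1)
                attrs[key] = rest[0].strip() if rest else ""
        yield kind, attrs

def names(value):
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def incidental_visibility(text):
    """Map contact -> hosts visible only through a shared host group."""
    groups, contacts_of = defaultdict(set), defaultdict(set)
    for kind, a in parse_objects(text):
        if kind == "host":
            contacts_of[a["host_name"]].update(names(a.get("contacts")))
            for g in names(a.get("hostgroups")):      # membership set on the host
                groups[g].add(a["host_name"])
        elif kind == "hostgroup":                     # membership set on the group
            groups[a["hostgroup_name"]].update(names(a.get("members")))
    seen = defaultdict(set)
    for members in groups.values():
        for host in members:
            for contact in contacts_of[host]:
                seen[contact] |= {h for h in members if contact not in contacts_of[h]}
    return {c: sorted(h) for c, h in seen.items() if h}
```

Running `incidental_visibility()` over the text of a real objects file before granting outside contacts access shows which host groups would need to be split or re-scoped first.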
-
MBowman325
- Posts: 14
- Joined: Fri Aug 09, 2013 3:31 pm
Re: Question on Host Contact Permissions
That's a bit of a bummer. That said, we weren't planning on very many people to be host contacts - primarily service contacts.
Thanks!
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Question on Host Contact Permissions
You could re-work a second set of hosts for their eyes only, and then leave the original ones for your team as they are now. Beyond that, it would be difficult to navigate around the built-in contact rules. Another possible option is BPI Groups:
http://assets.nagios.com/downloads/nagi ... _Addon.pdf
http://assets.nagios.com/downloads/nagi ... BPI_v2.pdf
-
MBowman325
- Posts: 14
- Joined: Fri Aug 09, 2013 3:31 pm
Re: Question on Host Contact Permissions
A quick glance at the BPI option is pretty slick! I think that might be ideal for a couple of applications with cross system dependencies. I'll look more into that.
Those outside our immediate group would primarily be application support. With limited exception, they would need access to only their service checks and not additional system checks. I think. A decision hasn't been made yet on what they need, if anything.
The better solution might be to set up a check for a directory (some tend to grow fairly quickly) and allow them access to that and whatever port / service checks. Which I can group for a particular application, at which point it won't matter if they see what else is there or not.
-
slansing
- Posts: 7698
- Joined: Mon Apr 23, 2012 4:28 pm
- Location: Travelling through time and space...
Re: Question on Host Contact Permissions
It seems like you have the logic down for what you guys need to do. Now it's on to implementation when they choose how they want objects grouped. Let us know if you need further help on this!