> On the Nagios-Users list there is a discussion on the same subject about
> adding advanced permissions to Nagios for hosts and services. Users
> (including myself) were looking for a way to grant users the ability to
> view hosts, but not submit commands and to allow for more complex
> permissions.
>
> It made the most sense to model the permission system with how file
> system permissions are handled. With file system permissions, we would
> assign a group to a folder, and then pick what rights the group would
> have. It made sense to do the same thing with Nagios in the
> contact_groups/contact option for hosts and services:
[...]
> If permissions are not set on the contact_groups or contact line, then
> the defaults will be used. If there is no default_permissions option in
> cgi.cfg and nagios.cfg, then it will default to full permissions (the
> same checks that Nagios currently performs).
>
> Here is a description of the option for cgi.cfg and nagios.cfg:
>
> # DEFAULT HOST/SERVICE PERMISSIONS
> # This option contains a list of default permissions for hosts and
> # services that will be used when permissions are not explicitly
> # set on a host or service. When not defined, the default is all
> # permissions (rwxn). Note: This option must be set the same in
> # both cgi.cfg and nagios.cfg.
>
> #default_permissions=3Drwxn
I think the default perms should be added to a contact or contactgroup.
So i can give the Contact "netop" the Perms "r n" globaly.
define contact{
contact_name netop=20
permissions r,n
=2E...
}
or=20
define contactgroup{
contactgroup_name netpos
member netop
permissions r,n
....
}
> As you can see, the option needs to be in both config files although I
> would prefer to have it only in nagios.cfg. It is needed in nagios.cfg
> for base/notifications.c which has nothing to do with the cgi. If
> someone knows how to combine the two, please let me know.
>
> I also changed how services are displayed. If you are not a contact for
> a service (you do not have the 'r' permission), then the service will
> not be displayed. I prefer to have it this way so I can prevent some
> admins from seeing services such as a the service I use to receive SNMP
> traps. The problem with this right now is that even though the user
> only sees the services they has permissions for, as long as the user has
> rx permissions to the host, the user can do a 'Enable notifications for
> all services on this host' which will do ALL services.
>
> If this patch is accepted, then we will have to add permission checks to
> the commands that process child objects.
>
> Attached are patches for Nagios 2.5 and 3.0 (CVS as of 11/6/06).
I will test the patch with the latest 3.0 CVS next Week.
Thanks Alex ! Great work.
And thanks for snmptt
J=C3=B6rg
This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]