Someone just asked for access to our Nagios Core 3.0.3, and I just realized I didn't know if read-only access was available, or how to configure it.
Currently any SysAdmin in our group can log in to the web GUI via Active Directory authentication and have full control. That includes being able to shut down the server via the "Process Info" page.
Thanks....Lyle
any read-only access to Core 3.0.3 web interface?
Re: any read-only access to Core 3.0.3 web interface?
Global permissions can be set in the cgi.cfg file. I think you can set read-only as one of the permissions. The other method is if you create a contact and don't assign them global permissions, that contact will have read-only access to their assigned hosts and services.
Re: any read-only access to Core 3.0.3 web interface?
Thanks for the reply.
Our Apache2 conf file has both Nagios stanzas (share & cgibin) set for LDAP authentication. This has been working fine. Too fine, in fact: all authenticated users can run scripts on the Nagios web page (i.e. stop the server), which I'm trying to throttle down a little.
The only entry in htpasswd.users is nagiosadmin (from install probably), but our Apache conf file makes no mention of /usr/local/nagios/etc/htpasswd.users so I don't think that file is involved with authentication. Also LDAP has no user named nagiosadmin.
cgi.cfg has the value of any uncommented "authorized_*" entry set to nagiosadmin only.
My question now: How the heck can _any_ of us issue commands via the web interface? If cgi.cfg has "authorized_for_system_commands=nagiosadmin" and that's not me, how can I run the scripts?
I do see the "authorized_for_read_only" option in cgi.cfg and will play with that. Thanks for that and any other advice.
....Lyle
Re: any read-only access to Core 3.0.3 web interface?
Are all of the directives commented out? Can I see the cgi.cfg file?
Is it possible the LDAP auth has everything logging in as nagiosadmin? (Bear with me, I don't know much about LDAP.) When you log into the interface, the tactical overview shows who you're logged in as.
Re: any read-only access to Core 3.0.3 web interface?
I've sent you a PM with my config files.
"Tactical Monitoring Overview" says I'm logged in as "lryan", my LDAP account. I checked our Active Directory (which gets propagated via LDAP), and there's no nagiosadmin user and no groups with nagios in their name.
Thanks...Lyle
Re: any read-only access to Core 3.0.3 web interface?
Bear with me in that I haven't worked with LDAP, but try adding your read-only users to this directive in the cgi.cfg file.
# AUTHORIZED FOR READ ONLY
# A comma-delimited list of usernames that have read-only rights in the CGIs.
# This will block any service or host commands normally shown on the extinfo CGI pages.
# It will also block comments from being shown to read-only users.
authorized_for_read_only=user1,user2
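
An added example, not part of the original thread: a small Python audit of cgi.cfg text that reports whether a given web login is listed as read-only and which command directives grant it rights. The sample config and the function names are constructed for illustration; it assumes the `use_authentication` directive and the `*` (any authenticated user) wildcard of Nagios 3 cgi.cfg, and it does not model rights a user gets as a contact for specific hosts and services.

```python
# Constructed sample config, not the poster's actual cgi.cfg.
SAMPLE_CGI_CFG = """\
use_authentication=1
#authorized_for_configuration_information=nagiosadmin
authorized_for_system_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_read_only=user1,user2
"""

# Directives that let a web user submit commands globally.
COMMAND_DIRECTIVES = (
    "authorized_for_system_commands",
    "authorized_for_all_host_commands",
    "authorized_for_all_service_commands",
)

def parse_cgi_cfg(text):
    """Return {directive: value} for every uncommented key=value line."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings

def listed(settings, directive, user):
    """True if the user, or the '*' wildcard, appears in the directive's list."""
    names = {n.strip() for n in settings.get(directive, "").split(",")}
    return user in names or "*" in names

def audit_user(text, user):
    """Summarise what cgi.cfg alone says about one web login."""
    settings = parse_cgi_cfg(text)
    return {
        # With use_authentication=0 the CGIs skip authorization checks entirely.
        "auth_disabled": settings.get("use_authentication") == "0",
        "read_only": listed(settings, "authorized_for_read_only", user),
        "command_grants": [d for d in COMMAND_DIRECTIVES if listed(settings, d, user)],
    }

if __name__ == "__main__":
    for name in ("nagiosadmin", "user1", "user3"):
        print(name, audit_user(SAMPLE_CGI_CFG, name))
```

A login that shows `read_only` as true together with a non-empty `command_grants` list, or any result with `auth_disabled` true, is worth reviewing before handing out access.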