Restricting user for accessing details of remote hosts

john.akash
Posts: 11
Joined: Tue Mar 11, 2014 6:46 am

Post by john.akash »

Hello Team,

I have 27 servers in my Nagios dashboard. Is it possible to restrict a user to viewing the host status for only some particular servers? That is, I need to give a user access to the status of 2 remote hosts only.
abrist
Red Shirt
Posts: 8334
Joined: Thu Nov 15, 2012 1:20 pm

Re: Restricting user for accessing details of remote hosts

Post by abrist »

Yes, you do this by creating a monitoring contact named exactly the same as the user. Then add this contact to just the hosts you wish the user to see, and then make sure the user is not given any special privileges in cgi.cfg (like authorized for all hosts/services, admin, etc).
Former Nagios employee
"It is turtles. All. The. Way. Down. . . .and maybe an elephant or two."
VI VI VI - The editor of the Beast!
Come to the Dark Side.

Post by john.akash »

Thanks for your response. I am now using LDAP authentication for the Nagios dashboard. If I try it the way you suggested, how can I set a password for that particular user? Could you please provide the steps to follow?
scottwilkerson
DevOps Engineer
Posts: 19396
Joined: Tue Nov 15, 2011 3:11 pm
Location: Nagios Enterprises

Post by scottwilkerson »

If you are using ldap authentication, the passwords would be set on your ldap server.
Former Nagios employee

Post by john.akash »

OK, that is fine, I can add it. How can I add that particular user to the host? My configuration file for a particular host is as follows:

    define host{
        use                     linux-server
        check_period            24x7
        check_interval          5
        retry_interval          1
        max_check_attempts      10
        check_command           check-host-alive
        host_name               MyUnix server
        alias                   MyUnix server
        address                 XX.XX.XX.XX
        notification_options    d,u,r ; Only send notifications for specific host states
        contact_groups          admins
        icon_image              ubuntu.png
        statusmap_image         ubuntu.gd2
    }

All the service definitions come below this, like check disk, memory, load, etc. Could you please let me know how I can add a user to this?

Post by scottwilkerson »

By adding to the contact_groups line, or by adding an additional line:

contacts    your_users_username
http://nagios.sourceforge.net/docs/3_0/ ... .html#host

Post by john.akash »

Hello Scottwilkerson,

Thanks for the quick response. I have added that contacts configuration, and login through LDAP credentials works fine, but that particular user can view all the host reports in the dashboard. The way I have configured it is as follows:

contacts.cfg
    define contact{
        contact_name    user1
        use             generic-contact
        alias           user1
        email           [email protected]
        pager           92929299292
    }

Configuration file for my server myserver.cfg

    define host{
        use                     linux-server
        check_period            24x7
        check_interval          5
        retry_interval          1
        max_check_attempts      10
        check_command           check-host-alive
        host_name               MyServer
        alias                   MyServer
        address                 192.168.60.23
        notification_options    d,u,r
        contacts                user1
        icon_image              Amazon.png
        statusmap_image         Amazon.gd2
    }

Apache config for nagios

    <VirtualHost *:80>
        ServerName nagios.local.com
        ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"

        <Directory "/usr/local/nagios/sbin">
            # SSLRequireSSL
            Options ExecCGI
            AllowOverride None
            Order allow,deny
            Allow from all

            ##Ldap Authentication
            AuthLDAPURL ldap://ldap.local.com:389/OU=People,DC=ldap,DC=local,DC=com?uid
            AuthBasicProvider ldap
            AuthType Basic
            AuthzLDAPAuthoritative off
            AuthName "local Nagios"
            AuthLDAPBindDN "CN=Manager,DC=ldap,DC=local,DC=com"
            AuthLDAPBindPassword MyPassword
            require user user1 user2 user3
        </Directory>

        Alias /nagios "/usr/local/nagios/share"
        <Directory "/usr/local/nagios/share">
            # SSLRequireSSL
            Options None
            AllowOverride None
            Order allow,deny
            Allow from all

            ##Ldap Authentication
            AuthLDAPURL ldap://ldap.local.com:389/OU=People,DC=ldap,DC=local,DC=com?uid
            AuthBasicProvider ldap
            AuthType Basic
            AuthzLDAPAuthoritative off
            AuthName "local Nagios"
            AuthLDAPBindDN "CN=Manager,DC=ldap,DC=local,DC=com"
            AuthLDAPBindPassword MyPassword
            require user user1 user2 user3
        </Directory>
    </VirtualHost>

Where user1 is for accessing the status of a particular host, and user2 and user3 need to access the status of all the hosts.
slansing
Posts: 7698
Joined: Mon Apr 23, 2012 4:28 pm
Location: Travelling through time and space...

Post by slansing »

If the user's contact is assigned to a service, he/she will be able to see the host as well, that is currently unfortunately how it works. We are investigating a way to change this, so that you can only see what you are assigned to.

Post by john.akash »

Hello Slansing,

Thanks for the update. How can I achieve this in another way? How should the configuration be in that scenario?

Post by abrist »

Well, currently, you cannot restrict a view to just a specific service as they will be able to see the host. You can still restrict a user's view to only the host objects that they are contacts of. How do you have the cgi.cfg authorized_for values configured?

grep "authorized_for" /usr/local/nagios/etc/cgi.cfg
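The visibility rules described across this thread can be checked offline before touching a live dashboard. The following is an added example, not code from any poster or from the Nagios project: it models only what the thread states (a contact named like the web user, `contacts` / `contact_groups` on hosts, a service contact also seeing the host, and `authorized_for_all_hosts` in cgi.cfg overriding all of that). The sample config, the extra hosts `OtherServer` and `DbServer`, and the function names are constructed; templates (`use`), hostgroups and escalations are not resolved.

```python
import re
# Constructed sample inputs modelled on the thread; not taken from a real system.
CGI_CFG = "use_authentication=1\nauthorized_for_all_hosts=user2,user3\n"
OBJECTS = """
define contactgroup{
    contactgroup_name admins
    members           user2,user3
}
define host{
    host_name      MyServer
    contacts       user1
}
define host{
    host_name      OtherServer
    contact_groups admins
}
define host{
    host_name      DbServer
    contact_groups admins
}
define service{
    host_name           OtherServer
    service_description Disk
    contacts            user1   ; service-level contact only
}
"""

def parse_objects(text):
    """Return [(type, {directive: value})] for every 'define type{ ... }' block."""
    objs = []
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        pairs = (l.split(";", 1)[0].split(None, 1) for l in body.splitlines())
        objs.append((kind, {p[0]: p[1].strip() for p in pairs if len(p) == 2}))
    return objs

def names(value):  # comma-separated directive value -> set of names
    return {v.strip() for v in (value or "").split(",") if v.strip()}

def visible_hosts(user, cgi_text, obj_text):
    """Hosts the authenticated web user can view, under the rules described in the thread."""
    cgi = dict(l.split("=", 1) for l in cgi_text.splitlines() if "=" in l and not l.startswith("#"))
    objs = parse_objects(obj_text)
    allowed = names(cgi.get("authorized_for_all_hosts"))
    if cgi.get("use_authentication") == "0" or allowed & {user, "*"}:
        return {a["host_name"] for k, a in objs if k == "host"}  # cgi.cfg overrides contacts
    groups = {a["contactgroup_name"] for k, a in objs if k == "contactgroup" and user in names(a.get("members"))}
    # A match on a service definition exposes that service's host as well.
    return {h for k, a in objs if k in ("host", "service")
            and (user in names(a.get("contacts")) or groups & names(a.get("contact_groups")))
            for h in names(a.get("host_name"))}
```

Running `visible_hosts` for each name in the Apache `require user` line shows at a glance whether a restricted account is widened by cgi.cfg or by a stray service-level contact.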