Multi-Tenancy Granularity

Posted: Tue Jul 16, 2013 10:47 am
by jwelch
I'm beginning to experiment with multi-tenancy in XI and it doesn't seem to be working the way I expected.
How granular are the multi-tenancy capabilities? From glancing at the docs, I would have thought that
I could configure contacts down to the individual service level, however it *appears* that if a user is a
contact for the host, then they can see all services for that host, whether or not they are a contact for
a particular service. I haven't tried making a user a contact for just one service yet, since I'd rather
know what to expect before I put in a lot of time testing corner cases.

For example, I was hoping that I could configure the host and internal checks (cpu, memory, disk, etc..)
to use the sysadmin contact group and the external services (http/https for example) to the applications
contact group so that the admins would see and get notifications for hw/os problems and the app folks
would see and be notified for application problems (there's always some overlap, but this is just an
example).

If it's all or nothing for a given host and its services, I just need to know so I can plan accordingly.

(I've read the multi-tenancy pdf and it only goes to the "this host belongs to one group, that host to
another group" level, which does seem to work as described.)

Re: Multi-Tenancy Granularity

Posted: Tue Jul 16, 2013 11:01 am
by abrist
Contacts/Users can be configured on a service object level. They will be able to see the service and interact with it, while restricted from seeing the host details or interacting with the host.

Re: Multi-Tenancy Granularity

Posted: Tue Jul 16, 2013 12:35 pm
by jwelch
I'm pretty sure that is not what I have observed. I'll work up a couple of test cases and document the results here. (might be a day or so)

Re: Multi-Tenancy Granularity

Posted: Tue Jul 16, 2013 1:05 pm
by abrist
No problem. I just did a test in 2012r2.2 and I could add contacts to service objects. After which, the associated user could see the service in "service details" but could not pull up the host details.

Re: Multi-Tenancy Granularity

Posted: Wed Jul 17, 2013 4:47 pm
by jwelch
Yes, I was able to duplicate that behavior.

However, try this case:

A host with several services and two contact groups (A,B).
Contact group A is assigned to the host and all services.
Contact group B is not assigned to the host or any of the services.
(Checking for visibility in 'Operations Center' and 'Service Details'...both show the same behavior)

Logging in to XI as a user in Contact Group A, I can see the host and all services.
Logging in to XI as a user in Contact Group B, I cannot see the host or any of its services.
Add Contact Group B to one of the services and save the config.
I can see that service, but not the host or the other services. (correct behavior)
Add Contact Group B to the host and save the config.
Now I can see the host and ALL services, even though Contact Group B is not assigned to
the other services.
Remove Contact Group B from the single service it was assigned to. No effect.
Remove Contact Group B from the host. Now I can't see the host or any services.
Add Contact Group B to the host. Now I can see the host and all services.

So it *appears* that the services inherit the contact groups from the host (or there's a malformed SQL query).

Re: Multi-Tenancy Granularity

Posted: Thu Jul 18, 2013 11:15 am
by lmiltchev
This is the default behavior. Please, read the "Implied Inheritance" section in the official Nagios Core documentation here:

http://nagios.sourceforge.net/docs/3_0/ ... tance.html

Re: Multi-Tenancy Granularity

Posted: Thu Jul 18, 2013 11:52 am
by jwelch
Read it....didn't help that much as it was so general that I couldn't tell whether or not services should inherit contacts/contactgroups
from hosts...(I'm not sure what service variables are inherited from hosts and where the linkage exists).

In any case, I did find some google hits that indicated that if the service had a contact group defined, that the host contact
groups should not be inherited (local definition should not be overridden).
Note that in my example, I had a local contact group defined for the services, but adding a 2nd contact group to the host
caused the services to inherit both contact groups.

see Nagios Tracker issue: 0000314

That issue concerned contacts vs contactgroups and host -> service inheritance, but it did contain the following statement:

"According to the docs, contacts should only be inherited from host to
service if the service has no other contacts what so ever..."

Re: Multi-Tenancy Granularity

Posted: Thu Jul 18, 2013 1:26 pm
by scottwilkerson
If you look at the service in the CCM where you added the contact group, do you have the + radio box selected? This would be additive inheritance, meaning it would get the contact group from the host based on the Implied inheritance, as well as any defined in templates, as well as those defined in the service definition itself.

> Implied Inheritance
>
> Normally you have to either explicitly specify the value of a required variable in an object definition or inherit it from a template. There are a few exceptions to this rule, where Nagios will assume that you want to use a value that instead comes from a related object. For example, the values of some service variables will be copied from the host the service is associated with if you don't otherwise specify them.
>
> The following table lists the object variables that will be implicitly inherited from related objects if you don't explicitly specify their value in your object definition or inherit them from a template.
>
> Object Type | Object Variable | Implied Source
> Services | contact_groups | contact_groups in the associated host definition
>
> Cancelling Inheritance of String Values
>
> In some cases you may not want your host, service, or contact definitions to inherit values of string variables from the templates they reference. If this is the case, you can specify "null" as the value of the variable that you do not want to inherit.
>
> Additive Inheritance of String Values
>
> Nagios gives preference to local variables instead of values inherited from templates. In most cases local variable values override those that are defined in templates. In some cases it makes sense to allow Nagios to use the values of inherited and local variables together.
>
> This "additive inheritance" can be accomplished by prepending the local variable value with a plus sign (+). This feature is only available for standard (non-custom) variables that contain string values.

Re: Multi-Tenancy Granularity

Posted: Thu Jul 18, 2013 1:35 pm
by scottwilkerson
Looking back at your previous post
> Yes, I was able to duplicate that behavior.
>
> However, try this case:
>
> A host with several services and two contact groups (A,B).
> Contact group A is assigned to the host and all services.
> Contact group B is not assigned to the host or any of the services.
> (Checking for visibility in 'Operations Center' and 'Service Details'...both show the same behavior)
>
> Logging in to XI as a user in Contact Group A, I can see the host and all services.
> Logging in to XI as a user in Contact Group B, I cannot see the host or any of its services.
> Add Contact Group B to one of the services and save the config.
> I can see that service, but not the host or the other services. (correct behavior)
> Add Contact Group B to the host and save the config.
> Now I can see the host and ALL services, even though Contact Group B is not assigned to
> the other services.
> Remove Contact Group B from the single service it was assigned to. No effect.
> Remove Contact Group B from the host. Now I can't see the host or any services.
> Add Contact Group B to the host. Now I can see the host and all services.
>
> So it *appears* that the services inherit the contact groups from the host (or there's a malformed SQL query).

This all looks like expected behavior. If you have a contact or contact group applied to a host, they can see the host and ALL the services. If the contact doesn't have rights on the host it will only see services that are explicitly defined.
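
Added example (not part of the original thread, and not Nagios or Nagios XI code): a small Python audit that applies the two rules stated in this thread, implied inheritance of contact_groups when a service defines none, and host contacts seeing every service on the host, to list groups that can see a service they are not listed on. It assumes flat definitions only: templates (use), individual contacts directives and comma-separated host lists are not resolved, and the sample config with its host and service names is constructed.

```python
import re

# Constructed sample mirroring the thread's test case; host/service names are made up.
SAMPLE = """
define host {
    host_name            web01
    contact_groups       A,B
}
define service {
    host_name            web01
    service_description  CPU
    contact_groups       A
}
define service {
    host_name            web01
    service_description  HTTP
    contact_groups       A,B
}
define service {
    host_name            web01
    service_description  Disk
}
"""

def parse_objects(text):
    """Return [(object_type, {directive: value})] for each 'define <type> { ... }' block."""
    directive = re.compile(r"^[ \t]*(\w+)[ \t]+([^;\n]*[^;\s])", re.M)  # skips # and ; comments
    return [(kind, dict(directive.findall(body)))
            for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S)]

def groups(value):
    """Split a contact_groups value into a set; missing or 'null' yields an empty set."""
    items = (value or "").lstrip("+").split(",")
    return {g.strip() for g in items if g.strip() and g.strip().lower() != "null"}

def audit(text):
    """Return (host, service, group, reason) where a group sees a service it is not listed on."""
    objs = parse_objects(text)
    hosts = {a["host_name"]: groups(a.get("contact_groups"))
             for kind, a in objs if kind == "host" and "host_name" in a}
    findings = []
    for a in (a for kind, a in objs if kind == "service" and a.get("host_name") in hosts):
        local = a.get("contact_groups")  # None when the service defines no contact_groups
        reason = "host contact" if local else "implied inheritance"
        for g in sorted(hosts[a["host_name"]] - groups(local)):
            findings.append((a["host_name"], a.get("service_description"), g, reason))
    return findings
```

An empty result from audit() means every group on a host is also listed on each of that host's services; any row is a group whose view is wider than the service-level assignment suggests.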

Re: Multi-Tenancy Granularity

Posted: Thu Jul 18, 2013 2:18 pm
by jwelch
No, all the services have the (I assume) default 'Standard' selection. I checked the documentation pull down and don't see anything related to the ContactGroup options so I can't say for sure what they should do other than what you just posted.

Are you saying that by default nagios adds host contacts/contactgroups to services even if you have local settings? (which I do in this case)

I checked the config file in /usr/local/nagios/etc/services
There are no '+' signs prepended to the contact groups entry. (no individual contacts used for either host or services)

Host: contact_groups NOC,Admin

Service: contact_groups Admin


The services in question only use the generic-service template:

define service {
    name                          generic-service
    is_volatile                   0
    max_check_attempts            5
    check_interval                5
    retry_interval                1
    active_checks_enabled         1
    passive_checks_enabled        1
    check_period                  24x7
    parallelize_check             1
    obsess_over_service           1
    check_freshness               0
    event_handler_enabled         1
    flap_detection_enabled        1
    process_perf_data             1
    retain_status_information     1
    retain_nonstatus_information  1
    notification_interval         240
    first_notification_delay      30
    notification_period           24x7
    notification_options          w,c,r,
    notifications_enabled         1
    icon_image                    unknown.png
    failure_prediction_enabled    1
    register                      0
}

The host uses the xiwizard_genericnetdevice_host template, which uses the xiwizard_generic_service

define service {
    name                          xiwizard_generic_service
    check_command                 check_xi_service_none!!!!!!!!
    is_volatile                   0
    max_check_attempts            5
    check_interval                5
    retry_interval                1
    active_checks_enabled         1
    passive_checks_enabled        1
    check_period                  xi_timeperiod_24x7
    parallelize_check             1
    obsess_over_service           1
    check_freshness               0
    event_handler_enabled         1
    flap_detection_enabled        1
    process_perf_data             1
    retain_status_information     1
    retain_nonstatus_information  1
    notification_interval         240
    first_notification_delay      30
    notification_period           xi_timeperiod_24x7
    notification_options          w,c,r,
    notifications_enabled         1
    failure_prediction_enabled    1
    register                      0
}