Re: [Nagios-devel] Advanced permissions/user properties


As there is still no PHP replacement interface for Nagios, I have
decided to update my advanced permissions patch that I posted last year.
I am currently using it in production with Nagios 2.8.

I have updated the 2.x patch to support Nagios 2.8 and 2.9. I will be
updating the 3.x patch to support 3.0b4 soon.

The current version of the patch can be found at
http://www.fragit.net/nagios.html

I would appreciate any comments or suggestions.

Alex


Alex Burger wrote:
>
> On the Nagios-Users list there is a discussion on the same subject about
> adding advanced permissions to Nagios for hosts and services. Users
> (including myself) were looking for a way to grant users the ability to
> view hosts, but not submit commands and to allow for more complex
> permissions.
>
> It made the most sense to model the permission system with how file
> system permissions are handled. With file system permissions, we would
> assign a group to a folder, and then pick what rights the group would
> have. It made sense to do the same thing with Nagios in the
> contact_groups/contact option for hosts and services:
>
> *Examples:*
>
> define host{
>     host_name       localhost
>     contact_groups  netops:rwxn, helpdesk:r
>     contact         alex:rwxn (Nagios 3)
> }
>
> For backwards compatibility, if no permissions are set, the defaults
> would be rwxn (as defined in cgi.cfg and nagios.cfg) so the following
> would be the same:
>
> define host{
>     host_name       localhost
>     contact_groups  netops, helpdesk:r
>     contact         alex (Nagios 3)
> }
>
> *Permissions:*
>
> r: View in web interface
>
> x: Submit commands for this host/service in web interface
>
> w: Not really needed yet. Maybe some of the other programs that allow
> you to modify the configuration files could use w to allow a user to
> modify the host / service.
>
> n: Notify if contact has a pager or email defined
>
> The addition of these permissions allows for scenarios such as:
>
> -you want users to be able to view all or some hosts and services, but
> not submit commands
> -you want users to be able to view all or some hosts and services, but
> also be able to submit commands for a select few
> -you want users to be able to view all or some hosts and services, but
> only get notifications for only a select few
>
> If permissions are not set on the contact_groups or contact line, then
> the defaults will be used. If there is no default_permissions option in
> cgi.cfg and nagios.cfg, then it will default to full permissions (the
> same checks that Nagios currently performs).
>
> Here is a description of the option for cgi.cfg and nagios.cfg:
>
> # DEFAULT HOST/SERVICE PERMISSIONS
> # This option contains a list of default permissions for hosts and
> # services that will be used when permissions are not explicitly
> # set on a host or service. When not defined, the default is all
> # permissions (rwxn). Note: This option must be set the same in
> # both cgi.cfg and nagios.cfg.
>
> #default_permissions=rwxn
>
> As you can see, the option needs to be in both config files although I
> would prefer to have it only in nagios.cfg. It is needed in nagios.cfg
> for base/notifications.c which has nothing to do with the cgi. If
> someone knows how to combine the two, please let me know.
>
> I also changed how services are displayed. If you are not a contact for
> a service (you do not have the 'r' permission), then the service will
> not be displayed. I prefer to have it this way so I can prevent some
> admins from seeing services such as the service I use to receive SNMP
> traps. The problem with this right now is that even though the user
> only sees the services they have permissions for, as long as the user has
> rx permissions to the host, the user can do an 'Enable notifications for
> all services on this host' which will do ALL services.
>
> If this patch is accepted, then we will have to add permission checks to
> the commands that proce

...[email truncated]...


This post was automatically imported from historical nagios-devel mailing list archives
Original poster: [email protected]
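
An added example, not part of the original post and not code from Alex's patch: one way a contact_groups value carrying the proposed :rwxn suffixes could be resolved to a permission mask in C, falling back to the default_permissions string when an entry has no suffix. The function names, the bitmask layout and the decision to reject unknown permission letters are assumptions of this example.

```c
#include <ctype.h>
#include <string.h>

/* One bit per permission letter described in the post. */
enum { PERM_R = 1, PERM_W = 2, PERM_X = 4, PERM_N = 8 };

/* "rx" -> bitmask. Returns -1 on an empty string or unknown letter (an
 * assumption of this example: fail closed rather than ignore a typo). */
static int parse_perms(const char *s) {
    int mask = 0;
    for (; *s; s++) {
        switch (*s) {
        case 'r': mask |= PERM_R; break;
        case 'w': mask |= PERM_W; break;
        case 'x': mask |= PERM_X; break;
        case 'n': mask |= PERM_N; break;
        default:  return -1;
        }
    }
    return mask ? mask : -1;
}

/* Look up `group` in a value such as "netops:rwxn, helpdesk:r". Returns the
 * entry's mask, the mask of `defaults` when the entry has no ":perms" suffix,
 * 0 when the group is not listed, and -1 for a malformed entry. */
int group_perms(const char *value, const char *group, const char *defaults) {
    const char *p = value;
    while (*p) {
        char entry[128], *name, *end, *colon;
        size_t len = strcspn(p, ",");
        if (len >= sizeof entry) return -1;
        memcpy(entry, p, len);
        entry[len] = '\0';
        p += len + (p[len] == ',');          /* step past the separator */
        for (name = entry; isspace((unsigned char)*name); name++) {}
        end = name + strlen(name);
        while (end > name && isspace((unsigned char)end[-1])) *--end = '\0';
        if ((colon = strchr(name, ':')) != NULL) *colon = '\0';
        if (strcmp(name, group) == 0)
            return parse_perms(colon ? colon + 1 : defaults);
    }
    return 0;
}

/* Command gate: submitting a command needs the x bit; errors deny. */
int may_submit_command(const char *value, const char *group, const char *defaults) {
    int mask = group_perms(value, group, defaults);
    return mask > 0 && (mask & PERM_X) != 0;
}
```

With the two host definitions from the quoted message, helpdesk resolves to view-only in both, while netops gets rwxn either explicitly or through the default.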