Hello,
Recently I set up Nagios XI to allow for separate logins and views simulating two of our customers. This way customer1 can log in and cannot see customer2, etc. This works just fine in Nagios XI. I simply browse to http:172.16.130.77 and all appears to work as expected. We were excited to know we can now set up individual logins to display private customer stats and views.
Unfortunately I recently found that, if logged in as customer1, if I append (nagios) to the Nagios XI link, http://172.16.130.77/nagios, I can see the old familiar Nagios screen, but I can also see everything in Nagios. This seems to defeat the whole reason for having separate logins.
Is there a recommended fix to prevent customers from seeing each others data?
Thanks!
Multi-Tenancy
Re: Multi-Tenancy
Hello,
I duplicated this locally and found out why. Firefox is caching the information, as when I cleared it, it worked as intended. I can see how this would definitely raise an eyebrow though!
Re: Multi-Tenancy
Here's the root cause of the problem...
Nagios Core (accessed at http://localhost/nagios) uses HTTP Basic authentication, while Nagios XI uses session-based authentication.
In Nagios XI you can logout of one account and login to another. XI will only show the hosts/services that the currently logged in user should see.
However, if a user logs into Nagios Core using HTTP Basic authentication, there is no way to clear the credentials that get cached by the client's web browser. They have to close their web browser to completely "logout" of Nagios Core (e.g. destroy the cached credentials). This is a limitation of Nagios Core.
You could potentially prevent people from accessing Nagios Core directly by modifying the /etc/httpd/conf.d/nagios.conf file and uncommenting the "Order", "Deny", and "Allow" statements. If you do this, make sure you have an "Allow from 127.0.0.1" statement, or Nagios XI won't be able to access Core.
Hope that helps.
Ethan Galstad
President
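The change described in the reply above, shown as an added example rather than the forum's own configuration: the stock stanza in /etc/httpd/conf.d/nagios.conf that answers to everyone with valid Basic-auth credentials, followed by the same stanza restricted to localhost so that only Nagios XI (on the same box) can reach Core. The paths /usr/local/nagios/sbin and /usr/local/nagios/share are the Nagios Core defaults and are assumed here; the Apache 2.4 "Require" lines are an added equivalent for newer httpd versions.

```apache
# --- Before: any client that can authenticate sees all of Nagios Core ---
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   Order allow,deny
   Allow from all
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>

# --- After: deny everything, then allow only the loopback address ---
# Nagios XI talks to Core over 127.0.0.1, so XI keeps working while
# customers who type /nagios into the browser get 403 Forbidden.
# Apply the same block to the /nagios alias (the share directory).
ScriptAlias /nagios/cgi-bin "/usr/local/nagios/sbin"
<Directory "/usr/local/nagios/sbin">
   Options ExecCGI
   AllowOverride None
   # Apache 2.2 syntax (what the reply refers to):
   Order deny,allow
   Deny from all
   Allow from 127.0.0.1
   # Apache 2.4 equivalent (assumed; use instead of the three lines above):
   # Require ip 127.0.0.1
   AuthName "Nagios Access"
   AuthType Basic
   AuthUserFile /usr/local/nagios/etc/htpasswd.users
   Require valid-user
</Directory>
```

After editing, run `apachectl configtest` and restart httpd, then confirm from a customer workstation that http://172.16.130.77/nagios/ returns 403 while the XI interface still loads host and service data.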
tdenham735 (Posts: 3, Joined: Tue Feb 01, 2011 12:54 pm)
Re: Multi-Tenancy
Interesting about the caching...
I'll give the "Order", "Deny", and "Allow" statements a try and see what happens.
Thanks!
Re: Multi-Tenancy
Feel free to contact us if you have any issues with this or any questions.
Thanks!