Page 1 of 2
Multi-Tenancy -- User view all services
Posted: Thu Nov 26, 2015 8:41 am
by ayoubitou
Hi,
I have installed Nagios XI and add 6 hosts and 8 services. I also create a user account "user1" and then put it to the hostgroup "CUD".
All hosts are in a host group, Services are associated to the Host group. The contact group of the host is "CUD". There are not a contact group or contact user for services. So normally the user should have a view of hosts but not Services. I have already read the "Multi-Tenancy guide" and i do not understand why services are visible to the user while he is not in their alert contact.
Thanks,
Re: Multi-Tenancy -- User view all services
Posted: Sun Nov 29, 2015 10:59 pm
by Box293
This is what is called object inheritance.
https://assets.nagios.com/downloads/nag ... tance.html
Refer to the Implied Inheritance section.
Re: Multi-Tenancy -- User view all services
Posted: Mon Jan 04, 2016 7:46 am
by ayoubitou
Hi
I have placed "CUD" in localhost contact group and then admins in contact group of PING service. The issue is that users of "CUD" still seeing PING service. So my PING service inherit contact group from the host even if i specified another contact group to the service. How can i resolve this ?
Re: Multi-Tenancy -- User view all services
Posted: Mon Jan 04, 2016 4:39 pm
by rkennedy
Can you post your host / service definitions for us to review?
Re: Multi-Tenancy -- User view all services
Posted: Mon Jan 04, 2016 5:01 pm
by ayoubitou
Service definition for localhost :
Code: Select all
define service {
host_name localhost
service_description HTTP
use local-service
check_command check_http
register 1
}
define service {
host_name localhost
service_description PING
use local-service
check_command check_ping!100.0,20%!500.0,60%!!!!!!
contact_groups admins
register 1
}
Host definition :
Code: Select all
define host {
host_name localhost
use linux-server
alias localhost
address 127.0.0.1
contact_groups CUD
notes 50.6439101, 3.1359789
register 1
}
I don't want that users of CUD seen PING Service per example. Is it possible ?
Re: Multi-Tenancy -- User view all services
Posted: Mon Jan 04, 2016 5:56 pm
by lmiltchev
When a contact is added to a host, he/she will be able to view all of the services on this host. It is the "default" (expected) behavior.
Try removing the "CUD" contactgroup from the "localhost" host, and add it to all of the "localhost" services but "PING".
Re: Multi-Tenancy -- User view all services
Posted: Mon Jan 04, 2016 6:09 pm
by ayoubitou
It works this way. But the user will have only a service view . I want him to have a view of the host and services that I choose.
This is the documentation of Object Inheritance :
Normally you have to either explicitly specify the value of a required variable in an object definition or inherit it from a template. There are a few exceptions to this rule, where Nagios will assume that you want to use a value that instead comes from a related object. For example, the values of some service variables will be copied from the host the service is associated with if you don't otherwise specify them.
If I understand well. In my case, I have specified a different contact group for the PING service. So he musn't inherit contact group from host. Is it correct ?
Re: Multi-Tenancy -- User view all services
Posted: Tue Jan 05, 2016 4:25 pm
by ssax
If you want the user to be able to see the host then that automatically gives them access to view the hosts, you are unable to limited the services they can access if they are added to the host.
The only way to limit which services they can see is to not add them to the host and only assign them to the services.
Re: Multi-Tenancy -- User view all services
Posted: Wed Jan 13, 2016 6:29 am
by ayoubitou
I'm still searching for the solution.
I found this :
http://permalink.gmane.org/gmane.networ ... eckmk/2284
Can I override a service contactgroups ?
Re: Multi-Tenancy -- User view all services
Posted: Wed Jan 13, 2016 6:16 pm
by tmcdonald
Unless I am misunderstanding your question, I don't believe you can override a contactgroup on a service except by changing the definition on the service itself.