
User permission problem with service detail

Posted: Tue Nov 08, 2011 9:57 am
by hhlodge
I am seeing some oddness where a user with these privs is denied access (they get a "not authorized" error) to a service detail for which they are clearly a contact.

Can (re)configure hosts and services
Can control all hosts and services
Can access advanced features

define service {
host_name PSMPR1A01
service_description TaskEng process
use xiwizard_windowswmi_service
servicegroups CCP
check_command check_xi_service_wmiplus_ccp!checkprocess!-a taskeng.exe -c 3:10!!!!!!
max_check_attempts 5
check_interval 5
retry_interval 1
notification_interval 60
first_notification_delay 0
notification_options w,u,r,c,f,s
notifications_enabled 1
contact_groups is,it-admins
register 1
}

Services on the same host configured with the same contact_group "is" can be accessed fine. Where/how could I troubleshoot this?

Also, for some hosts, it seems a user must also be a contact for a host if they are to have access to service details for that host, but I've yet to prove this out consistently. Does that seem right? It doesn't to me.

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 10:40 am
by hhlodge
I just deleted the service and re-imported it with "override database" checked and it still denies access. Odd.

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 10:45 am
by mguthrie
The following gives the most complete explanation for how the notification logic works; take a look at this first and see if the answer is in there.
http://nagios.sourceforge.net/docs/3_0/ ... tions.html

There are also a few exceptions to the normal rules of notification logic:

Taken from the following page: http://nagios.sourceforge.net/docs/3_0/ ... tance.html
Implied Inheritance

Normally you have to either explicitly specify the value of a required variable in an object definition or inherit it from a template. There are a few exceptions to this rule, where Nagios will assume that you want to use a value that instead comes from a related object. For example, the values of some service variables will be copied from the host the service is associated with if you don't otherwise specify them.

The following table lists the object variables that will be implicitly inherited from related objects if you don't explicitly specify their value in your object definition or inherit them from a template.

| Object Type | Object Variable | Implied Source |
|---|---|---|
| Services | contact_groups | contact_groups in the associated host definition |
| Services | notification_interval | notification_interval in the associated host definition |
| Services | notification_period | notification_period in the associated host definition |
| Host Escalations | contact_groups | contact_groups in the associated host definition |
| Host Escalations | notification_interval | notification_interval in the associated host definition |
| Host Escalations | escalation_period | notification_period in the associated host definition |
| Service Escalations | contact_groups | contact_groups in the associated service definition |
| Service Escalations | notification_interval | notification_interval in the associated service definition |
| Service Escalations | escalation_period | notification_period in the associated service definition |

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 10:49 am
by hhlodge
I understand all that, but all other services for that host have the exact same contact group definition and access is allowed; that's the troubling part.

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 10:57 am
by mguthrie
Let me do the quick summary on how it's "supposed" to work, and let me know how yours is differing, and we'll try and troubleshoot it from there.

Contacts, contactgroup members, and escalated contacts can see all service details if they are assigned as host contacts.

If a contact (of some sort) is assigned only at the service level and not for the host, that contact will be able to view the service status, but not the host status.

These settings can also be overridden with the global settings for a particular user, like "Can see all hosts and services".
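
The visibility rules summarized in this post, combined with the implied inheritance of contact_groups quoted earlier in the thread, as an added example that is not part of the original posts or of Nagios itself: it computes which hosts and services a contact group should be able to view, so the result can be compared with what the interface actually allows. Assumptions: the sample config is constructed (DEMOHOST is hypothetical), and templates (`use`), the `contacts` directive and per-user global settings are not modeled.

```python
import re
# Constructed sample modeled on this thread's config; DEMOHOST is hypothetical.
SAMPLE = """
define host {
    host_name       PSMPR1A01
    contact_groups  is,it-admins
}
define service {
    host_name            PSMPR1A01
    service_description  IIS Web Server
    contact_groups       it-admins
}
define service {
    host_name            PSMPR1A01
    service_description  Eventlog - System
}
define host {
    host_name       DEMOHOST
    contact_groups  it-admins
}
define service {
    host_name            DEMOHOST
    service_description  Ping
    contact_groups       is
}
"""

def parse_objects(text):
    """Yield (type, {directive: value}) per 'define <type> { ... }' block."""
    for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S):
        pairs = (ln.split(None, 1) for ln in body.splitlines() if ln.strip())
        yield kind, {p[0]: p[1].strip() if len(p) > 1 else "" for p in pairs}

def groups(attrs):
    """Return the set of contact group names listed in an object's attributes."""
    return {g.strip() for g in attrs.get("contact_groups", "").split(",") if g.strip()}

def visibility(text, group):
    """Map 'host' and 'host/service' to whether members of `group` may view it."""
    objs = list(parse_objects(text))
    host_cg = {a["host_name"]: groups(a) for k, a in objs if k == "host"}
    view = {h: group in cg for h, cg in host_cg.items()}
    for a in (a for k, a in objs if k == "service"):
        on_host = host_cg.get(a["host_name"], set())
        # Implied inheritance: a service without contact_groups takes the host's.
        on_svc = groups(a) if "contact_groups" in a else on_host
        # Host contacts see every service; service-only contacts see just theirs.
        view[a["host_name"] + "/" + a["service_description"]] = group in on_svc or group in on_host
    return view
```

A mismatch between this expected map and what a user can open in the interface points at the synced object data rather than at the config files.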

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 11:06 am
by hhlodge
The host and all services have the contact group "is" explicitly defined. They can view all but the one service, TaskEng process, at the end of the config. That is-service template was just put in place to try to resolve it, but did not.

Code:

# cat /usr/local/nagios/etc/hosts/PSMPR1A01.cfg /usr/local/nagios/etc/services/PSMPR1A01.cfg
###############################################################################
#
# Host configuration file
#
# Created by: Nagios QL Version 3.0.3
# Date:       2011-11-08 10:55:14
# Version:    Nagios 3.x config file
#
# --- DO NOT EDIT THIS FILE BY HAND ---
# Nagios QL will overwite all manual settings during the next update
#
###############################################################################

define host {
        host_name                       PSMPR1A01
        use                             xiwizard_windowswmi_host
        alias                           CCP Application Server
        address                         192.168.251.36
        parents                         ccp-netscreen
        hostgroups                      windows-servers
        max_check_attempts              3
        check_interval                  5
        retry_interval                  1
        contact_groups                  is,it-admins
        notification_interval           120
        icon_image                      windowsxp.png
        statusmap_image                 win_server.png
        _xiwizard                       windowswmi
        register                        1
        }

###############################################################################
#
# Host configuration file
#
# END OF FILE
#
###############################################################################
###############################################################################
#
# Service configuration file
#
# Created by: Nagios QL Version 3.0.3
# Date:       2011-11-08 10:55:18
# Version:    Nagios 3.x config file
#
# --- DO NOT EDIT THIS FILE BY HAND ---
# Nagios QL will overwite all manual settings during the next update
#
###############################################################################

define service {
        host_name                       PSMPR1A01
        service_description             CPU Usage
        use                             xiwizard_windowswmi_service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkcpu!-w 80 -c 90!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           60
        notifications_enabled           0
        contact_groups                  is,it-admins
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Drive C:
        use                             xiwizard_windowswmi_service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkdrivesize!-a C: -w 85 -c 95!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           240
        first_notification_delay        0
        notification_options            w,u,c,r,f,s
        notifications_enabled           1
        contact_groups                  is,it-admins
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Eventlog - Application
        use                             eventlog-to-syslog-service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkeventlog!-a Application -o 1 -3 1 -w 0!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_options            w,c
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Eventlog - System
        use                             eventlog-to-syslog-service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkeventlog!-a System -o 2 -3 1 -w 0!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_options            w,c
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             IIS Web Server
        use                             xiwizard_windowswmi_service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkservice!-a W3SVC!!!!!!
        max_check_attempts              3
        check_interval                  5
        retry_interval                  1
        notification_interval           240
        contact_groups                  it-admins
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Memory Usage
        use                             xiwizard_windowswmi_service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkmem!-a physical -w 80 -c 90!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           60
        notifications_enabled           0
        contact_groups                  is,it-admins
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Page File Usage
        use                             xiwizard_windowswmi_service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkpage!-w 80 -c 90!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           60
        notifications_enabled           0
        contact_groups                  is,it-admins
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             Ping
        use                             xiwizard_windowsserver_ping_service
        servicegroups                   CCP
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           60
        notification_period             24x7
        contacts                        dans
        contact_groups                  is,it-admins
        _xiwizard                       windowswmi
        register                        1
        }

define service {
        host_name                       PSMPR1A01
        service_description             TaskEng process
        use                             is-service
        servicegroups                   CCP
        check_command                   check_xi_service_wmiplus_ccp!checkprocess!-a taskeng.exe -c 3:10!!!!!!
        max_check_attempts              5
        check_interval                  5
        retry_interval                  1
        notification_interval           60
        first_notification_delay        0
        notification_period             24x7
        notification_options            w,u,r,c,f,s
        notifications_enabled           1
        contact_groups                  is,it-admins
        register                        1
        }

###############################################################################
#
# Service configuration file
#
# END OF FILE
#
###############################################################################

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 11:14 am
by mguthrie
The template probably wouldn't resolve it, because any configs defined in the service definition would override the template. However, you're right, the "is" group members should be able to view that service.

Try restarting ndoutils and see if resyncing clears things up.

Code:

service ndo2db restart

If that doesn't work, try accessing the interface with one of those contacts in the Core interface and see if they're able to view the service there. You may need to add an Apache authorization for that user in the htpasswd.users file.

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 11:20 am
by hhlodge
Restart did not help and that user can view the service in core.

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 11:59 am
by hhlodge
I just cloned the service and the user can view the cloned one. So to get over this, I plan to delete the problematic one and rename the clone. Do you want to dig into this more to try and find any potential issue or bug?

Re: User permission problem with service detail

Posted: Tue Nov 08, 2011 12:51 pm
by mguthrie
Well, let's put it this way: if it's a bug, it's the kind that is probably rare and hard to find, since it lies somewhere with ndoutils syncing the new object configuration correctly. So let's try the clone solution for now and see if that works. However, if you see this issue resurface again we'll dig deeper and see if we can pin it down and recreate it.