CCM/Inheritance issue


Post by jsmurphy »

I've hit a bit of a major show stopper with my XI deployment regarding user view/control restriction. Just as a bit of background on what I've configured; we have contact-users that contain email/SMS addressing for the support teams, we then have contacts defined that are AD user accounts to match XI users, the AD accounts are put into dummy-groups that match AD groups (I wrote a script that synchs AD users and groups to Nagios contacts and XI user accounts). The contact-users are placed into a contact-group created for that user... which is then attached to either a service or host template. AD-groups are attached to contact-groups if they are responsible for that support queue.

In picture form: (arrow direction denotes which object has the reference to the other)
contact-user -> contact-group <- AD-group <- AD users
host template -> contact group

So obviously first/second level support teams will receive most low level problems before reaching third level queues and the first level team might be responsible for basic satellite site server and network support. So they will be able to see all that through the contact-group inheritance, what about third level teams though? They only want to know about their devices and adding them to the first level team contact-group will allow them to see and control far beyond what they need to.

To overcome this obstacle I have secondary host-templates that specify subsets of devices that certain groups are likely going to need to see and control... I.e. So our level 3 middleware team can see and control all servers with databases/mainframe/AS400/etc, but they are not a direct contact for windows servers but if they do maintenance on a windows server with a database they may need to set down time. I've used the + flag on the secondary host-templates to ensure that the hostgroups for the view subsets are additive but CCM doesn't appear to be writing that flag. What's even more curious is in the user view they can see some of the devices they've been assigned via this method but not all of them, especially considering the template order in CCM is uniform across all hosts so without the flag you would expect the view groups to have no visibility or full visibility (as one should overwrite the other) not partial visibility.

This stops us from being able to provide adequate device ownership to our support teams which is posing a real problem to us when we want to open it up beyond just infrastructure and have XI manage all of our IT monitoring. We were just about there when we hit this unexpected hurdle.

This is the end of a rather long day so this may or may not have turned out as coherent as I had intended :lol:

Re: CCM/Inheritance issue

Post by jsmurphy »

As a followup I set up a static file and put one of the subset-groups into it and added the + to the hostgroups and it made no difference, so that doesn't seem to be relevant from a what-the-user-sees perspective (though it may still prevent notifications getting to their correct destinations).

Edit: I've spent the better part of today investigating this issue further and discovered that there seems to be some kind of deeper display issues across the board, some hosts appear multiple times as completely separate entities and each entity has a portion of the services. If I search specifically for a single host it displays correctly. Below I've attached screenshots of two hosts in the core interface and in the XI interface that aren't being displayed correctly:
adcnagcore.JPG
adcnagxi.JPG
I don't think this is directly relevant to the original post but it does seem to suggest a much wider spread display problem (using r1.9 on the CentOS 6.0 VM image).

Re: CCM/Inheritance issue

Post by mguthrie »

From what you're describing, I'm guessing this could be one of two possibilities.
#1. ndoutils didn't sync up the new config information, you could try restarting nagios and ndoutils and see if this resolves it.

#2. It's possible there's a bug in the permissions logic somewhere in the ndoutils query. If that's the case, we'll have to see if we can isolate and recreate the issue.

If you come across an example as to how to recreate this, it will probably save us some time if it's a replicable bug.

Re: CCM/Inheritance issue

Post by mguthrie »

Ok, so I did some digging on this, and here's what I found. Let me know if you're seeing other issues.

- With Nagios Core, and the "Unified" Hostgroups pages in XI, hostgroups are only visible for a contact if they are authorized for *all* hosts in that hostgroup.

- With XI's hostgroup pages, hostgroups are visible if the user has *any* authorized hosts in that group, but it will only show authorized hosts.

I discussed this with our senior developer, and he's going to look into changing this logic for Core, since we both felt the more "expected" behavior would be to see the group if it has *any* members.

Re: CCM/Inheritance issue

Post by jsmurphy »

Unfortunately not quite the problem we are seeing... The best test case we have at the moment is for our network gear in store locations, first level is the direct contact but third level networks should have full visibility of all the equipment. They all have the same single hostgroup and templates (the base template and the secondary view-template). The first level team can see everything as expected... the third level team can only see about half of the devices in that hostgroup and they are definitely a member for all of them, I went and double checked several of the ones that aren't appearing.

To replicate this issue shouldn't be too hard, this is the exact setup in play for the scenario described above:
Create about 2000 hosts that all belong to the same hostgroup (defined on the host) with 2 passive services attached to the hostgroup.
Those hosts should have two templates defined (defined on the host) one should contain all the regular notification and scheduling stuff including a single contact group, the second should have just a contact group with the + flag set.

Re: CCM/Inheritance issue

Post by mguthrie »

So just to make sure I understand the issue clearly:

- These third level contacts can view their hosts individually, but they're not showing up in the hostgroups correctly?

Can you compare the hostgroup views in Nagios XI, with the "unified" and non-unified hostgroup dashlets, and let me know if *both* views are returning incorrect information, or if it's just one of the views. Is it the unified view, or the dashlet view that's returning incorrect results?

Re: CCM/Inheritance issue

Post by jsmurphy »

No, no, they aren't showing up individually or in the hostgroup... they aren't showing up anywhere for that user at all. It's failing in a very consistent way across all pages and if another user from that same group logs in they are unable to see the exact same devices.

Re: CCM/Inheritance issue

Post by mguthrie »

OH, ok. Different issue then. Ok, I'll do some testing on this and see if I can recreate it.

Just a sidenote. We had a weird issue today with another user where they weren't seeing their authorized hosts. But when another user was created, with the exact same configs and groups assignments, all hosts showed up fine. Oddly it seemed like the issue was specific to the particular username. Does this sound similar to anything you're experiencing?

Re: CCM/Inheritance issue

Post by jsmurphy »

I think I've actually just found the root cause to this issue... I was about to pm you the actual host configs when I noticed this pattern on the hosts:

### NOT WORKING
use fst-main-template,vt-loc-stores-networks

### WORKING
use vt-loc-stores-networks,fst-main-template

Buggered if I know how that happened considering it was scripted, or how I am going to fix it considering there's a couple hundred... but I'm 99% confident this will be the cause of my woes. Everyone can go home now, false alarm, user error ;)

The thing is, I would have assumed that the top one would work properly and the second one wouldn't (as in it makes more logical sense to do the base template first and then apply the +hostgroups on top of it... unless it reads the order backwards?)

Re: CCM/Inheritance issue

Post by mguthrie »

Yeah this gets into the tricky rules with object inheritance, I think that matches the examples described at the bottom of this doc.
http://nagios.sourceforge.net/docs/3_0/ ... tance.html
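
The ordering effect found in this thread, as an added example (not part of any post and not Nagios code): a simplified model of how `use` sources combine, assuming the first listed template takes precedence and a later one is merged in only while the value held so far begins with `+`. The template names are from the thread; the contact group and host names are invented.

```python
import re

# Constructed sample: template names are from the thread; contact group and
# host names are invented. Real templates would also carry "register 0".
SAMPLE_CFG = """
define host {
    name            fst-main-template
    contact_groups  cg-first-level
}
define host {
    name            vt-loc-stores-networks
    contact_groups  +cg-l3-networks
}
define host {
    host_name       store-sw-001
    use             fst-main-template,vt-loc-stores-networks
}
define host {
    host_name       store-sw-002
    use             vt-loc-stores-networks,fst-main-template
}
"""

def parse_hosts(text):
    """Parse 'define host { ... }' blocks into dicts of directive -> value."""
    objs = []
    for body in re.findall(r"define\s+host\s*\{(.*?)\}", text, re.S):
        pairs = (l.split(";")[0].split(None, 1) for l in body.splitlines())
        objs.append({p[0]: p[1].strip() for p in pairs if len(p) == 2})
    return objs

def effective(obj, tmpl, key="contact_groups"):
    """Assumed rule: walk 'use' left to right; the first value found wins,
    and a later source is merged only while that value starts with '+'."""
    value = obj.get(key)
    for name in [n.strip() for n in obj.get("use", "").split(",") if n.strip()]:
        inherited = effective(tmpl[name], tmpl, key)
        if inherited is not None and value is None:
            value = inherited
        elif inherited is not None and value.startswith("+"):
            value = inherited + "," + value[1:]
    return value

def audit(text):
    """Return {host_name: effective contact groups} for every real host."""
    objs = parse_hosts(text)
    tmpl = {o["name"]: o for o in objs if "name" in o}
    return {o["host_name"]: [g for g in (effective(o, tmpl) or "").lstrip("+").split(",") if g]
            for o in objs if "host_name" in o}
```

Running `audit()` over exported host definitions lists which hosts end up without the view template's contact group, which is the set whose `use` order needs swapping.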