Hello,
For the past few months, we have been working on migrating off of Nagios Core to Nagios XI. I have been able to successfully complete the migration, with one exception.
I cannot seem to limit users' ability to view and receive alert notifications to specific hosts and/or service checks. No matter what I try, every user in Nagios XI is able to view the host and service check status for every single host and service configured in Nagios. Additionally, every user is receiving alert notifications for everything.
I have tried following the "Multi-Tenancy" documentation to configure these limitations properly, but so far I can't seem to get it working. Under the "Core Configuration Manager" area inside the Nagios XI web interface, I have created multiple "Contact Groups" to assign the users to (i.e. windows-admin, linux-admins, db-admins). After these groups were created, I added each of the corresponding users to their defined groups. I then used the "Bulk Modifications Tool" to assign each of the groups to their corresponding hosts and services that they should be allowed to use and receive alerts from.
However, whenever I "masquerade" as a user or log in as one of the test users I have set up, I am still able to see every single host and service configured in Nagios XI. I have also confirmed that users are getting notifications for hosts and services that they are not configured as a contact for. For example, Windows Admins are receiving alerts from Linux systems from Nagios.
I am not sure what additional information you may need, but we have Nagios XI running on a Red Hat 8 server. Our initial deployment was Nagios XI version 5.11.1, but I just recently upgraded to the latest version of 2024R1.0.1.
Any help is greatly appreciated, as I am constantly getting chewed out by the various admin teams for receiving alert spam for systems that they don't need alerts from.
Thanks,
John
Can't seem to limit users to specific hosts or services
- jmichaelson
- Posts: 117
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Can't seem to limit users to specific hosts or services
Hi John, my first inclination is that on the user account page under admin, these users have the "Can see all hosts and services" check box checked.
I'm going to guess that you've looked at these docs, but I'm going to post them here for reference.
https://assets.nagios.com/downloads/nag ... Rights.pdf
https://assets.nagios.com/downloads/nag ... gement.php
Let us know if this helps or if you have further problems.
Please let us know if you have any other questions or concerns.
-Jason
Re: Can't seem to limit users to specific hosts or services
Hello jmichaelson,
I had thought about that as well, but I confirmed that the "Can see all hosts and services" check is not currently checked for each of the users.
I will note though that when I initially created each of the users, I did have that box checked, as I initially misunderstood its purpose.
For example, on one of the Windows Admin user accounts, I have them configured as a "User" and none of the checkboxes below that dropdown are checked (as a test to see if I could limit their access).
Thanks,
John
-
- Posts: 97
- Joined: Wed Aug 23, 2023 11:29 am
Re: Can't seem to limit users to specific hosts or services
Hi @jcgrayjr,
I would suggest ensuring that the changes you apply via bulk modifications are actually reflected in XI. Go to the CCM, edit a host/service, and verify the correct contact groups are configured. If xi_contactgroup_all is selected, every user will be able to see the host/service and receive notifs. Additionally, verify that a host/service for which a particular "User" user is not within the contact list (and contact group list) cannot be seen by said user.
Please let us know what you find. For additional context in the meantime, this is how permissions work in XI.
Thank you!
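The check suggested in the reply above can also be run over exported object definitions. The following is an added example, not code from the thread or from Nagios: it parses Nagios object-definition syntax, resolves each host's and service's contacts through its contact groups, and flags any object that uses xi_contactgroup_all. The sample config, the function names (`parse`, `names`, `audit`), one `host_name` per service, and the rule that a service with no contacts of its own uses its host's contacts are assumptions of this example.

```python
import re
# Constructed sample in Nagios object-definition syntax (not from the thread's server).
SAMPLE = """
define contactgroup {
    contactgroup_name  windows-admins
    members            bill
}
define contactgroup {
    contactgroup_name  xi_contactgroup_all
    members            bill,joe
}
define host {
    host_name       win01
    contact_groups  windows-admins
}
define host {
    host_name       lnx01
    contact_groups  xi_contactgroup_all
}
define service {
    host_name            win01
    service_description  CPU
}
"""

def parse(text):
    # One (object_type, {directive: value}) pair per "define" block.
    blocks = re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S)
    return [(kind, dict(l.strip().split(None, 1) for l in body.splitlines() if l.strip()))
            for kind, body in blocks]

def names(value):
    return {n.strip() for n in (value or "").split(",") if n.strip()}

def audit(text):
    # Returns {object: (sorted effective contacts, uses xi_contactgroup_all?)}.
    objs = parse(text)
    members = {o["contactgroup_name"]: names(o.get("members")) for k, o in objs if k == "contactgroup"}
    hosts = {o["host_name"]: o for k, o in objs if k == "host"}
    report = {}
    for kind, o in [p for p in objs if p[0] in ("host", "service")]:
        # Assumption: a service with no contacts/contact_groups uses its host's.
        own = {"contacts", "contact_groups"} & o.keys()
        src = o if kind == "host" or own else hosts[o["host_name"]]
        groups = names(src.get("contact_groups"))
        users = names(src.get("contacts")).union(*(members.get(g, set()) for g in groups))
        key = o["host_name"] + ("/" + o["service_description"] if kind == "service" else "")
        report[key] = (sorted(users), "xi_contactgroup_all" in groups)
    return report
```

Any object whose second tuple element is `True`, or whose contact list contains a user from another team, is one to open in the CCM and correct.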
Re: Can't seem to limit users to specific hosts or services
I do have a quick question:
Does adding a contact or contact group to a host, also add the contact to each of the individual service checks on the host or would I also have to add them to each of them individually?
I know when adding a contact or contact group on the host, they do not appear on notifications configuration for each of the individual service check configurations. But, as a test to try to get this to work, I removed every single contact and contact group from all of the hosts and service check configs. I then added my test account to only a single host, but not any of its individually defined service checks. The test account immediately started receiving alerts for the individual service checks on that host.
Thanks,
John
Re: Can't seem to limit users to specific hosts or services
So, it looks like I got it to work. I was able to limit my test user and another normal user to specific hosts and service checks.
However, to get it to work, I had to add each user individually to each host or service check. If I added them to a contact group and then added the contact group to specific hosts and service checks, they were able to see every host and service check in Nagios XI.
Additionally, if I added the single contact user to hosts and service checks using the "Bulk Modifications Tool", the changes would not take effect for the users until I restarted the Nagios services on the Red Hat Linux server.
I did some testing and so far, it seems to be working after these changes.
Thanks,
John
Re: Can't seem to limit users to specific hosts or services
There is the ability to do this with inheritance options. Do you recall what you had set the inheritance options to when running the bulk mod tool? This does sound strange though if your services have no contacts, however they are still getting notified.
Re: Can't seem to limit users to specific hosts or services
That may be it. I had not paid attention to the inheritance setting when doing the bulk mod tool. I left it at its default, which looks like the default is set to "standard".
Re: Can't seem to limit users to specific hosts or services
So, I have done some extensive testing on this over the past few days and it looks like something in Nagios XI is messed up with our contact groups, or at least with using them for limiting users to which host and service checks they can view and get alerts from.
This is what I have found so far:
Say I am working with the following two users:
Bill - Windows Admin (not an admin in Nagios XI)
Joe - Linux Admin (not an admin in Nagios XI)
If I remove all contacts and contact groups from all of our hosts and service checks, I can verify that Bill and Joe cannot see any hosts or service checks in the Nagios XI web console by masquerading as them. I then create a "windows-admins" contact group and assign Bill to it, followed by creating a "linux-admins" contact group and assign Joe to it.
I then go and manually assign the "windows-admins" contact group to one or more Windows hosts in the Core Config Manager. I then masquerade as Bill to verify that he can now see the hosts and service checks for the hosts that the contact group was assigned to, which is working as intended.
However, I then go back and masquerade as Joe, who is in the "linux-admins" contact group and neither Joe, nor his contact group, have been assigned to anything in Nagios XI yet. Joe can also see all of the Windows host and service checks that the "windows-admins" contact group has been assigned to, even though he shouldn't be able to.
So, I then go back and manually add the "linux-admins" contact group to one or more of the Linux hosts, and verify that Joe can see these newly assigned Linux hosts and service checks, which he now can in addition to the Windows ones I mentioned earlier. Unfortunately, checking out Bill's views again, Bill can also see both the Windows and Linux hosts and their service checks.
If I remove the contact groups from the hosts and service checks again, back to where no one is assigned to anything, and then go back and manually add Bill as a notification contact on the Windows hosts (not through the contact group) and manually add Joe as a notification contact on the Linux hosts (not through the contact group), it works perfectly. Bill can only see his assigned Windows hosts and service checks and Joe can only see his assigned Linux hosts and service checks.
In the test I did, I did not use the Bulk Modification Tool this time. I did everything manually and I can't seem to get limiting users and their alerts using contact groups to work. I have no idea why it is doing this, but for now, I am just setting up everyone's host and service checks assignments individually.
Thanks,
John
- jmichaelson
- Posts: 117
- Joined: Wed Aug 23, 2023 1:02 pm
Re: Can't seem to limit users to specific hosts or services
OK John, that definitely sounds like an issue. I'll open one up internally to have a look at it.
Please let us know if you have any other questions or concerns.
-Jason