Advanced permissions/user properties
Alex Burger
alex_b at users.sourceforge.net
Fri Sep 28 16:09:16 CEST 2007
As there is still no PHP replacement interface for Nagios, I have
decided to update my advanced permissions patch that I posted last year.
I am currently using it in production with Nagios 2.8.
I have updated the 2.x patch to support Nagios 2.8 and 2.9. I will be
updating the 3.x patch to support 3.0b4 soon.
The current version of the patch can be found at
http://www.fragit.net/nagios.html
I would appreciate any comments or suggestions.
Alex
Alex Burger wrote:
>
> On the Nagios-Users list there is a discussion on the same subject about
> adding advanced permissions to Nagios for hosts and services. Users
> (including myself) were looking for a way to grant users the ability to
> view hosts, but not submit commands and to allow for more complex
> permissions.
>
> It made the most sense to model the permission system with how file
> system permissions are handled. With file system permissions, we would
> assign a group to a folder, and then pick what rights the group would
> have. It made sense to do the same thing with Nagios in the
> contact_groups/contact option for hosts and services:
>
> *Examples:*
>
> define host{
> host_name localhost
> contact_groups netops:rwxn, helpdesk:r
> contact alex:rwxn (Nagios 3)
> }
>
> For backwards compatibility, if no permissions are set, the defaults
> would be rwxn (as defined in cgi.cfg and nagios.cfg) so the following
> would be the same:
>
> define host{
> host_name localhost
> contact_groups netops, helpdesk:r
> contact alex (Nagios 3)
> }
>
> *Permissions:*
>
> r: View in web interface
>
> x: Submit commands for this host/service in web interface
>
> w: Not really needed yet. Maybe some of the other programs that allow
> you to modify the configuration files could use w to allow a user to
> modify the host / service.
>
> n: Notify if contact has a pager or email defined
>
> The addition of these permissions allows for scenarios such as:
>
> -you want users to be able to view all or some hosts and services, but
> not submit commands
> -you want users to be able to view all or some hosts and services, but
> also be able to submit commands for a select few
> -you want users to be able to view all or some hosts and services, but
> get notifications for only a select few
>
> If permissions are not set on the contact_groups or contact line, then
> the defaults will be used. If there is no default_permissions option in
> cgi.cfg and nagios.cfg, then it will default to full permissions (the
> same checks that Nagios currently performs).
>
> Here is a description of the option for cgi.cfg and nagios.cfg:
>
> # DEFAULT HOST/SERVICE PERMISSIONS
> # This option contains a list of default permissions for hosts and
> # services that will be used when permissions are not explicitly
> # set on a host or service. When not defined, the default is all
> # permissions (rwxn). Note: This option must be set the same in
> # both cgi.cfg and nagios.cfg.
>
> #default_permissions=rwxn
>
> As you can see, the option needs to be in both config files although I
> would prefer to have it only in nagios.cfg. It is needed in nagios.cfg
> for base/notifications.c which has nothing to do with the cgi. If
> someone knows how to combine the two, please let me know.
>
> I also changed how services are displayed. If you are not a contact for
> a service (you do not have the 'r' permission), then the service will
> not be displayed. I prefer to have it this way so I can prevent some
> admins from seeing services such as the service I use to receive SNMP
> traps. The problem with this right now is that even though the user
> only sees the services they have permissions for, as long as the user has
> rx permissions to the host, the user can do a 'Enable notifications for
> all services on this host' which will do ALL services.
>
> If this patch is accepted, then we will have to add permission checks to
> the commands that process child objects.
>
> Attached are patches for Nagios 2.5 and 3.0 (CVS as of 11/6/06).
>
> Alex
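
The group:permissions syntax and default fallback described in the message above, as an added example that is not code from the patch or from Nagios. The names parse_perms, group_perms and PERM_* are hypothetical, and treating an unknown permission letter as "no permissions" is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum { PERM_R = 1, PERM_W = 2, PERM_X = 4, PERM_N = 8 };

/* "rx" -> bitmask. An unknown letter yields 0 (assumption: fail closed). */
static int parse_perms(const char *s, size_t len) {
    int mask = 0;
    for (size_t i = 0; i < len; i++) {
        switch (s[i]) {
        case 'r': mask |= PERM_R; break;
        case 'w': mask |= PERM_W; break;
        case 'x': mask |= PERM_X; break;
        case 'n': mask |= PERM_N; break;
        default:  return 0;
        }
    }
    return mask;
}

/* Permissions of `group` in a contact_groups value such as
 * "netops:rwxn, helpdesk:r". An entry without ":perms" gets `defaults`
 * (the default_permissions option); an unlisted group gets 0. */
int group_perms(const char *list, const char *group, int defaults) {
    size_t glen = strlen(group);
    const char *p = list;
    while (glen > 0 && *p) {
        while (*p == ',' || isspace((unsigned char)*p)) p++;
        size_t n = strcspn(p, ",");              /* raw entry length */
        size_t end = n;
        while (end > 0 && isspace((unsigned char)p[end - 1])) end--;
        const char *colon = memchr(p, ':', end);
        size_t name_len = colon ? (size_t)(colon - p) : end;
        if (name_len == glen && memcmp(p, group, glen) == 0)
            return colon ? parse_perms(colon + 1, end - name_len - 1) : defaults;
        p += n;
    }
    return 0;
}

int main(void) {
    const char *cg = "netops, helpdesk:r";       /* sample line from the post */
    int def = parse_perms("rwxn", 4);            /* default_permissions=rwxn */
    int hd = group_perms(cg, "helpdesk", def);
    printf("helpdesk: view=%d command=%d notify=%d\n",
           !!(hd & PERM_R), !!(hd & PERM_X), !!(hd & PERM_N));
    return 0;
}
```

A caller gating a command would test the PERM_X bit of the result, and a notification path would test PERM_N.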