Granular authorization
Myke Place
mp at xmission.com
Fri Sep 13 20:25:45 CEST 2002
Hi all,
I'm trying to configure authorization and I'm running into a spot of trouble.
I'm hoping that somebody can provide some helpful comments or direction.
Right now we're allowing guests to authenticate to the webserver without a
username and password through a configuration in the Apache webserver that
looks like this:
ScriptAlias /nagios/cgi-bin/ /usr/local/adm/nagios/sbin/
<Directory "/usr/local/adm/nagios/sbin/">
    AllowOverride AuthConfig
    Options ExecCGI
    Order Deny,Allow
    Deny from [INTERNAL IP'S]
    Satisfy any
</Directory>
with nagios/sbin being protected with the following:
AuthName "Monitoring and Administration"
AuthType Basic
AuthUserFile /usr/local/adm/nagios/etc/htpasswd.users
require valid-user
The cgi.cfg file includes the following:
authorized_for_all_services=adminuser,guest
authorized_for_all_hosts=adminuser,guest
Of course guest is not listed in authorized_for_system_commands, etc.
The net result of this is that anyone who is not coming from an IP address
not specified in httpd.conf (the public) is prompted for a username and
password and those who are get a prompt (our staff) where they can view
and change hosts and services for which they are a contact.
Here's the dilemma:
We want to be able to give guests who don't get a uname/pass prompt access
to some hosts and not others. However, if we add <guest> as a contact for
a host, this also allows the public to be able to issue commands to those
hosts through the Nagios web interface. Is there a way to give this guest
user perms such that they could only view a certain set of hosts and not
be able to issue commands anywhere?
Any ideas or suggestions would be very much appreciated. Thanks.
--------------------
Myke Place
mp at xmission.com
801.539.0852
www.radiojournal.org
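
An added example, not part of the original post: a small Python audit of what one account, such as the unauthenticated guest described above, is granted. It parses the authorized_for_* lines of cgi.cfg and, following the behaviour the post reports (a contact can issue commands for its hosts), lists each view-all and command-capable grant. The sample cgi.cfg text, the host name web01 and the function names are constructed for illustration.

```python
import re

# Constructed sample, modelled on the cgi.cfg lines quoted in the post.
SAMPLE_CGI_CFG = """\
authorized_for_all_services=adminuser,guest
authorized_for_all_hosts=adminuser,guest
authorized_for_system_commands=adminuser
"""

# cgi.cfg directives grouped by what they grant.
VIEW_ALL = {"authorized_for_all_hosts", "authorized_for_all_services"}
COMMAND = {"authorized_for_system_commands",
           "authorized_for_all_host_commands",
           "authorized_for_all_service_commands"}

def parse_authorized(cfg_text):
    """Return {directive: set(users)} for each authorized_for_* line."""
    grants = {}
    for raw in cfg_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(authorized_for_\w+)\s*=\s*(.*)$", line)
        if m:
            users = {u.strip() for u in m.group(2).split(",") if u.strip()}
            grants.setdefault(m.group(1), set()).update(users)
    return grants

def audit_account(cfg_text, user, contact_hosts=()):
    """List (kind, source) grants held by `user`.

    contact_hosts: hosts for which `user` is a contact; per the post,
    being a contact also allows issuing commands for that host.
    """
    findings = []
    for directive, users in sorted(parse_authorized(cfg_text).items()):
        if user not in users:
            continue
        if directive in COMMAND:
            findings.append(("command", directive))
        elif directive in VIEW_ALL:
            findings.append(("view-all", directive))
    findings += [("command", "contact:" + h) for h in sorted(contact_hosts)]
    return findings

if __name__ == "__main__":
    for kind, source in audit_account(SAMPLE_CGI_CFG, "guest", ["web01"]):
        print(f"guest: {kind:8} via {source}")
```

A "view-all" finding for the guest account means it can already see every host and service, so restricting it to a subset of hosts would also require removing it from those two directives.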