Restrict users to view certain hostgroups in cgi's

Carroll, Jim P [Contractor] jcarro10 at sprintspectrum.com
Wed Dec 4 00:49:48 CET 2002


Ah, interesting.  I'm using '*', as per the comments in cgi.cfg.

In my case, I actually *don't* want to partition viewing.  But out of idle
curiosity, can you specify a contactgroup name there?  Or do you have to use
individual names, as per htaccess.users?  It would be great to be able to
add a username to as few places as possible, to keep administrative overhead
down to a dull roar.

Heh... now you've got me wondering whether I should be carving up the
viewing, too.

Very interesting.

jc

> -----Original Message-----
> From: Frater, Greg J [mailto:gjfrater at bechtel.com]
> Sent: Tuesday, December 03, 2002 2:24 PM
> To: Carroll, Jim P [Contractor]; 'JPP';
> nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] Restrict users to view certain hostgroups in cgi's
> 
> 
> Look in your cgi.cfg file at the settings for the following: 
> 
> authorized_for_all_hosts 
> authorized_for_all_host_commands 
> authorized_for_all_services 
> authorized_for_all_service_commands 
> 
> Make sure you haven't specified users here allowing them to view all
> hosts/services etc.  By default they can only see hosts and services that
> they own.
> 
> 
> -----Original Message-----
> From: Carroll, Jim P [Contractor] [mailto:jcarro10 at sprintspectrum.com]
> Sent: Tuesday, December 03, 2002 8:24 AM
> To: 'JPP'; nagios-users at lists.sourceforge.net
> Subject: RE: [Nagios-users] Restrict users to view certain hostgroups in cgi's
> 
> 
> Odd.  I'm essentially doing this (basically the approach referenced in the
> docs) using .htpasswd and .htaccess and the requisite definition in
> httpd.conf.  I'm using discrete contacts, contactgroups and hostgroups, and
> yet when I login, I can see everything.  It's only when I try to do
> something (eg, acknowledge, comment) to a host outside of my group that I'm
> told I don't have permission.
> 
> jc
> 
> > -----Original Message-----
> > From: JPP [mailto:jpp at frws.com]
> > Sent: Monday, December 02, 2002 6:37 PM
> > To: nagios-users at lists.sourceforge.net
> > Subject: Re: [Nagios-users] Restrict users to view certain hostgroups in cgi's
> > 
> > 
> > Hi all!
> > 
> > Yes you can do this! And use only 1 Nagios!
> > 
> > Create 2 separate hostgroups and assign them as contacts/Admins/whatever
> > for those 2 separate hostgroups.
> > And you have to give them 2 separate/distinct login names in the Apache
> > htpasswd files or however you lock down the server directories/files.
> > 
> > In a nutshell:
> > 
> > 1. Create users in the Apache control/passwd file called Admin1 and
> > Admin2 (however you do this in your case)
> > 2. Create these users in contacts.cfg for each hostgroup you wish to
> > separate. Call them Admin1 and Admin2 also
> > 3. Create a group for each of them in contactgroups.cfg and place them
> > and you as members in that group. Call them Admin1-Group and
> > Admin2-Group. But do not place either of them in the other's group.
> > 4. In the services.cfg file - separate the 2 groups using the
> > contact_groups option.
> > For Admin1-Server make the contact Admin1-Group
> > For Admin2-Server make the contact Admin2-Group
> > 
> > I restarted Nagios - but may not have to...
> > 
> > Login as Admin1 and see what you see. Shut down your browser and login
> > as Admin2 and see what you can see. Should be limited to the
> > servers/services in their group!
> > 
> > This works to make them only see the hosts assigned to their group IF:
> > 1. The user name in Nagios matches the username used by Apache to
> > authenticate them.
> > 2. The groups are separated totally from each other. They cannot be on
> > any other group or list but the one you want them to view.
> > 
> > We do not use literal .htpasswd files, but I am sure the concept is the
> > same. We use the equivalent files right in the httpd.conf to protect all
> > the Nagios directories. And only one file, actually - with many names in it.
> > 
> > Hope this does it for you!
> > 
> > JPP
> > 
> > 
> > Carroll, Jim P [Contractor] wrote:
> > 
> > > I think you're taking the right approach for what you're trying to do.  I'm
> > > not aware of any features in Nagios to enable security through obscurity.
> > > 
> > > jc
> > > 
> > > 
> > >>-----Original Message-----
> > >>From: Dushyanth Harinath [mailto:dushy at symonds.net]
> > >>Sent: Saturday, November 30, 2002 6:30 AM
> > >>To: nagios
> > >>Subject: [Nagios-users] Restrict users to view certain hostgroups in cgi's
> > >>
> > >>
> > >>Hi guys,
> > >>
> > >>I want to restrict some users (http authenticated) to see only a
> > >>certain hostgroup. To make this work I have 2 separate copies of nagios
> > >>on different locations with different cgi-url and html-url. And I am
> > >>running 2 instances of nagios with different set of configuration files.
> > >>The reason why I am doing this is I have 2 set of users who shouldn't see
> > >>each others hosts information.
> > >>
> > >>Is it possible to achieve this with a single instance of nagios and
> > >>different set of configuration files. Or is there any other way ?
> > >>
> > >>TIA
> > >>Regards
> > >>Dushyanth
> > >>-- 
> > >>The Definition of an Upgrade: Take old bugs out, put new ones in.
> > >>
> > >>http://symonds.net/~dushy
> > >>
> > >>
> > >>-------------------------------------------------------
> > >>This SF.net email is sponsored by: Get the new Palm Tungsten T 
> > >>handheld. Power & Color in a compact size! 
> > >>http://ads.sourceforge.net/cgi-bin/redirect.pl?palm0002en
> > >>_______________________________________________
> > >>Nagios-users mailing list
> > >>Nagios-users at lists.sourceforge.net
> > >>https://lists.sourceforge.net/lists/listinfo/nagios-users
> > >>
> > >>


More information about the Users mailing list
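
The view rule discussed in this thread (a user sees only the services whose contact group includes them, unless they are listed in `authorized_for_all_services`), as an added example that is not part of the original messages or of Nagios itself. The sample configuration, the user names `nagiosadmin` and `ops`, and the simplified rule (service contact groups only, no comment lines in the config) are assumptions.

```python
import re

# Constructed sample data (not from the thread), modelled on the Admin1/Admin2 layout.
OBJECTS = """
define contactgroup{
    contactgroup_name  Admin1-Group
    members            Admin1,ops
    }
define contactgroup{
    contactgroup_name  Admin2-Group
    members            Admin2,ops
    }
define service{
    host_name            Admin1-Server
    service_description  PING
    contact_groups       Admin1-Group
    }
define service{
    host_name            Admin2-Server
    service_description  PING
    contact_groups       Admin2-Group
    }
"""
CGI_PARTITIONED = "authorized_for_all_services=nagiosadmin\n"  # hypothetical admin user
CGI_WILDCARD = "authorized_for_all_services=*\n"               # '*' lets everyone view

def split_list(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def parse_cgi(text):
    """Map each authorized_for_* directive in cgi.cfg to its set of user names."""
    pairs = re.findall(r"^\s*(authorized_for_\w+)\s*=\s*(.*)$", text, re.M)
    return {key: split_list(val) for key, val in pairs}

def parse_objects(text):
    """Return (object_type, {directive: value}) for every define block."""
    return [(kind, dict(l.strip().split(None, 1) for l in body.strip().splitlines()))
            for kind, body in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S)]

def visible_services(user, cgi_text, objects_text):
    """Services `user` may view under the simplified rule described in the lead-in."""
    objs = parse_objects(objects_text)
    services = [f for k, f in objs if k == "service"]
    allowed = parse_cgi(cgi_text).get("authorized_for_all_services", set())
    if "*" in allowed or user in allowed:      # global grant overrides partitioning
        return {(s["host_name"], s["service_description"]) for s in services}
    groups = {f["contactgroup_name"] for k, f in objs
              if k == "contactgroup" and user in split_list(f["members"])}
    return {(s["host_name"], s["service_description"]) for s in services
            if split_list(s.get("contact_groups", "")) & groups}
```

Running `visible_services` for each htpasswd user against both `cgi.cfg` variants shows at a glance whether a wildcard or a stray user name in an `authorized_for_all_*` line has undone the contact-group separation.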