Advanced permissions/user properties
Hari Sekhon
hpsekhon at googlemail.com
Mon Nov 6 12:29:25 CET 2006
This is a very interesting thread, especially since I am currently
wondering how I can do this sort of thing. I want to give a web
interface to consultants to view our web site availability. I have
created a user and contactgroup which shows only the services I have
added the group to. The problem is that even this limited account can
switch off checks or notifications and I can't see a way to stop this.
It appears that when this account switches off a notification, this is
done on a global basis which is bad. I'm using Nagios 1.4.1.
Reading through this thread it appears that the issue is under debate at
the moment. Does this mean that what I want, a read-only user, cannot be
done at the moment?
-h
Hari Sekhon
Ton Voon wrote:
>
> On 4 Nov 2006, at 16:43, Alex Burger wrote:
>
>> Ton Voon wrote:
>>> Hi Alex,
>>> I think the "read/write" attribute needs to be associated with the
>>> contact. So this implementation looks more obvious (to me):
>>> define contact {
>>>     name person
>>>     contactgroups cg1,cg2,cg3 # means can submit commands
>>>     contactgroups_viewonly cg5,cg6
>>> }
>>> This would effectively mean the can_submit_commands attribute is
>>> redundant, because you just use contactgroups_viewonly instead of
>>> contactgroups.
>>
>> The more I think about it, the more I think we are looking at this
>> the wrong way. With file system or application permissions, we would
>> assign a group to a folder/object, and then pick what rights the
>> group would have. Why don't we do the same thing with Nagios?
>>
>> Leave the groups as they are, but modify the host and service
>> contact_groups command? For example:
>>
>> define host{
>>     host_name localhost
>>     contact_groups netops:rw, helpdesk:r
>> }
>>
>> For backwards compatibility, if no permissions are set, the defaults
>> would be rw so the following would be the same:
>>
>> define host{
>>     host_name localhost
>>     contact_groups netops, helpdesk:r
>> }
>>
>> If a user was in both the netops and helpdesk group, the user should
>> have rw access.
>>
>> This will take a bit more work to implement, but I think it makes
>> more sense. What do you think?
>
> Firstly, this is fantastic work, Alex. Nice to see someone run with an
> idea.
>
> I've been mulling this over the weekend and I think you're right: I
> was looking at this the wrong way. It was very smart of you to make
> the analogy with filesystem security and I think you have the right
> design.
>
> Authorization is about defining a user's permissions on an object
> (http://en.wikipedia.org/wiki/Access_control#Authorization). The base
> objects in Nagios are the host and service object. These objects
> should then hold information about which users (contacts) are allowed
> which permission. You've got a good thread on what the permissions
> should be, so I'll ignore that. But the assigning of permissions at
> the host/service definition is, I think, the right way to go.
>
> My only request is to add in the ability to check for a single contact
> too. This will be more important in Nagios 3 as Ethan has said you
> will be allowed to specify single contacts from a host/service
> definition, without the need for contactgroups.
>
> When you have your patch applied, I will request removal of the
> can_submit_commands patch as this is just a fudge from the
> sophisticated security model you will have added in (my patch is
> analogous to setting a user to "/bin/false" for their shell, I guess).
>
> Ton
>
> http://www.altinity.com
> T: +44 (0)870 787 9243
> F: +44 (0)845 280 1725
> Skype: tonvoon
>
> _______________________________________________
> Nagios-users mailing list
> Nagios-users at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/nagios-users
> ::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
> ::: Messages without supporting info will risk being sent to /dev/null
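
Added example, not part of the original thread and not Nagios code: a sketch of how the `contact_groups` permission suffixes proposed in the quoted messages could be evaluated, with a group lacking a suffix defaulting to rw and a contact's rights being the union over their groups. All function names are hypothetical, and rejecting an empty or unknown suffix is this example's own assumption.

```python
# Added example (not Nagios code): evaluates the "group:perms" syntax
# proposed in the thread. All function names are hypothetical.

VALID = {"r", "w"}

def parse_contact_groups(value):
    """Turn 'netops:rw, helpdesk:r' into {'netops': {'r','w'}, 'helpdesk': {'r'}}."""
    acl = {}
    for entry in value.split(","):
        entry = entry.strip()
        if not entry:
            continue
        name, sep, perms = (part.strip() for part in entry.partition(":"))
        if not name:
            raise ValueError(f"missing group name in {entry!r}")
        if not sep:
            perms = "rw"  # no suffix: backwards-compatible default from the thread
        if not perms or set(perms) - VALID:
            # Assumption of this example: fail closed on "group:" or "group:x"
            # instead of silently granting the rw default.
            raise ValueError(f"bad permission suffix in {entry!r}")
        acl.setdefault(name, set()).update(perms)
    return acl

def effective_permissions(acl, memberships):
    """Union of rights over every group the contact belongs to."""
    rights = set()
    for group in memberships:
        rights |= acl.get(group, set())
    return rights

def may_view(acl, memberships):
    return "r" in effective_permissions(acl, memberships)

def may_submit_commands(acl, memberships):
    """Write access gates commands such as disabling checks or notifications."""
    return "w" in effective_permissions(acl, memberships)

# Constructed sample: the second host definition quoted in the thread.
HOST_ACL = parse_contact_groups("netops, helpdesk:r")

if __name__ == "__main__":
    for who, groups in [("consultant", ["helpdesk"]),
                        ("operator", ["netops", "helpdesk"]),
                        ("outsider", ["sales"])]:
        print(who, "view:", may_view(HOST_ACL, groups),
              "commands:", may_submit_commands(HOST_ACL, groups))
```

A contact that belongs only to `helpdesk` can view the host but cannot submit commands, which is the read-only behaviour asked about at the top of this message.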