<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-15"
http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
This is a very interesting thread, especially since I am currently
wondering how I can do this sort of thing. I want to give a web
interface to consultants to view our web site availability. I have
created a user and contactgroup which shows only the services I have
added the group to. The problem is that even this limited account can
switch off checks or notifications and I can't see a way to stop this.<br>
<br>
It appears that when this account switches off a notification, this is
done on a global basis which is bad. I'm using nagios 1.4.1.<br>
<br>
Reading through this thread it appears that the issue is under debate
at the moment. Does this mean that what I want, a read only user cannot
be done at the moment?<br>
<br>
-h<br>
<br>
<pre class="moz-signature" cols="72">Hari Sekhon
</pre>
<br>
<br>
Ton Voon wrote:
<blockquote cite="mid353DE8BA-307C-4068-8651-DABA1B4194D6@altinity.com"
type="cite"><br>
<div>
<div>On 4 Nov 2006, at 16:43, Alex Burger wrote:</div>
<br class="Apple-interchange-newline">
<blockquote type="cite">
<div style="margin: 0px;">Ton Voon wrote:</div>
<blockquote type="cite">
<div style="margin: 0px;">Hi Alex,</div>
<div style="margin: 0px;">I think the "read/write" attribute
needs to be associated with the contact. So this implementation looks
more obvious (to me):</div>
<div style="margin: 0px;">define contact {</div>
<div style="margin: 0px;">name person</div>
<div style="margin: 0px;">contactgroups cg1,cg2,cg3 # means can
submit commands</div>
<div style="margin: 0px;">contactgroups_viewonly cg5,cg6</div>
<div style="margin: 0px;">}</div>
<div style="margin: 0px;">This would effectively mean the
can_submit_commands attribute is redundant, because you just use
contactgroups_viewonly instead of contactgroups.</div>
</blockquote>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">The more I think about it, the more I
think we are looking at this the wrong way.<span
class="Apple-converted-space"> </span>With file system or
application permissions, we would assign a group to a folder/object,
and then pick what rights the group would have. Why don't we do the
same thing with Nagios?</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">Leave the groups as they are, but modify
the host and service contact_groups command?<span
class="Apple-converted-space"> </span>For example:</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">define host{</div>
<div style="margin: 0px;"><span class="Apple-converted-space">
</span>host_name <span class="Apple-converted-space">
</span>localhost</div>
<div style="margin: 0px;"><span class="Apple-converted-space">
</span>contact_groups<span class="Apple-converted-space">
</span>netops:rw, helpdesk:r</div>
<div style="margin: 0px;">}</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">For backwards compatibility, if no
permissions are set, the defaults would be rw so the following would be
the same:</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">define host{</div>
<div style="margin: 0px;"><span class="Apple-converted-space">
</span>host_name <span class="Apple-converted-space">
</span>localhost</div>
<div style="margin: 0px;"><span class="Apple-converted-space">
</span>contact_groups<span class="Apple-converted-space">
</span>netops, helpdesk:r</div>
<div style="margin: 0px;">}</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">If a user was in both the netops and
helpdesk group, the user should have rw access.</div>
<div style="margin: 0px; min-height: 14px;"><br>
</div>
<div style="margin: 0px;">This will take a bit more work to
implement, but I think it makes more sense.<span
class="Apple-converted-space"> </span>What do you think?</div>
</blockquote>
</div>
<div><span class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;"><span
class="Apple-style-span"
style="border-collapse: separate; border-spacing: 0px; color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant: normal; font-weight: normal; letter-spacing: normal; line-height: normal; text-indent: 0px; text-transform: none; orphans: 2; white-space: normal; widows: 2; word-spacing: 0px;">
<div><br class="khtml-block-placeholder">
</div>
<div>Firstly, this is fantastic work, Alex. Nice to see someone run
with an idea.</div>
<div><br class="khtml-block-placeholder">
</div>
<div>I've been mulling this over the weekend and I think you're
right: I was looking at this the wrong way. It was very smart of you to
make the analogy with filesystem security and I think you have the
right design.</div>
<div><br class="khtml-block-placeholder">
</div>
<div>Authorization is about defining a user's permissions on an
object (<a
href="http://en.wikipedia.org/wiki/Access_control#Authorization">http://en.wikipedia.org/wiki/Access_control#Authorization</a>).
The base objects in Nagios are the host and service object. These
objects should then hold information about which users (contacts) are
allowed which permission. You've got a good thread on what the
permissions should be, so I'll ignore that. But the assigning of
permissions at the host/service definition is, I think, the right way
to go.</div>
<div><br class="khtml-block-placeholder">
</div>
<div>My only request is to add in the ability to check for a single
contact too. This will be more important in Nagios 3 as Ethan has said
you will be allowed to specify single contacts from a host/service
definition, without the need for contactgroups.</div>
<div><br class="khtml-block-placeholder">
</div>
<div>When you have your patch applied, I will request removal of the
can_submit_commands patch as this is just a fudge from the
sophisticated security model you will have added in (my patch is
analogous to setting a user to "/bin/false" for their shell, I guess).</div>
<div><br class="khtml-block-placeholder">
</div>
<div>Ton</div>
<div><br class="khtml-block-placeholder">
</div>
<div><a href="http://www.altinity.com">http://www.altinity.com</a></div>
<div>T: +44 (0)870 787 9243</div>
<div>F: +44 (0)845 280 1725</div>
<div>Skype: tonvoon</div>
</span></span></span></span></span>
<div><br class="khtml-block-placeholder">
</div>
<br class="Apple-interchange-newline">
</span></div>
<br>
<pre wrap="">
<hr size="4" width="90%">
-------------------------------------------------------------------------
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
<a class="moz-txt-link-freetext" href="http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642">http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642</a></pre>
<pre wrap="">
<hr size="4" width="90%">
_______________________________________________
Nagios-users mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Nagios-users@lists.sourceforge.net">Nagios-users@lists.sourceforge.net</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/nagios-users">https://lists.sourceforge.net/lists/listinfo/nagios-users</a>
::: Please include Nagios version, plugin version (-v) and OS when reporting any issue.
::: Messages without supporting info will risk being sent to /dev/null</pre>
</blockquote>
</body>
</html>