Problem With authentication and access

Hi,
Just been adding in extra users to our nagios system and have noticed this problem. I have configured a user as a contact and in htpasswd.users. This user is a contact for all host up/down messages and no other services. When they login to the nagios screen they seem to be able to acknowledge any service running on the host.

I would only have expected them to have access to those hosts or services that they are contacts for ? (as per docs). However, they seem to have access to all hosts and all services.

I guess one way around this is to configure the contact name different from their login and explicitly add them into cgi.cfg, but this seems like more work ?

Any other suggestions ?

GLOBAL HOST/SERVICE VIEW ACCESS

authorized_for_all_hosts=
authorized_for_all_services=

I suppose it’s due to you defining and giving them access in the cgi.cfg file.
If you don’t want them to have access, don’t give it to them.

No it’s not. I am aware of this feature. If you read the comments (and the documentation) it states that if a user (via htusers) logs in, and that user is defined as a contact, they will have access to everything they are a contact for. e.g. if I define a contact, say “bob” and put bob into the contactgroup for all hosts, when bob logs in he will have a default view & modify of all hosts. However, my point is that he seems to have access to all services as well (presumably because they are in some way linked to the hosts!). The workaround I have in place is to change the name in the contactgroup (from say, bob to bob_email) and then add bob_email to the authorized_for_all_hosts. This works, but makes admin a little more cumbersome.

It would be easier to know that if you define a user, they have access to ONLY the items they are contacts for.

I’m sure now, that this is a minor bug, and is easily worked around. Be nice if it was fixed though.

By the way, version being used is 2.0.3b

nagios.sourceforge.net/docs/1_0/ … ult_rights

If bob is a contact for all hosts then he sees all hosts, but not all services. You must have him in a contact for the services also.

services.cfg
contact_groups allservicesgroup
hosts.cfg
contact_groups allhostsgroup

Bob is a member of allhostsgroups but not allservicesgroup. He should not see any services.

I agree. If bob is a contact for allhostgroups and not for any servicegroups, then he shouldn’t be able to view or acknowledge any services, just the hosts. This is not happening. Basically, I have set up a user, who is part of our server support group, who I want to see/acknowledge all host up/down statuses, but not any services as he has no interest in apps. Also, we want other users to have view only access to specific services/service groups of interest (but no acknowledge capability).

From the docs.
If you are authorized for all hosts you can view all hosts and all services.
If you are authorized for all services you can view all services.
If you are an authenticated contact you can view all hosts and services for which you are a contact.

It seems that rule 1 is being fired instead of rule 3.
I am away from work right now, but I’ll post the relevant bits of config tomorrow.

Thanks for your reply

make sure bob is not in the cgi.cfg ANYWHERE.
grep bob /usr/local/nagios/etc/cgi.cfg

Hi

Ok this is the config. The username is kbrett that I am interested in.

cgi.cfg has no reference to kbrett anywhere in it.
grep -l kbrett *
contactgroups.cfg
contacts.cfg
htpasswd.users

The only two files that have reference to this user are contacts.cfg and contactgroups.cfg as follows:
(I have removed certain details for security reasons, like email address)
contacts.cfg

define contact {
contact_name kbrett
alias Keith Brett
service_notification_period 24x7
host_notification_period 24x7
service_notification_options w,u,c,r
host_notification_options d,u,r
service_notification_commands html-email
host_notification_commands host-notify-by-email
email [email protected]
}

contactgroups.cfg
define contactgroup{
contactgroup_name ess3rdline
alias ESS Unix Support
members kbrett
}

Also, the only other config is where the contact group ess3rdline exist as follows:

grep -l ess3rdline *
contactgroups.cfg
hosts.cfg

hosts.cfg
define host {
name host-generic-24-7
use generic-host
check_command check-host-alive
max_check_attempts 10
notification_interval 360
notification_period 24x7
notification_options d,u,r
contact_groups nagios,ess3rdline
register 0 ; DONT REGISTER THIS DEFINITION - ITS NOT A REAL HOST, JUST A TEMPLATE!
}

The only occurrences of the template “host-generic-24-7” exist on host definitions like the one below, and not in any services:

define host{
use host-generic-24-7 ; Name of host template to use
host_name altxs003
alias altxs003
address x.x.x.x
}

So with the above config, this user can login and has access to all hosts and all services, meaning he can acknowledge any service problem.

Clearly, what I am trying to achieve is that he has access only to hosts.

Is there something I have missed ? Or if you have access to a particular host, do you automatically get access to all the services on that host ?

Ok. Just did a quick test which proves my point. If I change the config so that kbrett is a contact for only two hosts, then when I login as kbrett I only see those two hosts, but I can access all services on those two hosts and acknowledge them.

So it is inheritable. i.e. if you give someone access to a host, you inherently give them access to all services on that host (when defined as a contact).

This may be a doc error, and possibly done that way on purpose. Personally, I don’t see why this would be much of a concern, but yes, you must be correct. I wonder if it works the other way around too like that, I’m not sure at the moment.
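
The host-to-service inheritance observed in the test above can be audited offline from the object files. The following is an added example, not part of any post in this thread: it parses Nagios object definitions, resolves single-parent `use` templates, and lists the services a contact reaches only because they are a contact for the host. The function names, the HTTP service definition and its `contact_groups` value are assumptions made for the sample.

```python
import re
# Constructed sample modelled on the thread's config; the service definition is
# an assumption, and the "nagios" group's members are not on the page (left undefined).
SAMPLE = """define contactgroup{
  contactgroup_name ess3rdline
  members kbrett
}
define host{
  name host-generic-24-7
  contact_groups nagios,ess3rdline
  register 0 ; template only
}
define host{
  use host-generic-24-7
  host_name altxs003
}
define service{
  host_name altxs003
  service_description HTTP
  contact_groups nagios
}"""

def parse(text):  # -> [(object_type, {directive: value})] per define block
    def attrs(body):
        rows = (l.split(";", 1)[0].split(None, 1) for l in body.splitlines())
        return {r[0]: r[1].strip() for r in rows if len(r) == 2}
    return [(k, attrs(b)) for k, b in re.findall(r"define\s+(\w+)\s*\{(.*?)\}", text, re.S)]

def resolve(kind, attrs, tmpl):  # single-parent 'use'; name/register not inherited
    if "use" not in attrs:
        return dict(attrs)
    parent = resolve(kind, tmpl[kind, attrs["use"]], tmpl)
    return {**{k: v for k, v in parent.items() if k not in ("name", "register")}, **attrs}

def names(value):
    return {n.strip() for n in value.split(",") if n.strip()}

def cgi_access(text, user):  # -> (hosts, direct_services, implied_services)
    objs = parse(text)
    groups = {a["contactgroup_name"] for k, a in objs
              if k == "contactgroup" and user in names(a.get("members", ""))}
    tmpl = {(k, a["name"]): a for k, a in objs if "name" in a}
    real = [(k, resolve(k, a, tmpl)) for k, a in objs if a.get("register") != "0"]
    mine = lambda a: bool(groups & names(a.get("contact_groups", "")))
    hosts = {a["host_name"] for k, a in real if k == "host" and mine(a)}
    svcs = [(a["host_name"], a["service_description"], mine(a))
            for k, a in real if k == "service"]
    direct = {(h, s) for h, s, m in svcs if m}
    implied = {(h, s) for h, s, m in svcs if not m and h in hosts}  # via host contact
    return hosts, direct, implied
```

Calling `cgi_access(SAMPLE, "kbrett")` puts the HTTP service in the third set: kbrett is not a contact for it, but can reach it through altxs003.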