View options for hosts and services


#1

I have got a problem with my Nagios configuration and hope somebody can help me. I have got 2 different users. The first one is admin-account and the seccond one is view-account. The configuration for the cgi’s is no problem. I can adjust exactly what the 2 accounts can do and what they aren’t allowed to do. The problem is when I am logged in with one of the accounts. They both see the same hosts and services while I have configured that they are not the contacts of the same hosts and services. Does anybody has an idea where you can change this. That the view-account will only see the hosts and services which he is contact for (or member of the contact-groups)? And that the admin-account will also only see the hosts and services which he is contact for? Thanks in advantage.


#2

Hi

Have you set use_authentication=1?

[quote]Enabling Authentication/Authorization Functionality In The CGIs

The next thing you need to do is make sure that the CGIs are configured to use the authentication and authorization functionality in determining what information and/or commands users have access to. This is done be setting the use_authentication variable in the CGI configuration file to a non-zero value. Example:

use_authentication=1[/quote]

http://nagios.sourceforge.net/docs/3_0/cgiauth.html

HTH

/S


#3

Hi Strides,

thanks for the quick response. Yes, the use_authentication is set to 1. That is why I don’t have a problem with logging in to the Nagios monitoring and getting access to all the different views in the left box (service detail, host detail, service problems, process info, view config, etc.). The problem is specific when I click on the service details or hosts details. The admin-account is configured to be a contact for all of the different hosts and services. The view-account is only configured for a couple of hosts and services. When I now log in with the view-account I still see all the hosts and services, also the ones this account is no contact for. To be more specific.

admin-account
Is contact for Host1, Host2, Host3, Host4 and Host5. And also for Service1, Service2 and Service3.

view-account
Is contact only for Host1 and Service2.

At this moment I want to log in to Nagios. If I do this with the admin-account, I want to see all the hosts and services. If I log in with the view-account I only want to see Host1 and Service2. Can this be arranged???


#4

Hi

If you have set up the users as authenticated contacts as per the link in the previous post (i.e. username matches contact name in contact definition) then that is indeed what should happen, unless the less-priveleged user has found it’s way into something like authorized_for_all_services/hosts. The only other possibilities are that something wierd is going on in a cacheing or proxy sense, or it’s broken. I’m afraid I’ve never had cause to set it up thus far (it’s always on the to-do list) but that is exactly how I imagined it working when I’ve looked into it - I will try and make it work and see what happens… Perhaps someone else can suggest something more useful in the meantime.

/S


#5

I had it working in version 2.9. Now I am using version 3.05 and I am not getting it to work anymore. The problem is that we need it for a customer and they are waiting for it. Thanks for the help so far Stirdes. Hope somebody else has experience with this configuration.


#6

No problem. FYI I just set this up for a defined contact that only had 1 host and 1 service associated with them. All I did was run htpasswd /usr/local/nagios/etc/htpasswd.users <contact-short-name> and I was able to log in and view that one host and service, and that was all. All other hosts and services were not visible, as is your requirement. This was on 3.0.3 mind you… as it shouldn’t be difficult to set up I am of the view that it is quite possible that the functionality has been broken in 3.0.5 :frowning:


#7

I solved the problem with a tip from somebody off the Nagios mailling list. The problem was that I also put the view-account in the cgi.cfg file. Both were added to the lines authorized_for_all_services and authorized_for_all_hosts. After I had removed the names behind this lines (the names were already added to the different hosts and services as contact) everything worked fine. Thanks for all the help.