Thursday, July 23, 2009

Nagios Read Only User


By default your Nagios user will have full access to the web interface. This means he/she can do just about anything, like stopping checks etc.

Here's a quick guide on how to enable read-only user access for your Nagios web interface.

This document assumes:
1. Nagios 3 (may work for 2; please try, and if it works, please post a comment)
2. Apache2
3. Debian 3 (or higher)
4. Authentication on Nagios is enabled
 
You need to find out where Apache is storing your htdigest or htpasswd file. Look in your Apache sites-enabled config file: in the section for the Nagios website, you should see the path to the htpasswd or htdigest file.
 
Edit that file and add your new users there. You can generate new users with a user/realm/password pair via CLI tools such as htpasswd or htdigest, or use a page similar to http://www.htaccesstools.com/htpasswd-generator/ to generate the read-only user. For this guide, we will use the username rouser and password rouser.
 
E.g. generating an htpasswd entry for the Nagios user rouser:
# htpasswd -c /tmp/rouser.txt rouser
 
This creates the file /tmp/rouser.txt, which has content like this:

rouser:ug/fib3zqISok
 
Paste that exact line into the htpasswd (or htdigest) file that you found via the sites-enabled config in Apache.

Now you can already test access with that user on your Nagios web screen. You will notice that it doesn't have access to anything except the static images/HTML in there.

To give rouser the right to see things, edit your Nagios CGI config file, normally found at /usr/local/nagios/etc/cgi.cfg. Look for the directives

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

Then append the rouser you just created to each of them, separated by a comma, like below:

authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser

Now, you need to restart the Nagios daemon. Then close your browser and sign in again with user rouser and password rouser. You can now see everything but cannot access the CGI commands, which makes the account read-only.
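
A quick way to check the result, added here as an example and not part of the original guide: the script below reads a cgi.cfg and confirms that a user is listed in the two view directives edited above but in none of the command directives. It assumes the standard cgi.cfg command directives authorized_for_system_commands, authorized_for_all_service_commands and authorized_for_all_host_commands (not named in this guide) and treats "*" as matching any authenticated user; the function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit cgi.cfg for a read-only user.

# Print the users listed for directive $1 in cgi.cfg $2, one per line.
cgi_users() {
    sed -n "s/^[[:space:]]*$1[[:space:]]*=//p" "$2" |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# True if user $1, or the wildcard "*" (any authenticated user), is listed
# for directive $2 in cgi.cfg $3.
cgi_allows() {
    cgi_users "$2" "$3" | grep -qxF -e "$1" -e '*'
}

# Report on user $1 in cgi.cfg $2; return 0 only if the user can view all
# hosts and services and is named in none of the command directives.
audit_readonly() {
    rc=0
    for d in authorized_for_all_services authorized_for_all_hosts; do
        cgi_allows "$1" "$d" "$2" || { echo "$1: missing view right $d"; rc=1; }
    done
    for d in authorized_for_system_commands \
             authorized_for_all_service_commands \
             authorized_for_all_host_commands; do
        if cgi_allows "$1" "$d" "$2"; then
            echo "$1: can issue commands via $d"; rc=1
        fi
    done
    return "$rc"
}

# Constructed sample cgi.cfg fragment matching the edit described above.
sample_cfg() {
    cat <<'EOF'
# comment lines are ignored
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin, rouser
authorized_for_system_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
EOF
}

cfg=$(mktemp) && sample_cfg > "$cfg"
audit_readonly rouser "$cfg" && echo "rouser: read-only"
audit_readonly nagiosadmin "$cfg" || echo "nagiosadmin: not read-only (expected)"
rm -f "$cfg"
```

To run it against a live install, call audit_readonly rouser /usr/local/nagios/etc/cgi.cfg after editing the file.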

Now, if you want to limit access to certain hosts only, then you need to match the user you create with the contact definition files. So, user rouser can be rouser-switches, for instance, and he/she then sees read-only for switches.

Try it out and let us know the outcome.