By default, your Nagios user has full access to the web interface. This means he/she can do just about anything, such as stopping checks.
Here's a quick guide on how to enable read-only user access for your Nagios web interface.
This document assumes:
1. Nagios 3 (may work for 2; please try it, and if it works, please post a comment)
2. Apache2
3. Debian 3 (or higher)
4. Authentication on Nagios is enabled
You need to find out where Apache stores your htdigest or htpasswd file. Look in your Apache sites-enabled config file: in the section for the Nagios website, you should see the path to the htpasswd or htdigest file.
Edit that file and add your new users there. You can generate a user/realm/password entry with CLI tools such as htpasswd or htdigest, or use a page similar to http://www.htaccesstools.com/htpasswd-generator/ to generate the read-only user. For this guide, we will use the username rouser and password rouser.
E.g., generating an htpasswd entry for the Nagios rouser:
#htpasswd -c /tmp/rouser.txt rouser
This creates the file /tmp/rouser.txt, with content like this:
rouser:ug/fib3zqISok
Paste that exact line into the htpasswd (or htdigest) file that you found referenced in the Apache sites-enabled config.
You can already test access with that user on your Nagios web screen. You will notice that it has no access to anything except the static images/HTML.
To give rouser the right to see things, edit your Nagios CGI configuration file, normally found at /usr/local/nagios/etc/cgi.cfg. Look for the directives
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
Append the rouser user you just created to each of them, separated by a comma, like below:
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
Now restart the Nagios daemon. Then sign in again (close your browser first) with user rouser and password rouser. You can now see everything but cannot access the CGI commands, which makes the account read-only.
If you want to limit access to certain hosts only, the user you create must match a contact in the contact definition files. So user rouser could be rouser-switches, for instance, and he/she would then have read-only access to the switches.
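A small audit of the result of the steps above, added here as an example (not code from the original post or from Nagios): it reads cgi.cfg text and reports anything that keeps a user from being globally read-only, including the contact-group case raised in the comments below. The function names and sample strings are made up for illustration; the three `*_commands` directives and the `*` wildcard are standard cgi.cfg settings that the post itself does not mention.

```python
import re
# cgi.cfg directives that let a user issue commands (Nagios 3 names).
COMMAND_DIRECTIVES = ("authorized_for_system_commands",
    "authorized_for_all_service_commands", "authorized_for_all_host_commands")
VIEW_DIRECTIVES = ("authorized_for_all_services", "authorized_for_all_hosts")

def parse_cgi_cfg(text):
    """Return {directive: set(users)} for every authorized_for_* line."""
    rights = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("authorized_for_") and "=" in line:
            key, value = line.split("=", 1)
            users = {u.strip() for u in value.split(",") if u.strip()}
            rights.setdefault(key.strip(), set()).update(users)
    return rights

def contactgroups_of(user, objects_text):
    """Names of the contactgroups whose members line lists the user."""
    groups = []
    for body in re.findall(r"define\s+contactgroup\s*\{(.*?)\}", objects_text, re.S):
        attrs = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # drop ';' comments
            if len(parts) == 2:
                attrs[parts[0]] = parts[1].strip()
        if user in {m.strip() for m in attrs.get("members", "").split(",")}:
            groups.append(attrs.get("contactgroup_name", "?"))
    return groups

def audit_read_only(user, cgi_text, objects_text=""):
    """Return the reasons `user` is not a global read-only user ([] = OK)."""
    rights = parse_cgi_cfg(cgi_text)
    has = lambda d: bool(rights.get(d, set()) & {user, "*"})  # "*" = any user
    findings = [f"{d} lets {user} issue commands" for d in COMMAND_DIRECTIVES if has(d)]
    findings += [f"{d} does not list {user}" for d in VIEW_DIRECTIVES if not has(d)]
    findings += [f"contact in group {g}: commands allowed on its objects"
                 for g in contactgroups_of(user, objects_text)]
    return findings

# Constructed sample input mirroring the settings and comment examples on this page.
SAMPLE_CGI = """authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
authorized_for_system_commands=nagiosadmin
"""
SAMPLE_OBJECTS = """define contactgroup{
    contactgroup_name printeradmins
    members nagiosadmin, rauser
}
"""
```

Calling `audit_read_only("rouser", SAMPLE_CGI, SAMPLE_OBJECTS)` returns an empty list, while the same call for `rauser` reports the missing global view rights and the contact-group membership.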
Try it out and let us know the outcome.
11 comments:
Thank you, I am using Ubuntu Svr 9.04, Nagios 3, Apache2 and it has worked for me
-Robert
This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_groups; in this case rouser can enable/disable notifications for the specific hosts/services, reschedule the check, etc.
Yes it does work for all hosts/services by editing ...
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
"This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_group"
Yup, it doesn't, and yes, you can specify which contact groups view what in readonly or whatnot.
This value is global
Thanks for the tip...and yes, it's a global value and yes, you can further define who gets to see exactly what when they are a contact of a particular object.
It also works on 2.9. But how do you define a contact for rouser? Thanks!
Off subject, but can we make rouser log in automatically, so that the authentication window doesn't display? Thanks!
thank you.
Worked fine for me - even with Icinga.
Using CentOS, Apache 2.2, and Icinga
www.christianhuck.de
Thanks, worked for me very nicely. Gentoo 2.6.32-r7, Apache 2.2.15 and Nagios 3.2.0
To add the password (without using some web service), use the following command to add the user to an existing htpasswd.users file:
htpasswd /usr/local/nagios/etc/htpasswd.users rauser
Add user rauser to the contacts.cfg
define contact{
    contact_name rauser
    use user-contact
    alias Nagios User
    email nobody@company.nl
}
where user-contact is defined in templates.cfg and derived from generic-contact.
Arrange permissions to the Nagios content by adding the user rauser to the members of one or more of the contactgroups (also in contacts.cfg),
for example
define contactgroup{
    contactgroup_name printeradmins
    alias Nagios Printer Admins
    members nagiosadmin, rauser
}
printeradmins are used in printer.cfg like
# SEKPRT1 - Toshiba multifunctional BW printer TOSHIBA e-STUDIO182
define service{
    use generic-service ; Inherit values from a template
    host_name sekprt1 ; The name of the host the service is associated with
    service_description Printer Device Trays ; The service description
    check_command check_snmp_printer_sh!public!TRAY 1,2,5,7 ; The command used to monitor the service
    normal_check_interval 10 ; Check the service every 10 minutes under normal conditions
    retry_check_interval 1 ; Re-check the service every minute until its final/hard state is determined
    contact_groups printeradmins
    servicegroups printer-services
}
You Rock dude!!