7

How to allow a user in Nagios to view the status of some servers, but not disable/enable anything?

Joel Coel
  • 12,932
  • 14
  • 62
  • 100
Kazimieras Aliulis
  • 2,324
  • 2
  • 26
  • 46
  • Kindly refer below url to add new user for nagioswebinterface https://www.ibm.com/support/knowledgecenter/PurePower/p8ef9/p8ef9_ppim_nagios_userid.htm http://cyruslab.net/2012/10/19/nagios-it-appears-as-though-you-do-not-have-permission-to-view-information-for-any-of-the-hosts-you-requested/ – Chethan anchan Mar 31 '16 at 05:24

4 Answers4

5

In /usr/local/nagios/etc/cgi.cfg (or wherever it lives on your system) define the read-only users:

# A comma-delimited list of usernames that have read-only rights in
# the CGIs.  This will block any service or host commands normally shown
# on the extinfo CGI pages.  It will also block comments from being shown
# to read-only users.

authorized_for_read_only=viewer

Of course, viewer must be first defined as contact with an appropriate htpasswd authentication. In the service/host detail page, the right hand side where you usually have commands will say:

Your account does not have permissions to execute commands.

Marek
  • 66
  • 1
  • 2
2

If I understand your question correctly you would like to add users to nagios that can only see some of the servers and have no authority to do any of the administration tasks ( Start / Stop monitoring or alerting ).

To accomplish this you will need to add a user to the .htpasswd file for nagios and then create a contact in nagios with the contact_name matching the username set in .htpasswd and then add that contact only to the hosts which you want them to see. Remember that when you add things to the host configuration that are also defined in the template that it overrides the template instead of adding to it so you will need to also add back any contacts that host already has in the template.

Jason Janelle
  • 56
  • 2
1

For allowing a user view-only access only to some hosts in Nagios webview you have to implement following changes:

Note: Jump to 3. if you already have password protected authentication enabled:

  1. Edit the cgi.cfg located in your nagios installation (e.g. /usr/local/nagios/etc) to enable password protected login:

    use_authentication=1

  2. In the nagios.conf file in your Apache installation directory, verify that the following lines are included to point to the htpasswd.users file:

    AuthName "Nagios Access"
AuthType Basic
AuthUserFile /usr/local/nagios/etc/htpasswd.users
Require valid-user

  3. Add the user to the htpasswd.users file using the htpasswd command and the Apache HTTPD password manager. Location could vary depending on your system; a few common locations for it are /usr/bin and /usr/local/apache/bin:

    # htpasswd /usr/local/nagios/etc/htpasswd.users testuser01
New password:
Re-type new password:
Adding password for user testuser01

  4. Edit the cgi.cfg located in your nagios installation; uncomment authorized_for_read_only and add the username(s) for which you want to grant the access:

    authorized_for_read_only=testuser1

  5. Create an entry for the user in objects/contacts.cfg from your nagios installation:

    define contact {
    contact_name                    testuser01
    use                             generic-contact
    alias                           Test User 01
    email                           test.user01@email.com
}

  6. In the same objects/contacts.cfg define also a group that will hold the user and other future users that will need same access to same hosts - easier to manage when users are contain in groups:

    define contactgroup {
    contactgroup_name       view-only-host01
    alias                   View Only access to alarms for Host01
    members                 testuser01
}

  7. Take the contactgroup defined previously, view-only-host01, and in the .cfg of your host (e.g. objects/host01.cfg) add it to every service for which you want to grant the view only access:

    define service{
       service_description     Alarm for Test service - Metric 01
       check_command           webinject!test/test.xml
       servicegroups           availability
       contact_groups          admins,view-only-host01
}

  8. Restart nagios

Cristi Dascalu
  • 11
  • 1
  • welcome to the community. Thanks for providing an answer. This is a very old question and was flagged because of the age. I don't see anything wrong with it though. so carry on! – Scott Lundberg Sep 21 '17 at 02:34
0

In your cgi.cfg file, there are the following lines:

authorized_for_all_services=*

authorized_for_all_hosts=*

Normally these are configured as above, so all users can at least view all your hosts and services. So if you add your new user to your htpasswd file, they should get the desired behaviour by default.

  • 1
    Those lines are configured only for main admins. – Kazimieras Aliulis Feb 09 '10 at 09:08
  • 1
    I don't understand - Nagios has no concept of a "main admin", only the named administrators in the htpasswd file or whichever authentication scheme Apache is configured to use. The directives in cgi.cfg dictate exactly what these users can do. The above directives control who can view services and hosts, and by default that is every user. Perhaps you can say a little more about what you're after? –  Feb 09 '10 at 09:22