Nagios Patches
Alex Burger
Canada


Nagios advanced permissions:

On the Nagios-Users list back in November 2006 there was a discussion about adding advanced permissions to Nagios for hosts and services.  Users (including myself) were looking for a way to grant users the ability to view hosts, but not submit commands and to allow for more complex permissions.  I also wanted a way to limit which hosts a user would be notified for while still giving them access to view the status in the web interface.

At first I attempted to expand the Altinity patch (included in Nagios 3) by adding a 'can_submit_commands' and 'can_submit_commands_strict' option to contact groups but I found that this did not provide the functionality I was looking for.  I decided that it made more sense to model the permission system based on how file system permissions are handled.  With file system permissions, we would assign a group to a folder, and then pick what rights the group would have. It made sense to do the same thing with Nagios in the contact_groups/contact option for hosts and services.

I created a patch to implement this for both Nagios 2.x and 3.x and submitted it to the nagios-users and nagios-devel lists.  Although some users found it useful, most appear to be waiting for the new PHP Nagios front-end.  The new front-end has been delayed, so some may have a need for this patch.  I hope that the new interface includes granular permissions.

Below is an example of how to configure a host with advanced permissions after applying the patch:

define host{
          host_name               localhost
          contact_groups          netops:rwxn, helpdesk:r
          contact                 alex:rwxn               ; Nagios 3 only
}

For backwards compatibility, if no permissions are set, the defaults are rwxn (unless default_permissions is defined in cgi.cfg and nagios.cfg), so the following would be the same:

define host{
          host_name               localhost
          contact_groups          netops, helpdesk:r
          contact                 alex                    ; Nagios 3 only
}

The available permissions are:

Permission   Description
r            View in web interface
x            Submit commands for this host/service in web interface
w            Not really needed yet.  Maybe some of the other programs that allow you to modify the configuration files could use this permission to allow a user to modify the host / service.
n            Notify if contact has a pager or email defined

The addition of the new permissions allows for scenarios such as:
If permissions are not set on the contact_groups or contact line, then the defaults will be used.  If the new default_permissions option in cgi.cfg and nagios.cfg is not set, then it will default to full permissions (the same as not having the patch).

Here is a description of the option for cgi.cfg and nagios.cfg:

# DEFAULT HOST/SERVICE PERMISSIONS
# This option contains a list of default permissions for hosts and
# services that will be used when permissions are not explicitly
# set on a host or service.  When not defined, the default is all
# permissions (rwxn).  Note:  This option must be set the same in
# both cgi.cfg and nagios.cfg.

#default_permissions=rwxn

As you can see, the option needs to be in both config files.

With the 2.x patch, if you are not a contact for a service (you do not have the 'r' permission), then the service will not be displayed.  I preferred to have it this way so I could prevent some admins from seeing services that they are not responsible for such as the TRAP service used by SNMPTT.  The problem with this is that even though the user only sees the services he or she has permissions to, as long as the user has rx permissions to the host, the user can do an 'Enable notifications for all services on this host' which will do ALL services.  I was planning on fixing this but I have moved on to Nagios 3.

With the 3.x patch, if you are a contact with view (r) access to the host, then you will see all of the services.  I will probably fix this in the near future so that you only see services you have 'r' access to.  If you have 'x' access to the host then you will be able to submit commands for the host and all services.  If you only have x on a service, then you will only be able to submit commands for that service and the 'submit for all' options such as 'disable notifications for all services on this host' won't work as expected.

If you use any programs that parse the config files such as Nagiosgrapher, then they will have to be patched to support the permissions on the contact / contact_group lines.  It should be easy to fix most applications by just having it ignore the : and everything after it.
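
An added example (not part of the patch or of this page's original content): a small Python parser for the name:permissions syntax and the default_permissions fallback described above, used to list who holds the 'x' (submit commands) right on each host, plus the "ignore the : and everything after it" fix for other tools. The function names and the sample config are constructed; rejecting unknown letters or an empty suffix is an assumption, since the page does not say how the patch treats them.

```python
import re

VALID = frozenset("rwxn")      # permission letters listed on the page
BUILTIN_DEFAULT = "rwxn"       # used when default_permissions is not defined

def parse_acl(value, default_permissions=None):
    """Parse 'netops:rwxn, helpdesk:r' into {name: frozenset(permissions)}."""
    default = default_permissions or BUILTIN_DEFAULT
    acl = {}
    for entry in filter(None, (e.strip() for e in value.split(","))):
        name, sep, perms = (p.strip() for p in entry.partition(":"))
        if not sep:
            perms = default    # no suffix: fall back to the default
        # Assumption: unknown letters and an empty suffix are rejected.
        if not name or not perms or not set(perms) <= VALID:
            raise ValueError(f"bad entry: {entry!r}")
        acl[name] = frozenset(perms)
    return acl

def strip_permissions(value):
    """For tools unaware of the suffix: drop ':' and everything after it."""
    names = (e.partition(":")[0].strip() for e in value.split(","))
    return ", ".join(n for n in names if n)

def parse_hosts(text, default_permissions=None):
    """Return {host_name: {'contact_groups': acl, 'contact': acl}}."""
    hosts = {}
    for body in re.findall(r"define\s+host\s*\{(.*?)\}", text, re.S):
        d = {}
        for line in body.splitlines():
            parts = line.split(";", 1)[0].split(None, 1)  # ';' starts a comment
            if len(parts) == 2:
                d[parts[0]] = parts[1].strip()
        hosts[d["host_name"]] = {k: parse_acl(d.get(k, ""), default_permissions)
                                 for k in ("contact_groups", "contact")}
    return hosts

def command_submitters(hosts):
    """Names (groups and contacts) holding 'x' on each host, sorted."""
    return {h: sorted(n for acl in acls.values() for n, p in acl.items() if "x" in p)
            for h, acls in hosts.items()}

# Constructed sample config using the page's syntax.
SAMPLE = """
define host{
    host_name       localhost
    contact_groups  netops:rwxn, helpdesk:r
    contact         alex            ; no suffix, so the default applies
}
define host{
    host_name       trapserver
    contact_groups  netops, helpdesk:rn
}
"""
```

Running command_submitters(parse_hosts(SAMPLE)) with and without default_permissions="r" shows how much command access rests on the implicit rwxn default rather than on an explicit grant.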

Patches are available below.  I used the 2.8 version for over two years in production and have recently started to use the 3.0.6 patch in production.  Please test before deploying to your production environment.

Nagios version       Patch
2.5                  patch-nagios-2.5-permissions
2.8 / 2.9            patch-nagios-2.8-permissions
3.0 CVS (11/16/06)   patch-nagios-3.0-cvs-11-16-06-permissions
3.0.6                patch-nagios-3.0.6-permission (posted 05/20/09)

Please email me with any suggestions or comments.

This page was last updated on May 20th, 2009

