One of our customers wanted Nagios to allow an authenticated user to see a subset of the services available, but not to run commands for those services (like rescheduling the next check, adding comments, disabling active checks, etc.). In Opsview we call that a "view some, change none" role.
It seems you can fake it with a combination of Apache's access controls and .htpasswd, allowing only certain groups to access sbin/cmd.cgi. However, the interface is lousy: Apache just re-prompts you for a username and password when you are already logged in!
Besides, the security model would be broken. It should be:
- authentication - web server
- access control - Nagios
So we've made a change that puts the access control into Nagios: issue_commands.patch.
It implements a new attribute for contacts called issue_commands. This defaults to 1 (TRUE) for backwards compatibility, but if you set it to 0 and that user then tries to submit a command, they get the usual "Sorry, but you are not authorized to commit the specified command" page, which is much friendlier.
The patch also updates the HTML documentation. It applies cleanly to Nagios 2.0. We'll let Ethan know and see if he wants to apply it to Nagios 2.1 or Nagios 3.0.
By the way, the new var/objects.cache is fantastic for debugging! I made a mistake in the patch when using a contact template, but I could tell just by restarting Nagios and checking objects.cache. Without it, it would have taken me ages to work out why the CGI wasn't working as expected. Good job, Ethan!
Update: Ethan has applied this to the 3.0 branch and has renamed the attribute to can_submit_commands, which sounds better. The patch has been updated to reflect this. He also spotted a limitation in my version where the CGI could coredump if the contact authorised by the web server was not recognised by Nagios. This is fixed in the patch.
Update: If you use NDOUtils with Nagios, make sure you update the included header files.
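To make the access check concrete, here is an added example (not the patch itself, and not Nagios code) of the decision the CGI has to make: take the user the web server authenticated, look it up as a Nagios contact, and deny unless the contact exists and has can_submit_commands set. The contact struct, the constructed contact list and the function names are assumptions for illustration; the unknown-contact case is denied rather than dereferenced, which is the coredump the second update describes.

```c
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a Nagios contact object: only the fields this
 * example needs (real Nagios contacts carry many more). */
typedef struct {
    const char *contact_name;
    int can_submit_commands;   /* the attribute the patch adds; defaults to 1 */
} contact;

/* Constructed sample object list, as if loaded from objects.cache.
 * "viewer" is a "view some, change none" contact. */
static contact contacts[] = {
    { "nagiosadmin", 1 },
    { "viewer",      0 },
};
#define NUM_CONTACTS (sizeof(contacts) / sizeof(contacts[0]))

/* Look a contact up by name; NULL when the name is unset or unknown. */
static const contact *find_contact(const char *name) {
    if (name == NULL) return NULL;
    for (size_t i = 0; i < NUM_CONTACTS; i++)
        if (strcmp(contacts[i].contact_name, name) == 0)
            return &contacts[i];
    return NULL;
}

/* Decide whether the web-server-authenticated user (REMOTE_USER) may
 * submit a command to cmd.cgi. A missing or unrecognised contact is
 * denied instead of dereferenced. Returns 1 = allowed, 0 = denied. */
int user_can_submit_commands(const char *remote_user) {
    const contact *c = find_contact(remote_user);
    if (c == NULL) return 0;
    return c->can_submit_commands ? 1 : 0;
}

int main(void) {
    const char *users[] = { "nagiosadmin", "viewer", "nobody", NULL };
    for (size_t i = 0; i < sizeof(users) / sizeof(users[0]); i++) {
        const char *u = users[i];
        printf("%-12s -> %s\n", u ? u : "(unset)",
               user_can_submit_commands(u)
                   ? "may submit commands"
                   : "Sorry, but you are not authorized to commit the specified command");
    }
    return 0;
}
```

This is the check that belongs in cmd.cgi's authorisation path regardless of what status.cgi chooses to display, since hiding a link does not stop a POST to cmd.cgi.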
Wouldn't it be better to make a patch for "can_submit_command" to status.c and not to cgi_auth.c? I think from the user's point of view it would be better not to see the actions that he cannot perform...
Posted by: Christian Masopust | May 23, 2006 at 07:13 AM
Christian,
I agree about a better UI (I hate UIs which show options that are not possible for the current user - another reason I hate SAP!).
However, there are two reasons for making the patch at cgi_auth.c:
1. Security - even if you make the option unavailable in status.cgi, you still need to stop a user calling cmd.cgi with the required POST parameters to do the action, so there needs to be access logic there
2. With a future Nagios, the CGIs are going to be rewritten in Perl/PHP, so we can leave this for their feature list :)
Having said that, if you make the patches in status.c, I'm sure Ethan will consider adding it into Nagios 3. We'll be happy to publish or link to it too.
Ton
Posted by: tonvoon | May 23, 2006 at 01:18 PM
I don't suppose there is an RPM with the issue_commands.patch in it? Our Linux admins won't apply a source code patch, only RPMs.
- margie b.
Posted by: Margie B. | November 6, 2006 at 08:11 PM
Sorry, creating an RPM is outside of scope for us. Others may create one - maybe try the nagios-users mailing list.
This may require a change in local policy, but your Linux admins could obtain a SRPM and amend the spec file to add the patch in before creating the RPM.
Otherwise, this patch will be in Nagios 3, so will be available then.
Posted by: tonvoon | November 7, 2006 at 09:01 AM
How do you apply the patch? The resolution is exactly what I am looking for for our Nagios environment. I am new to Linux and not sure how to get this to work. We are running Nagios 2.9. Thanks for your help.
Posted by: Nick M | August 3, 2007 at 06:13 AM
Nick,
When you expand the Nagios tarball, you get something like nagios-2.9/. Change into that directory and run:
patch -p1 < ../issue_commands.patch
This should then patch all the files. Then you can run ./configure and make as usual.
You can see our svn head repository at http://source.altinity.org/source to see how we create our patched version of Nagios in our Makefile.
Alternatively, Nagios 3 has the feature and you could try using that.
Enjoy!
Ton
Posted by: tonvoon | August 3, 2007 at 09:14 AM