[hobbit] Acknowledging & Enable/Disable Permissions

Henrik Stoerner henrik at hswn.dk
Wed Jul 20 22:47:05 CEST 2005


On Wed, Jul 20, 2005 at 12:56:24PM -0400, Peter Murray wrote:
> In our quest for a more distributed environment, we have a need to allow
> a select group of users the ability to acknowledge alerts, but do NOT
> want to give those users the ability to enable/disable any of the
> services.  It appears that a given userID/password will allow both.  Is
> there any way we can restrict this to disallow the enable/disable
> ability for some but not all?

This is more of an Apache access-control question, since Hobbit doesn't
implement any access controls by itself. I'm no expert on this, but one
way it could be done was to simply move the acknowledge CGI to a
different directory, and then instead of the "Require valid-user"
directive in the apache setup you'd use a "Require group enableusers"
and "Require group acknowledgeusers".

To be more specific: Your hobbit home directory currently has:

henrik at osiris:/usr/lib/hobbit$ ls -CFR cgi*
cgi-bin:
bb-csvinfo.sh*   bb-eventlog.sh*  bb-histlog.sh*  bb-hostsvc.sh*  bb-rep.sh*       hobbitcolumn.sh*
bb-datepage.sh*  bb-findhost.sh*  bb-hist.sh*     bb-replog.sh*   bb-snapshot.sh*  hobbitgraph.sh*

cgi-secure:
bb-ack.sh*  hobbit-enadis.sh*


Create a new directory, let's say "cgi-ack", and move the bb-ack.sh 
script there, so you have

henrik at osiris:/usr/lib/hobbit$ ls -CFR cgi*
[...]
cgi-ack:
bb-ack.sh*

cgi-secure:
hobbit-enadis.sh*


The bb-ack.sh CGI is only referenced from the Hobbit menu, so just
edit ~hobbit/server/www/menu/menu_items.js and change the URL for
the bb-ack.sh script to the new directory.


In your Apache config, copy the section for the "cgi-secure" directory
and make an identical one for the "cgi-ack" directory. Then, change the
authorization section: By default, it's

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthType Basic
    AuthName "Hobbit Administration"
    Require valid-user

For the cgi-secure directory, make that

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit Administration"
    Require group disablers

and for the cgi-ack directory it will be

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit Administration"
    Require group ackers disablers

So you add an AuthGroupFile line, and change the "Require" from
"valid-user" to a specific group of users.

The only thing left then is to set up the /etc/hobbit/hobbitgroup
file. This is a text file - each group ("disablers" and "ackers") goes
on a line by itself, followed by a colon and then a list of the users
who belong to each group. A single user can be in multiple groups.

So e.g.

   disablers: pmurray
   ackers: jdoe

The "pmurray" user now can access both the cgi-secure and the cgi-ack 
directories, the "jdoe" user can access only the cgi-ack directory.


Regards,
Henrik
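
A way to check the resulting setup, as an added example that is not part of the original message: this Python sketch reads the group file, the password file and the two "Require group" lines shown above and works out who can reach each directory. The function names, the "guest" account and the placeholder hashes are constructed for illustration.

```python
# Constructed sample inputs mirroring the files in the message above.
HOBBITGROUP = """\
disablers: pmurray
ackers: jdoe
"""
# htpasswd-style lines (user:hash); hashes are placeholders, guest is constructed.
HOBBITPASSWD = """\
pmurray:PLACEHOLDER_HASH
jdoe:PLACEHOLDER_HASH
guest:PLACEHOLDER_HASH
"""
# "Require group" line per CGI directory, as given in the message.
REQUIRE = {
    "cgi-secure": "Require group disablers",
    "cgi-ack": "Require group ackers disablers",
}

def parse_groups(text):
    """Parse AuthGroupFile text ("group: user1 user2") into {group: set(users)}."""
    groups = {}
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, members = line.split(":", 1)
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def parse_users(text):
    """Return the user names found in htpasswd-style text."""
    return {l.split(":", 1)[0] for l in text.splitlines() if ":" in l}

def access_matrix(require, groups, users):
    """Map each directory to the users who can both authenticate and pass
    its Require group line (membership in any listed group is enough)."""
    matrix = {}
    for directory, directive in require.items():
        words = directive.split()
        if [w.lower() for w in words[:2]] != ["require", "group"]:
            raise ValueError(f"not a 'Require group' line: {directive!r}")
        allowed = set().union(*(groups.get(g, set()) for g in words[2:]))
        matrix[directory] = allowed & users  # must also be in the password file
    return matrix

def ack_only_users(matrix):
    """Users who can acknowledge alerts but cannot enable/disable tests."""
    return matrix["cgi-ack"] - matrix["cgi-secure"]

if __name__ == "__main__":
    m = access_matrix(REQUIRE, parse_groups(HOBBITGROUP), parse_users(HOBBITPASSWD))
    print(m, "ack-only:", sorted(ack_only_users(m)))
```

An account such as "guest", which passed the old "Require valid-user" check, ends up with access to neither directory until it is added to a group.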



