[hobbit] Acknowledging & Enable/Disable Permissions
Henrik Stoerner
henrik at hswn.dk
Wed Jul 20 22:47:05 CEST 2005
On Wed, Jul 20, 2005 at 12:56:24PM -0400, Peter Murray wrote:
> In our quest for a more distributed environment, we have a need to allow
> a select group of users the ability to acknowledge alerts, but do NOT
> want to give those users the ability to enable/disable any of the
> services. It appears that a given userID/password will allow both. Is
> there any way we can restrict this to disallow the enable/disable
> ability for some but not all?
This is more of an Apache access-control question, since Hobbit doesn't
implement any access controls by itself. I'm no expert on this, but one
way it could be done was to simply move the acknowledge CGI to a
different directory, and then instead of the "Require valid-user"
directive in the apache setup you'd use a "Require group enableusers"
and "Require group acknowledgeusers".

To be more specific: Your Hobbit home directory currently has:

    henrik@osiris:/usr/lib/hobbit$ ls -CFR cgi*
    cgi-bin:
    bb-csvinfo.sh* bb-eventlog.sh* bb-histlog.sh* bb-hostsvc.sh*
    bb-rep.sh* hobbitcolumn.sh*
    bb-datepage.sh* bb-findhost.sh* bb-hist.sh* bb-replog.sh*
    bb-snapshot.sh* hobbitgraph.sh*

    cgi-secure:
    bb-ack.sh* hobbit-enadis.sh*

Create a new directory, let's say "cgi-ack", and move the bb-ack.sh
script there, so you have

    henrik@osiris:/usr/lib/hobbit$ ls -CFR cgi*
    [...]
    cgi-ack:
    bb-ack.sh*

    cgi-secure:
    hobbit-enadis.sh*

The bb-ack.sh CGI is only referenced from the Hobbit menu, so just
edit ~hobbit/server/www/menu/menu_items.js and change the URL for
the bb-ack.sh script to the new directory.

In your Apache config, copy the section for the "cgi-secure" directory
and make an identical one for the "cgi-ack" directory. Then, change the
authorization section: By default, it's

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthType Basic
    AuthName "Hobbit Administration"
    Require valid-user

For the cgi-secure directory, make that

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit Administration"
    Require group disablers

and for the cgi-ack directory it will be

    AuthUserFile /etc/hobbit/hobbitpasswd
    AuthGroupFile /etc/hobbit/hobbitgroup
    AuthType Basic
    AuthName "Hobbit Administration"
    Require group ackers disablers

So you add an AuthGroupFile line, and change the "Require" from
"valid-user" to a specific group of users.

The only thing left then is to set up the /etc/hobbit/hobbitgroup
file. This is a text file - each group ("disablers" and "ackers") goes
on a line by itself, followed by a colon and then a list of the users
who belong to each group. A single user can be in multiple groups.
So e.g.

    disablers: pmurray
    ackers: jdoe

The "pmurray" user now can access both the cgi-secure and the cgi-ack
directories, the "jdoe" user can access only the cgi-ack directory.
Regards,
Henrik
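
Added example (not part of the original message, and not Hobbit or Apache code): a small Python check that reads a group file in the format described above plus the Require line configured for each directory, and reports which users can reach which CGI directory. The function names and the inline sample data are constructed for illustration; the password-file user list is an assumption supplied by the caller.

```python
# Added example: who can reach which CGI directory, given an Apache
# AuthGroupFile and per-directory Require lines. Sample data is constructed
# from the values in the message; function names are hypothetical.
GROUP_FILE = """\
disablers: pmurray
ackers: jdoe
"""
REQUIRES = {
    "cgi-secure": "Require group disablers",
    "cgi-ack": "Require group ackers disablers",
}


def parse_groups(text):
    """Parse 'group: user1 user2' lines into {group: set(users)}."""
    groups = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if not sep:
            raise ValueError(f"malformed group line: {raw!r}")
        # The same group may appear on several lines; merge the members.
        groups.setdefault(name.strip(), set()).update(members.split())
    return groups


def allowed_users(require_line, groups, password_users):
    """Users admitted by one Require line (must also be in the password file)."""
    words = require_line.split()
    if len(words) < 2 or words[0].lower() != "require":
        raise ValueError(f"not a Require line: {require_line!r}")
    kind, args = words[1].lower(), words[2:]
    if kind == "valid-user":
        return set(password_users)
    if kind == "user":
        return set(args) & set(password_users)
    if kind == "group":
        # Any one of the listed groups is enough; unknown groups admit nobody.
        members = set().union(*(groups.get(g, set()) for g in args))
        return members & set(password_users)
    raise ValueError(f"unsupported Require type: {kind}")


def access_matrix(group_text, requires, password_users):
    groups = parse_groups(group_text)
    return {d: allowed_users(r, groups, password_users) for d, r in requires.items()}
```

Running access_matrix over the real group file and the usernames in the password file after each change shows at a glance whether anyone outside "disablers" has ended up with access to cgi-secure.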