Thursday, July 23, 2009

Nagios Read Only User


By default your Nagios user will have full access to the web interface. This means he/she can do just about anything, such as stopping checks.

Here's a quick guide on how to enable read-only user access for your Nagios web interface.

This document assumes:
1. Nagios 3 (may work for 2; please try it and post a comment if it works)
2. Apache2
3. Debian 3 (or higher)
4. Authentication on Nagios is enabled
 
You need to find out where Apache stores your htdigest or htpasswd file. Look in your Apache sites-enabled config file: in the section for the Nagios website, you should see the path to the htpasswd or htdigest file.
 
Edit that file and add your new users there. You can generate new user/realm/password entries with CLI tools such as htpasswd or htdigest, or use a page similar to http://www.htaccesstools.com/htpasswd-generator/ to generate the read-only user. For this guide, we will use the username rouser and password rouser.
 
E.g. generating an htpasswd file for the Nagios user rouser:
# htpasswd -c /tmp/rouser.txt rouser
 
This creates the file /tmp/rouser.txt, which has content like this:

rouser:ug/fib3zqISok
 
Paste that exact line into the htpasswd (or htdigest) file that you found via the Apache sites-enabled config.

Now you can already test access with that user on your Nagios web screen. You will notice that it has no access to anything except the static images/HTML there.

To give rouser the right to see things, edit your Nagios CGI configuration file, normally found at /usr/local/nagios/etc/cgi.cfg. Look for the directives:

authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin

Then append rouser, the user you just created, after a comma, as below:

authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser

Now you need to restart the Nagios daemon. Then sign in again (close your browser first) with user rouser and password rouser. You can now see everything but cannot access the CGI commands, which makes the account read-only.

Now, if you want to restrict access to certain hosts only, you need to match the user you create with the contact definition files. For instance, user rouser can be rouser-switches, and he/she then sees read-only access for switches.
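
A quick way to verify the result, as an added example that is not part of the original post: the script checks that a web user is absent from the cgi.cfg command directives and is not itself a Nagios contact (contacts can issue commands for their own hosts and services, as the comments below point out). The function names and sample files are constructed for illustration; authorized_for_system_commands, authorized_for_all_service_commands and authorized_for_all_host_commands are standard cgi.cfg directives that the post does not show.

```shell
#!/bin/sh

# Print every command-granting cgi.cfg directive that lists USER (or "*").
command_grants() {  # $1=user  $2=path to cgi.cfg
    awk -F= -v u="$1" '
        /^[ \t]*#/ { next }
        /^[ \t]*authorized_for_(system_commands|all_service_commands|all_host_commands)[ \t]*=/ {
            key = $1; gsub(/[ \t]/, "", key)
            n = split($2, names, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t\r]/, "", names[i])
                if (names[i] == u || names[i] == "*") { print key; break }
            }
        }' "$2"
}

# Succeed if USER is a contact_name in the object config: contacts may issue
# commands for their own hosts/services even when absent from cgi.cfg.
is_contact() {  # $1=user  $2=path to object config
    awk -v u="$1" '
        /^[ \t]*define[ \t]+contact[ \t]*[{]/ { in_c = 1; next }
        /[}]/ { in_c = 0 }
        in_c && $1 == "contact_name" && $2 == u { found = 1 }
        END { exit !found }' "$2"
}

# Constructed sample files (not from a real installation).
write_samples() {  # $1=directory
    cat > "$1/cgi.cfg" <<'EOF'
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
authorized_for_system_commands=nagiosadmin
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin
EOF
    cat > "$1/contacts.cfg" <<'EOF'
define contact{
    contact_name    rauser
    use             user-contact
}
EOF
}

dir=$(mktemp -d) && write_samples "$dir"
for u in rouser rauser; do
    echo "$u: commands=[$(command_grants "$u" "$dir/cgi.cfg" | tr '\n' ' ')]" \
         "contact=$(is_contact "$u" "$dir/contacts.cfg" && echo yes || echo no)"
done
rm -rf "$dir"
```

An empty commands list together with contact=no is the read-only state; point the two functions at your real cgi.cfg and object files to run the same check on a live installation.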

Try it out and let us know the outcome.

11 comments:

Anonymous said...

Thank you, I am using Ubuntu Svr 9.04, Nagios 3, Apache2 and it has worked for me

-Robert

Anonymous said...

This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_groups; in this case rouser can enable/disable notifications for the specific hosts/services, reschedule the check, etc.
Yes it does work for all hosts/services by editing ...

authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser

Anonymous said...

"This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_group"

Yup, it doesn't, and yes, you can specify which contact groups view what in readonly or whatnot.

This value is global

Admin said...

Thanks for the tip... and yes, it's a global value and yes, you can further define who gets to see exactly what when they are a contact of a particular object.

Anonymous said...

It also works on 2.9. But how do you define a contact for rouser? Thanks!

Anonymous said...

Off subject, but can we make rouser log in automatically, so that the authentication window doesn't display? Thanks!

Anonymous said...

thank you.
Worked fine for me - even with Icinga.

Using CentOS, Apache 2.2, and Icinga

www.christianhuck.de

Lukas (known as Pavouk106) said...

Thanks, worked for me very nicely. Gentoo 2.6.32-r7, Apache 2.2.15 and Nagios 3.2.0

Carl said...

To add the password (without using some web service), use the following command to add the user to an existing htpasswd.users file:

htpasswd /usr/local/nagios/etc/htpasswd.users rauser

Carl said...

Add user rauser to the contacts.cfg

define contact{
    contact_name    rauser
    use             user-contact
    alias           Nagios User
    email           nobody@company.nl
}

where user-contact is defined in templates.cfg and derived from generic-contact

Arrange permissions to the Nagios content by adding the user rauser to the members of one or more contactgroups (also in contacts.cfg)

for example

define contactgroup{
    contactgroup_name    printeradmins
    alias                Nagios Printer Admins
    members              nagiosadmin, rauser
}

printeradmins are used in printer.cfg like

# SEKPRT1 - Toshiba multifunctional BW printer TOSHIBA e-STUDIO182
define service{
    use                     generic-service ; Inherit values from a template
    host_name               sekprt1 ; The name of the host the service is associated with
    service_description     Printer Device Trays ; The service description
    check_command           check_snmp_printer_sh!public!TRAY 1,2,5,7 ; The command used to monitor the service
    normal_check_interval   10 ; Check the service every 10 minutes under normal conditions
    retry_check_interval    1 ; Re-check the service every minute until its final/hard state is determined
    contact_groups          printeradmins
    servicegroups           printer-services
}

DirtyJackal said...

You Rock dude!!