Thursday, May 23rd 2013, 9:33pm UTC+2

k20

Trainee

Posts: 51

Location: USA

Number of monitoring servers: 2

Nagios Version: 1.4.1 (retired)

Icinga Version: 1.8.3

Distributed monitoring: Yes

Redundant monitoring: Yes

Number of hosts: 300

Number of services: 1000

OS: RHEL 6

Plugin Version: 1.4.15

IDO-Version: 1.8

1

Wednesday, August 1st 2012, 11:03pm

User permissions issue

I know there were lots of questions posted about this issue before. However, none of the suggestions/solutions really worked for me. I have 3 users defined under /usr/local/icinga/etc/.digest_pw. All of them have been configured in /usr/local/icinga/etc/cgi.cfg.

Also /etc/httpd/conf.d/icinga.conf was configured as follows:

ScriptAlias /icinga/cgi-bin "/usr/local/icinga/sbin"
<Directory "/usr/local/icinga/sbin">
SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
AuthType Digest
AuthName "Icinga Access"
AuthUserFile /usr/local/icinga/etc/.digest_pw
Require valid-user
</Directory>

Alias /icinga "/usr/local/icinga/share/"
<Directory "/usr/local/icinga/share/">
SSLRequireSSL
Options None
AllowOverride None
Order allow,deny
Allow from all
AuthType Digest
AuthName "Icinga Access"
AuthUserFile /usr/local/icinga/etc/.digest_pw
Require valid-user
</Directory>

All 3 users could log in to Icinga classic web with their permissions working correctly. This worked well with version 1.6.1. After I upgraded it to 1.7.1, the problem appears: one of the users now sees the following error messages:

It appears as though you do not have permission to view information for any of the services you requested...

If you believe this is an error, check the
HTTP server authentication requirements for accessing this CGI and
check the authorization options in your CGI configuration file.

I triple checked the cgi.cfg, digest_pw and icinga.conf. I also restarted my Apache and Icinga multiple times. It still won't work. I even tried deleting that user and then recreating it, still without luck. So I thought I would add a brand new user to see what happens. The new user still did not work.

I'm really stuck now. Not sure what I am missing here and I really really need some assistance please. Any suggestions would be greatly appreciated.

dnsmichi

Super Moderator

Posts: 5,989

Birthday: May 30th 1983 (29)

Gender: male

Location: Nürnberg

Occupation: Consultant / Developer at the best employer in the world @netways

Number of monitoring servers: Icinga: 4x dev, 10++ prod, Icinga2: 2x dev

Nagios Version: s/nagios/icinga/

Icinga Version: 1.9.1 / GIT

Distributed monitoring: Yes

Redundant monitoring: Yes

Number of hosts: 1000+

Number of services: 15000+

OS: RHEL, Debian, SUSE

Plugin Version: 1.4.16

IDO-Version: 1.9.1 / GIT MySQL/Postgresql/Oracle

Other Addons: Icinga Web, PNP, check_multi, inGraph, EventDB, LConf

2

Thursday, August 2nd 2012, 1:55pm

post the affected host/service object configuration and the contacts associated to that (from objects.cache). as well as # egrep -v "^#|^$" cgi.cfg
+++ Icinga / LConf Developer +++ Senior Consultant at []NETWAYS> +++
+++ Icinga 1.9 || Icinga 2 +++ Icinga Support || IRC +++

k20

3

Thursday, August 2nd 2012, 8:07pm

Here you go.

Thanks.
k20 has attached the following images:
  • Screenshot-1.png
  • Screenshot-2.png
  • Screenshot-3.png
k20 has attached the following files:
  • cgi.cfg.txt (1.7 kB - 58 times downloaded - Last download: Today, 12:50pm)
  • objects.cache.txt (7.57 kB - 30 times downloaded - Last download: Today, 1:01pm)

This post has been edited 1 times, last edit by "k20" (Aug 2nd 2012, 8:19pm)


dnsmichi

4

Friday, August 3rd 2012, 1:17pm

1.

icingaadmin is the only contact associated to your hosts and services, so given the default cgi auth, only the logged in user "icingaadmin" will have proper permission to view.

unless you override those settings with authorized_for_all_* config options.

2.

Source code

authorized_for_all_services=icingaadmin
authorized_for_all_hosts=icingaadmin
authorized_for_all_services=kbtran
authorized_for_all_hosts=kbtran
authorized_for_all_hosts=readonly
authorized_for_all_services=readonly


does not work. these settings require a comma separated list instead of repeating them. given the config parser, the last option is the one used, so in your case only the readonly user will see everything (give it a try before changing the config).
+++ Icinga / LConf Developer +++ Senior Consultant at []NETWAYS> +++
+++ Icinga 1.9 || Icinga 2 +++ Icinga Support || IRC +++
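
Added example, not part of the original thread or of Icinga's own code: a small audit that flags authorized_* directives set more than once in a cgi.cfg and shows which users are silently dropped. It assumes the last-assignment-wins behaviour described in the reply above; the function name audit_cgi_cfg and the sample config are constructed for illustration.

```python
import re

# Constructed sample, modelled on the snippet quoted in the reply above.
SAMPLE_CGI_CFG = """\
# constructed sample cgi.cfg fragment
use_authentication=1
authorized_for_all_services=icingaadmin
authorized_for_all_hosts=icingaadmin
authorized_for_all_services=kbtran
authorized_for_all_hosts=kbtran
authorized_for_all_hosts=readonly
authorized_for_all_services=readonly
authorized_for_system_information=icingaadmin, kbtran
"""

DIRECTIVE = re.compile(r"^\s*(authorized_\w+)\s*=\s*(.*?)\s*$")

def split_users(value):
    """Split a comma separated user list, ignoring blanks and padding."""
    return [u.strip() for u in value.split(",") if u.strip()]

def audit_cgi_cfg(text):
    """Return {directive: report} for every authorized_* key set more than once."""
    seen = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # skip comment lines
        m = DIRECTIVE.match(line)
        if m:
            seen.setdefault(m.group(1), []).append((lineno, split_users(m.group(2))))
    findings = {}
    for key, entries in seen.items():
        if len(entries) < 2:
            continue
        effective = entries[-1][1]  # assumption: last assignment wins
        merged = []
        for _, users in entries:
            merged += [u for u in users if u not in merged]
        findings[key] = {
            "lines": [n for n, _ in entries],
            "effective": effective,
            "dropped": [u for u in merged if u not in effective],
            "suggested": f"{key}={','.join(merged)}",
        }
    return findings

if __name__ == "__main__":
    for key, f in audit_cgi_cfg(SAMPLE_CGI_CFG).items():
        print(f"{key}: lines {f['lines']} -> only {f['effective']} applies; "
              f"dropped {f['dropped']}; use: {f['suggested']}")
```

Review the suggested merged line before applying it: merging restores every user that any repeated line named, which may be broader than the access actually intended.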

k20

5

Friday, August 3rd 2012, 9:54pm

That's it. It worked as expected now after I put in the commas instead of repeating the commands. I guess the only question I have is why didn't I see this issue in the earlier versions of Icinga, in particular, 1.6.1?

dnsmichi

6

Saturday, August 4th 2012, 2:14am

an unfixed bug, which was fixed in 1.7.x ?