This article was written for op5 Monitor version 7.1.8. It could work on both lower and higher versions if nothing else is stated.
Articles in the Community-Space are not supported by op5 Support.
In op5 Monitor the permissions of which hosts and services may be seen by which user is configured at the hosts and services objects, not on the host group objects. As a result of that, the visibility of a host group in the list of host groups depends on whether a user is allowed to see the host group's members or not.
The methods explained in this article applies to op5 Monitor version 6.1 and later. In all versions between 6.0 and 6.1 the group visualization worked in a completely different way, and had to be configured in Ninja's configuration directory in order to work the expected way. More about this in the nd of this article.
Strict Group Authorization
By default, a logged in user (also called an "authenticated contact") that has limited view permissions (that means, the user only sees hosts and services which the user is a contact for), will only get to see a certain host group, in case the group solely consists of hosts which the user already has access to view.
We have four authenticated contacts, four host objects and two host groups.
- Contact 1 has view permissions for Host 1 and Host 2. These are all hosts contained by Host Group Customer 1, therefore Contact 1 will see Host Group Customer 1 in the host groups list.
- Contact 2 has view permissions for Host 3 and Host 4. These are all hosts contained by Host Group Customer 2, therefore Contact 2 will see Host Group Customer 2 in the host groups list.
- Contact 3 has view permissions for only one host: Host 1. Contact 3 will not see any host groups in the host groups list, as there is no host group he has permission to view all content.
- Contact 4 has view permissions for Host 2 and Host 3. He will not see any host groups either.
This behavior is called strict group authorization, which MK Livestatus and op5 Monitor defaults to. This can be re-configured and changed to loose group authorization, as described below.
Loose Group Authorization
Loose group authorization means that an authenticated contact will gain access to view a host group, given that the user has permission to see at least one of the host group's host members.
For the example above this means that Contact 3 would see Host Group Customer 1 in the host groups list, and Contact 4 would see Host Group Customer 1 and Host Group Customer 2. The users will see the host group objects but in a way that it appears that these would only contain the host objects that the specific user is allowed to see. This way, Contact 3 would see Host Group Customer 2 with one host as member (Host 3), but Contact 4 would see the same host group with two members: Host 3 and Host 4.
This changed behavior might be interesting in order to give end customers a better categorization of their hosts, but it might also be dangerous, as this way the user could potentially see host groups that explain what else is monitored by the same monitoring system. Deciding which method to use is up to the administrator of the monitoring system.
Changing to loose group authorization is achieved by modifying livestatus' settings (that are found in /opt/monitor/etc/mconf/livestatus.cfg). In this file you will find a line such as:
broker_module=/usr/lib64/naemon-livestatus/livestatus.so hidden_custom_var_prefix=OP5SECRET_ pnp_path=/opt/monitor/op5/pnp/perfdata /opt/monitor/var/rw/live
An argument, called group_authorization, should be appended to this line and its value should be set to loose, like this:
broker_module=/usr/lib64/naemon-livestatus/livestatus.so hidden_custom_var_prefix=OP5SECRET_ pnp_path=/opt/monitor/op5/pnp/perfdata /opt/monitor/var/rw/live group_authorization=loose
Prior to op5 Monitor 7.0.5, this broker_module line (among others) could be found in /opt/monitor/etc/nagios.cfg.
op5 Monitor versions prior to 6.1:
In all Monitor versions from 6.0 and prior to 6.1, a different group authorization model was used. This was configured in Ninja's configuration files and behaved even more open than the "loose" model by default: any authenticated contact was allowed to see ALL host groups, regardless of what host objects the user had permissions to see.
The way to switch this behavior is the following:
Copy the original groups configuration file into the custom directory:
cp /opt/monitor/op5/ninja/application/config/groups.php /opt/monitor/op5/ninja/application/config/custom/
<?php defined('SYSPATH') OR die('No direct access allowed.'); # control if you need to be authorized for # all hosts to see a hostgroup or not # Default is false $config['see_partial_hostgroups'] = true; # control if you need to be authorized for # all services to see a servicegroup or not # Default is false $config['see_partial_servicegroups'] = true;
You will probably also need this patch in order for Ninja to respect this setting. There is a bug report #6751 explaining a bit more details. This is the patch to activate this functionality:
Just apply the patch using the following command(s):
cd /opt/monitor/op5/ninja/ patch -p 1 < ~/0001-Livestatus-We-do-have-auth-support-for-groups-use-it.patch