Nagios Read Only User


By default, your Nagios user has full access to the web interface. This means he/she can do just about anything, such as stopping checks.
Here's a quick guide on how to enable read-only user access for your Nagios web interface.
This document assumes:
1. Nagios 3 (may work for 2; please try it and, if it works, please post a comment)
2. Apache2
3. Debian 3 (or higher)
4. Authentication on Nagios is enabled
 
You need to find out where Apache stores your htdigest or htpasswd file. Look in your Apache sites-enabled config file: in the section for the Nagios website, you should see the path to the htpasswd or htdigest file.
 
Edit that file and add your new users there. You can generate new users as user/realm/password entries with CLI tools such as htpasswd or htdigest, or use a page similar to http://www.htaccesstools.com/htpasswd-generator/ to generate the read-only user. For this guide, we will use the username rouser and password rouser.
 
E.g. generating an htpasswd file for the Nagios user rouser:
# htpasswd -c /tmp/rouser.txt rouser
 
This creates the file /tmp/rouser.txt, with content like this:
rouser:ug/fib3zqISok
 
Paste that exact line into the htpasswd (or htdigest) file that you found referenced in the Apache sites-enabled config.

Now you can already test access with that user on your Nagios web screen. You will notice it has no access to anything except the static images/HTML.
To give rouser rights to see things, edit your Nagios CGI configuration file, normally found at /usr/local/nagios/etc/cgi.cfg. Look for the directives
authorized_for_all_services=nagiosadmin
authorized_for_all_hosts=nagiosadmin
Next to each, add the rouser you just created, separated by a comma, like below:
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
Now restart the Nagios daemon. Then sign in again (close your browser first) with user rouser and password rouser. You can now see everything but cannot access the CGI commands, which makes the account read-only.
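To confirm the edit above left rouser with view rights only, the following added example (not part of the original guide or of Nagios itself) parses cgi.cfg and reports any command or system-level grant for a given user. The helper names and the sample config are constructed for illustration; the extra `authorized_for_*` directives are standard cgi.cfg settings that the guide does not mention.

```python
import re

# View-only grants: the two directives this guide edits.
VIEW = ("authorized_for_all_services", "authorized_for_all_hosts")
# Other standard cgi.cfg directives (not named in the guide) that grant
# commands or system/config access; a read-only user belongs in none.
PRIVILEGED = (
    "authorized_for_all_service_commands",
    "authorized_for_all_host_commands",
    "authorized_for_system_commands",
    "authorized_for_system_information",
    "authorized_for_configuration_information",
)

def parse_cgi_cfg(text):
    """Return {directive: set of users} for each authorized_for_* line."""
    acl = {}
    for line in text.splitlines():
        m = re.match(r"\s*(authorized_for_\w+)\s*=\s*(.*)$", line)
        if m:  # comment lines start with '#' and never match
            acl[m.group(1)] = {u.strip() for u in m.group(2).split(",") if u.strip()}
    return acl

def audit_read_only(text, user):
    """Return findings that contradict `user` being a view-only account."""
    acl, findings = parse_cgi_cfg(text), []
    for name in VIEW:
        if not {user, "*"} & acl.get(name, set()):
            findings.append(f"{name}: {user} not listed, cannot view")
    for name in PRIVILEGED:
        hit = {user, "*"} & acl.get(name, set())  # '*' = any authenticated user
        if hit:
            findings.append(f"{name}: granted via {sorted(hit)[0]}")
    return findings

# Constructed sample, not a real site's cgi.cfg.
SAMPLE = """\
authorized_for_all_services=nagiosadmin,rouser
authorized_for_all_hosts=nagiosadmin,rouser
authorized_for_all_service_commands=nagiosadmin
authorized_for_all_host_commands=nagiosadmin,rouser
authorized_for_system_commands=nagiosadmin
"""

if __name__ == "__main__":
    for finding in audit_read_only(SAMPLE, "rouser"):
        print(finding)
```

This covers only the global grants in cgi.cfg. It does not look at contact definitions, so it will not catch the case raised in the first comment below, where a user who is a contact for a host or service can still issue commands for it.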
If you want to restrict access to certain hosts only, match the user you create with the contact definition files. For instance, user rouser could be rouser-switches, and he/she would then see the switches read-only.
Try it out and let us know the outcome.

11 Comments

  1. This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_groups; in this case rouser can enable/disable notification for the specific hosts/services, reschedule the check etc.
    Yes it does work for all hosts/services by editing …

    authorized_for_all_services=nagiosadmin,rouser
    authorized_for_all_hosts=nagiosadmin,rouser

  2. "This doesn't work for specific hosts/services for which the 'rouser' is a member of contact_group"

    Yup, it doesn't, and yes, you can specify which contact groups view what in readonly or whatnot.

    This value is global

  3. Thanks for the tip…and yes, it's a global value and yes, you can further define who gets to see exactly what when they are a contact of a particular object.

  4. off subject, but can we make rouser login automatically? so that the authentication window doesn't display? Thanks!

  5. Thanks, worked for me very nicely. Gentoo 2.6.32-r7, Apache 2.2.15 and Nagios 3.2.0

  6. Adding the password (without using some webservice): use the following command to add the user to an existing htpasswd.users file

    htpasswd /usr/local/nagios/etc/htpasswd.users rauser

  7. Add user rauser to the contacts.cfg

    define contact{
    contact_name rauser
    use user-contact
    alias Nagios User
    email [email protected]
    }

    where user-contact is defined in templates.cfg and derived from generic-contact

    arrange permissions to the Nagios content by adding the user rauser to the members (one or more) of the contactgroups (also in contacts.cfg)

    for example

    define contactgroup{
    contactgroup_name printeradmins
    alias Nagios Printer Admins
    members nagiosadmin, rauser
    }

    printeradmins are used in printer.cfg like

    # SEKPRT1 – Toshiba multifunctional BW printer TOSHIBA e-STUDIO182
    define service{
    use generic-service ; Inherit values from a template
    host_name sekprt1 ; The name of the host the service is associated with
    service_description Printer Device Trays ; The service description
    check_command check_snmp_printer_sh!public!TRAY 1,2,5,7 ; The command used to monitor the service
    normal_check_interval 10 ; Check the service every 10 minutes under normal conditions
    retry_check_interval 1 ; Re-check the service every minute until its final/hard state is determined
    contact_groups printeradmins
    servicegroups printer-services
    }
