Xymon Mailing List Archive search

restricting access to hobbit

list Jerry Yu
Tue, 20 Nov 2007 07:43:16 -0500
Message-Id: <user-4f894727e67f@xymon.invalid>

What Phil requested may be worthy of the status of a new feature: capability
to segment hosts into groups, which in turn can be accessed and/or managed
only by designated users/group.
For some large installations with thousands of hosts, it seems to be a
must-have instead of a nice-to-have.

On Nov 15, 2007 7:36 PM, Phil Wild <user-e365c1418192@xymon.invalid> wrote:
Thank you all,

This is what I was kind of expecting. The path we are currently going to
take is to use Xen to run two versions on the one box. The virtual host idea
is interesting but I expect we would have problems with all the daemons.

I was kind of hoping that all these functions used a common utility like
bbhostgrep or something to get the list of hosts from the bb-hosts tree and
if so, it may have been simple to modify along the lines of putting a
commented tag against hosts listed in bb-hosts.

For the functions/reports that built directory structures I was thinking
that a wrapper could be used to put the authentication directives in the
right places.

Cheers

Phil


On 16/11/2007, user-ce96540ed38f@xymon.invalid <user-ce96540ed38f@xymon.invalid> wrote:
On Thursday 15 November 2007, Tod Hansmann wrote:
So what you are asking is to have one hobbit installation function in a
manner equivalent to two hobbit installations.  The only reason the
apache authentication stuff won't work is because the CGI-BIN stuff
works on the raw data and/or memory state of hobbit's main
functionality.  Thus, you would need to hack the code to do two things
that it doesn't do currently:

1) You would need to get permissions built-in to bb-hosts
interpretations, which would be trivial to have understood, but a lot of
changes to do anything with that.  (Knowing there's a group A and B is
one thing.  Knowing what to do with that knowledge is the harder part).
2) You would need to modify all the CGI programs to work on the separate
data.

This, in my estimation, is not at all what hobbit was designed for, and
you'd be much better off just running two separate instances of hobbit.
You can even run a third to combine the two sets of data into one (like
we do) and only allow yourself to see that one.

Am I missing something in my estimations here?

Tod Hansmann
Network Engineer

Getting 2 separate instances can be performed by using Alternate
Pagesets. See the Alternate Pagesets section under the bbgen man. That
will not solve your issue with stopping a user group from maint'ing
another group's devices, since the cgi dir isn't separate.

As to limiting users from ack'ing/maint'ing the other group's servers,
you can look at a post I outlined long ago. The post is at:
http://www.hswn.dk/hobbiton/2007/07/msg00534.html

Not sure how this works with alternative page sets, but this should be
enough for you to move forward and tweak accordingly.

~Steve
