restricting access to hobbit
list Phil Wild
Hello,

I am looking at setting up hobbit to manage two groups of hosts. I would prefer to just deploy one hobbit installation for both groups. For most of the hobbit web pages, Apache security solves a lot of the browsing issues, but the cgi-bin executables and menus are the problem.

I want to make sure one group doesn't have access to see or make changes to the other group's hosts.

The areas I see a problem with are:

hobbit-enadis.sh
bb-findhost.sh
hobbit-confreport.sh

I would like to restrict the above to only work with a subset of hosts (perhaps a tag in the bbhosts file).

The reports generate web pages on the fly and drop the user at the top level page, which is not what I would prefer (each group has their own top level page etc.).

All nongreen view is also an issue, and lastly, manually modifying the URL based on bb-hostsvc.sh to get to a web page for a host in the other group's list is also a problem.

Any ideas how I can address this?

Thanks
Phil
list Josh Luthman
The default Apache configuration that Hobbit makes for you will specify requiring HTTP logins for the cgisec directory. Is this what you're looking for?
--
Josh Luthman
Office: XXX-XXX-XXXX
Direct: XXX-XXX-XXXX
XXXX Wayne St
Suite XXXX
Troy, OH XXXXX
Those who don't understand UNIX are condemned to reinvent it, poorly.
--- Henry Spencer
list Phil Wild
No, not quite. I want to make a single hobbit install work for two groups of users, and I don't want group A to have any access to see or do anything to Group B hosts and vice versa.

I am trying to find out if there is a way of restricting the reports/tools/executables to only run against a subset of the hosts defined in bbhosts, say like using bbgrep to filter on a tag or something for all functions.

Any ideas?

Phil
--
Tel: XXXX XXX XXX
Fax: XXXX XXX XXX
email: user-e365c1418192@xymon.invalid
list Josh Luthman
With two groups of hosts you still only have one directory accessible by web. This means Apache HTTP authentication is out of the question. That's about all I can tell you =/
list Iain Conochie
Josh Luthman wrote:
With two groups of hosts you still only have one directory accessible by web. This means Apache HTTP authentication is out of the question. That's about all I can tell you =/
Not necessarily! You can use the PAGE statement in bb-hosts and then you have a new directory for each page and sub-page underneath. You can then use apache auth for that. Then for the top level you can also use apache auth for admins.

Cheers
Iain
list Phil Wild
This is correct and I expect this part to work. But all the tools bypass this security. For example, if you run an sla report, it builds a new directory structure and hence the user that ran the report can see everything from the top level down. Also, the enable/disable menu option lets you see all hosts, same with findhost or even if you muck around with the hostsvc URL.

I was wondering if there was some way of either wrapping this functionality with something that restricts the hosts (like as if bbhostgrep is used as the input to all these functions or something).

Has anyone achieved this or is it not possible without changing the source?

Phil
list Josh Luthman
I've never used the PAGE statement, but I was under the impression it was just going to put the following hosts in www/newpage.html instead of www/bb.html - same directory. Is this not so?
list Iain Conochie
Josh Luthman wrote:
I've never used the PAGE statement, but I was under the impression it was just going to put the following hosts in www/newpage.html instead of www/bb.html - same directory. Is this not so?
Nope. Using a "PAGE NewPage This is a new page!" statement creates a directory NewPage and there is an index.html file under that.

Iain
list Iain Conochie
Phil Wild wrote:
This is correct and I expect this part to work. But all the tools bypass this security. For example, If you run an sla report, it builds a new directory structure and hence the user that ran the report can see everything from the top level down. Also, the enable/disable menu option lets you see all hosts, same with findhost or even if you muck around with the hostsvc URL.
Ah ha. I see your issue. I guess you could run multiple instances of hobbit on the same machine, one for each customer, and have virtual hosts in apache. Very ugly solution though :(

What is the hobbit server currently running on? If you are using Solaris you could use containers to separate the hobbit processes. And I believe that the Linux kernel will soon have container support too.

I think Henrik posted a workaround to this on the 7th Nov.

Cheers
Iain
list Tod Hansmann
So what you are asking is to have one hobbit installation function in a manner equivalent to two hobbit installations. The only reason the apache authentication stuff won't work is because the CGI-BIN stuff works on the raw data and/or memory state of hobbit's main functionality. Thus, you would need to hack the code to do two things that it doesn't do currently:

1) You would need to get permissions built-in to bb-hosts interpretations, which would be trivial to have understood, but a lot of changes to do anything with that. (Knowing there's a group A and B is one thing. Knowing what to do with that knowledge is the harder part.)

2) You would need to modify all the CGI programs to work on the separate data.

This, in my estimation, is not at all what hobbit was designed for, and you'd be much better off just running two separate instances of hobbit. You can even run a third to combine the two sets of data into one (like we do) and only allow yourself to see that one.

Am I missing something in my estimations here?

Tod Hansmann
Network Engineer
list S Aiello
To get 2 separate instances can be performed by using Alternate Pagesets. See the Alternate Pagesets section under the bbgen man. That will not solve your issue with stopping a user group from maint'ing another group's devices, since the cgi dir isn't separate.

As to limiting users from ack'ing/maint'ing the other group's servers, you can look at a post I outlined long ago. The post is at: http://www.hswn.dk/hobbiton/2007/07/msg00534.html

Not sure how this works with alternative page sets, but this should be enough for you to move forward and tweak accordingly.

~Steve
list Phil Wild
Thank you all,

This is what I was kind of expecting. The path we are currently going to take is to use Xen to run two versions on the one box. The virtual host idea is interesting but I expect we would have problems with all the daemons.

I was kind of hoping that all these functions used a common utility like bbhostgrep or something to get the list of hosts from the bb-hosts tree and if so, it may have been simple to modify along the lines of putting a commented tag against hosts listed in bb-hosts. For the functions/reports that built directory structures I was thinking that a wrapper could be used to put the authentication directives in the right places.

Cheers
Phil
▸
On 16/11/2007, user-ce96540ed38f@xymon.invalid <user-ce96540ed38f@xymon.invalid> wrote:On Thursday 15 November 2007, Tod Hansmann wrote:So what you are asking is to have one hobbit installation function in a manner equivalent to two hobbit installations. The only reason the apache authentication stuff won't work is because the CGI-BIN stuff works on the raw data and/or memory state of hobbit's main functionality. Thus, you would need to hack the code to do two things that is doesn't do currently: 1) You would need to get permissions built-in to bb-hosts interpretations, which would be trivial to have understood, but a lot of changes to do anything with that. (Knowing there's a group A and B is one thing. Knowing what do with that knowledge is the harder part). 2) You would need to modify all the CGI programs to work on the separate datas. This, in my estimation, is not at all what hobbit was designed for, and you'd be much better off just running two separate instances of hobbit. You can even run a third to combine the two sets of data into one (like we do) and only allow yourself to see that one. Am I missing something in my estimations here? Tod Hansmann Network EngineerTo get 2 separate instances can be performed by using Alternate Pagesets. See the Alternate Pagesets section under the bbgen man. That will not solve your issue with stoping a user group from maint'ing another group's devices, since the cgi dir isn't separate. As to limiting users from ack'ing/maint'ing the other groups servers, you can look at a post I outlined long ago. The post is at: http://www.hswn.dk/hobbiton/2007/07/msg00534.html Not sure how this works with alternative page sets, but this should be enough for you to move forward and tweak accordingly. ~Steve
-- Tel: XXXX XXX XXX Fax: XXXX XXX XXX email: user-e365c1418192@xymon.invalid
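The tag-and-wrapper idea in Phil's message above, sketched as an added example that is not part of the original thread and is not Hobbit code: a deny-by-default check a CGI wrapper could run before handing a request to the real script. The `GRP:` tag, the `USER_GROUPS` mapping and the host names are assumptions made for this example; the user name is taken to be the one Apache authenticated (`REMOTE_USER`).

```python
import re

# Constructed sample in bb-hosts layout ("IP hostname # tags"). The "GRP:" tag
# is a hypothetical convention for this example, not an existing Hobbit tag.
BB_HOSTS = """\
page teama Team A
10.0.0.10 web1.example.com # http://web1.example.com/ GRP:teama
10.0.0.11 db1.example.com # GRP:teama
page teamb Team B
10.0.1.10 mail1.example.com # smtp GRP:teamb
10.0.1.11 legacy.example.com # conn
"""

# Constructed mapping from the Apache-authenticated user to host groups.
USER_GROUPS = {"alice": {"teama"}, "bob": {"teamb"}, "noc": {"teama", "teamb"}}

# An IPv4 address, a hostname, then an optional "# tags" part.
HOST_LINE = re.compile(r"^\s*\d{1,3}(?:\.\d{1,3}){3}\s+(\S+)\s*(?:#\s*(.*))?$")


def parse_host_groups(text):
    """Return {hostname: set of groups}; untagged hosts get an empty set."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if not m:
            continue  # page/group directives, comments, blank lines
        tags = (m.group(2) or "").split()
        groups = {t[4:].lower() for t in tags if t.startswith("GRP:")}
        hosts[m.group(1).lower()] = groups
    return hosts


def allowed_hosts(user, hosts):
    """Hosts a user may see, e.g. to filter a find-host or enable/disable list."""
    groups = USER_GROUPS.get(user, set())
    return sorted(h for h, g in hosts.items() if g & groups)


def authorize(user, requested_host, hosts):
    """Deny by default: unknown user, unknown host and untagged host all fail.

    This is the check that stops a hand-edited URL naming another group's host.
    """
    if not user or not requested_host:
        return False
    host_groups = hosts.get(requested_host.strip().lower(), set())
    return bool(host_groups & USER_GROUPS.get(user, set()))
```

A wrapper like this only gates requests that name a single host. Views that read Hobbit's state for all hosts, such as the all non-green page, would still need filtering inside the CGI itself, which is the harder change Tod's reply describes.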
list Jerry Yu
What Phil requested may be worthy of the status of a new feature: capability to segment hosts into groups, which in turn can be accessed and/or managed only by designated users/group. For some large installations with thousands of hosts, it seems to be a must-have instead of a nice-to-have.
▸
On Nov 15, 2007 7:36 PM, Phil Wild <user-e365c1418192@xymon.invalid> wrote:
list Josh Luthman
Jerry, get coding! =) As that isn't a possibility right now, I guess the only solution is a whole new Hobbit install - correct?
▸
On 11/20/07, Jerry Yu <user-764c1f364fe0@xymon.invalid> wrote:
-- Josh Luthman Office: XXX-XXX-XXXX Direct: XXX-XXX-XXXX XXXX Wayne St Suite XXXX Troy, OH XXXXX Those who don't understand UNIX are condemned to reinvent it, poorly. --- Henry Spencer