Securing hobbit
list Aaron Kincaid
Hi, we have been setting up hobbit for our company over the last couple of weeks and it is a brilliant product! We were originally planning on allowing anyone within the company to see the pages, but now we have been asked to limit access to each department head and the department heads can only see the results for equipment in their department. We have divided the bb-hosts file up using the PAGE function, but wanted to know if there is a way to explicitly allow one or two people to see the page for a specific department. We also want to publish the site and use authentication to get to it, what is the best way to meet both these goals?
list Greg L Hubbard
I think you need to do it at the Web Server level. You appear to be on the right track. GLH
▸
From: Aaron Kincaid [mailto:user-7f6756a6c8ac@xymon.invalid]
Sent: Monday, October 01, 2007 9:42 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: [hobbit] Securing hobbit
Hi, we have been setting up hobbit for our company over the last
couple of weeks and it is a brilliant product! We were originally
planning on allowing anyone within the company to see the pages, but now
we have been asked to limit access to each department head and the
department heads can only see the results for equipment in their
department. We have divided the bb-hosts file up using the PAGE
function, but wanted to know if there is a way to explicitly allow one
or two people to see the page for a specific department.
We also want to publish the site and use authentication to get
to it, what is the best way to meet both these goals?
list Henrik Størner
▸
On Mon, Oct 01, 2007 at 09:41:36AM -0500, Aaron Kincaid wrote:
Hi, we have been setting up hobbit for our company over the last couple of weeks and it is a brilliant product! We were originally planning on allowing anyone within the company to see the pages, but now we have been asked to limit access to each department head and the department heads can only see the results for equipment in their department. We have divided the bb-hosts file up using the PAGE function, but wanted to know if there is a way to explicitly allow one or two people to see the page for a specific department. We also want to publish the site and use authentication to get to it, what is the best way to meet both these goals?
Hobbit doesn't have any access controls built-in, so you need to
configure this through your webservers' access control mechanism.
These usually make it relatively straight-forward to secure access
to certain directories to a limited group of users. In Apache,
you'd put something like this in your config:
AuthType Basic
AuthName "Hobbit"
AuthUserfile "/etc/hobbit/users"
AuthGroupfile "/etc/hobbit/groups"
Alias /hobbit/ "/var/lib/hobbit/www/"
<Directory "/var/lib/hobbit/www">
Options Indexes FollowSymLinks Includes MultiViews
Order allow,deny
Allow from all
Require group admins
</Directory>
<Directory "/var/lib/hobbit/www/dept1/">
Require group admins dept1users
</Directory>
Note that you can also use .htaccess files to control this.
Then use the htpasswd utility to create users, and add users
to the "/etc/hobbit/group" file like
dept1users: john mick
admins: aaron
Regards,
Henrik
list Charles Jones
I need to do something similar, and .htaccess files came to mind. However, I want to basically provide all hobbit functionality to groups, without exposing any other groups hostsnames. I have noticed that some things in Hobbit already work nicely for this, such as enable/disable and acknoledge alert, when selected from a sub page will only show the hosts/alerts from that page, but what about things like bb2.html (all non-green view), and other administrative things (eventlog, availbility, etc) that we may want a group to be able to use, but not have them wade through other groups hosts as well? -Charles
▸
Henrik Stoerner wrote:On Mon, Oct 01, 2007 at 09:41:36AM -0500, Aaron Kincaid wrote:Hi, we have been setting up hobbit for our company over the last couple of weeks and it is a brilliant product! We were originally planning on allowing anyone within the company to see the pages, but now we have been asked to limit access to each department head and the department heads can only see the results for equipment in their department. We have divided the bb-hosts file up using the PAGE function, but wanted to know if there is a way to explicitly allow one or two people to see the page for a specific department. We also want to publish the site and use authentication to get to it, what is the best way to meet both these goals?Hobbit doesn't have any access controls built-in, so you need to configure this through your webservers' access control mechanism. These usually make it relatively straight-forward to secure access to certain directories to a limited group of users. In Apache, you'd put something like this in your config: AuthType Basic AuthName "Hobbit" AuthUserfile "/etc/hobbit/users" AuthGroupfile "/etc/hobbit/groups" Alias /hobbit/ "/var/lib/hobbit/www/" <Directory "/var/lib/hobbit/www"> Options Indexes FollowSymLinks Includes MultiViews Order allow,deny Allow from all Require group admins </Directory> <Directory "/var/lib/hobbit/www/dept1/"> Require group admins dept1users </Directory> Note that you can also use .htaccess files to control this. Then use the htpasswd utility to create users, and add users to the "/etc/hobbit/group" file like dept1users: john mick admins: aaron Regards, Henrik
list Aaron Kincaid
I did as suggested using an .htaccess file, but nothing happens. Is there some way to test? I know that this is really an Apache question more so than a Hobbit question, but if there is anyone trying to do this, please help. I followed Henrik's instruction and I can't see what I could possibly be doing wrong. Aaron Kincaid
▸
From: Aaron Kincaid
Sent: Monday, October 01, 2007 9:42 AM
To: user-ae9b8668bcde@xymon.invalid
Subject: Securing hobbit
Hi, we have been setting up hobbit for our company over the last couple
of weeks and it is a brilliant product! We were originally planning on
allowing anyone within the company to see the pages, but now we have
been asked to limit access to each department head and the department
heads can only see the results for equipment in their department. We
have divided the bb-hosts file up using the PAGE function, but wanted to
know if there is a way to explicitly allow one or two people to see the
page for a specific department.
We also want to publish the site and use authentication to get to it,
what is the best way to meet both these goals?
list Pkc_mls
▸
Aaron Kincaid a écrit :
I did as suggested using an .htaccess file, but nothing happens. Is there some way to test? I know that this is really an Apache question more so than a Hobbit question, but if there is anyone trying to do this, please help. I followed Henrik’s instruction and I can’t see what I could possibly be doing wrong.
hello, the best is to play around with the .htaccess in a temp/test directory, so you can see/check if the htaccess is correct or not. you should also have a look a the error log from apache.
▸
Aaron Kincaid *From:* Aaron Kincaid *Sent:* Monday, October 01, 2007 9:42 AM *To:* user-ae9b8668bcde@xymon.invalid *Subject:* Securing hobbit Hi, we have been setting up hobbit for our company over the last couple of weeks and it is a brilliant product! We were originally planning on allowing anyone within the company to see the pages, but now we have been asked to limit access to each department head and the department heads can only see the results for equipment in their department. We have divided the bb-hosts file up using the PAGE function, but wanted to know if there is a way to explicitly allow one or two people to see the page for a specific department. We also want to publish the site and use authentication to get to it, what is the best way to meet both these goals?