Skip to content
This repository has been archived by the owner. It is now read-only.

[dev.icinga.com #1013] hostgroup only shown in case user is contact for all hosts in the group #456

Closed
icinga-migration opened this issue Nov 15, 2010 · 40 comments

Comments

Projects
None yet
1 participant
@icinga-migration
Copy link
Member

commented Nov 15, 2010

This issue has been migrated from Redmine: https://dev.icinga.com/issues/1013

Created by tontonitch on 2010-11-15 16:38:35 +00:00

Assignee: mjbrooks
Status: Resolved (closed on 2011-08-22 12:59:27 +00:00)
Target Version: 1.5
Last Update: 2014-12-08 09:39:50 +00:00 (in Redmine)


Hi,

From the tests i've done, a hostgroup is shown in the hostgroup overview only in case the logged user is contact for all hosts in the hostgroup.
I cannot remember if it was the case in previous version of icinga/nagios.

Nevertheless, i think it would be more logic to

  • show a hostgroup in case the logged user is contact for at least one host of the hostgroup.
  • only show the hosts in the list of this hostgroup for which the logged user is a contact.

Regards,

Yannick

Attachments

Changesets

2011-06-03 06:12:17 +00:00 by (unknown) 5076719

Added option to show partial hostgroups #1013

By default, a user only sees a hostgroup and the hosts within it if
they are an authorized contact for all of the hosts of the group.

This commit adds the cgi.cfg option:

show_partial_hostgroups=0

When enabled, the hostgroups overview will show a partial listing
of hosts that the user is an authorized contact for within each
hostgroup.

It will also add the string "(Partial Hostgroups Enabled)" to the
top of the Hostgroup Overview to help prevent any confusion over
whether the option is in use or not. However for privacy reasons,
hostgroups that are only showing a partial listing are not
specifically indicated.

COMPATABILITY NOTICE: As with any tweak made to the output of the
CGIs, enabling this option may adversely impact third party
programs that rely on 'screen scraping' to get their information.
If you encounter such a problem, turn this option back to it's
default of off and encourage the developer(s) of the program to
use JSON for their data needs instead.

refs #1013

2011-07-17 10:01:51 +00:00 by (unknown) ff25680

Prevent empty partial hostgroups from displaying

The initial change to status.c for partial hostgroup display made it
so that users would see empty hostgroups even for the hostgroups they
are not authorized to see.

This change prevents that from occuring by pre-iterating over the
hostgroup and suppressing the display of it if the hostgroup would
be empty.

refs #1013

2011-07-28 22:37:21 +00:00 by (unknown) 580a0ab

Remove blank table sections being generated for suppressed partial hostgroups

Moved the check for the existance of partial_hosts to occur earlier so they
are done before the table sections get created for the hostgroups.

refs #1013

2011-07-29 09:58:56 +00:00 by (unknown) 75b9029

Revert removal of iterative check for partial_hosts in show_hostgroup_overview

refs #1013

2011-07-29 14:49:43 +00:00 by mfriedrich 6e46433

re. hostgroup only shown in case user is contact for all hosts in the group - patch by tontonitch #1013

refs #1013

2011-08-03 09:06:00 +00:00 by mfriedrich e1b3eb7

add partial hostgroups patch by tontonitch #1013

refs #1013

2011-09-13 19:35:07 +00:00 by ricardo 348d1bb

classi-ui: fixes service overview for single hostgroups in status.cgi #1013

refs: #1013

* now you get shown a service overview for a single hostgroup when
  show_partial_hostgroups is switched on and you are allowed to see
  this hostgroup.
* code cleanup

Relations:

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jan 25, 2011

Updated by mfriedrich on 2011-01-25 15:47:55 +00:00

  • Status changed from New to Feedback
  • Assigned to set to __

hmmm this could be done as a config option, leaving the old behavior intact.

@rune

one for you.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 23, 2011

Updated by ricardo on 2011-03-23 15:18:03 +00:00

This is related to #1320

should this be made a config option, or just show, the hosts the user is authorized for.

But on the other hand.
If the user has to see certain hosts, then there should be a hostgroup created which the user can see. But this wouldn't do anything better, or would it?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 23, 2011

Updated by tontonitch on 2011-03-23 15:40:02 +00:00

Let's illustrate that issue with an exemple.
It might be helpful and complete the issue description.

Let's take a configuration with 1 hostgroup "windows-servers", 2 contacts "oracleadmin" and "systemadmin", and 2 hosts "server1" and "server2".
"server1" and "server2" belong to hostgroup "windows-servers".

  • systemadmin is contact of "server1" and "server2"
    -> no problem, the hostgroup is well listed
  • oracleadmin is not contact of "server1" and "server2"
    -> ok, the hostgroup is not listed as expected

Now, an Oracle component is installed on the server1. The user oracleadmin is also made contact of "server1"
So now oracleadmin is contact of "server1" and not contact of "server2"

=> i was expecting the hostgroup (with only server1) to appear in the hostgroup overview when logged as oracleadmin. but it's not the case.

Do you agree with what I was expecting?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 23, 2011

Updated by ricardo on 2011-03-23 15:49:08 +00:00

Yes I agree, but shouldn't you create a new host group just for the oracle admin, or put server1 in the host with oracle, which the oracleadmin can already see??

What's your point of view on that?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 23, 2011

Updated by mfriedrich on 2011-03-23 15:54:36 +00:00

  • Assigned to deleted ~~~~

showing the user just a piece of the whole cake (assorted authorized hosts out of the hostgroup) would result in confusions on how to assemble the configs properly. i'm pretty sure that there are a lot of setups out there just depending on the 'if not all, don't show it' feature while it would be nice to enable that on demand, yes. making it a config options and checking on that, and the host authorization instead of the whole group might make sense. but i don't want to see that enabled by default, breaking compatibility.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 23, 2011

Updated by tontonitch on 2011-03-23 16:35:58 +00:00

Good points. I agree, if done, this should be a config options disabled by default.
But i'm starting to think that this might be designed like that on purpose...

Note: to answer to ricardo,

  • new hostgroups is indeed a solution, but would introduces some configuration redundancy in some ways.
  • in my config oracle db are considered as "host", due to lots of databases and related services, and the ability to move the database/instance. There is just a parent relationship between the database and the hosting server. So there are specific hostgroups for oracle databases/instances.
@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 24, 2011

Updated by mfriedrich on 2011-03-24 21:36:56 +00:00

  • Target Version set to 1.5

someone should implement it basically and then let's have that tested.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Mar 31, 2011

Updated by mjbrooks on 2011-03-31 11:13:59 +00:00

I wouldn't say that this is related to #1320. In that one, the user is already authorized for the host and can already see when it's down, they just weren't getting the proper view a blocking network outage if they couldn't see all hosts.

I agree with dnsmichi, it shouldn't be enabled by default.

At the same time, perhaps this is something that is better addressed in the docs to explain the behavior more clearly to everyone and to better express how hostgroups != tags/labels.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented May 19, 2011

Updated by mfriedrich on 2011-05-19 11:45:17 +00:00

  • Assigned to set to mjbrooks

please give it a try :)

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented May 20, 2011

Updated by mjbrooks on 2011-05-20 08:01:10 +00:00

@dnsmichi regarding comment 5, I'm thinking that keeping them in their respective hostgroups, but marking the hostgroups where the user isn't seeing the whole group with something to indicate that it is not a full listing would address your concern about potential confusion. For example "Linux Servers (linux-servers) [Partial listing]".

Unfortunately, that would create a bit of an information leak because the user would then know that there are other hosts in that group. Since some of my focus has been plugging such things for privacy/security reasons I'm hesitant about adding one on purpose. So if this is really deemed a necessary change, I'm leaning more towards listing them partially in their groups with a cfg option and if it's enabled to just have an additional line under the section title along the lines of:

Service Overview For All Host Groups
(Partial Group Listing Allowed)

That said, tontonitch I wouldn't consider it really redundant to add a seperate oracle-server group to the example you gave. Sure the server is listed twice, but it's listed for seperate reasons, one is based on it's type (it's a windows server) and the other on one of it's roles (it does Oracle stuff). The Oracle admin shouldn't care if it's windows or not, he should just care if the host's role is Oracle related.

However unless I'm mis-understanding what you said, your last bullet item in comment 6 sounds to me like you are using a host group where a service group would probably make more sense http://docs.icinga.org/latest/en/objectdefinitions.html#objectdefinitions-servicegroup

If that's not the case can you clarify so I understand what you mean... perhaps even give some sample of your cfgs so I can see what you are trying to do?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented May 30, 2011

Updated by mjbrooks on 2011-05-30 15:13:00 +00:00

  • File added 1013-partial-hostgroups-disabled.jpeg
  • File added 1013-partial-hostgroups-enabled.jpeg

Attaching some images of what I just hacked together.

In this example there are four hosts in the hostgroup linux-servers: localhost, localhost2, localhost3 and localhost4. The user is a contact for localhost, localhost2 and localhost3 only.

The image with the name that ends with 'disabled' is with the new cgi.cfg option show_partial_hostgroups=0, and is what you get now before the change and what will be the default. The image ending with 'enabled' is what you would get with show_partial_hostgroups=1. (Note how localhost4 is not being listed, since the user is not authorized for that host)

Any thoughts? Opinions? Complaints?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 3, 2011

Updated by mjbrooks on 2011-06-03 06:21:25 +00:00

  • Done % changed from 0 to 100

Just pushed to mbrooks/cgis in git. Redmine should pick it up whenever it wakes up.

@dnsmichi FYI, I checked this against rbartels/cgi-current just to be safe and it merges with his branch cleanly.

Let me know if this works for you.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 3, 2011

Updated by tontonitch on 2011-06-03 07:42:00 +00:00

@mjbrooks,

Thanks for that great work. The choosen solution should be perfect for every icinga users, that's great! I will test that change next week and give you some feedback.

That said, tontonitch I wouldn't consider it really redundant to add a seperate oracle-server group to the example you gave.
Sure the server is listed twice, but it's listed for seperate reasons, one is based on it's type (it's a windows server)
and the other on one of it's roles (it does Oracle stuff). The Oracle admin shouldn't care if it's windows or not, he should
just care if the host's role is Oracle related.

To clarify a bit:
Our infrastructure department is quite small, so the bondaries of responsabilities are not "square". The Oracle team is consequently responsible also for parts of the storage servers, parts of the windows servers (even if there's no Oracle products installed),... Same for network team. That's why a partial listing of hostgroups would give a useful view, without the need of creating lots of additional small hostgroups.

However unless I'm mis-understanding what you said, your last bullet item in comment 6 sounds to me like you are using a
host group where a service group would probably make more sense

Concerning your comment about service groups, that was a choice to consider Oracle databases as host objects. We have currently a maximum of 20 Oracle instances running on 1 solaris server (6 solaris servers).
Gathering all that Oracle DB check on a single solaris server would result basically in the following service on one host:

  • 20 x 15 = 1000 oracle specific services
  • 15 solaris specific services

So, Oracle DB are considered as hosts:

  • to make a separation between the solaris server/services and the oracle database services
  • to make a separation between the oracle databases themself

Then, servicegroups are configured depending on the "business services" provided:

  • servicegroup 1 = checks 1-5 on database D + checks 1-4 on windows server X ...

This setup has been working well like that for 2 years.

Hope that answer parts of your interrogations

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 25, 2011

Updated by mjbrooks on 2011-06-25 23:59:57 +00:00

@tontonich Have you had a chance to try out the partial hostgroups yet?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 26, 2011

Updated by tontonitch on 2011-06-26 10:31:59 +00:00

  • File added test1_partial_desactivated_admin_user.png
  • File added test1_partial_desactivated_restricted_user.png
  • File added test1_partial_activated_admin_user.png
  • File added test1_partial_activated_restricted_user.png

Tested the feature against an icinga core 1.4.1, on a small test environment.

  • With this feature disabled, I don't see any problem, the classical-ui behaves as expected.
    test1_partial_desactivated_admin_user.png
    test1_partial_desactivated_restricted_user.png
  • With the show_partial_hostgroups feature activated, my restricted test user can see the expected partial listing in the hostgroups overview. The only thing I didn't expect is that all the hostgroups are listed, even if empty. I need to redo the test with the last git snapshot to see if this is alredy fixed.
    test1_partial_activated_admin_user.png
    test1_partial_activated_restricted_user.png

I also need to test it with a bigger environment. Cannot be done before 30/06 (back from holidays)

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 29, 2011

Updated by tontonitch on 2011-06-29 16:32:03 +00:00

Did a quick test with a icinga-core git snapshot taken 29/06/2011 afternoon, to be sure.
Same behaviour, so all is fine, except that all hostgroups are showed, even if the logged user is not a contact for any hosts of this hostgoup (see last image above).
Don't think this behaviour is expected, right?

(sorry for the previous images without any titles, I was expecting the image names to be printed on top of them :-\)

Regards,

Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jun 29, 2011

Updated by mjbrooks on 2011-06-29 18:42:01 +00:00

  • Status changed from Feedback to Assigned
  • Done % changed from 100 to 90

Thanks for the follow-up.

Prior to this, if you have an empty hostgroup and are authorized for everything you would see an empty group for it. This change just brings it down another level. So it's not necessarily unexpected, but it's certain not wanted for privacy reasons. I'll look into correcting it soon.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 16, 2011

Updated by mfriedrich on 2011-07-16 14:58:59 +00:00

any status update on that?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 16, 2011

Updated by mjbrooks on 2011-07-16 22:51:50 +00:00

  • Category set to 52
  • Status changed from Assigned to Feedback
  • Done % changed from 90 to 100

Just pushed a change to mbrooks/cgis

I'm not crazy about how I went about it (an extra iteration), but it works. I'll revisit it down the road when I have the chance to make a cleaner solution.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 18, 2011

Updated by tontonitch on 2011-07-18 08:18:20 +00:00

Hi Matthew,
I've tested your last change: it correctly hide empty hostgroups. Nevertheless, in the hostgroups view, an empty column remains for each hidden hostgroups. This is not annoying in case only a few hostgroups are hidden.
Anyway, the objective of keeping hidden the hostgroups the user is not authorized for is reached. Great work!
Cheers,
Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 18, 2011

Updated by mjbrooks on 2011-07-18 08:21:44 +00:00

If you can, please post a screenshot and I will look into it. Feel free to fuzz out anything sensitive, I'd just like to see what you are seeing regarding the column.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 19, 2011

Updated by tontonitch on 2011-07-19 07:45:05 +00:00

  • File added hostgroups_partial.png

Hi Matthew,
I've attached a screenshot (hostgroups_partial.png) corresponding to the hostgroup view (partial) for a user with limited rights. On that view, you can see the blank columns. I've checked with a superadmin user, and the blank columns correspond exactly to hostgroups for which the user doesn't have any rights (not contact of any hosts).
Hope that it will clarify the situation.
Cheers,
Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 19, 2011

Updated by mjbrooks on 2011-07-19 07:49:37 +00:00

Ah, I see what you mean now. Thanks for the follow up and image.

I'll see what we can do about that.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 28, 2011

Updated by mfriedrich on 2011-07-28 09:18:41 +00:00

so?

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 28, 2011

Updated by mjbrooks on 2011-07-28 22:47:17 +00:00

When you have the chance, please test mbrooks/cgis ( specifically commit 580a0ab ) against your test setup.

With that commit, it should no longer be shooting those blanks ;)

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 28, 2011

Updated by mjbrooks on 2011-07-28 23:17:46 +00:00

  • Status changed from Feedback to Resolved

I'm setting this to resolved in anticipation of your thumbs up ;)

We can reopen it if anything explodes.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by tontonitch on 2011-07-29 09:06:27 +00:00

Hi Matthew,
It seems that, with the last commit, the empty hostgroups are back :-\
I've tried also a second time with a fresh status.c and all your commits, but still the same behaviour, so it seems that the last commit is problematic.
Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by mjbrooks on 2011-07-29 09:14:00 +00:00

  • Status changed from Resolved to Assigned

Thanks... I'm working on it now.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by mjbrooks on 2011-07-29 10:06:59 +00:00

  • Status changed from Assigned to Feedback

Now I'm just embarrassed. I just pushed a new revision to mbrooks/cgis

https://git.icinga.org/?p=icinga-core.git;a=commit;h=75b90297

Let me know your thoughts.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by tontonitch on 2011-07-29 12:13:28 +00:00

  • File added status.c.patch

With the last commit, empty hostgroups are gone, and blanks are back.
For info, a blank consist of the HTML code

I've made some changes to status.c to remove those blanks with partial hostgroups. Attached the patch (generated via diff with following options: Nurb), following your last commit. This patch might be addapted, if you prefer to manage the function return values differently :-)

This new status.c seems to behave as wanted for partial hostgroups. Complementary tests might be needed.

Cheers,
Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Jul 29, 2011

Updated by mfriedrich on 2011-07-29 14:53:19 +00:00

i've taken the patch and reworked it a bit in regard of the return values. it now resides with matthew's changes in test/cgis for proper testing. mine looks fine from a first look.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 1, 2011

Updated by tontonitch on 2011-08-01 11:51:36 +00:00

Hi Matthew, Michael,
Moved to your last commit, just for checking.
Tested the feature, enabled or disabled, everything seems okay now with the partial Hostgroup Overview.
I've also tested some other hostgroup views, and one seems to provide too much information when partial hostgroups feature is activated: Status Summary For All Host Groups (status.cgi?hostgroup=all&style=summary)
Indeed, the counters take into account all hostgroups, event if the contact is not authorized for.
Cheers,
Yannick

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 1, 2011

Updated by tontonitch on 2011-08-01 12:44:38 +00:00

Looking at status.c, it seems that there are some cases where the host/service authorisations checks are not done and should be done. I'm adding these checks and will propose you the patch. It is complementary to partial hostgroups feature, but should fix some other cases.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 1, 2011

Updated by tontonitch on 2011-08-01 15:30:20 +00:00

  • File added partial_hostgroups_3.patch

Attached a patch "partial_hostgroups_3.patch", which should handle all the hostgroup views, adding the partial hostgroups feature and adding some authorization checks.
It follows the last commit.
changes:

  • show_hostgroup_summaries function:
    • add partial hostgroup notif
    • restrict hostgroups based on contact authorizations
  • show_hostgroup_host_totals_summary function:
    • restrict hosts based on contact authorizations
  • show_hostgroup_service_totals_summary function:
    • check if service exists
    • restrict services based on contact authorizations
  • show_hostgroup_grids, show_hostgroup_grid functions
    • add partial hostgroup notif
    • restrict hostgroup based on contact authorizations
    • restrict service based on contact authorizations, handle "nothing matching"

Tested and seems to work well on my test environment.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 2, 2011

Updated by mfriedrich on 2011-08-02 21:39:52 +00:00

thanks gotta test this tomorrow. interested in getting a git head and/or joining the classic ui developers? :-)

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 3, 2011

Updated by mfriedrich on 2011-08-03 18:25:06 +00:00

from my pov it looks good. but it's in r1.5 and test/cgis for further dev testing.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 5, 2011

Updated by tontonitch on 2011-08-05 16:18:19 +00:00

Also, please note that the last provided patch fixes also the issue #1718. Fixed it in the scope of partial hostgroups, but in fact this patch fixed that permission issue more globally.

interested in getting a git head and/or joining the classic ui developers? :-)

I'm currently a little bit too busy, and already have some difficulties to find some free time to release some personnal plugins (ex: check_interface_table_v3t). But I hope to be able to give a hand for the development of icinga for the 1.6 release ;-)

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 22, 2011

Updated by tontonitch on 2011-08-22 12:25:59 +00:00

Feedback on 1.5 beta release: using the partial hostgroup feature enabled for 10 days on a pre-production environment, and didn't have any trouble with it. All the hostgroup views are okay with each user.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Aug 22, 2011

Updated by mfriedrich on 2011-08-22 12:59:27 +00:00

  • Status changed from Feedback to Resolved

very good, thansk for the feedback. i'll resolve for now, pls reopen if something fails.

@icinga-migration

This comment has been minimized.

Copy link
Member Author

commented Dec 8, 2014

Updated by mfriedrich on 2014-12-08 09:39:50 +00:00

  • Project changed from 19 to Core, Classic UI, IDOUtils
  • Category changed from 52 to Classic UI
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.